Privacy Policy

Effective date: May 3, 2026 · Last updated: May 3, 2026

Your family's privacy isn't a feature, it's a foundation. This page explains what TandemBaby collects, why, where it lives, and how to take it back.

At a glance

  • Your baby's tracking data lives on your iPhone by default. It only leaves the device if you turn on Partner Sync.
  • We use Sign in with Apple. We never see passwords. We never see your credit card.
  • We do not run analytics SDKs in this version of the app.
  • We do not run ads. We do not sell or share your data. We do not track you across other apps or websites.
  • You can delete everything from inside the app, anytime.

1. Who we are

TandemBaby is operated by Minifit SIA, registration number 40203516104, registered office Dauguļu iela 61A, Rīga, LV-1058, Latvia. Minifit SIA is the data controller for the personal information described in this policy.

For privacy questions, write to privacy@tandembaby.com.

We are a small team and have not appointed a statutory Data Protection Officer because our processing does not meet the GDPR Article 37 thresholds. The named privacy contact is the founder.

If you are in the United Kingdom, you can contact us using the details above for any data protection question covered by UK GDPR.

2. What this policy covers

This policy applies to the TandemBaby iOS app, the TandemBaby Watch companion, the TandemBaby widgets, and the related backend services operated by Minifit SIA. It does not cover Apple's own services, which are governed by Apple's Privacy Policy.

3. What data we collect

We have grouped the data into the same categories Apple uses in our App Privacy declaration so the two pages match.

3.1 Account identifiers (linked to you, used for app functionality)

  • User ID. When you sign in with Apple, Apple issues us a stable anonymous user identifier that is unique to your Apple ID and to TandemBaby. We use it to recognise your account on our backend.
  • Email address. Apple lets you choose either to share your real email address with us, or to use Apple's relay address. If you choose to share, we receive and store the real address. If you choose relay, we only ever see the relay address. Either way, we use it only to contact you about your account when needed.
  • Name. On the very first sign-in, Apple lets you optionally share your name. If you provide it, we store it so the app can greet you. We do not receive your name on subsequent sign-ins.

3.2 Health and Fitness data about your child (linked, app functionality)

The core of TandemBaby is a log of events about your baby:

  • Feeding sessions (breastfeeding, bottle, solids)
  • Sleep periods
  • Diaper changes
  • Medication doses
  • Growth measurements (height, weight, head circumference)
  • Developmental milestones
  • Notes and photos you attach to moments

Apple classifies this category as Health and Fitness data. By default it is stored only on your device. If you turn on Partner Sync, a subset (the events themselves, plus baby name and date of birth) is also stored on our servers so the linked caregiver's device can read it. Photos, notes, growth measurements, and milestone data stay on your device only and are not synced.

3.3 Purchases (linked, app functionality)

If you subscribe to TandemBaby Pro, Apple's StoreKit returns a transaction record that includes an original transaction identifier, the product purchased, and the renewal status. We store this so the app knows whether to unlock Pro features. We never see your card number, billing address, or Apple ID password.

3.4 Tracking, advertising identifiers, cookies

We do not track you across other apps or websites. We do not use the IDFA, do not run advertising SDKs, do not use cross-app tracking, and do not embed third-party trackers. The TandemBaby app does not use cookies because it is a native iOS app.

4. Why we collect it (purposes and lawful bases)

PurposeDataGDPR lawful basis
Authenticate you and provision your account User ID, Email, Name Article 6(1)(b) performance of a contract
Let you record and view your baby's events on your device Health and Fitness data Article 6(1)(b) performance of a contract; Article 9(2)(a) explicit consent for special category health data, given by you on behalf of your child when you choose to log it
Sync events between paired caregivers (Partner Sync, optional) Subset of Health and Fitness data, baby name and date of birth Article 6(1)(b); Article 9(2)(a)
Provision Pro subscription Purchases Article 6(1)(b)

You can withdraw consent for any consent-based processing at any time by turning off Partner Sync, deleting the relevant data in-app, or deleting your account.

5. Subprocessors and recipients

We use the following service providers and no others:

ProviderRoleRegion
Apple Inc. Sign in with Apple, App Store, StoreKit United States with EU-US Data Privacy Framework certification
Supabase Inc. Backend storage and realtime sync (Partner Sync) Frankfurt, Germany (EU)

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We have not done either in the preceding 12 months and have no plans to start.

6. International transfers

All server-side personal data is stored within the European Union (Frankfurt, Germany on Supabase).

Apple's Sign in with Apple service may process the authentication exchange via Apple servers outside the EEA. Apple's transfers rely on the EU-US Data Privacy Framework and on standard contractual clauses where applicable.

7. How long we keep it

DataRetention
On-device baby tracking data Until you delete it or uninstall the app. Uninstalling permanently removes everything stored locally.
Partner Sync events on our servers 90 days from the event timestamp, then automatically deleted.
Account record (User ID, Email if shared, Name if shared) For as long as you have an account. Deleted within 30 days of account deletion.
Subscription transaction record For as long as required by tax and accounting law (currently 5 years under Latvian law). After that the record is anonymised.
Invite codes for Partner Sync 24 hours, single-use.

8. Security

  • Sign in with Apple. We never store passwords because we never see them.
  • All data in transit between the app and our servers is encrypted using TLS.
  • Data at rest on Supabase is encrypted at the storage layer.
  • Row-level security on Supabase means each household can only read its own data.
  • Invite codes for Partner Sync are 6 characters, single-use, and expire after 24 hours.
  • Account deletion is a server-side wipe followed by a local wipe and signs you out of your Apple ID for TandemBaby. The Apple credential itself is fully revoked when you remove TandemBaby from your Apple ID via Apple's Settings > Apple ID > Sign in with Apple.

9. Your rights

If you are in the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with similar laws, you have the right to:

  • Access the personal information we hold about you.
  • Rectify inaccurate information.
  • Erase your information ("right to be forgotten").
  • Restrict how we process your information.
  • Object to processing based on legitimate interests.
  • Receive a portable copy of your information in a structured, machine-readable format.
  • Withdraw consent for any processing that relies on your consent.
  • Not be subject to a decision based solely on automated processing. We do not make any such decisions about you.
  • Lodge a complaint with your local supervisory authority. In Latvia this is the Data State Inspectorate (Datu valsts inspekcija, www.dvi.gov.lv). In the United Kingdom this is the Information Commissioner's Office (ico.org.uk).

10. How to exercise your rights

  • Delete your account and all server-side data: open the app, go to Settings, scroll to Danger Zone, and tap Delete Account and All Data. The app calls our server-side erasure endpoint, then wipes the device.
  • Delete just the on-device copy: uninstall the app.
  • Anything else (access, rectification, portability, objection, consent withdrawal, complaints): email privacy@tandembaby.com from the email address associated with your account. We respond within 30 days.

11. Children's data

TandemBaby is designed for use by parents and other adult caregivers, age 18 or older. The data the app records is, by design, about an infant. That child is under 13 in every realistic case.

In US terms (COPPA), this means TandemBaby is parent-directed and not directed at children. We do not knowingly collect personal information directly from a child under 13. The information about your child that lives in the app was entered by you, the parent or guardian, on behalf of your child.

In EU terms (GDPR Article 8), the information processing about your child relies on your authorisation as the holder of parental responsibility. You may withdraw that authorisation at any time by deleting the data, deleting your account, or contacting us.

If you believe a child has created an account on TandemBaby without parental authorisation, please contact us at privacy@tandembaby.com so we can remove the account.

12. California residents

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, gives you specific rights:

  • The right to know what personal information we collect, the purposes for collection, and the sources. The categories collected are described in section 3 of this policy.
  • The right to delete your personal information, exercised as described in section 10.
  • The right to correct inaccurate personal information.
  • The right to opt out of the sale or sharing of your personal information. We do not sell or share your personal information and have not done so in the preceding 12 months.
  • The right to limit the use and disclosure of sensitive personal information. We process sensitive information (health-and-fitness data about your child) only for the purposes you authorised when you logged it.
  • The right not to be discriminated against for exercising any of these rights.

To exercise any California right, email privacy@tandembaby.com from the address linked to your account, or use the in-app account deletion path described in section 10.

13. Security incidents

If we discover a breach affecting your personal information, we will notify you by email or in-app and notify the relevant supervisory authority within 72 hours, in line with GDPR Article 33.

14. Medical-device disclaimer

TandemBaby is a logging and tracking tool, not a medical device. The app does not provide medical advice, diagnosis, or treatment. Always consult your pediatrician for questions about your child's health.

15. Changes to this policy

If we change this policy in a material way, we will update the "Last updated" date and notify you in the app. Continued use after the change indicates that you accept the updated policy. We keep prior versions on request.

16. Contact

Questions, requests, or concerns:

Email: privacy@tandembaby.com
Postal: Minifit SIA, Dauguļu iela 61A, Rīga, LV-1058, Latvia (registration no. 40203516104)

← Back to home

Parenting in rhythm.