Privacy Policy

The data controller who decides the purposes and means of processing your data is:

• Name: Lulla App
• Contact email: contact@getlulla.app
• Website: www.getlulla.app
• Jurisdiction: Romania

For any request or question relating to the processing of your data, contact us at contact@getlulla.app. We respond within a maximum of 30 calendar days of receipt, in accordance with Art. 12(3) GDPR.

If, in the future, we designate a Data Protection Officer (DPO), their contact details will be published here and on the official website.

This Policy applies to:

• the Lulla mobile app (currently Android);
• the website www.getlulla.app;
• related backend services;
• email communications with the Lulla team.

The Policy does not cover:

• external sites linked from Lulla (e.g., supabase.com, google.com) — they have their own privacy policies;
• Google Play services, which are operated by Google and have their own policy.

All processing complies with the fundamental principles of Art. 5 GDPR:

• Lawfulness, fairness, transparency — we process data only on a clear legal basis and inform you through this document.
• Purpose limitation — we use data exclusively for the purposes described below.
• Data minimisation — we collect only what is strictly necessary.
• Accuracy — we encourage you to keep your data up to date via Settings → Profile.
• Storage limitation — we keep data only as long as necessary; deleted on your request.
• Integrity and confidentiality — data is encrypted in transit (TLS 1.3) and at rest (AES-256).
• Accountability — we can demonstrate compliance on request.

4.1 Account data (required to use the Service)

• Email address — used as a unique identifier and for account recovery;
• First name / last name / nickname — displayed in the interface (e.g., "Hi, Alex");
• Family role — Mother / Father / Guardian / Caregiver / Other (used to personalise text);
• Authentication token — generated at sign-in, kept encrypted on the device and on Supabase Auth.

If you choose to sign in with Google Sign-In, we receive from Google only the email address and the associated Google ID, based on the consent you express in the Google dialog. We do not receive your Google account password.

4.2 Baby data (entered voluntarily by you)

• Baby's name (or nickname);
• Date of birth — used to compute age in months and for age-specific recommendations;
• Sex — used for icon selection (girl / boy / prefer not to say);
• Avatar photo — optional; stored locally on your device (filesDir/baby_photos/); not uploaded to our servers by default.

As parent or legal guardian, you are responsible for entering this data and for obtaining any required legal consent (e.g., the other parent's agreement).

4.3 Sleep data (entered through your use of the app)

• Sleep session start and end times — captured by the built-in timer;
• Session duration — calculated automatically;
• Sleep type — night sleep / day sleep (nap);
• Quality — subjective rating on a scale (optional);
• Notes / tags — free text added by you (optional);
• Feeding sessions — times and type (breastfeeding / bottle / solids), optional.

4.4 Preferences and settings

• Notification settings — bedtime, on/off for reminders, daily tips, and weekly summaries;
• App language — your choice from 8 supported languages;
• Visual theme — personal preference;
• Biometric lock — preference for fingerprint / Face ID app-access protection;
• Target bedtime — used to calculate the sleep score.

4.5 Purchase data (if you subscribe to Premium)

• Purchased product ID (lulla_premium_monthly or lulla_premium_annual);
• Google Play purchase token — used to verify the authenticity of the purchase;
• Subscription date and status — active, cancelled, expired, in trial;
• Trial start date — used to schedule Day 5 / Day 6 reminders.

Important: Lulla never receives your credit/debit card data, IBAN, or other financial details. The transaction is processed exclusively through Google Play Billing; we only receive a token confirming the purchase.

4.6 Device data (automatic)

• Lulla app version — for debugging and diagnostics;
• Android version — to check compatibility;
• Unique identifier generated at install — used only locally, not shared;
• Error code / stack trace — on a crash, kept locally only in filesDir/last_crash.txt and shown on next launch. Not sent to us automatically.

We do not collect: IMEI, MAC address, your full IP, phone number, GPS location, your contacts, calendar, microphone, or camera without your explicit permission. The Android Advertising ID (AAID/GAID) is collected only if you enable marketing attribution via AppsFlyer with your explicit consent (see section 4.10).

4.7 Usage data (analytics)

To understand how the app is used and to improve it, we record certain anonymised events in the analytics_events table in our Supabase database:

• paywall-related events (paywall_shown, paywall_cta_clicked, purchase_completed, trial_started);
• feature category that triggered the event (stats, stories, sounds, etc.);
• purchased product ID, if any;
• reason for cancellation or payment failure.

These events do NOT contain: baby name, sleep hours, photos, note contents, or other personally identifiable data. They contain only stable categorical identifiers and are protected by Row Level Security so only you can see your own events.

4.8 Family-sharing data (Sharing v2 — optional)

If you choose to use the partner-sharing feature:

• we generate a 6-character invite code linked to your account;
• when the other parent accepts the code, their account is linked to your household;
• both parents see the same data about the child (sleep, photos, statistics).

The invite code expires automatically after a single use. You can revoke a partner's access from Settings → Sharing → Revoke access.

4.9 Newsletter (optional, with explicit consent)

If you subscribe to the Lulla newsletter on the website, we collect:

• your email address;
• subscription date and source (homepage / footer / popup);
• frequency preferences, if any.

You can unsubscribe at any time via a link in every email.

4.10 Marketing attribution data (AppsFlyer — only with your consent)

To understand which campaigns and channels bring new parents to Lulla and to measure the effectiveness of our ads, we use AppsFlyer — a mobile attribution platform. AppsFlyer is activated only after you give explicit consent in the dialog shown the first time you open the app; you can withdraw it at any time from Settings → Marketing analytics.

If you accept, AppsFlyer may process:

• the device's Android Advertising ID (AAID/GAID);
• technical device identifiers (model, Android version, language, carrier);
• Play Install Referrer data (which source / campaign the install came from);
• app install and open events.

This data is transmitted to AppsFlyer Ltd., which acts as a data processor / attribution partner and may process the data outside the European Economic Area, on the basis of appropriate safeguards (Standard Contractual Clauses). AppsFlyer does not receive your baby's name, sleep times, photos, or notes. If you decline or withdraw consent, AppsFlyer does not start and no advertising identifier is collected.

Data is collected from three sources:

5.1 Directly from you

When you:

• create an account,
• fill in your profile or your baby's,
• start the sleep timer,
• enter a session manually,
• edit settings,
• contact support.

5.2 Automatically, through your use of the app

When:

• you start or stop the timer (timestamps generated by the app),
• the app syncs with the cloud (read/write operations in Supabase),
• analytics events are recorded.

5.3 From third parties (with your consent)

When:

• you sign in with Google Sign-In — we receive your email and Google ID from Google;
• you subscribe to Premium — Google Play sends us the purchase token for verification.

We use your data strictly for the following purposes:

We do not use your data for: advertising, commercial profiling, automated decisions with significant effects, training AI models, sale to third parties, affiliate marketing.

Each processing operation rests on one or more legal bases:

7.1 Performance of a contract — Art. 6(1)(b)

To provide the Service in accordance with the Terms and Conditions you accepted:

• account data,
• baby and sleep data (needed for the app to function),
• preferences,
• subscription payment processing.

7.2 Your consent — Art. 6(1)(a)

For optional processing that you can enable or disable at any time:

• push notifications,
• newsletter,
• optional photos,
• the partner-sharing feature.

You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

7.3 Our legitimate interest — Art. 6(1)(f)

Carefully balanced against your rights:

• anonymised analytics to improve the Service;
• fraud prevention (e.g., repeated attempts to obtain free trial periods);
• security logs to detect unauthorised access;
• debugging based on error codes.

You can object to these processing operations at any time (see section 11).

7.4 Legal obligation — Art. 6(1)(c)

Where we are required by law:

• tax retention of transaction records (Romanian Tax Code — at least 10 years);
• response to legitimate authority requests.

8.1 Minimum user age

Lulla is intended exclusively for adults (18+). We do not knowingly collect data directly from children under 16.

8.2 Data about your baby

Data about your child (name, date of birth, photos, etc.) is entered by you, as parent or legal guardian, on the basis of your consent, and is protected by the same standards as all data in Lulla.

8.3 Special category data

We do not process health data of your child (Art. 9 GDPR). Sleep data are behavioural observations, not medical diagnoses. See the medical disclaimer in Terms and Conditions, section 7.

For the Service to operate we work with the following sub-processors, each with a Data Processing Agreement (DPA) concluded under Art. 28 GDPR:

9.1 Supabase — primary backend

About Row Level Security: Supabase enforces strict database-level policies that guarantee you can access only your own account's data. No other user can read or modify your data, even with database access. These policies are part of the app's open-source migrations and are auditable.

9.2 Google Ireland Limited — Google Play Billing and Sign-In

9.3 Hetzner Online GmbH — website hosting

9.4 Email provider (optional, if you subscribe to the newsletter)

If you subscribe to the Lulla newsletter, your email address is stored in an EU-hosted email marketing service (Mailerlite / Brevo / Resend — we update the actual provider used at the time of launch here). You can unsubscribe at any time.

9.5 AppsFlyer — marketing attribution (optional, only with your consent)

AppsFlyer is activated only with your explicit consent (see section 4.10) and can be disabled at any time from Settings → Marketing analytics. If you do not give consent, AppsFlyer does not start.

9.6 Up-to-date list

An up-to-date list of sub-processors is available at www.getlulla.app/subprocessors and is updated at least 30 days before a significant sub-processor changes.

10.1 Baseline principle

All your data is processed primarily within the European Union (Germany, via Hetzner for the website, and via AWS EU for Supabase).

10.2 Specific exceptions

In certain exceptional technical cases, some data may be transferred outside the EEA:

• Google Play (Ireland) — for payments; Google operates via its European entity (Google Ireland Limited);
• Supabase Inc. is registered in Singapore, but the infrastructure used is in the EU;
• Google Play service accounts for purchase verification — encrypted API communication with Google.
• AppsFlyer Ltd. (Israel / USA) — only if you enable marketing attribution with consent; Israel benefits from a European Commission adequacy decision, and transfers to the USA are covered by Standard Contractual Clauses (see 4.10).

10.3 Safeguards

Any transfer outside the EEA is protected by:

• Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914);
• Adequacy decisions of the Commission (e.g., EU-US Data Privacy Framework for the USA);
• additional contractual and technical measures (encryption, access control).

You may request copies of the applicable clauses and safeguards at contact@getlulla.app at any time.

Under the GDPR (Art. 15–22) and Law 190/2018, you have the following rights:

11.1 Right of access (Art. 15)

You may request a copy of all the data we hold about you. This copy is free of charge and we send it within 30 days at most.

11.2 Right to rectification (Art. 16)

You may modify inaccurate data directly from Settings → Profile or by email at contact@getlulla.app.

11.3 Right to erasure ("right to be forgotten", Art. 17)

You may delete your account and all associated data by:

• Settings → Account → Delete account;
• or email at contact@getlulla.app with subject "Data deletion request".

Data is deleted within a maximum of 30 days. Exceptions: data retained to fulfil a legal obligation (e.g., tax records of transactions — at least 10 years per the Tax Code).

11.4 Right to restriction of processing (Art. 18)

You may request that we suspend processing of certain data in the cases provided by Art. 18 (e.g., while verifying a rectification).

11.5 Right to data portability (Art. 20)

You may receive your data in a structured, commonly used, machine-readable format (e.g., JSON or CSV). You can export PDF / CSV reports of your sleep data at any time from the Statistics screen of the app. For a full machine-readable export of all data, write to contact@getlulla.app.

11.6 Right to object (Art. 21)

You may object to processing based on our legitimate interest (analytics, marketing communications). We are required to comply, except where there are compelling legitimate grounds that override your interests.

11.7 Right not to be subject to automated decisions (Art. 22)

Lulla does not make automated decisions producing legal effects or similarly significantly affecting you. All main app features (statistics, scores, summaries) are indicative.

11.8 Right to withdraw consent

Where processing is based on your consent, you may withdraw it at any time:

• Notifications — Settings → Notifications → Off;
• Newsletter — unsubscribe link in every email;
• Sharing — Settings → Sharing → Revoke;
• Entire account — Settings → Account → Delete account.

Withdrawal of consent does not affect the lawfulness of prior processing.

11.9 Right to lodge a complaint

If you consider that processing of your data infringes the GDPR, you may lodge a complaint with:

• Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
  B-dul G-ral Gheorghe Magheru 28-30, sector 1, Bucharest
  Tel: +40.318.059.211 / +40.318.059.212
  Email: anspdcp@dataprotection.ro
  Web: www.dataprotection.ro
• or the supervisory authority of your country of habitual residence (if you are an EU resident).

We encourage you, however, to contact us first at contact@getlulla.app — we can resolve most issues directly and quickly.

11.10 How to exercise these rights

Send a request to contact@getlulla.app from the email address linked to the account. We reserve the right to request additional identification documents where there are reasonable doubts about your identity (Art. 12(6) GDPR). We respond within 30 days, extendable by 60 days for complex requests (we will notify you if applicable).

After deletion of the account, all active data is removed within a maximum of 30 days. Backups are overwritten within a maximum of 7 days after active-account deletion. Data subject to a legal retention obligation is kept in isolation and used strictly to fulfil that obligation.

We implement appropriate technical and organisational measures to protect your data (Art. 32 GDPR):

13.1 Technical measures

• Encryption in transit: TLS 1.3 for all communications;
• Encryption at rest: AES-256 for data stored in Supabase and backups;
• Row Level Security (RLS): database-level policies guaranteeing data isolation between users;
• Short-lived JWT tokens that refresh automatically;
• Password hashing: bcrypt with unique salt per user (managed by Supabase Auth);
• Anon key + RLS — public API keys in the app cannot directly access sensitive data because RLS filters them;
• No service_role key in the mobile app — sensitive keys remain exclusively on the server.

13.2 Organisational measures

• Access to user data is restricted to team members with a strict need;
• Data Processing Agreement (DPA) signed with each sub-processor;
• Internal incident-management policy;
• Periodic audit of RLS policies.

13.3 Breach notification

In the event of a security breach that presents a risk to your rights, we will notify you without undue delay, and in any case within 72 hours of becoming aware of the breach (Art. 33 GDPR). We will also notify ANSPDCP where applicable.

14.1 The mobile app

The app does not use cookies. Preferences and authentication data are stored locally via:

• DataStore Preferences (user preferences);
• Encrypted SharedPreferences (biometric authentication token);
• Room Database (sleep data, baby profiles — all local).

14.2 The getlulla.app website

The website uses only strictly necessary technical cookies, with no tracking or advertising:

We do not use analytics cookies (Google Analytics, etc.), marketing cookies (Facebook Pixel, etc.), or remarketing cookies.

Fonts are hosted locally on our server (we do not use external Google Fonts).

We send marketing communications only with your explicit consent. If you subscribe to the newsletter:

• you will receive occasional emails (max. 2 / month) with Lulla news, articles about children's sleep, offers;
• every email contains an unsubscribe link;
• you can also unsubscribe by emailing contact@getlulla.app directly;
• we do not sell or share your email address with third parties.

Transactional communications (account confirmation, email verification, security alert) are not optional — they are necessary for the Service to operate.

We may update this Policy to reflect:

• changes in our data-processing practices;
• the addition of new features;
• changes in sub-processors;
• legislative updates.

16.1 Notice of changes

Material changes will be notified by:

• email sent to the account address;
• prominent notice in the app;
• updating the "Last updated" date at the top of this document.

16.2 Effective date

Material changes take effect at least 30 days after notice. Continued use of the Service after the changes take effect constitutes acceptance. If you do not agree with the changes, you may delete the account.

16.3 Previous versions

Previous versions of this Policy are available on request by emailing contact@getlulla.app.

For any question, request to exercise rights, or complaint relating to the processing of your personal data:

• Email: contact@getlulla.app
• Website: www.getlulla.app
• Recommended subject: "GDPR — [type of request]"
• Response time: maximum 30 calendar days
• Languages of communication: English, Romanian