KidSteps Privacy Policy

Last updated: April 14, 2026

1. Introduction

KidSteps is a mobile application that lets parents capture the milestones of their child's life. We value your privacy and the security of your data and that of your children. This privacy policy explains what data we collect, why, and how we protect it.

Data controller:

Innovation Haus B.V.

Netherlands

Contact: support@kidsteps.app

2. What data do we collect?

Account data

• Email address
• Password (encrypted, stored via Supabase Auth)
• Display name (optional)

Child profiles

• Your child's name
• Date of birth
• Profile photo (optional)
• Sports and hobbies (optional)

Moments

• Titles and descriptions of moments
• Photos
• Moment date
• Mood indication (emoji/label)
• Answers to dynamic questions per event type

Growth data (optional)

• Height and weight measurements with date

Calendar access (optional)

• Only with explicit permission we read calendar events
• Used to suggest moments; titles are matched locally only
• Calendar data is never stored on our servers

Technical data

• Device type and OS version
• App version
• Anonymous crash reports — only with your consent
• Push notification token (if notifications are enabled)

Payment data

• Subscription status (via RevenueCat and the app stores)
• We NEVER receive credit card or bank details. Payments are fully handled by Apple (App Store) or Google (Play Store).

3. Why do we collect this data?

4. Who do we share data with?

We never sell data. We only share with:

• Supabase (database and storage provider, EU region) — stores your account, child profiles, moments, and photos
• Anthropic (Claude API) — generates optional photo captions; photos are not retained by Anthropic (0-day retention)
• RevenueCat — handles subscription state; receives only your anonymous user ID
• Apple / Google — process payments and push notifications
• Sentry (crash reports, if enabled) — receives anonymized error data

All these parties have a data processing agreement with us.

5. Children's data

KidSteps stores data ABOUT children, entered by their parents. The parent is responsible for the data they enter about their children. We:

• Do not collect data directly from children
• Never make content public
• Store data only as long as you (the parent) wish
• Recommend sharing the family-viewer feature only with trusted people

6. How long do we retain data?

• Active accounts: as long as your account exists
• Deleted accounts: permanently deleted from our database and backups within 30 days
• Crash reports: 90 days
• Invoice data: 7 years (legal retention obligation)

7. Your rights (GDPR)

You have the right to:

• Access — request a copy of your data
• Rectification — correct data
• Erasure — delete your account and all data (available in the app: Settings → Account → Delete account)
• Restriction — temporarily stop processing
• Portability — export your data in a machine-readable format
• Object — to processing based on legitimate interest
• Withdraw consent — e.g., revoke calendar access via system settings

To make a request: support@kidsteps.app. We respond within 30 days.

Not satisfied with our response? You can file a complaint with the Dutch Data Protection Authority (autoriteitpersoonsgegevens.nl) or your local DPA.

8. Security

• All connections use TLS (HTTPS)
• Passwords are encrypted (bcrypt via Supabase Auth)
• Photos are protected by authentication; only you (and any family viewers you invite) have access
• Our servers run in the EU (Ireland)

9. Cookies and tracking

The app itself uses no cookies or trackers. Our website (kidsteps.app) uses only technical cookies necessary for operation.

10. Changes

We may update this privacy policy. We will notify you of material changes via email or in the app. Minor changes are only published here. The date at the top shows the latest version.

11. Contact

Questions? support@kidsteps.app