This Privacy Policy applies to the DAD&me mobile application and the busydads.app website ("the Service"). The data controller responsible for your personal data is:

| Field | Value |
|---|---|
| Operator (individual) | Cristina Cibotari (Moldova) |
| Privacy contact | privacy@busydads.app |
| General contact | support@busydads.app |
| Child safety contact | safety@busydads.app |
| EU representative (Article 27 GDPR) | NTY STYLE MANAGEMENT SRL, Romania |
| UK representative (UK GDPR) | Not applicable |

For privacy inquiries, write to privacy@busydads.app. Postal contact details for the operator are available via our App Store listing as required by the EU Digital Services Act.
We do not currently have a Data Protection Officer (DPO) because our processing scale does not require one under GDPR Article 37.
DAD&me does not allow children to create accounts independently. A child can only join through an invitation link created by a parent. By creating the parent account, entering the child's name and age, and generating the invite, the parent provides verifiable parental consent under COPPA (US, children under 13) and Article 8 GDPR (EU, children under 16).
For every category we process, the table below states the lawful basis we rely on (GDPR Article 6) and the purpose:

| Category | Examples | Purpose | Legal basis |
|---|---|---|---|
| Account identity | Email, password hash, display name, role (parent / child) | Create the account, sign in, restore your data | Art. 6(1)(b) — Contract |
| Pair & child profile | Child display name, age range, avatar (parent-supplied) | Connect parent and child within their private pair, adapt content to age | Art. 6(1)(b) — Contract; Art. 8 — Parental consent |
| Daily interaction | Moods, pings, daily-question answers, weekend plans, bond quizzes | Operate the cooperative bonding features | Art. 6(1)(b) — Contract |
| User-generated content | Memory Vault, Honest Secret, Photo Challenges, compliments | Save and exchange between you and your partner | Art. 6(1)(b) — Contract |
| Push tokens | Expo push device tokens | Deliver notifications you opted into | Art. 6(1)(a) — Consent (revoke in OS settings) |
| Subscription & payment | Subscription status, trial dates, store receipts | Process subscriptions and the free trial | Art. 6(1)(b) — Contract; Art. 6(1)(c) — Legal obligation (tax) |
| Security & abuse logs | IP address, user-agent, timestamps, error events | Prevent abuse, protect minors, debug | Art. 6(1)(f) — Legitimate interest |
| Device & usage analytics | Anonymised event counts, device model, OS version, timezone | Improve features, measure adoption | Art. 6(1)(f) — Legitimate interest (object via §9) |

Some content in Honest Secret (the private parent-child chat for emotionally heavy topics) may include information that California law (CPRA, since 1 January 2023) treats as "Sensitive Personal Information": mental or physical health, sexual orientation, religious or philosophical beliefs, or the contents of messages. We:
We do not perform automated decision-making or profiling that produces legal effects on you, in the meaning of GDPR Article 22.
Content stays inside your private pair. The following service providers process your data on our behalf, strictly to provide the Service:

| Recipient | Purpose | Location | Safeguard |
|---|---|---|---|
| Supabase Inc. | Database, auth, storage, realtime | EU (Frankfurt, AWS) | SCCs; encryption in transit + at rest |
| Render Services Inc. | Backend API hosting | EU (Frankfurt) | EU region; SCCs in their DPA |
| Expo / Apple APNs / Google FCM | Deliver push notifications | US / global | SCCs; device tokens only |
| Apple Inc. | App Store subscription processing | US | SCCs + EU-US DPF |
| Google LLC | Play Store subscription processing | US | SCCs + EU-US DPF |
| Cloudflare Inc. | CDN for the website | Global edge; EU-resident traffic kept in EU | SCCs + DPF |
| Resend | Transactional email (sign-up confirmation) | US | SCCs; minimal data |
| Better Stack | Operational logs | EU | EU region; PII scrubbed where possible |
| Sentry (Functional Software, Inc.) | Crash reporting & error monitoring (mobile app stack traces, device model, OS, IP-derived country/city, anonymous user id) | EU (Frankfurt) | SCCs + EU-US DPF; no message content, no children's display names |
| Upstash Inc. | Rate-limiting cache (IP address, hashed login keys; ephemeral, max 60 seconds) | EU (Frankfurt) | SCCs; in-memory only |

We never share children's data with advertisers, data brokers, or any third party not listed above.
Most processing happens inside the European Union. Some sub-processors (Apple, Google, Expo, Resend) are based in the United States. When personal data is transferred to a third country outside the EU/UK, we rely on:
You may request a copy of the relevant SCC by writing to privacy@busydads.app.

| Category | Retention | Reason |
|---|---|---|
| Account & pair data, child profile | While active; deleted within 30 days of an account-deletion request | Service operation |
| User-generated content (moods, memories, messages, etc.) | While active; deleted within 30 days of an account-deletion request | You can browse your bond history |
| Push tokens | Until OS revokes the token or you log out (max 90 days inactive) | Reduce stale-token noise |
| Server & security logs | 90 days, then deleted or anonymised | Investigate abuse + outages |
| Subscription receipts | Up to 10 years | Statutory tax / accounting obligation |
| Trial-used flag | Retained while account exists | Prevent trial abuse |
| Anonymised aggregate analytics | Indefinite | Not personal data once anonymised |

To exercise CCPA rights, email privacy@busydads.app with subject "CCPA Request". We respond within 45 days.
The fastest way is to use the in-app controls (Settings → Account). For anything else, write to privacy@busydads.app. We respond within 30 days for GDPR requests and 45 days for CCPA requests.
DAD&me is NOT a therapy, counselling, or emergency service. The "Dad, I Need Help" feature is a communication tool only. In case of emergency, call your local emergency number (112 in the EU, 911 in the US/Canada).
We may implement automated and/or manual review to detect Child Sexual Abuse Material (CSAM) and other illegal content. If detected, we will report to NCMEC (in the US) and to relevant authorities. We never use such detection for any purpose other than child safety.
Under the EU Digital Services Act (Regulation (EU) 2022/2065), you can report illegal content or terms-of-service violations:
We acknowledge reports promptly and provide a Statement of Reasons for any moderation action we take.
The mobile app uses local device storage (AsyncStorage) to keep you signed in and remember preferences. It does not use third-party cookies or cross-app trackers.
The website (busydads.app) uses only first-party functional cookies; it sets no advertising or analytics cookies that require consent.
We will notify users of material changes via in-app notice and email, with at least 30 days' advance notice. The "Last updated" date at the top always reflects the most recent revision.
This Service is distributed through the Apple App Store and Google Play. Each platform processes subscription payments and may collect device identifiers under its own privacy policy:
We declare the categories of data we collect in the Apple "App Privacy" labels and the Google Play "Data safety" form on the store listing.
General: support@busydads.app
Privacy: privacy@busydads.app
Child safety: safety@busydads.app
Operator: Cristina Cibotari (Moldova). Postal contact details are available via our App Store listing as required by the EU Digital Services Act.