Yum Baby Privacy Policy

Effective date: January 1, 2026

We built Yum Baby to help caregivers introduce solids safely, not to build an advertising profile. This Privacy Policy explains what data we collect through the app and supporting services, how we use it, and the choices you have. By creating an account or using the app, you agree to the practices below.

1. Information We Collect

1.1 Data you provide directly

  • Account & authentication data. When you sign up with email/password or through Apple/Google, we store your email address (plus the identity tokens those providers return) in Firebase Authentication.
  • Caregiver & baby profile details. The onboarding flow saves the baby's name, date of birth, dietary preference, feeding goals, stage progress, and optional profile avatar in our secure cloud database so every invited caregiver sees the same plan.
  • Feeding progress & notes. Any time you add a food to "My List", mark it as tried, change queue order, add tags, or leave notes, we save that information in our database so we can show your progress, streaks, and badges across all your devices and share it with other caregivers you invite.
  • AI recipe inputs & saved recipes. When you ask for a recipe we send only the selected foods, stage, options, and any note you typed to our secured Cloud Function. Saved recipes (title, ingredients, instructions, optional notes/ratings/photos) are stored in our database so you can view them later.
  • Images you choose to upload. Profile or recipe photos are uploaded to Firebase Cloud Storage. We do not access your photo library unless you pick a file.
  • Support interactions & acknowledgements. Accepting the medical disclaimer stores a timestamp in your account. If you contact us we will retain the info you share so we can respond.

1.2 Information collected automatically

  • Device & app diagnostics. Firebase Authentication, Firestore, Functions, Storage, and App Check automatically log IP address, device identifiers, crash traces, and attestation metadata to secure the service and fight abuse. We do not run Firebase Analytics or advertising SDKs.
  • Abuse prevention logs. To prevent scripted recipe generation we keep per-user counters to enforce reasonable usage limits.
  • Local caches. Your device stores authentication credentials and cached food images so the app works smoothly without an internet connection. All sensitive data is encrypted.

1.3 Data from third parties

  • Sign-in partners. If you choose Apple or Google Sign-In we receive the name/email they release. We never receive your Apple/Google password.
  • OpenAI. Our Cloud Function relays recipe prompts to OpenAI’s API. We strip credentials before forwarding and only send food context plus the note you entered. OpenAI may retain that request for up to 30 days per their policy.

2. How We Use Your Information

  • Provide core app functionality: personalize the sequential food list, show allergen progress, sync saved recipes, and keep caregivers in sync.
  • Generate AI-assisted recipes through our Firebase Cloud Function.
  • Maintain safety and integrity: enforce App Check attestation, detect abuse, and comply with medical disclaimer requirements.
  • Communicate with you about updates or support requests.
  • Improve the product by looking at aggregated, de-identified stats (e.g., which features are most used). We do not build marketing profiles.

Legal bases (where applicable): (a) performance of our agreement with you (providing the app); (b) legitimate interests in safeguarding the service; and (c) consent when you opt into optional features like camera/photo uploads or recipe notes.

3. How We Share Information

  • Other caregivers you invite. Everyone you add to a baby profile can see the same baby-specific data (foods, recipes, notes, photos). Removing a caregiver immediately revokes their access.
  • Service providers. We rely on:
    • Google Firebase (Authentication, Firestore, Storage, Cloud Functions) for hosting, storage, and security.
    • Expo (EAS) for build and OTA update delivery.
    • OpenAI for recipe generation.
    • Apple & Google for federated sign-in.
    Each provider may process data in the United States or other regions where they operate and is bound by its own privacy terms.
  • Compliance & safety. We may disclose data if required by law, to enforce our terms, or to protect users’ safety.

We do not sell personal data, run ads, or share data with data brokers.

4. Retention & Deletion

  • We keep your caregiver and baby data for as long as the account remains active.
  • You can delete your own account at any time from Settings → Delete account. Owners can also delete the entire baby profile (which removes all foods, recipes, progress data, images, and all caregiver accounts) or transfer ownership to another caregiver before leaving.
  • If you uninstall the app but keep the account, your data stays on our servers so you can return later. We may delete inactive spaces after a long period of inactivity to protect user privacy.
  • You may also email support@yumbaby.co to request access, correction, or deletion; we will verify your identity via your account email before acting.

5. Device Permissions & Local Storage

  • Camera & Photo Library (iOS) / READ_MEDIA_IMAGES (Android). Needed only when you take or select profile/recipe images. Denying permission simply disables those uploads.
  • Network access & storage. Required for syncing with Firebase and caching assets for offline use.
  • Notifications. Not currently used. If we add push notifications we will request permission first.

6. Security

  • Data in transit is encrypted via HTTPS. Firebase encrypts data at rest.
  • Our database security rules ensure that only authenticated caregivers can access their baby's data, and App Check prevents unauthorized access from modified apps.
  • Cloud Functions validate security tokens and implement per-user rate limits to prevent abuse.
  • Despite these measures, no system is perfect; please use strong passwords and keep your device secure.

7. Children’s Privacy

Yum Baby is intended for parents and caregivers. Children do not create accounts or interact with the service directly. Parents control what information about their child is entered and can delete it at any time. If you believe we collected information from a child without consent, contact us and we will delete it promptly.

8. International Users

The infrastructure we use may process data in the U.S. or other countries. By using the app you consent to these transfers. We rely on Google and OpenAI’s contractual safeguards (including Standard Contractual Clauses where applicable) to protect that data.

9. Your Rights & Choices

Depending on your jurisdiction you may have rights to access, correct, port, object to, or restrict processing of your personal data. You can exercise most controls inside the app (editing the baby profile, deleting the account). For anything else email support@yumbaby.co and we'll respond within 30 days.

10. Changes to This Policy

We may update this Privacy Policy as the app evolves. We will post the new version inside the app (Settings → Privacy) and update the “Effective date” above. Significant changes may also be announced via in-app notice or email.

11. Contact Us

Please reach out with any privacy or security questions.
Email: support@yumbaby.co