CradleCue app iconCradleCue

Privacy Policy for CradleCue

Effective date: March 15, 2026 | Last updated: March 15, 2026

This Privacy Policy explains how James Kay Systems, LLC ("CradleCue", "we", "us", or "our") collects, uses, shares, and protects information when you use the CradleCue mobile app, related services, and website at https://cradlecue.com.

By using CradleCue, you agree to this Privacy Policy.

1. Scope

This policy applies to:

  • The CradleCue iOS app and watch features
  • Our backend services and APIs
  • Our website and support pages

This policy does not apply to third-party services we do not control, including Apple, Google, and Amazon Web Services pages you access separately.

2. Information We Collect

A. Account and authentication data

Depending on how you sign in, we may collect:

  • Email address
  • Password (stored as a one-way hash, not plain text)
  • Full name (if provided)
  • Authentication provider (email, Google, or Apple)
  • Provider user ID and linked-provider metadata
  • Account timestamps (created/login times)

B. Baby profile data

You provide baby profile details such as:

  • Baby name
  • Birth date
  • Optional nicknames
  • Optional baby profile photo

C. Baby activity and health log data

You create event records in the app, including:

  • Feeding and bottle events (amount/unit, side, timing, notes)
  • Sleep events (start/end, notes)
  • Diaper events
  • Pumping events
  • Tummy time sessions
  • Bath logs
  • Medication logs and medication profiles
  • Temperature logs
  • Skin condition logs
  • Notes
  • Event metadata (timestamps, source, collaborator attribution)

This data is entered by you and is not obtained from medical devices or health records systems.

D. Sharing and collaboration data

If you share access, we process:

  • Invite target email
  • Permission roles (owner, editor, viewer)
  • Sharing metadata (who granted access, invite/share status, timestamps)

E. Photos and uploads

If you choose to add photos, we process:

  • Optional profile photos
  • Optional event photos (for supported event types)
  • Upload/download metadata needed to generate secure temporary URLs

Photos are processed to remove EXIF metadata (including location and device information) before being stored on our servers.

F. Notification and device data

To support sync and notifications, we may process:

  • Push token
  • App-generated device ID
  • Platform/environment metadata

G. AI chat data

When you use the AI chat feature (if enabled), we process:

  • Your chat messages and questions
  • Relevant baby data context provided to generate responses
  • Chat conversation history

AI conversations are processed by Amazon Bedrock, an AI service provided by AWS. AI conversations are not used to train AI models.

H. Technical and security logs

We may collect limited technical data for operations and security, such as:

  • API request metadata (for example, route, timestamp, and source IP from infrastructure logs)
  • Authentication/security events
  • Error diagnostics

I. Data from Google or Apple sign-in

If you use Google or Apple sign-in (where available), we receive identity information necessary for authentication, such as your verified email, provider subject ID, and optional profile name.

We do not request Gmail, Google Drive, Calendar, or similar non-authentication scopes.

3. How We Use Information

We use your information to:

  • Create and secure your account
  • Authenticate you and keep you signed in
  • Store and sync baby tracking data across your devices
  • Generate predictions and insights about your baby's patterns
  • Enable sharing with invited caregivers
  • Deliver notifications and reminders
  • Provide charts, summaries, exports, and app functionality
  • Provide AI-powered chat assistance (when enabled)
  • Protect against fraud, abuse, and unauthorized access
  • Maintain, debug, and improve service reliability
  • Comply with legal obligations

We do not use baby activity data for third-party ad targeting.

4. Legal Bases (where applicable)

We process your data under the following legal bases:

  • Performance of a contract — core tracking, collaboration, and export features
  • Legitimate interests — security, fraud prevention, and service improvement
  • Explicit consent — for health-related baby data (GDPR Article 9), push notifications, and AI chat
  • Legal obligation — compliance with applicable laws

You may withdraw consent at any time through Settings, which will not affect the lawfulness of prior processing.

5. How We Share Information

We may share information:

  • With caregivers you invite or authorize in-app
  • With service providers that process data for us (for example, cloud hosting, AI processing, and infrastructure)
  • With identity providers when you choose provider sign-in (Apple/Google)
  • When required by law, regulation, or legal process
  • To protect rights, safety, and security of users or the public

We do not sell personal information.

6. Third-Party Services

CradleCue uses third-party infrastructure and platform services, including:

  • Apple services (iOS, App Intents, notifications, and sign-in where used)
  • Google sign-in services (if enabled and selected by you)
  • Amazon Web Services for backend APIs, storage, and logging
  • Amazon Bedrock for AI chat processing (conversations are not used to train AI models)

Those providers have their own privacy terms.

7. Data Retention

We retain data for as long as needed to provide the service and for legitimate operational/legal reasons.

Examples from current service behavior:

  • Account/auth records: retained while account is active and as needed for security/compliance
  • Deleted event tombstones: may be retained for up to about 90 days for sync integrity before cleanup
  • Push token registrations: include a rolling expiration window (about 60 days unless refreshed)
  • Pending invites: expire automatically (about 30 days)
  • Share links: short-lived expiration (about 7 days)
  • Verification/reset tokens: short-lived security expiration windows
  • AI chat transcripts: retained while your account is active and included in account deletion; chat data is not used to train AI models

Upon account deletion, all baby profiles, activity logs, photos, and AI chat history are permanently deleted within 30 days. Anonymized, aggregated analytics data may be retained.

When you delete a baby profile, all associated data (activity logs, photos, and notes) is archived for 30 days before permanent deletion. During this period, you may contact support@cradlecue.com to request restoration.

8. Your Choices and Rights

Depending on where you live, you may have the following rights:

  • Right of Access — request a copy of your personal data
  • Right to Rectification — correct inaccurate personal data
  • Right to Erasure — request deletion of your personal data
  • Right to Restrict Processing — limit how we use your data
  • Right to Data Portability — receive your data in a machine-readable format (export feature available in Settings as PDF/CSV)
  • Right to Object — object to processing of your personal data
  • Right to Withdraw Consent — withdraw consent at any time for consent-based processing
  • Right to Appeal — appeal denied requests where legally required

You can also:

  • Manage notification permissions in iOS settings
  • Remove shared access for caregivers
  • Disable the AI chat feature in Settings
  • Delete baby records/events in-app (subject to account role permissions)

To exercise these rights, contact: privacy@cradlecue.com

9. Children's Privacy and COPPA Compliance

CradleCue is designed for parents, guardians, and caregivers. The app is operated by adults, not by children directly.

We are committed to complying with the Children's Online Privacy Protection Act (COPPA):

  • We do not knowingly collect personal information directly from children under 13
  • Baby data is entered and controlled by the parent/caregiver account holder
  • Parents and caregivers may review, modify, or delete their child's data at any time
  • We do not use children's data for advertising or marketing purposes

10. Security

We use administrative, technical, and organizational safeguards designed to protect information, including:

  • Encryption in transit (TLS/SSL) and at rest
  • Authenticated APIs and access controls
  • Secure transport for all data transmission

Photos are stored in encrypted cloud storage and are accessible only to you and caregivers you explicitly authorize.

No method of storage or transmission is 100% secure, so we cannot guarantee absolute security.

11. International Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States, where our servers are located. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, the EU-U.S. Data Privacy Framework to safeguard international transfers.

12. Changes to This Policy

We may update this Privacy Policy periodically. We will post the updated version on this page and update the "Last updated" date.

Material changes may also be communicated in-app or by email when required.

13. Contact Us

James Kay Systems, LLC
82 Wendell Ave Ste 100, Pittsfield, MA 01201
General support: support@cradlecue.com
Privacy requests: privacy@cradlecue.com