Privacy Policy
1. Controller
Vomia Labs
Sole proprietorship, owner: Van Tuan Vo
Business address: Schultheißenbrandstr. 15, 96114 Hirschaid, Germany
General contact: support@windeltracker.de
Privacy: privacy@windeltracker.de
2. What this policy covers
This privacy policy applies to the website windeltracker.de, the Windeltracker mobile app, and the related backend services. The app is intended for adult users, especially parents and caregivers. It is not intended for direct use by children.
3. Visiting the website
When you visit the website for informational purposes only, we process the access data technically required for delivery that your browser or device transmits to the server. This includes in particular your IP address, the date and time of access, the requested file, referrer, browser type, and operating system.
- Purpose: secure and stable operation of the website, error analysis, and abuse prevention
- Legal basis: Art. 6(1)(f) GDPR
- We currently do not use analytics, marketing, or tracking cookies on the website.
4. Contact by email
If you contact us by email, we process your message together with the contact details and other information transmitted with it in order to handle your request.
- Purpose: handling support, contractual, or privacy-related inquiries
- Legal basis: Art. 6(1)(b) GDPR or Art. 6(1)(f) GDPR
5. Registration and sign-in in the app
For a synchronized account, we use sign-in by email and one-time passcode (OTP). In this context, we process in particular your email address, verification and security data, IP address, timestamps, and device information required for account protection and device binding.
- Purpose: account creation, sign-in, abuse prevention, and protection of device binding
- Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR
6. App use, local storage, and synchronization
Data you enter in the app is initially stored locally on your device. If you use an account, data may be processed for synchronization with our backend so that your household can access the same content on multiple devices.
- Baby master data, for example name, date of birth, birth weight, or photo
- App usage data, for example diaper events, weight entries, notes, purchases, inventory, coupons, price information, and settings
- Technical synchronization data, for example device information, timestamps, logs, and security data
- If you join a household or invite other people, household data and member email addresses are visible to the respective household members.
The legal basis is Art. 6(1)(b) GDPR. To the extent that certain voluntary entries may relate to health, you decide to provide that data yourself for the use of the app you want.
7. Images and uploads
If you upload baby photos in the app, we process the image file, file metadata, and technical upload data in order to provide the image within your household.
- Purpose: display and synchronization of profile or household images
- Legal basis: Art. 6(1)(b) GDPR
8. Notifications
If you enable push notifications, we process your push tokens, language settings, and notification preferences. Recurring reminders may also be scheduled locally on your device.
- Purpose: sending reminders and optional app notifications
- Legal basis: Art. 6(1)(a) GDPR or the device permission granted by you
9. AI feature "Tootie"
If you use the AI chat, your chat messages are processed together with context provided by you or derived from the app to the extent required to answer your request. This may include, in particular, the baby's name, age, weight, current inventory data, recent diaper events, or similar usage context.
- Purpose: answering your request and providing the chat feature
- Legal basis: Art. 6(1)(b) GDPR
- Recipient: Google LLC as provider of the Gemini API
Please do not enter unnecessary sensitive information in the chat and do not use the feature for medical emergencies or diagnoses.
10. App stores, in-app purchases, and payment data
The app is distributed through the Apple App Store and Google Play. If paid features, in-app purchases, or subscriptions are offered in the future, payment processing will take place exclusively through the respective store. The store operators process payment, device, and transaction data under their own data protection responsibility.
We ourselves typically receive only the reference and status data required for activation, verification, and administration, such as product ID, platform, expiration date, or transaction references.
11. Recipients and service providers used
We only use service providers that are necessary to operate the app and website. These include in particular:
- Hosting and infrastructure providers for the website, API, and data storage
- Email service providers or SMTP infrastructure for sending one-time passcodes and support communication
- Google LLC for the AI chat feature via Gemini
- Expo as well as Apple and Google for the delivery of mobile push notifications
- Apple and Google for app distribution and, where applicable, in-app purchase processing
12. Transfers to third countries
Some service providers may process data in countries outside the European Union or the European Economic Area, in particular in the United States. In such cases, we ensure an adequate level of data protection, for example through adequacy decisions, certifications under the EU-U.S. Data Privacy Framework, or standard contractual clauses, where applicable.
13. Storage period
We store personal data only for as long as necessary for the stated purposes. Account and app data generally remain stored as long as you use the account or synchronization or request deletion, unless statutory retention obligations require otherwise. Log and security data are stored only as long as required for operation, security, and abuse prevention.
14. Your rights
Subject to the applicable statutory requirements, you have in particular the following rights:
- Access to your processed personal data
- Rectification of inaccurate data or completion of incomplete data
- Erasure of your data
- Restriction of processing
- Data portability
- Objection to processing based on Art. 6(1)(f) GDPR
- Withdrawal of consent granted with effect for the future
15. Right to lodge a complaint
You also have the right to lodge a complaint with a data protection supervisory authority.
16. Privacy contact
For privacy-related inquiries, please contact: privacy@windeltracker.de.