Privacy Policy | BumpSync

1. Introduction

BumpSync ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our pregnancy tracking application and related services (collectively, the "Service").

This policy applies to all users of BumpSync, including users in the United Kingdom and the European Economic Area. We comply with both the UK General Data Protection Regulation ("UK GDPR") as retained in UK law under the European Union (Withdrawal) Act 2018, and the EU General Data Protection Regulation (EU 2016/679) ("EU GDPR") (together referred to as "GDPR" in this policy).

Please read this policy carefully. By using BumpSync, you acknowledge that you have read and understood this Privacy Policy.

2. Who We Are

BumpSync is the data controller responsible for your personal data. As data controller, we determine the purposes and means of processing your personal data.

For all privacy-related enquiries, to exercise your rights, or to raise a concern, you can contact us at: hello@bumpsync.app

3. Information We Collect

Account & Identity Data

Email address and display name — provided directly or via a third-party sign-in provider (Google or Apple)
Authentication provider details (e.g. Google account ID or Apple ID) if you use social sign-in
Marketing communication preferences

Health & Pregnancy Data (Special Category Data)

Pregnancy information — including due date, milestones, and appointment details — constitutes health data under GDPR Article 9. This is a special category of personal data and receives the highest level of protection. We process this data only with your explicit consent, which you provide when you create a pregnancy profile. You may withdraw this consent at any time by deleting your account (see Section 12).

Usage & Preference Data

Baby name preferences and swipe interactions (likes/dislikes)
Product voting and preparation lists
Partner connection data (partner IDs for shared pregnancy tracking)
Chat assistant conversation history — messages you send to and receive from our in-app AI assistant, stored per session

Technical & Analytics Data

Browser type, device type, operating system, and app version
IP address and approximate location (country/region level)
Pages visited, features used, session duration, and interaction events
Referral source (how you found BumpSync)

4. Legal Basis for Processing

Under GDPR, we must have a lawful basis for processing your personal data. The table below sets out the data we process, why we process it, and our lawful basis for doing so.

Data / Processing Activity	Purpose	Lawful Basis
Email address & name	Account creation, authentication, service communications	Contractual necessity (Art. 6(1)(b))
Pregnancy & health data	Core pregnancy tracking functionality	Explicit consent (Art. 6(1)(a) + Art. 9(2)(a))
Partner connection data	Shared pregnancy tracking between partners	Contractual necessity (Art. 6(1)(b))
Name preferences & swipes	Personalised name recommendations	Contractual necessity (Art. 6(1)(b))
Prep lists & product voting	Preparation tracking functionality	Contractual necessity (Art. 6(1)(b))
Marketing emails	Newsletters and product updates	Consent (Art. 6(1)(a))
Analytics data (Google Analytics, Amplitude) — including referral source and UTM parameters	Understanding how the Service is used; improving features; measuring marketing effectiveness	Legitimate interests (Art. 6(1)(f)) — improving our service. You may opt out at any time (see Section 13).
Vercel Analytics — aggregated page view data	Understanding site traffic at an aggregate level; no individual tracking	Legitimate interests (Art. 6(1)(f)) — cookieless and anonymised; no consent required.
Affiliate click tracking	Earning commissions that fund service development	Legitimate interests (Art. 6(1)(f))
Chat assistant messages & conversation history	Providing AI assistant responses; storing conversation history	Contractual necessity (Art. 6(1)(b))
Push notification tokens (mobile)	Sending partner updates and milestone reminders	Consent (Art. 6(1)(a)) — opt-in only

Where we rely on legitimate interests, we have assessed that our interests are not overridden by your rights and freedoms. You may object to processing based on legitimate interests at any time by contacting us.

5. How We Use Your Information

To provide and maintain our pregnancy tracking services
To enable partner synchronisation and collaboration features
To personalise your experience (e.g. AI-powered name recommendations based on your stated preferences)
To send you important transactional updates about your account and milestones
To send you marketing communications where you have consented
To improve our services and develop new features
To detect, prevent, and address technical issues or abuse

6. Partner Data Sharing

BumpSync is designed for couples to share pregnancy information. When you connect with a partner via invite code, both partners will have access to the same pregnancy data, including milestones, baby names, and preparation lists. This sharing is explicit and opt-in through our partner invitation system — you initiate it, and your partner must accept before any data is shared.

Each partner's individual swipe preferences and final votes are visible to the other partner within the app as a core feature of the service. If you disconnect from a partner or delete your account, shared access is revoked immediately.

7. Third-Party Services

We share data with the following third-party processors and partners. Where these services are based outside the UK or EEA, we ensure appropriate safeguards are in place (see Section 8).

Infrastructure & Authentication

Supabase: Our primary database, authentication, and infrastructure provider. Your account data, pregnancy data, and all app content is stored on Supabase servers. Supabase is GDPR-compliant and processes data under Standard Contractual Clauses. See Supabase's Privacy Policy.
Apple Sign-In: If you choose to sign in with Apple, Apple authenticates you and provides your email address (or a private relay address) and name to BumpSync. Apple's handling of your data is governed by Apple's Privacy Policy.
Google Sign-In: If you choose to sign in with Google, Google authenticates you and provides your email address and name to BumpSync. Google's handling of your data is governed by Google's Privacy Policy.

AI & Enrichment

Anthropic Claude: We use Anthropic's Claude API in two ways:
- Baby name enrichment: Generic name strings (e.g. "Oliver") are sent to Anthropic to generate meanings, origins, pronunciations, and style tags for our shared name library. No personal or account data is included.
- In-app chat assistant: When you use our AI chat assistant, your messages and relevant pregnancy context (such as your due date) are sent to Anthropic to generate responses. Conversation history is stored in our database. Do not share sensitive personal information (e.g. medical details, financial data) in chat messages beyond what is necessary to use the feature.
See Anthropic's Privacy Policy.

Communications

Resend: We use Resend to deliver transactional emails (e.g. account verification, password reset) and marketing emails (where you have consented). Resend receives your email address and name for this purpose. See Resend's Privacy Policy.

Analytics

Vercel Analytics: Privacy-preserving, cookieless website analytics provided by Vercel, our hosting platform. Vercel Analytics collects aggregated, anonymised data about page views and visitor geography without using cookies or tracking individuals. No personal data is shared with Vercel for this purpose. Because it is cookieless and does not identify individuals, it operates under our legitimate interests and does not require cookie consent. For more information, see Vercel's Analytics Privacy Policy.
Google Analytics: Website usage analytics to understand how visitors use our site and improve user experience. Google Analytics uses cookies to collect usage data including page views and session information. For more information, see Google's Privacy Policy.
Amplitude: Product analytics to understand how users interact with features and improve user experience. Amplitude collects usage data including page views, feature interactions, session information, and referral source (UTM parameters and referring website). For more information, see Amplitude's Privacy Policy.

Affiliate Networks

Amazon Associates: BumpSync is a participant in the Amazon Associates Programme. When you click product links in our Prep section that lead to Amazon, these links contain affiliate tracking codes. This allows us to earn a small commission on qualifying purchases at no additional cost to you. For more information, see Amazon's Privacy Notice.
AWIN Affiliate Network: BumpSync participates in the AWIN affiliate network, which connects us with various UK retailers. When you click product links from retailers in our Prep section (such as John Lewis, Boots, Argos, and others), these links contain affiliate tracking codes managed by AWIN. This allows us to earn a small commission on qualifying purchases at no additional cost to you. For more information, see AWIN's Privacy Policy.

8. International Data Transfers

Some of our third-party service providers (including Supabase, Anthropic, Amplitude, Vercel, and Resend) are based in the United States. This means your personal data may be transferred to and processed in a country outside the UK or EEA.

Whenever we transfer personal data outside the UK or EEA, we ensure an appropriate safeguard is in place, such as:

UK International Data Transfer Agreements (IDTAs) or EU Standard Contractual Clauses (SCCs) — the primary mechanism used by our US-based processors
An adequacy decision by the UK Secretary of State or the European Commission for countries recognised as providing equivalent protection

You may request details of the specific safeguards in place for any transfer by contacting us at hello@bumpsync.app.

9. Mobile App Data (iOS & Android)

In addition to the data described above, our native mobile apps may collect a small set of mobile-specific data:

Push notification tokens: If you opt in to push notifications, we store a device token on our servers so we can send you partner updates (e.g. name matches or milestone reminders). You can withdraw consent at any time in your device's notification settings.
Device identifiers: Basic device and app metadata such as platform (iOS/Android), OS version, and app version for troubleshooting and analytics.

10. Data Security

We implement appropriate technical and organisational security measures to protect your personal data against accidental or unlawful destruction, loss, alteration, and unauthorised disclosure or access. These measures include:

Encrypted connections (HTTPS/TLS) for all data in transit
Row-Level Security (RLS) policies in our database to ensure users can only access their own and their partner's data
Secure authentication through Supabase, including support for multi-factor authentication
Regular security updates and dependency monitoring

While we take all reasonable steps to protect your data, no method of transmission over the internet or electronic storage is 100% secure. If you believe your account has been compromised, please contact us immediately.

11. Your Rights (GDPR & UK GDPR)

Depending on your location, you have the following rights regarding your personal data. To exercise any of these rights, contact us at hello@bumpsync.app. We will respond within 30 days.

Right of access: Obtain a copy of the personal data we hold about you
Right to rectification: Correct inaccurate or incomplete data
Right to erasure: Request deletion of your personal data (see Section 12 for in-app deletion)
Right to data portability: Receive your data in a structured, machine-readable format
Right to withdraw consent: Where processing is based on consent (including explicit consent for health data), you may withdraw it at any time without affecting the lawfulness of prior processing
Right to object: Object to processing based on legitimate interests, including for direct marketing
Right to restrict processing: Ask us to pause processing while a complaint is being resolved

Right to Lodge a Complaint

If you are unhappy with how we handle your data, you have the right to lodge a complaint with your supervisory authority:

UK users: The Information Commissioner's Office (ICO) — ico.org.uk/make-a-complaint
EU users: The data protection authority in your EU member state

We would, however, appreciate the chance to address your concerns before you approach a regulator, so please contact us first.

12. Data Retention & Account Deletion

We retain your personal data for as long as your account is active. We do not retain data longer than is necessary for the purposes for which it was collected.

Deleting Your Account

You can permanently delete your account and all associated data at any time:

In-app: Go to Settings → Delete Account. You will be asked to confirm before deletion proceeds. Deletion is immediate and permanent.
By email: Send a request to hello@bumpsync.app with the subject "Account Deletion Request." We will process your request within 48 hours.

What Gets Deleted

Account deletion is a complete cascade — the following is permanently removed:

Your profile and login credentials
All pregnancy data, milestones, and appointments
Baby name preferences, swipes, and matches
Preparation lists and product votes
Chat assistant conversation history and sessions
Partner connection (your partner's account and data is unaffected)
Push notification tokens
Any other data held in our systems linked to your account

Residual copies held in automated backups are purged within 30 days. Anonymised analytics data that cannot be linked back to you is retained for service improvement.

13. Cookies and Tracking

We use the following types of cookies and similar tracking technologies:

Essential cookies: Session cookies required for authentication and core functionality. These are strictly necessary and cannot be disabled without breaking the Service.
Analytics cookies: Google Analytics and Amplitude set cookies to collect usage statistics (page views, session duration, feature interactions, and referral source). We use this data under legitimate interests to improve the Service. These are not required for the Service to function.
Cookieless analytics: Vercel Analytics collects anonymised, aggregated page view data without using cookies. It does not track individual users and requires no consent.

Your Cookie Choices

When you first visit BumpSync, a cookie consent banner will appear. You can choose to:

Accept All: Allow both essential and analytics cookies. Google Analytics and Amplitude will be enabled.
Reject Non-Essential: Only essential cookies will be used. Analytics will not be loaded.

Your choice is stored in your browser's local storage. To change your preferences, clear the local storage for bumpsync.app and refresh the page to see the banner again.

You can also opt out of specific analytics providers independently:

Install the Google Analytics Opt-out Browser Add-on to block Google Analytics across all sites.
Visit Amplitude's privacy page to opt out of Amplitude tracking.
Most browsers allow you to block or delete cookies through their settings. Blocking essential cookies will prevent you from logging in to BumpSync.

14. Marketing Communications

We send marketing emails (such as product updates and tips) only where you have given your explicit consent during registration. You can withdraw this consent at any time:

Click the Unsubscribe link at the bottom of any marketing email
Update your preferences in Settings within the app
Email us at hello@bumpsync.app

Note: Even if you opt out of marketing emails, we may still send you essential transactional emails about your account (e.g. password resets, security notices). These cannot be opted out of while your account remains active.

15. Children's Privacy

Our service is intended for expectant parents aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

16. Affiliate Links & Product Recommendations

BumpSync participates in affiliate programmes with Amazon Associates and the AWIN affiliate network. When you click on product links in our Prep section and make a purchase, we may receive a small commission at no additional cost to you.

Our Affiliate Partners

Amazon Associates: Links to Amazon products contain affiliate tracking codes
AWIN Network: Links to UK retailers (including John Lewis, Boots, Argos, Mothercare, and others) are managed through the AWIN affiliate network and contain tracking codes

How Affiliate Links Work

Affiliate links appear in our Prep section when browsing or saving products
Product links contain tracking codes that identify purchases as originating from BumpSync
Clicking these links and making purchases does not affect the price you pay
Commissions help support the ongoing development of BumpSync

Our Commitment

Product suggestions and recommendations are based on what we believe will be genuinely useful for expectant parents, not on commission rates. We prioritise your needs and trust over affiliate revenue. We curate products from trusted retailers to help you make informed decisions together as a couple.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to our practices or applicable law. When we make material changes, we will notify you by email and by updating the "Last Updated" date at the top of this policy. We encourage you to review this policy periodically.

18. Contact Us

For any privacy-related questions, to exercise your rights, or to raise a concern, please contact us:

Email: hello@bumpsync.app
Subject line: Privacy Enquiry

We aim to respond to all privacy requests within 30 days. If we need more time due to the complexity of your request, we will let you know.