Pebble & Petal

Data Policy

Last updated: March 13, 2026

This Data Policy explains how Pebble & Petal stores, manages, and protects your data. It complements our Privacy Policy, which covers what data we collect and how we use it. This document focuses on the technical architecture, storage model, retention, and your control over your data.

1. Local-First Architecture

Pebble & Petal is designed with a local-first architecture, meaning your data is stored primarily on your device, not in the cloud.

1.1 What This Means for You

  • Privacy by Design: Your baby's tracking data, photos, milestones, and journal entries are stored directly on your phone.
  • Offline Access: You can use the app fully offline. No internet connection is required for core features.
  • No Cloud Storage by Default: We do not automatically upload your data to our servers or third-party cloud services.
  • You Own Your Data: Your data stays on your device unless you explicitly enable optional cloud features (if available) or export it.

1.2 Benefits of Local-First

  • Enhanced Privacy: Your sensitive parenting data isn't stored on remote servers where it could be accessed by third parties.
  • Faster Performance: Data is instantly available without network latency.
  • Reduced Risk: No server breaches, no data mining, no selling your information to advertisers.
  • Data Sovereignty: You control when and where your data goes.

2. What Data is Stored on Your Device

The following types of data are stored locally on your device:

  • Baby Profiles: Names, birthdates, photos, and other details you enter about your children.
  • Timeline Events: All tracking data (sleep, feeds, diapers, medications, growth measurements, etc.).
  • Milestones: Developmental milestones you log or mark as achieved.
  • Photos and Media: Images and videos attached to timeline events or journal entries.
  • Journal Entries: Notes, memories, and reflections you write.
  • User Preferences: App settings, notification preferences, theme choices, etc.
  • Voice Transcriptions: Text transcriptions of voice-logged events (voice audio is processed and discarded, not stored).

3. Optional Cloud Features

3.1 Account-Based Cloud Sync (If Enabled)

If you create an account and enable cloud sync (if available in the app), your data may be uploaded to secure cloud storage to:

  • Sync data across multiple devices (e.g., between your phone and your partner's phone)
  • Provide backup in case you lose or replace your device
  • Enable family sharing features (if available)

Cloud sync is opt-in. If you do not create an account or enable sync, your data remains only on your device.

3.2 Cloud Storage Security

If cloud sync is enabled, your data is:

  • Encrypted in transit using TLS/HTTPS
  • Encrypted at rest on our servers
  • Stored in secure, compliant data centers
  • Accessible only to authorized personnel for support and maintenance purposes

4. Data Export and Portability

4.1 Export Formats

You can export your data at any time from within the app. Export formats include:

  • JSON: Machine-readable format for backup or import into other tools.
  • CSV: Spreadsheet-compatible format for timeline data (sleep logs, feeds, etc.).
  • PDF: Human-readable summaries (e.g., for pediatrician visits).

4.2 What's Included in Exports

Exports include:

  • All baby profiles and metadata
  • Complete timeline history (all events, milestones, journal entries)
  • Photos and media (in JSON/full exports)
  • User preferences and settings (in JSON exports)

4.3 How to Export

To export your data:

  1. Open the app and navigate to SettingsData & Privacy
  2. Select Export Data
  3. Choose your preferred format (JSON, CSV, or PDF)
  4. Save the file to your device or share it via email, cloud storage, etc.

5. Data Retention and Deletion

5.1 Retention Period

Your data is retained:

  • On Your Device: Until you manually delete individual entries, baby profiles, or the entire app.
  • In the Cloud (If Enabled): Until you delete your account or request data deletion.

5.2 Deleting Individual Entries

You can delete individual timeline events, milestones, or journal entries at any time from within the app. Deleted items are removed from your device immediately.

If cloud sync is enabled, deleted items are also removed from cloud storage (though brief retention for sync conflict resolution may occur).

5.3 Deleting Baby Profiles

You can delete entire baby profiles (and all associated data) from the app settings. This action is irreversible and permanently removes:

  • All timeline events for that baby
  • All milestones and journal entries
  • All photos and media
  • Baby profile information

5.4 Deleting Your Account

To delete your account and all associated data:

  1. Go to SettingsAccountDelete Account, OR
  2. Email privacy@pebbleandpetal.com with "Delete Account" in the subject line

Upon account deletion:

  • All data associated with your account is permanently deleted from our servers within 30 days
  • Data on your device is not automatically deleted (you must manually uninstall the app to remove local data)
  • Subscriptions and purchases are managed by Apple/Google and must be canceled separately

5.5 Data Retention After Deletion

After account deletion, we may retain certain data for legitimate business purposes, including:

  • Aggregated Analytics: Anonymized usage data (no personal identifiers) for up to 24 months
  • Legal Compliance: Transaction records, support communications, or data required by law (retained as legally required)
  • Fraud Prevention: Limited data to prevent abuse, chargebacks, or account recreation for fraudulent purposes

6. Data Security Measures

We implement industry-standard security measures to protect your data:

6.1 On-Device Security

  • iOS: Data is stored in the app's secure container with iOS Keychain for sensitive credentials. Device-level encryption (FileVault, if enabled by user) protects data at rest.
  • Android: Data is stored using EncryptedSharedPreferences and Android Keystore for credentials. Device-level encryption (if enabled) protects data at rest.
  • Access Control: Data is accessible only within the Pebble & Petal app. Other apps cannot access it (per OS sandboxing).

6.2 Cloud Security (If Enabled)

  • Encryption in Transit: All data transmitted between your device and our servers uses TLS 1.2+ encryption.
  • Encryption at Rest: Cloud-stored data is encrypted using AES-256 encryption.
  • Access Controls: Only authorized personnel can access server infrastructure, with role-based access and audit logging.
  • Regular Audits: We conduct regular security reviews and vulnerability assessments.

6.3 Third-Party Security

Third-party services we use (RevenueCat, authentication providers) are SOC 2 compliant or equivalent and contractually obligated to protect your data.

7. Third-Party Integrations

7.1 RevenueCat (Payment Processing)

RevenueCat processes in-app purchases and subscriptions. They receive:

  • Transaction data (purchase receipts, subscription status)
  • Device identifiers (for subscription management)
  • Email address (if provided for receipts)

RevenueCat does not receive your baby's data, timeline logs, or photos. See RevenueCat's Privacy Policy.

7.2 OAuth Providers (Apple, Google)

If you sign in with Apple or Google, authentication is handled by those providers. We receive only:

  • Your email address (or private relay email for Apple)
  • Your name (if you choose to share it)
  • Authentication tokens (stored securely, not shared with third parties)

Apple and Google do not receive your baby's data, timeline logs, or photos.

7.3 Analytics Services

We may use privacy-focused analytics tools (e.g., self-hosted analytics, anonymized usage metrics) to understand feature usage and improve the app. These tools do not track personally identifiable information or baby data.

8. Backup Recommendations

Because Pebble & Petal uses a local-first model, we strongly recommend backing up your data regularly to prevent loss in case of:

  • Device loss, theft, or damage
  • Accidental app deletion
  • Device upgrades or factory resets

8.1 Backup Options

  • Device Backups: Enable iCloud Backup (iOS) or Google Backup (Android) to include app data in your device backups.
  • Manual Exports: Regularly export your data to JSON or CSV and save it to cloud storage (Dropbox, Google Drive, etc.) or your computer.
  • Cloud Sync (If Available): Enable cloud sync in the app to automatically back up data to our secure servers.

9. International Data Transfers (GDPR & CCPA)

9.1 Data Location

If cloud sync is enabled, your data may be stored on servers located in the United States or other jurisdictions where our service providers operate.

9.2 GDPR Compliance (European Users)

For users in the EEA, UK, or Switzerland, we comply with GDPR requirements, including:

  • Data minimization (we collect only what's necessary)
  • Purpose limitation (data is used only for stated purposes)
  • Storage limitation (data is retained only as long as needed)
  • Data subject rights (access, rectification, erasure, portability, objection)

International data transfers are protected by standard contractual clauses (SCCs) or other approved transfer mechanisms.

9.3 CCPA/CPRA Compliance (California Users)

California residents have rights under the CCPA and CPRA, including:

  • Right to know what personal information is collected and how it's used
  • Right to delete personal information
  • Right to correct inaccurate information
  • Right to opt-out of the sale or sharing of personal information (note: we do not sell personal information)
  • Right to non-discrimination

To exercise these rights, email privacy@pebbleandpetal.com with "CCPA Request" in the subject line.

10. Data Breach Notification

In the unlikely event of a data breach that affects your personal information, we will:

  • Notify affected users via email or in-app notification within 72 hours (or as required by law)
  • Describe the nature of the breach and the data affected
  • Outline steps we're taking to address the breach and prevent future incidents
  • Provide guidance on steps you can take to protect yourself
  • Notify relevant regulatory authorities as required by law (e.g., GDPR, state breach notification laws)

11. Changes to This Data Policy

We may update this Data Policy from time to time to reflect changes in the app, our practices, or legal requirements. Updates will be posted in the app and on our website with a revised "Last updated" date.

Material changes will be communicated via email or in-app notification. Your continued use of the app after changes take effect constitutes acceptance of the updated policy.

12. Contact Us

For questions, concerns, or requests regarding this Data Policy or your data, contact us:

Email: privacy@pebbleandpetal.com
Subject Line: Data Policy Inquiry

For specific requests (access, deletion, export, correction), please include:

  • Your full name and email address associated with your account
  • A description of your request
  • Any relevant details to help us verify your identity

We will respond to all legitimate requests within 30 days (or as required by applicable law).