Privacy Policy

Last updated: March 2026

TinyYears is operated by ByteNero. We take your family's privacy extremely seriously. This policy explains what data we collect, how we use it, and the measures we take to protect it.

1. Data Collection

We collect the minimum amount of data necessary to provide the TinyYears service:

• Account information: Email address and authentication credentials (managed via Supabase Auth).
• Child profiles: Names, dates of birth, and optional profile photos you choose to add.
• Journal entries: Text, photos, and voice recordings you create within the app. These are encrypted end-to-end before leaving your device.
• Tracking data: Feed times, sleep logs, nappy changes, growth measurements, medicine doses, temperature readings, and contraction timers you choose to record.
• Device information: Minimal analytics data including device type and app version to help us fix bugs and improve the app.

2. End-to-End Encryption

Your journal entries, photos, and voice recordings are encrypted on your device before being uploaded. The encryption keys are derived from your account and are never transmitted to our servers in an unencrypted form. This means:

• ByteNero cannot read your journal entries, view your photos, or listen to your voice notes.
• Our hosting provider cannot access your content.
• Only you and family members you explicitly invite can decrypt and view your data.

3. Photo and Media Storage

Photos and media files are encrypted on-device and stored securely via our hosting infrastructure. Original files remain on your device. Encrypted copies are synced to enable access across your devices and with invited family members.

4. Hosting and Infrastructure

TinyYears uses Supabase for authentication, database, and storage services. Supabase infrastructure is hosted on AWS in secure, SOC 2 Type II compliant data centres. All data is transmitted over TLS-encrypted connections.

5. We Never Sell Your Data

We do not sell, rent, trade, or otherwise share your personal data with third parties for marketing or advertising purposes. We do not display advertisements in TinyYears. Your family's data is not a product.

6. GDPR Compliance

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

• Right of access: Request a copy of your personal data.
• Right to rectification: Correct inaccurate personal data.
• Right to erasure: Request deletion of your personal data.
• Right to restrict processing: Limit how we use your data.
• Right to data portability: Receive your data in a structured, machine-readable format.
• Right to object: Object to processing of your personal data.

To exercise any of these rights, please contact us at support@tinyyears.app.

7. Children's Privacy (COPPA)

TinyYears is designed for parents and caregivers to record memories about their children. The app is not directed at children under 13, and we do not knowingly collect personal information directly from children. All data about children is entered and managed by their parent or legal guardian.

Parents retain full control over their children's data and can delete it at any time through the app or by contacting us.

8. Data Deletion

You can delete your account and all associated data at any time from within the app under Settings. When you delete your account:

• All journal entries, photos, voice recordings, and tracking data are permanently deleted.
• All child profiles you created are removed.
• Your contributor access to other families' data is revoked.
• This action is irreversible.

You can also request account deletion by emailing support@tinyyears.app.

9. Third-Party Services

TinyYears uses the following third-party services, each with their own privacy policies:

• Supabase: Authentication, database, and storage. Privacy policy.
• Stripe: Payment processing for physical product orders. We do not store your payment card details. Privacy policy.
• RevenueCat: Subscription management and in-app purchases. Privacy policy.
• Sentry: Error tracking and crash reporting. We send minimal diagnostic data with no personal content. Privacy policy.
• Aptabase: Privacy-focused, anonymous usage analytics. No personal data is collected. Privacy policy.
• Lulu: Print-on-demand fulfilment for storybooks. Your shipping address is shared only to fulfil your order. Privacy policy.
• Prodigi: Print-on-demand fulfilment for merchandise (mugs, bibs, etc.). Your shipping address is shared only to fulfil your order. Privacy policy.

10. Data Security

We implement industry-standard security measures including:

• End-to-end encryption for sensitive content.
• TLS encryption for all data in transit.
• Row-level security policies on our database.
• Secure authentication via Supabase Auth.
• Rate limiting on sensitive API endpoints.

11. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any material changes by posting the updated policy within the app and on this page, with an updated "Last updated" date. Continued use of TinyYears after changes constitutes acceptance of the revised policy.

12. Contact Us

If you have any questions about this privacy policy or our data practices, please contact us:

• Email: support@tinyyears.app
• Company: ByteNero