Privacy Policy

Last updated: March 26, 2026

Summary (TL;DR)

  • TinyKicks helps you track your baby's kicks during pregnancy. We collect pregnancy-related data, kick session logs, and basic account info to provide this service.
  • You can use the app anonymously — no email or password required. You can optionally sign in with Apple or Google.
  • Your data is stored in the cloud (Supabase, US servers) and protected by Row Level Security — only you can access your data.
  • We use PostHog for analytics and Sentry for error tracking. Both include session replay features that record screen interactions, including text input and screenshots.
  • We collect push notification tokens if you enable reminders. You can disable notifications at any time.
  • Pregnancy data (due date, baby gender, etc.) may be considered health-related data under GDPR. We process it based on your explicit consent, obtained during onboarding.
  • We never sell your personal data. All third-party processors are listed below.
  • You can delete your account and all data at any time via notjust.app/tinykicks/delete-account.

1. Introduction

This Privacy Policy explains how NOTJUST.DEV, SL ("Company", "we", "us", or "our"), a company registered in C/ Balmes 129bis 4º 2ª, 08008 Barcelona, Spain, collects, uses, discloses, and protects your information when you use the Baby Kick Counter: TinyKicks mobile application ("App").

We are committed to protecting your privacy in accordance with:

  • GDPR — General Data Protection Regulation (EU) 2016/679
  • LOPDGDD — Spanish Organic Law 3/2018 on the Protection of Personal Data
  • CCPA/CPRA — California Consumer Privacy Act and California Privacy Rights Act
  • COPPA — Children's Online Privacy Protection Act
  • ePrivacy Directive — Directive 2002/58/EC on privacy and electronic communications

By using the App, you agree to the collection and use of information in accordance with this Privacy Policy. Where we rely on consent as the legal basis (particularly for pregnancy data and session replays), we will obtain your explicit consent before processing.

2. Data Controller & DPO

The data controller responsible for your personal data is:

NOTJUST.DEV, SL
C/ Balmes 129bis 4º 2ª, 08008 Barcelona, Spain
NIF: B26785477
Email: support@notjust.app

Data Protection Officer (DPO)
For any privacy-related inquiries or to exercise your data rights, contact our Data Protection Officer at:
Email: support@notjust.app
Please include "DPO" or "Privacy Request" in your subject line.

3. Information We Collect

3.1 Information You Provide

  • Account Information: If you sign in with Apple or Google, we receive your name and email address from the authentication provider. If you use the App anonymously, we create an anonymous account with a unique identifier — no name or email is required.
  • Profile Data: Name (optional), onboarding completion status, notification preferences, and preferred notification time.
  • Pregnancy Data: Due date, date calculation method (due date / last period / conception date), baby's gender (boy / girl / surprise), whether this is your first pregnancy, and peak activity time preference (morning / afternoon / evening / night). See Section 5 for details on how we handle this sensitive data.
  • Kick Session Data: Kick counts, session timestamps, duration, and movement logs you record within the App.
  • Support Requests: Information you provide when contacting our support team, including any screenshots submitted via the Sentry feedback feature.

3.2 Information Collected Automatically

  • Usage & Analytics Data: How you interact with the App, including features used, session duration, screens viewed, actions taken, onboarding step completion, paywall interactions, and open events. Collected via PostHog, including session replays (see Section 8).
  • Device Information: Device type, operating system version, platform (iOS/Android), unique device identifiers, language settings, and mobile network information.
  • Network Telemetry: Network request metrics captured on iOS via PostHog.
  • System Logs: Application logs captured on Android via PostHog.
  • Push Notification Tokens: If you enable notifications, we collect your Expo push notification token and store it linked to your user profile and platform. See Section 9.
  • Purchase Data: Records of in-app purchases and subscription status, processed through RevenueCat, including purchase history, subscription status, and device identifiers.
  • Error & Performance Data: Crash reports, performance diagnostics, and session replays (on error) collected via Sentry. Sentry is configured to send default PII, including your user ID and email address (if signed in). User feedback with screenshot capture is enabled.

3.3 Information We Do NOT Collect

  • We do not collect precise geolocation data.
  • We do not collect biometric data.
  • We do not collect data from users who have not installed and opened the App.
  • We do not access your device's camera, microphone, or contacts.

4. Anonymous Accounts

You may use the App without providing any personal information. Here is how anonymous accounts work:

  • On first launch, the App creates an anonymous account with a unique identifier. No email, name, or password is required.
  • Data collected for anonymous accounts: We still collect usage analytics (PostHog), error data (Sentry), device information, and any pregnancy and kick data you enter. This data is linked to your anonymous identifier.
  • Cloud storage: Even anonymous account data is stored in our cloud database (Supabase), not only on your device.
  • Upgrading to a full account: You can upgrade your anonymous account by signing in with Apple or Google at any time. When you upgrade, all your existing data (pregnancy info, kick sessions, preferences) is preserved and linked to your new authenticated account. Your anonymous identifier is replaced by your authenticated identity.
  • Limitations of anonymous accounts: If you uninstall the App or lose your device without upgrading to a full account, you may lose access to your data, as there is no way to recover an anonymous account.

5. Pregnancy Data (Special Category)

The pregnancy data we collect (due date, baby's gender, whether this is your first pregnancy) may be considered health-related data under GDPR Article 9 ("special categories of personal data").

How we handle this data:

  • Explicit consent: We obtain your explicit consent to process this data during the App's onboarding flow, before any pregnancy data is collected. You must affirmatively agree to the collection and processing of this data.
  • Purpose limitation: Pregnancy data is used solely to personalize your kick tracking experience (e.g., calculating gestational age, displaying relevant milestones).
  • Storage: Pregnancy data is stored in a dedicated pregnancies table in Supabase, linked to your user profile. Multiple pregnancies per user are supported (one active at a time).
  • Row Level Security: All pregnancy data is protected by Supabase Row Level Security — only you can access your own data.
  • Withdrawal of consent: You may withdraw your consent at any time by deleting your pregnancy data or your account. Withdrawal does not affect the lawfulness of processing before withdrawal.

6. Legal Bases for Processing (GDPR)

Under the GDPR, we process your personal data based on the following legal grounds:

| Processing Activity | Legal Basis | GDPR Article | |---|---|---| | Providing the App and kick tracking features | Performance of a contract | Art. 6(1)(b) | | Processing payments and subscriptions | Performance of a contract | Art. 6(1)(b) | | Cloud storage and data sync | Performance of a contract | Art. 6(1)(b) | | Account creation and authentication | Performance of a contract | Art. 6(1)(b) | | Processing pregnancy data | Explicit consent | Art. 6(1)(a) & Art. 9(2)(a) | | Analytics and App improvement (PostHog) | Legitimate interest | Art. 6(1)(f) | | Session replay recording (PostHog & Sentry) | Legitimate interest | Art. 6(1)(f) | | Error tracking and diagnostics (Sentry) | Legitimate interest | Art. 6(1)(f) | | Push notification delivery | Consent | Art. 6(1)(a) | | Fraud prevention and security | Legitimate interest | Art. 6(1)(f) | | Legal compliance | Legal obligation | Art. 6(1)(c) |

Where we rely on legitimate interest, we have conducted a balancing test and determined that our interests do not override your rights and freedoms. You have the right to object to processing based on legitimate interest (see Section 13).

7. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the App and kick tracking features
  • Store and sync your data across devices when you are signed in
  • Personalize your experience based on your pregnancy data
  • Process transactions and manage subscriptions via RevenueCat
  • Send push notification reminders for daily kick tracking
  • Monitor App performance and fix errors via Sentry
  • Analyze usage patterns, onboarding funnels, and improve the App via PostHog
  • Record session replays to identify usability issues and bugs
  • Detect, investigate, and prevent fraud and abuse
  • Respond to support requests
  • Comply with legal obligations

8. Session Replay & Screen Recording Disclosure

We use session replay technology in PostHog and Sentry to understand how users interact with the App and to diagnose issues. This means your screen interactions may be recorded.

PostHog Session Replay

  • What is captured: Screen interactions, taps, navigation, and scrolling behavior. Text input is captured (text masking is disabled). Images are captured (image masking is disabled). Network request telemetry is captured on iOS. System logs are captured on Android.
  • Recording frequency: Screen snapshots are captured approximately every 1 second.
  • Purpose: To analyze user behavior, identify usability issues, and improve the onboarding flow and overall App experience.

Sentry Session Replay

  • What is captured: Session replays are recorded for 10% of normal sessions and 100% of sessions where an error occurs. Text is not masked. Images are not masked. User feedback with screenshot capture is enabled.
  • PII in error reports: Sentry is configured to send default personally identifiable information (PII), including your user ID and email address (if you are signed in).
  • Purpose: To diagnose crashes, errors, and performance issues.

Your choices

  • Session replays are captured as part of the App's analytics and error tracking functionality. If you do not wish to have your sessions recorded, you may stop using the App.
  • You can request deletion of your data, including any session replays, by contacting us at support@notjust.app.

9. Push Notifications

  • What we collect: If you enable push notifications, we collect your Expo push notification token and store it in our database, linked to your user profile and platform (iOS or Android). One token per device per user is stored.
  • How notifications work: Daily kick reminder notifications are scheduled locally on your device at your preferred time. The push token is used to deliver reminders.
  • How to opt out: You can disable notifications at any time through the App's settings or your device's notification settings. When you disable notifications, your push token is retained but notifications are no longer sent. When you delete your account, your push token is permanently deleted.
  • Purpose: To remind you to complete your daily kick counting session.

10. Data Sharing & Third-Party Processors

We do not sell your personal information. We share data with the following service providers, who process data on our behalf under data processing agreements:

| Processor | Purpose | Data Shared | Location | |---|---|---|---| | Supabase | Database, authentication, storage | User profiles, pregnancy data, kick sessions, push tokens | US (AWS) | | PostHog | Analytics & session replay | User behavior, session video, text input, events, network telemetry | US | | Sentry | Error tracking & session replay | Crash reports, device info, user ID, email, session replays, screenshots | US | | RevenueCat | In-app purchase management | Subscription/payment data, device identifiers | US | | Expo | Push notifications | Push tokens, device identifiers | US | | Apple | Authentication, App Store, payments | Apple ID, auth tokens, purchase data | US | | Google | Authentication, Play Store, payments | Google account, auth tokens, purchase data | US |

We may also disclose your information:

  • To comply with applicable laws, regulations, or legal processes
  • To protect the rights, property, or safety of our Company, our users, or others
  • In connection with a merger, acquisition, or sale of assets (you will be notified in advance)

11. International Data Transfers

Our Company is established in the EU (Spain), but your data is processed by service providers located in the United States. These transfers are conducted in compliance with the GDPR using one or more of the following safeguards:

  • EU-U.S. Data Privacy Framework (DPF) — where the provider is certified under the DPF
  • Standard Contractual Clauses (SCCs) — approved by the European Commission (Commission Implementing Decision (EU) 2021/914)
  • Your explicit consent to the transfer, where applicable

You may request a copy of the relevant safeguards by contacting us at support@notjust.app.

12. Data Retention

We retain your data for the following periods:

| Data Category | Retention Period | |---|---| | Profile data | Retained while your account is active. Deleted within 30 days of account deletion request. | | Pregnancy data | Retained while your account is active. Deleted within 30 days of account deletion request. | | Kick session data | Retained while your account is active. Deleted within 30 days of account deletion request. | | Push notification tokens | Removed when you disable notifications or delete your account. | | Analytics data (PostHog) | Retained for 12 months, then anonymized or deleted. | | Session replays (PostHog) | Retained for 30 days. | | Error logs (Sentry) | Retained for 90 days. | | Session replays (Sentry) | Retained for 90 days. |

When you request account deletion, we will permanently delete your personal data within 30 days, except where retention is required by law (e.g., financial records for tax purposes). You can request account deletion at notjust.app/tinykicks/delete-account.

Anonymous accounts: If you do not upgrade to a full account and do not actively use the App for 24 months, we may delete your anonymous account and associated data.

13. Your Rights (EU/EEA — GDPR)

If you are located in the EU/EEA, you have the following rights under the GDPR:

  • Access (Art. 15) — Request a copy of the personal data we hold about you
  • Rectification (Art. 16) — Request correction of inaccurate or incomplete data
  • Erasure (Art. 17) — Request deletion of your personal data ("right to be forgotten")
  • Restriction (Art. 18) — Request restriction of processing in certain circumstances
  • Data portability (Art. 20) — Receive your data in a structured, commonly used, machine-readable format (JSON)
  • Object (Art. 21) — Object to processing based on legitimate interests, including session replay recording and analytics
  • Withdraw consent (Art. 7) — Withdraw consent at any time (e.g., for pregnancy data processing or push notifications), without affecting the lawfulness of processing before withdrawal
  • Lodge a complaint — File a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es or your local supervisory authority

To exercise any of these rights, contact us at support@notjust.app. We will respond within 30 days (or as required by applicable law). We may request verification of your identity before processing your request.

14. Your Rights (California — CCPA/CPRA)

If you are a California resident, you have the following rights:

  • Right to Know — Know what personal information we collect, use, disclose, and sell (we do not sell your data)
  • Right to Delete — Request deletion of your personal information
  • Right to Correct — Request correction of inaccurate personal information
  • Right to Opt-Out — Opt out of the sale or sharing of personal information (we do not sell or share your data for cross-context behavioral advertising)
  • Right to Limit Use of Sensitive Personal Information — We collect pregnancy-related information which may be considered sensitive under CPRA. You may request that we limit its use to what is necessary to provide the service.
  • Non-Discrimination — We will not discriminate against you for exercising your privacy rights

To exercise any of these rights, contact us at support@notjust.app or submit a deletion request at notjust.app/tinykicks/delete-account. We will respond within 45 days as required by the CCPA.

Categories of personal information collected (per CCPA Section 1798.100):

  • Identifiers (name, email, device IDs, anonymous IDs)
  • Internet or electronic network activity (usage data, session replays)
  • Health-related information (pregnancy data)
  • Commercial information (purchase and subscription history)

15. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption of data in transit (TLS/SSL) and at rest
  • Row Level Security in Supabase — users can only access their own data
  • Access controls and authentication for internal systems
  • Data processing agreements with all third-party processors
  • Regular security assessments

However, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

16. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority (AEPD) within 72 hours of becoming aware of the breach, as required by GDPR Article 33
  • Notify affected users without undue delay when the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34
  • Document the breach, its effects, and remedial actions taken

17. Children's Privacy

The App is rated 9+ on app stores. However:

  • We do not knowingly collect personal information from children under 13 (as required by COPPA).
  • We do not knowingly collect personal information from children under 16 without parental consent (as required by GDPR Article 8).
  • The App is designed for expectant mothers and is not targeted at children.

If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at support@notjust.app.

18. Cookie & Tracking Policy

The App does not use browser cookies. However, the App uses the following tracking technologies:

  • PostHog SDK: Collects analytics events, session replays (including text input and images), and network telemetry. An anonymous or authenticated user identifier is used to link sessions.
  • Sentry SDK: Collects error reports, performance data, and session replays. Configured to send PII (user ID, email).
  • RevenueCat SDK: Tracks subscription and purchase events using device identifiers.
  • Expo Notifications: Stores push notification tokens linked to user profiles.

These tracking technologies are necessary for the operation and improvement of the App. By using the App, you acknowledge the use of these technologies as described in this policy.

19. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated Privacy Policy in the App
  • Updating the "Last updated" date at the top of this page
  • For material changes affecting your rights, providing in-app notification

We encourage you to review this Privacy Policy periodically. Continued use of the App after changes constitutes acceptance of the updated policy, except where consent is required for specific processing activities.

20. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

NOTJUST.DEV, SL
C/ Balmes 129bis 4º 2ª, 08008 Barcelona, Spain
NIF: B26785477
Email: support@notjust.app

For privacy-specific inquiries, please include "Privacy" or "DPO" in your subject line.