Privacy Policy
Last updated: May 12, 2026 (draft v2)
App: Henry (the “Service”). Operator: Angel Jaime, NYC, USA (the “Operator”, “we”, “us”, and the data controller for Henry under GDPR). Privacy contact: privacy@henrytheapp.com. General contact: hello@henrytheapp.com.
1. What this policy covers
This policy explains what information Henry collects, how we use it, who we share it with, and what choices you have. It applies to the Henry iOS app and any website we operate at henrytheapp.com.
2. Information we collect
Account information
When you sign in with Apple or Google, we receive:
- Your name (if you choose to share it)
- Your email address
- A user identifier from the auth provider
We do not receive your password. Authentication is handled by Clerk on our behalf, using OAuth.
Baby and caregiver information
You provide information about your baby:
- Name
- Date of birth
- Birth weight
- Subsequent weigh-ins (if you log them)
- Vaccine records (date, dose, lot number — if you choose to record them)
And about co-caregivers you invite:
- Their email (when you send an invite)
- The relationship, if specified
Tracking events
As you use the app, you create event records:
- Feeds (time, volume, optional note)
- Pumping sessions (time, volume, side)
- Pee and poop events (time, size qualifier)
- Weigh-ins
- Vaccine entries
Technical information
For the app to function and for us to fix bugs, we collect limited technical data:
- Device model and OS version
- App version
- Anonymous crash reports
- Anonymous performance metrics (e.g. time-to-log, sync latency) — server-side first-party logs only, no third-party SDK
- Push notification token (a device-bound identifier issued by Apple/Expo, used only to send the notifications you opt in to)
Website
The marketing site at henrytheapp.com does not set tracking cookies and does not use third-party analytics. The browser may cache static assets like fonts and stylesheets, but no information about you is sent back to us from the marketing site.
We do not use third-party analytics on any data about your baby.
3. How we use information
- To provide the core service: logging, trends, sync between caregivers.
- To compare your logs against general age-appropriate benchmarks from published sources (AAP, WHO). Benchmarks are informational only — see Section 10 (Medical disclaimer).
- To keep you signed in across devices.
- To send transactional messages (e.g. co-parent invite accepted). We do not send marketing emails.
- To fix bugs and improve performance.
Legal basis for processing (EU/UK users)
If you are in the EU/UK, GDPR requires us to state the legal basis for each processing purpose:
- Performance of a contract: core logging, sync, trends — necessary to provide the Service you signed up for.
- Legitimate interest: crash reports, performance metrics, security monitoring, fraud prevention.
- Consent: push notifications and any other feature you explicitly opt in to.
4. What we do NOT do
- We do not sell your data.
- We do not share your data with advertisers.
- We do not run ads in the app.
- We do not run third-party analytics on information about your baby.
- We do not use your data to train AI models, and our service providers are contractually prohibited from doing so.
5. Who can see your data
- You, from any device signed into your account.
- Caregivers you invite to a baby profile. They see the same data you do for that baby. You can remove a caregiver at any time in Settings.
- The Operator (currently Angel Jaime, the sole employee), only as strictly necessary for support or incident response. Access is logged.
- Service providers we use to run the app:
  - Clerk — authentication
  - Managed Postgres host — database hosting (currently Replit's managed Postgres infrastructure)
  - Apple — App Store distribution, Sign in with Apple, in-app purchases via StoreKit
  - Google — Sign in with Google
  - EAS (Expo) — build and distribution pipeline (does not see your data; only handles builds)
  - Cloudflare — website hosting, edge content delivery, and forwarding of mail sent to hello@ and privacy@henrytheapp.com
Each of these providers operates under a Data Processing Agreement (DPA) with terms compatible with GDPR Article 28.
6. Where your data is stored
On servers in the United States. The database provider is a managed Postgres host with encryption at rest and in transit (TLS).
If you are in the EU/UK, your data is transferred to the United States. We rely on Standard Contractual Clauses with our service providers, and on the EU-US Data Privacy Framework where our provider is certified. You can request a copy of the relevant safeguards by writing to privacy@henrytheapp.com.
7. How long we keep your data
- While you use the app: as long as your account exists.
- After you delete your account: data is soft-deleted immediately and hard-deleted after 7 days, except where we are legally required to retain it (we do not currently have any such obligations).
- Backups: rolling 30-day encrypted backups. Deleted data is also removed from backups in the normal rotation cycle.
- Crash reports and performance logs: retained for 90 days, then deleted.
- Push notification tokens: deleted when you uninstall the app or remove the device from your account.
8. Your choices and rights
You can at any time:
- Export your data to CSV from Settings.
- Delete your account and all associated data from Settings.
- Remove a caregiver from your baby's profile from Settings.
- Ask us any question about your data: privacy@henrytheapp.com. We respond within 7 days.
We may ask for verification of your identity (e.g. via a code sent to your registered email) before fulfilling a deletion or export request.
GDPR / UK-GDPR rights (EU/UK users)
If you are in the EU/UK, you have additional rights under GDPR / UK-GDPR:
- Access, rectification, erasure, portability, restriction, objection.
- Withdraw any consent you've given us (this won't affect prior processing).
- Lodge a complaint with your local data protection authority.
Contact privacy@henrytheapp.com to exercise them.
CCPA / CPRA rights (California users)
If you are in California, the CCPA and CPRA give you the right:
- To know what personal information we collect and how we use it (this policy covers it).
- To delete your personal information (see “Delete your account” above).
- To correct inaccurate personal information (Settings → Baby Profile).
- To opt out of “sale” of your personal information — we do not sell data.
- To limit our use of sensitive personal information. We do not use sensitive personal information for purposes beyond providing the Service.
Contact privacy@henrytheapp.com to exercise these rights.
9. Children
Henry's account holders are parents and other adult caregivers (18+). The app's data is about a child, recorded by the parent or caregiver. We do not knowingly collect personal information directly from any child.
If you believe an account about your child was created without your authorization, contact privacy@henrytheapp.com and we will delete it.
Under the US Children's Online Privacy Protection Act (COPPA) and similar laws, we treat information about a child with heightened care: minimized collection, no third-party analytics on that data, strict access controls.
10. Medical disclaimer
Henry is not a medical device and does not provide medical advice. The benchmarks and trends shown in the app are for your general awareness only. They are not a diagnosis, a treatment plan, or a substitute for professional care. If you have any concern about your child's feeding, growth, diapers, or health, contact your pediatrician. In an emergency, call your local emergency number.
11. Security
We take security seriously. Specifically:
- TLS 1.2 or higher for all API traffic.
- AES-256 encryption at rest for the database.
- Strict authentication on every API request.
- No password storage — we use OAuth via Clerk.
- Regular review of access and audit logs.
No system is perfectly secure. If you believe you have found a security issue, email privacy@henrytheapp.com before disclosing publicly. We'll respond within 72 hours.
12. Changes to this policy
If we make material changes — changes that reduce your rights or expand how we collect or use data — we will update the “Last updated” date at the top, and notify account holders by email and in-app banner at least 14 days before the change takes effect.
Minor wording, typo, or non-material clarifications may be published without that 14-day notice.
13. Contact
Privacy contact: Angel Jaime, sole operator and data controller for Henry
Email: privacy@henrytheapp.com
For general questions: hello@henrytheapp.com