Cradly – Global Master Privacy Policy & Terms of Service (EULA)

Cradly – European Privacy Policy & Terms of Service (EULA)

Target Jurisdiction: European Economic Area (EEA), United Kingdom (UK), and Switzerland (CH)
Last Updated: March 2026
Version: 5.1.0 (EU-GDPR specific)

DOCUMENT PURPOSE AND SCOPE

This comprehensive document encompasses the Privacy Policy, the End-User License Agreement (EULA), and the mandatory Information Notices tailored specifically for users residing in the European Economic Area (EEA), the United Kingdom, and Switzerland.

Governing Legal Framework:

General Data Protection Regulation (EU) 2016/679 (GDPR)
UK General Data Protection Regulation (UK GDPR)
Swiss Federal Act on Data Protection (FADP)
EU ePrivacy Directive (2002/58/EC) as amended (concerning cookies and ad trackers)
EU Consumer Rights Directive (2011/83/EU)
EU Unfair Terms in Consumer Contracts Directive (93/13/EEC)

By downloading, installing, or beginning to use the application, you declare and undertake that you have read, understood, and accepted all provisions in this document as a legally binding agreement.

Linguistic Accessibility and Core Legal Summary (Language Clause):
While the binding legal text is provided in English, we ensure transparency by providing a localized "Critical Contract Summary" within the app's consent interface in your selected language (e.g., Spanish, German). By accepting, you explicitly acknowledge understanding the following core tenets:

Data loss risk: Your data is encrypted locally; if you lose your device or delete the app without a backup, your data is permanently lost. We cannot restore it.
Not medical advice: The app does not provide medical diagnoses or advice. Always consult a pediatrician.
Liability limitation: As a freemium service, our liability for non-intentional damages is strictly limited as permitted by applicable law.

Language of the Agreement & Comprehension:
The application and its comprehensive legal terms are provided primarily in English. By choosing to use the application and accepting these terms, you explicitly declare and warrant that you possess a sufficient understanding of the English language to comprehend the basic operation of the application, the localized "Critical Contract Summary", and the associated legal risks. Users who do not possess sufficient language proficiency to understand these terms must not accept this agreement and should refrain from using the application.

1. EUROPEAN PRIVACY POLICY

1.1 Architectural Approach: Local-First & Zero-Knowledge (Privacy by Design - GDPR Art. 25 & 32)

Cradly is strictly a local-first application built fundamentally on the principles of "Privacy by Design" and "Data Minimization," in absolute compliance with Article 25 of the GDPR.

All sensitive personal data (e.g., baby profiles, health records, feeding, sleep, vaccination logs, photos) is stored EXCLUSIVELY on your personal device.
This data is encrypted locally using the industry-standard AES-256 algorithm.
The encryption key is a randomly generated 32-byte key created securely and exclusively on your device during the initial application setup.
Zero-Knowledge Architecture: Cradly CANNOT access this key, does NOT store it, CANNOT back it up, and CANNOT recover it.

CRITICAL WARNING: ENCRYPTION KEY AND DATA SECURITY

Because the encryption key is generated and stored solely on your device, Cradly DOES NOT KNOW and TECHNICALLY CANNOT ACCESS your health data or decryption keys. By design, the application DOES NOT transmit your health data to a central server.

Your data MAY BE PERMANENTLY LOST in the following situations:

Device loss, theft, permanent formatting, or factory reset.
Deleting and reinstalling the application without possessing a local backup.
Severe hardware failure or operating system memory corruption.

User Responsibility (Mandatory Backups):
You are entirely responsible for the security, integrity, and backup of your data. You must execute regular backups (e.g., weekly) and secure your device with a screen lock/password. Cradly bears no liability for data loss if these mandatory precautions are neglected.

1.2 Our Legal Role: Controller vs. Technical Infrastructure Provider (GDPR Art. 4)

To ensure absolute transparency regarding our legal obligations under GDPR Article 4, we define our roles as follows:

A. Regarding Your Health and Baby Data (WE ARE NOT A DATA CONTROLLER OR PROCESSOR):
Under GDPR, a "Controller" determines the purposes and means of processing, and a "Processor" processes data on behalf of the controller. Because Cradly employs a strict Zero-Knowledge architecture:

We have zero technical access to the encrypted contents on your device.
We do not dictate the purpose of your data entries.
Consequently, since we have no technical access to the encrypted data on your device, we do not act in the capacity of a de facto Data Processor or central Data Controller regarding the content of this health data. Although the processing tools (the software wrapper) are provided by us, data control rests exclusively with you, the user, acting as the sole Controller of your personal household data pursuant to the "household exemption" (GDPR Art. 2(2)(c)).

B. Regarding Optional Consent Data (WE ARE A DATA CONTROLLER):
Cradly acts as a limited Data Controller exclusively concerning pseudonymous technical consent logs.

1.3 Data Processed on the Server-Side and Legal Bases (GDPR Art. 6)

We only process the following strictly limited technical records on our centralized servers (hosted by Supabase):

A. Optional Consent Records:

Data Processed: SHA-256 hash of a Device Consent ID (`local_uuid_hash`), consent event type (`consent_type`), content hash (`consent_text_hash`), app version, and timestamp.
Legal Basis: Processing is necessary for compliance with a legal obligation to demonstrate consent (GDPR Art. 6(1)(c)) and our Legitimate Interest in maintaining verifiable audit trails (GDPR Art. 6(1)(f)).

1.4 Advertising, Google UMP, and the ePrivacy Directive

Scope: ONLY applicable to users of the Free Version.

Cradly operates on a freemium model. Access to the free version is provided strictly on the condition that we may display advertisements to cover development and Server costs.

The Two-Layer Advertising Framework for EEA/UK/CH Residents:

1. Layer One: Ad Display (Performance of a Contract - Art. 6(1)(b)):
The basic display of advertisements is an inseparable contractual condition of utilizing the free version without paying a monetary fee. Therefore, the mere presence of an ad placement relies on the performance of the Terms of Service. To remove all ads, you may purchase the Premium version.

2. Layer Two: Personalization and Ad Trackers (Explicit Consent - Art. 6(1)(a) & ePrivacy Directive):
While the basic display of an ad does not require consent, using your device's advertising identifiers (Apple IDFA or Google GAID) to show you Personalized or Targeted ads strictly requires your explicit, informed consent under the EU ePrivacy Directive and GDPR.

Google UMP Integration: Upon launching the Free Version, you will be presented with a Consent Management Platform dialogue via the Google User Messaging Platform (UMP).
If You Consent: Google LLC (acting as an independent Data Controller) will process your ad identifiers to serve personalized ads tailored to your interests.
If You Decline/Withdraw Consent: The application will respect your choice and automatically fall back to Non-Personalized Ads (NPA). Ads will still be displayed (fulfilling the freemium contract), but they will be contextual and will NOT utilize your IDFA/GAID or tracking history.
Withdrawal: You may easily withdraw your consent for personalized ads at any time via your device's privacy settings or the in-app consent menu.

CRITICAL NOTE: Baby health data entered into the app is NEVER accessed by, or shared with, any advertising networks (including Google) under any circumstances.

1.4.1 Rewarded Ads (Optional, User-Initiated)

In addition to standard banner ads, Cradly offers rewarded ads that Free Version users can voluntarily watch in exchange for specific in-app features. These ads are completely optional and are never shown automatically.

Features Utilizing Rewarded Ads:

Lullaby Background Playback: Free users may watch a rewarded ad to temporarily enable background audio playback within the app's built-in lullaby player (maximum 60 minutes per session, stackable).
14-Day Report Export: Free users may watch a single rewarded ad to export their detailed 14-day statistics report once.

Activation Conditions:
Unlike standard ads, rewarded ads are NOT subject to the 7-day waiting period, the 8-record threshold, or the nighttime filter. Only the following two conditions must be met:

Presence of a valid advertising consent (e.g., UMP personalized or non-personalized state).
An active internet connection.

Completely Optional:
Watching a rewarded ad is never mandatory. Users who do not wish to view ads can purchase the Premium version to access these features ad-free or simply choose not to use the features.

Processed Data and Personalization:
Rewarded ads rely on the same consent decision as standard banner ads. Under the Google UMP consent framework in the EEA/UK, the ads will be served as personalized or non-personalized based on your explicit choice in the UMP consent form. Google's SDK processes the IAB TCF consent string to determine the lawful targeting method. Under no circumstances are baby health data shared with advertising networks or used for any ad targeting.

1.5 Telemetry, Crash Reports, and Analytics

To improve system stability and performance, we collect anonymous crash reports (Firebase Crashlytics) and usage metrics (Firebase Analytics).

Legal Basis: Explicit, optional User Consent (GDPR Art. 6(1)(a)).
Data Processed: Device model, OS version, app version, anonymous installation UUID, and crash stack traces. NO personal identifiers, health data, or tracking IDs are collected for analytics.
You may disable this processing at any time within the application settings without affecting your ability to use the app.

1.6 Third-Party Processors & International Data Transfers (GDPR Chapter V)

A. Supabase (Data Storage Infrastructure):

Server Location: EU-West-3 (Paris, France).
International Transfers: Your technical consent logs are stored within the EU. Any incidental transfers outside the EEA by Supabase’s sub-processors are governed by a Data Processing Agreement (DPA) incorporating the European Commission’s Standard Contractual Clauses (SCCs).

B. Google Analytics, Crashlytics & AdMob:

Server Location: Global (including the USA).
International Transfers: Data processed by Google LLC is transferred to the United States. These transfers are safeguarded under the EU-US Data Privacy Framework (DPF) (where Google is certified) or, alternatively, by Standard Contractual Clauses (SCCs) embedded in Google's Data Processing Terms.

C. RevenueCat (Subscription Management):

Purpose: Managing and validating Premium subscriptions.
Server Location: Global (including the USA).
International Transfers: RevenueCat processes anonymous app store receipts without linking them to your real identity. Transfers are safeguarded by the EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs), ensuring full compliance with GDPR Chapter V.

1.7 Data Subject Rights (GDPR Art. 15-22)

Under the GDPR, you possess comprehensive rights regarding your personal data:

Right of Access, Rectification, and Erasure (Right to be Forgotten):
- For Health Data: Because we have absolute Zero-Knowledge, we literally cannot access, view, or delete your health data remotely. You must exercise these rights directly on your own device by modifying or deleting the entries, or by uninstalling the application (which permanently eradicates the local database).
- For Server Consent Logs: To delete logs held on our servers, go to "Settings > My Identity", copy your "Consent ID", and email it to `infocradlelog@gmail.com` with the subject "GDPR Erasure Request". We will irrevocably anonymize or delete your records within 30 days.
Right to Withdraw Consent: You can withdraw your consent for Analytics, Crashlytics, and Personalized Ads (via UMP) at any time through the application settings. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Right to Restriction & Object: Applicable to processing based on legitimate interests (e.g., fraud prevention records).
Right to Lodge a Complaint: You have the right to lodge a complaint with the Supervisory Authority in your Member State of habitual residence or place of work if you consider that the processing of your personal data infringes the GDPR.

1.8 Children's Privacy (GDPR Art. 8)

While the subject matter involves baby care, Cradly is strictly designed for, and targeted at, parents and legal guardians aged 18 and older. We do not offer information society services directly to children. By utilizing the app, you declare you are the lawful guardian possessing the legal authority to process the child's sensitive data exclusively on your own device.

2. END-USER LICENSE AGREEMENT (EULA)

2.1 Medical Disclaimer (Not a Medical Device under MDR)

Cradly IS NOT A MEDICAL DEVICE.

Under the EU Medical Device Regulation (MDR 2017/745), Cradly does not qualify as a medical device or diagnostic software. It is strictly an administrative tracking tool.

Information in the app is general and not medical advice.
All medical, feeding, and diagnostic decisions must be consulted directly with a licensed healthcare professional or pediatrician.
The application must NEVER be relied upon in medical emergencies or for monitoring vital physiological processes.

2.2 Disclaimer of Warranties and Limitation of Liability (EU Standards)

A. Statutory Rights Unaffected:
Nothing in this EULA shall exclude or limit Cradly's liability for death or personal injury caused by our negligence, for fraud or fraudulent misrepresentation, or for intentional misconduct ("wilful act") and gross negligence, as mandated by the applicable laws of your EU Member State. Furthermore, this agreement does not affect your mandatory statutory rights as a consumer.

B. Provision "As-Is" and Specific Exclusions:
Subject to the mandatory rights above, the application is provided "as is" and "as available". We specifically exclude liability for:

Data Loss: Cradly is absolutely not liable for any data loss resulting from device failure, loss of device, memory corruption, or the user's failure to create a local backup (especially prior to installing an app update).
Indirect Damages: We accept no liability for indirect losses, consequential damages, lost time, emotional distress, or commercial losses.
Free Version: If you suffer a loss in relation to the Free Version, our liability (outside of death, injury, or gross negligence) is strictly excluded, given the service is provided completely free of charge.
Premium Version Liability Cap: For Premium users, our maximum aggregate liability for any direct, foreseeable damages arising out of this agreement is strictly capped to the exact amount paid for the Premium subscription (e.g., €9.99 or equivalent local currency).

C. Exception for Material Contractual Obligations (Cardinal Duties):
Notwithstanding the above, the limitations and exclusions of liability set forth in this section do not apply to foreseeable and typical damages arising from the breach of material contractual obligations (the core functions of the application) caused by our simple negligence.

2.3 Exception to the Right of Withdrawal (EU Consumer Rights Directive 2011/83/EU)

IMPORTANT NOTICE FOR PREMIUM SUBSCRIPTIONS:
The Premium version of Cradly is classified as digital content supplied instantly on a non-tangible medium. Under Article 16(m) of the EU Consumer Rights Directive, you explicitly consent to the immediate performance of the contract upon purchase and expressly acknowledge that you will lose your 14-day right of withdrawal (refund right) once the download or access begins. Refund requests remain strictly governed by the policies of the platform where you purchased it (Apple App Store or Google Play Store). Cradly possesses no technical capability to override these central app-store refund policies.

2.4 Device Notifications and Operating System (OS) Limitations

The alarm and reminder functions of Cradly are subject to the restrictions of your device's local Operating System (Apple iOS or Google Android). The application does not use remote servers for push notifications (Offline/Local-First functionality); instead, it relies exclusively on local notification scheduling running directly on the device.

As a User, you explicitly understand and agree to the following technical facts:

OS battery management features (such as Doze Mode or Low Power Mode), Focus Modes (Do Not Disturb), or the user's action of force-closing the application from the background (kill-state/swipe-up) may restrict, delay, or block the OS from triggering the scheduled alarms.
Any such technical delays or blocking of alerts by the OS are entirely beyond the control of Cradly and do not constitute a defect in the designated service.
It is absolute that critical reminders (such as fever measurements or medication schedules) must not solely rely on the reliability of an electronic health tracking application (Refer back to Section 2.1 Medical Disclaimer).

3. CLOSING PROVISIONS

3.1 Governing Law, Dispute Resolution, and Consumer Jurisdiction

Governing Law: These Terms and Privacy Policy shall be governed by and construed in accordance with the laws of the Republic of Turkey, provided, however, that this choice of law does not deprive a consumer residing in the European Union, the UK, or Switzerland of the protection afforded by provisions that cannot be derogated from by agreement by virtue of the law of the consumer's habitual residence (Rome I Regulation Art. 6(2)).

Jurisdiction over Consumer Disputes: If you are acting as a consumer, you may bring proceedings against Cradly either in the courts of the Republic of Turkey OR in the competent courts of the EU Member State (or the UK/Switzerland) in which you are domiciled.

Online Dispute Resolution (ODR):
If you reside in the EU, the European Commission provides an Online Dispute Resolution (ODR) platform for resolving consumer disputes, available at http://ec.europa.eu/consumers/odr/. We prefer to resolve issues directly; please contact us at our email address first. We are not obliged and generally unwilling to participate in dispute settlement proceedings before a consumer arbitration board, except where mandated by local law.

3.2 Severability and Amendments

If any provision of this Agreement is found to be unenforceable or invalid by a competent court, the remainder of the Agreement shall remain in full force and effect. We reserve the right to amend these terms; significant changes materially affecting your GDPR rights will trigger a newly required consent dialogue upon launching an app update.

Cross-Border Re-Consent (GDPR Art. 7(3)): Upon each application launch, the app automatically detects the user's legal jurisdiction based on IP address and device locale in accordance with the Rome I Regulation (EC 593/2008). If the user's device crosses into a different legal jurisdiction (e.g., from the EEA to a non-EEA country or vice versa), or if the applicable legal document for the user's jurisdiction has been updated, the application presents the legally applicable document for the new jurisdiction and requires a new freely given, specific, informed, and unambiguous indication of the user's agreement pursuant to GDPR Art. 4(11) and Art. 7. The user may not access the application without accepting the terms applicable to their current jurisdiction. Previous consent records retain their validity and remain stored in encrypted form on the device; re-consent creates an additional record without invalidating prior ones.

Contact Information (Data Controller):

Company Name: Nuran Kocaoğlu – Cebir Mühendislik Proje ve Bilişim
Address: Kazımiye Mahallesi, Salih Omurtak Cad. No:16 İç Kapı No:17, 59850 Çorlu / Tekirdağ / Turkey (Türkiye)
Tax Identification: 5670114825 (Çorlu Tax Office)
Email: infocradlelog@gmail.com
Website: www.cebirproje.com

By utilizing the application, the User declares that they have read, understood, and accepted these texts as a legally binding agreement.