Cradly – Global Master Privacy Policy & Terms of Service (EULA)

Last Updated: April 2026
Version: 6.0.0 - Global Compliance & Privacy Shield

DOCUMENT PURPOSE AND SCOPE

This document encompasses the Privacy Policy, End-User License Agreement (EULA), and Global Privacy Notices for the provisioning of the Cradly application worldwide.

Legal Framework (The Global Shield):

General Data Protection Regulation (GDPR - EU/UK)
California Consumer Privacy Act (CCPA) & California Privacy Rights Act (CPRA)
U.S. Federal Trade Commission (FTC) Act Section 5 standards (Truth-in-Advertising & Privacy)
Children's Online Privacy Protection Act (COPPA - USA)
Health Insurance Portability and Accountability Act (HIPAA - USA) (Disclaimer)
6698 numbered Personal Data Protection Law (KVKK - Turkey)

Binding Nature of the Document:
By downloading, installing, or beginning to use the application, you declare and undertake that you have read, understood, and accepted all provisions in this document.

Language of the Agreement & Comprehension:
The application and its comprehensive legal terms are provided primarily in English. By choosing to use the application and accepting these terms, you explicitly declare and warrant that you possess a sufficient understanding of the English language to comprehend the basic operation of the application, the provided legal summaries, and the associated legal risks. Users who do not possess sufficient language proficiency to understand these terms must not accept this agreement and should refrain from using the application.

1. GLOBAL PRIVACY POLICY

1.1 Architectural Approach: Local-First & Zero-Knowledge (FTC Act Compliance)

Cradly is a local-first application built on the principles of privacy by design and data minimization. In accordance with Section 5 of the FTC Act prohibiting deceptive privacy practices, we explicitly declare how our architecture operates:

Dual-Layer Local Storage Architecture: To ensure optimum device performance while maintaining strict local privacy, your data is partitioned into two secure local layers:
1. Textual & Health Data (AES-256): All structured data (baby profiles, sleep/feeding logs, allergy notes, journals) is encrypted locally inside a SQLite database using the AES-256 algorithm. The 32-byte encryption key is generated and safely stored exclusively within your device's secure keystore (Zero-Knowledge).
2. Media Files (App Sandbox): Because encrypting large media files inside a database causes severe device performance degradation and battery drain, your photos and videos are stored outside the database, strictly within the Operating System's isolated "App Sandbox." These media files are NEVER saved to your public phone gallery and rely directly on your device's native Full Disk Encryption (FDE).
3. On-Device Media Processing & Editing: All advanced photo and video editing features provided within the application (e.g., aspect ratio cropping, rotation, background blurring, adding stickers) are performed 100% locally on your device's processor (On-Device Processing). Cradly DOES NOT upload your private media files to any external AI or cloud servers for editing purposes.
4. OS-Level Cloud Backup Disclaimer: While Cradly isolates your media files within the local App Sandbox, your device's Operating System (e.g., Apple iCloud or Google Drive) may attempt to automatically backup this sandbox to their cloud servers based on your device's global backup settings. Cradly has no control over, and no liability for, your data privacy if your device uploads your Sandbox files to platforms like iCloud or Google Drive.
5. Device Storage Capacity and Uncompressed Media Protocol: As a strict Local-First application, all media, including high-fidelity photos and "uncompressed" or lossless video recordings offered as Premium features, are written directly to your device's physical storage (inside the secure App Sandbox). Cradly operates without cloud servers and therefore intentionally does not impose artificial, server-side data quotas. The user explicitly acknowledges that generating high-resolution, uncompressed media files requires significant disk space and may rapidly deplete the device's remaining local memory.

CRITICAL WARNING: ENCRYPTION KEY AND DATA SECURITY

Because the encryption key is generated and stored solely on your device, Cradly DOES NOT KNOW and TECHNICALLY CANNOT ACCESS this key.

Your data MAY BE PERMANENTLY LOST in the following situations:

Losing or having your device stolen.
Deleting and reinstalling the application without a backup.
Formatting or factory-resetting your device.
Operating system or hardware failure (memory corruption, storage error).
Using aggressive memory cleaning applications.

Advanced Recovery Feature: Our application attempts to repair corrupted local databases (SQLite) using built-in on-device tools. However, in cases of device loss, permanent formatting, or severe hardware crashes, data recovery is technically IMPOSSIBLE.

Cradly CANNOT recover your data from a central server under any circumstances and is NOT LIABLE for data loss because:

By design, the application DOES NOT send your health data to a server; it keeps it on the phone.
We DO NOT KNOW and are technically UNABLE to access the encryption key.
There is absolutely NO backdoor to the system.
Your data relies entirely on the security of your device.

MANDATORY USER RESPONSIBILITY FOR BACKUPS:
The User is ENTIRELY RESPONSIBLE for the security and backup of their data. As a user, you must:

Make regular backups (at least once a week).
Store backups in a secure location.
Always take a backup before changing devices.
Always take a backup before updating the application.
Ensure device security (screen lock, secure password, etc.).

(Note: Features like cross-device syncing, cloud backups, or family sharing are currently disabled. Your data remains completely isolated and offline.)

Cradly accepts no liability for data loss experienced by users who ignore these warnings and fail to take regular backups.

1.2 Data Processed on the Server-Side

In Cradly, the foundational legal agreements MANDATORY for accessing the app (e.g., EULA, Privacy Policy) are embedded as internal files (assets). Your consent to these foundational agreements is NEVER SENT to our servers; it is verified and stored 100% locally (offline) on your device.

Cradly only processes technical records on centralized servers (Supabase) for optional consent proof:

A. Optional Consent Records:

SHA-256 hash of a Device Consent ID (local_uuid_hash)
Unique record ID for each consent event (consent_id)
Consent event type (consent_type - e.g., AD_ALLOWED, CRASHLYTICS_ALLOWED)
Content hash of the related consent text (consent_text_hash)
Application version (app_version)
Server timestamp (created_at)

1.3 Legal Status of Data Processing (Controller vs. Provider)

Cradly operates under the following legal roles regarding the processing of data:

A. Regarding Health Data (WE ARE NOT A DATA CONTROLLER OR BUSINESS):

Cradly acts strictly as a "Technical Infrastructure Provider" and is NOT a "Data Controller" (under GDPR/KVKK) or a "Business" (under CCPA) concerning the health data stored locally on the user's device.

Justification for This Legal Stance:

No Technical Access: This data is stored on the user's device with AES-256 encryption. Cradly CANNOT technically access the contents of this data.
Encryption Key Control: The 32-byte encryption key is generated and stored exclusively on the user's device. Cradly DOES NOT know this key and has NO access to it whatsoever.
Determination of Purpose and Means: This data is processed for purposes determined entirely by the user (baby care tracking) and under the user's explicit control. Cradly merely provides the technical infrastructure (the application software and the encryption library) facilitating this processing.
User as the Data Controller: The User, who possesses the device and holds the exclusive capability to access and decrypt the data, acts as the sole "Data Controller" of the health data stored within their own device.

1.4 Third-Party Services & International Data Transfers

1.4.1 Supabase (Data Storage Infrastructure)

Purpose: Storing optional consent records.
Server Location: EU-West-3 (Paris, France).
Transferred Data: Cryptographic hashes for consent logs. NO HEALTH DATA, NO CREDIT CARD INFO, NO NAMES are transferred.
Legal Basis & DPA: Processed based on Legal Obligation and Legitimate Interest. International transfers are governed by a Data Processing Agreement (DPA) incorporating Standard Contractual Clauses (SCCs) signed with Supabase Inc. (Executed Feb 28, 2026).

1.4.2 Advertising Services (Google AdMob)

Scope: ONLY for users of the Free Version.
Advertiser Identifiers: Apple IDFA or Google GAID.
Data Controller for Ads: Google LLC operates as an independent Data Controller for the processing of advertising identifiers where applicable.

THE TWO-LAYER ADVERTISING FRAMEWORK:

1. Layer One: Ad Display (Contractual Condition)
Showing ads in the free version is an inseparable part of the Free Version EULA—the foundation of our freemium service model. It allows the app to be offered without charging a direct monetary fee. Therefore, the simple display of an ad relies on the performance of a contract (Terms of Service), not explicitly on user consent. To remove all ads entirely, you may purchase the Premium version.

2. Layer Two: Regional Personalization (NPA vs. Explicit Consent)
Whether the ads shown to you are personalized (using your IDFA/GAID) depends strictly on the geographical region in which the application is operated:

Unregulated Regions (Default NPA): For users in regions where specific consent dialogues are not mandated by Google's global policies (e.g., Turkey, Indonesia, and various other jurisdictions globally), Cradly enforces Non-Personalized Ads (NPA) as the default standard.
Regulated Regions (EEA, UK, US Regulated States): If your IP address dictates you are in a heavily regulated jurisdiction requiring active user choice, Google UMP (User Messaging Platform) will present a consent screen asking if you allow personalized ads.

1.4.2.1 Rewarded Ads (Optional, User-Initiated)

In addition to standard banner ads, Cradly offers rewarded ads that Free Version users can voluntarily watch in exchange for specific in-app features.

Features Utilizing Rewarded Ads:

Lullaby Background Playback: Free users may watch a rewarded ad to temporarily enable background audio playback.
14-Day Report Export: Free users may watch a single rewarded ad to export their detailed 14-day statistics report once.

1.4.3 Telemetry, Crash Reports, and Analytics

Cradly collects anonymous crash reports (Firebase Crashlytics) and usage analytics (Firebase Analytics) strictly based on explicit, optional user consent.

1.4.4 Premium Subscription Management (RevenueCat)

Purpose: Managing in-app purchases and subscriptions securely.
Data Processor: RevenueCat Inc.
Processed Data: Anonymous platform receipts and anonymous App User IDs.

2. SPECIFIC REGIONAL DISCLOSURES & RIGHTS (THE GLOBAL SHIELD)

2.1 U.S. Healthcare Disclaimer (HIPAA & FDA)

HIPAA: CRADLY IS NOT A COVERED ENTITY OR A BUSINESS ASSOCIATE UNDER HIPAA.
This application is strictly a personal, consumer-facing record-keeping software tool. Your data is NOT protected by HIPAA regulations.

FDA: This application is NOT a medical device, has not been evaluated by the FDA or any equivalent international medical authority.

2.2 Children's Privacy (COPPA & GDPR-K Disclaimer)

Cradly is strictly designed for, and targeted at, parents and legal guardians aged 18 and older. Cradly is NOT a "Child-Directed" application.

2.3 U.S. State Privacy Laws (CCPA / CPRA / VCDPA)

Cradly DOES NOT sell or share your personal information for cross-context behavioral advertising.

2.5 Data Deletion and the Right to be Forgotten

Deleting Local Data: Uninstalling the app permanently and irreversibly destroys the encrypted health data.
Deleting Server Records: Email your "Consent ID" to infocradlelog@gmail.com with the subject "Data Deletion Request".

3. END-USER LICENSE AGREEMENT (EULA)

3.1 Medical Disclaimer

NOT A MEDICAL DEVICE. Cradly is an administrative tool. It is NOT a medical device, diagnostic tool, or a substitute for professional medical care.

3.2 Update, Compatibility, and Mandatory Backup Risks

MANDATORY OPERATION - BACKUPS PRIOR TO UPDATES: The User is OBLIGATED TO TAKE A BACKUP BEFORE INSTALLING ANY APPLICATION UPDATE.

3.3 Disclaimer of Warranties and Limitation of Liability

THE APPLICATION IS PROVIDED "AS IS".
A. FREE VERSION LIABILITY: No liability for data loss beyond our technical control.
B. PREMIUM VERSION LIABILITY: Total liability shall not exceed the total Premium price paid by the user.

3.5 Device Notifications and Operating System (OS) Limitations

The alarm and reminder functions rely on the local OS. Cradly is not liable for delays caused by battery optimization, Do Not Disturb, or force-closing the app.

4. CLOSING PROVISIONS

4.1 Governing Law, Arbitration, and Class Action Waiver

These Terms shall be governed by the laws of the Republic of Turkey. Disputes shall be determined by binding arbitration.

4.2 Entry into Force and Amendments

This agreement enters into force the moment the user completes the in-app consent flow.