Cradly – Global Master Privacy Policy & Terms of Service (EULA)

Last Updated: March 2026
Version: 5.1.0 - Global Compliance & Privacy Shield

DOCUMENT PURPOSE AND SCOPE

This document encompasses the Privacy Policy, End-User License Agreement (EULA), and Global Privacy Notices for the provisioning of the Cradly application worldwide.

Legal Framework (The Global Shield):

General Data Protection Regulation (GDPR - EU/UK)
California Consumer Privacy Act (CCPA) & California Privacy Rights Act (CPRA)
U.S. Federal Trade Commission (FTC) Act Section 5 standards (Truth-in-Advertising & Privacy)
Children's Online Privacy Protection Act (COPPA - USA)
Health Insurance Portability and Accountability Act (HIPAA - USA) (Disclaimer)
6698 numbered Personal Data Protection Law (KVKK - Turkey)

Binding Nature of the Document:
By downloading, installing, or beginning to use the application, you declare and undertake that you have read, understood, and accepted all provisions in this document.

Language of the Agreement & Comprehension:
The application and its comprehensive legal terms are provided primarily in English. By choosing to use the application and accepting these terms, you explicitly declare and warrant that you possess a sufficient understanding of the English language to comprehend the basic operation of the application, the provided legal summaries, and the associated legal risks. Users who do not possess sufficient language proficiency to understand these terms must not accept this agreement and should refrain from using the application.

1. GLOBAL PRIVACY POLICY

1.1 Architectural Approach: Local-First & Zero-Knowledge (FTC Act Compliance)

Cradly is a local-first application built on the principles of privacy by design and data minimization. In accordance with Section 5 of the FTC Act prohibiting deceptive privacy practices, we explicitly declare how our architecture operates:

All baby profiles, health records, feeding, sleep, vaccination logs, photos, and similar content are stored ONLY on your personal device.
This data is encrypted on the device using the industry-standard AES-256 algorithm.
The encryption key is a randomly generated 32-byte key created exclusively on your device during the initial application setup.
Zero-Knowledge Architecture: Cradly CANNOT access this key, does NOT store it, CANNOT back it up, and CANNOT recover it.

CRITICAL WARNING: ENCRYPTION KEY AND DATA SECURITY

Because the encryption key is generated and stored solely on your device, Cradly DOES NOT KNOW and TECHNICALLY CANNOT ACCESS this key.

Your data MAY BE PERMANENTLY LOST in the following situations:

Losing or having your device stolen.
Deleting and reinstalling the application without a backup.
Formatting or factory-resetting your device.
Operating system or hardware failure (memory corruption, storage error).
Using aggressive memory cleaning applications.

Advanced Recovery Feature:
Our application attempts to repair corrupted local databases (SQLite) using built-in on-device tools. However, in cases of device loss, permanent formatting, or severe hardware crashes, data recovery is technically IMPOSSIBLE.

Cradly CANNOT recover your data from a central server under any circumstances and is NOT LIABLE for data loss because:

By design, the application DOES NOT send your health data to a server; it keeps it on the phone.
We DO NOT KNOW and are technically UNABLE to access the encryption key.
There is absolutely NO backdoor to the system.
Your data relies entirely on the security of your device.

MANDATORY USER RESPONSIBILITY FOR BACKUPS:
The User is ENTIRELY RESPONSIBLE for the security and backup of their data. As a user, you must:

Make regular backups (at least once a week).
Store backups in a secure location.
Always take a backup before changing devices.
Always take a backup before updating the application.
Ensure device security (screen lock, secure password, etc.).

(Note: Features like cross-device syncing, cloud backups, or family sharing are currently disabled. Your data remains completely isolated and offline.)

Cradly accepts no liability for data loss experienced by users who ignore these warnings and fail to take regular backups.

1.2 Data Processed on the Server-Side

In Cradly, the foundational legal agreements MANDATORY for accessing the app (e.g., EULA, Privacy Policy) are embedded as internal files (assets). Your consent to these foundational agreements is NEVER SENT to our servers; it is verified and stored 100% locally (offline) on your device.

Cradly only processes technical records on centralized servers (Supabase) for optional consent proof:

A. Optional Consent Records:

SHA-256 hash of a Device Consent ID (local_uuid_hash)
Unique record ID for each consent event (consent_id)
Consent event type (consent_type - e.g., AD_ALLOWED, CRASHLYTICS_ALLOWED)
Content hash of the related consent text (consent_text_hash)
Application version (app_version)
Server timestamp (created_at)

These cryptographic or pseudonymous tokens do not reveal individual identities. However, for maximum compliance, they are treated conceptually as personal data under global frameworks.

1.3 Legal Status of Data Processing (Controller vs. Provider)

Cradly operates under the following legal roles regarding the processing of data:

A. Regarding Health Data (WE ARE NOT A DATA CONTROLLER OR BUSINESS):

Cradly acts strictly as a "Technical Infrastructure Provider" and is NOT a "Data Controller" (under GDPR/KVKK) or a "Business" (under CCPA) concerning the health data stored locally on the user's device.

Justification for This Legal Stance:

No Technical Access: This data is stored on the user's device with AES-256 encryption. Cradly CANNOT technically access the contents of this data.
Encryption Key Control: The 32-byte encryption key is generated and stored exclusively on the user's device. Cradly DOES NOT know this key and has NO access to it whatsoever.
Determination of Purpose and Means: This data is processed for purposes determined entirely by the user (baby care tracking) and under the user's explicit control. Cradly merely provides the technical infrastructure (the application software and the encryption library) facilitating this processing.
User as the Data Controller: The User, who possesses the device and holds the exclusive capability to access and decrypt the data, acts as the sole "Data Controller" of the health data stored within their own device.

Our Responsibilities as a Technical Infrastructure Provider:
While we are not a Data Controller for your health information, we are obligated to provide a secure processing environment (acting effectively in a service-provisioning capacity). This includes employing AES-256 encryption standards, warning users about data loss risks (the need for backups), and complying with application-level security best practices.

Rights Regarding Your Encrypted Data:
Because Cradly has absolute Zero-Knowledge and zero access to the encrypted contents, legal rights (such as the Right to Rectification or the Right to Erasure) concerning health data cannot be addressed to Cradly. These rights remain inherently under the control of you, the device owner. You may exercise these rights directly within the application by modifying or deleting the entries yourself.

B. Regarding Optional Consent Data (LIMITED DATA CONTROLLER):

Cradly acts as a limited Data Controller exclusively concerning the pseudonymous consent logs (e.g., whether you accepted crash analytics). We determine the purpose (consent proof) and the means for this specific, highly limited processing.

1.4 Third-Party Services & International Data Transfers

1.4.1 Supabase (Data Storage Infrastructure)

Purpose: Storing optional consent records.
Server Location: EU-West-3 (Paris, France).
Transferred Data: Cryptographic hashes for consent logs. NO HEALTH DATA, NO CREDIT CARD INFO, NO NAMES are transferred.
Legal Basis & DPA: Processed based on Legal Obligation and Legitimate Interest. International transfers are governed by a Data Processing Agreement (DPA) incorporating Standard Contractual Clauses (SCCs) signed with Supabase Inc. (Executed Feb 28, 2026).

1.4.2 Advertising Services (Google AdMob)

Scope: ONLY for users of the Free Version.
Advertiser Identifiers: Apple IDFA or Google GAID.
Data Controller for Ads: Google LLC operates as an independent Data Controller for the processing of advertising identifiers where applicable.

THE TWO-LAYER ADVERTISING FRAMEWORK:

The legal framework for displaying advertisements consists of two distinct layers:

1. Layer One: Ad Display (Contractual Condition)
Showing ads in the free version is an inseparable part of the Free Version EULA—the foundation of our freemium service model. It allows the app to be offered without charging a direct monetary fee. Therefore, the simple display of an ad relies on the performance of a contract (Terms of Service), not explicitly on user consent. To remove all ads entirely, you may purchase the Premium version.

2. Layer Two: Regional Personalization (NPA vs. Explicit Consent)
Whether the ads shown to you are personalized (using your IDFA/GAID) depends strictly on the geographical region in which the application is operated:

Unregulated Regions (Default NPA): For users in regions where specific consent dialogues are not mandated by Google's global policies (e.g., Turkey, Indonesia, and various other jurisdictions globally), Cradly enforces Non-Personalized Ads (NPA) as an unalterable default standard. Because your personal advertising identifiers (IDFA/GAID) are NOT processed and no ad targeting is performed, NO ad consent dialog is ever shown or requested in these regions. Ad display operates purely as an anonymous, contextual condition of the freemium contract.
Regulated Regions (EEA, UK, US Regulated States): If your IP address dictates you are in a heavily regulated jurisdiction requiring active user choice, Google UMP (User Messaging Platform) will present a consent screen asking if you allow personalized ads. If you deny this consent, or later withdraw it via your privacy settings, the application defaults to Non-Personalized Ads (NPA).

Note: The baby health data entered into the app is NEVER shared with advertising networks under any circumstances.

1.4.2.1 Rewarded Ads (Optional, User-Initiated)

In addition to standard banner ads, Cradly offers rewarded ads that Free Version users can voluntarily watch in exchange for specific in-app features. These ads are completely optional and are never shown automatically.

Features Utilizing Rewarded Ads:

Lullaby Background Playback: Free users may watch a rewarded ad to temporarily enable background audio playback within the app's built-in lullaby player (maximum 60 minutes per session, stackable).
14-Day Report Export: Free users may watch a single rewarded ad to export their detailed 14-day statistics report once.

Activation Conditions:
Unlike standard ads, rewarded ads are NOT subject to the 7-day waiting period, the 8-record threshold, or the nighttime filter. Only the following two conditions must be met:
1. Presence of a valid advertising consent (where applicable).
2. An active internet connection.

Completely Optional:
Watching a rewarded ad is never mandatory. Users who do not wish to view ads can purchase the Premium version to access these features ad-free or simply choose not to use the features.

Processed Data and Personalization:
Rewarded ads rely on the same consent decision as standard banner ads. In regions where Google UMP applies (EEA, UK, US regulated states), ads may be personalized or non-personalized based on your choice in the UMP consent form—Google's SDK makes the targeting decision based on the IAB TCF consent string. Outside these regulated regions, the application mandatorily applies the Non-Personalized (NPA) mode regardless of user action. Under no circumstances are baby health data shared with advertising networks or used for any ad targeting.

1.4.3 Telemetry, Crash Reports, and Analytics

Cradly collects anonymous crash reports (Firebase Crashlytics) and usage analytics (Firebase Analytics) strictly based on explicit, optional user consent.

Transferred Data: Device model, OS version, app version, anonymous installation UUID, and crash stack traces. NO personal identifiers, no health data, no tracking IDs (IDFA/GAID tracking is disabled for Analytics).
Data Processor: Google LLC. Transfers to the USA are safeguarded by Standard Contractual Clauses (SCCs) via Firebase Data Processing Terms.

1.4.4 Premium Subscription Management (RevenueCat)

Purpose: Managing in-app purchases and subscriptions securely, and syncing them with app stores.
Data Processor: RevenueCat Inc.
Processed Data: Anonymous platform receipts and anonymous App User IDs. This data does NOT contain your name, email, or credit card. All payments are handled securely by Apple or Google; RevenueCat only verifies the transaction's success.
Legal Basis: Performance of a Contract and Legitimate Interest (Fraud Prevention). International transfers are safeguarded under SCCs.

2. SPECIFIC REGIONAL DISCLOSURES & RIGHTS (THE GLOBAL SHIELD)

2.1 U.S. Healthcare Disclaimer (HIPAA & FDA)

HIPAA & FDA DISCLAIMER

HIPAA (Health Insurance Portability and Accountability Act):
Cradly IS NOT A COVERED ENTITY OR A BUSINESS ASSOCIATE UNDER HIPAA.
This application is strictly a personal, consumer-facing record-keeping software tool. Because we do not collect, transmit, or process your health data on our servers, and we do not share it with healthcare providers, doctors, or health insurance companies, the data you enter is NOT protected by HIPAA regulations. Your data security relies entirely on the local device encryption and your device's security practices.

FDA (Food and Drug Administration):
This application is NOT a medical device, has not been evaluated by the FDA or any equivalent international medical authority, and does not provide medical diagnoses, treatment advice, or emergency alerts. (See EULA Section 3.1 for more details).

2.2 Children's Privacy (COPPA & GDPR-K Disclaimer)

COPPA (Children's Online Privacy Protection Act - USA) & Global Equivalents:
While the subject matter of Cradly involves babies and children, the application is strictly designed for, and targeted at, parents and legal guardians aged 18 and older.
Cradly is NOT a "Child-Directed" application. We do not knowingly collect personal information from children under the age of 13 (or 16 under GDPR).

By using the application, you declare that you are the parent or legal guardian of the child(ren) whose data you enter, and you possess the legal authority to process such sensitive data on your own device. Device Security Warning: We strongly advise keeping your device locked to prevent accidental data deletion or modification by a child.

2.3 U.S. State Privacy Laws (CCPA / CPRA / VCDPA)

If you are a resident of California, Virginia, Colorado, or a state with a similar comprehensive privacy law, the following rights apply to the limited technical data we process:

Right to Know & Access: We collect minimal technical data (consent hashes). We DO NOT hold your health data.
Right to Delete: See Section 2.5 on how to delete server-side consent logs. Local health data is deleted immediately upon uninstalling the app.
"DO NOT SELL OR SHARE MY PERSONAL INFORMATION": Cradly DOES NOT sell or share your personal information for cross-context behavioral advertising. Because we do not collect your health, name, or contact data, we have no such data to sell. Our Free Version utilizes Google AdMob; if you reside in a state requiring it (e.g., California), we utilize Google UMP to respect your right to opt-out of personalized advertising. You may also disable personalized advertising entirely via your device's global privacy settings.

2.4 European Economic Area (EEA) & UK Residents (GDPR)

If you are located in the EEA or the UK, your technical data (consent logs) is processed under the following legal bases (GDPR Art. 6):

Consent (Art. 6(1)(a)): For processing personalized ads (via Google UMP) and Firebase Crashlytics/Analytics.
Performance of a Contract (Art. 6(1)(b)): Processing Premium subscription status via RevenueCat, and displaying anonymous ads for the Freemium service.
Legitimate Interests (Art. 6(1)(f)): Fraud prevention and maintaining the security of consent logs.

Your GDPR Rights:
Because we do not have technical access to your locally encrypted health data (Zero-Knowledge), rights regarding access, rectification, and erasure of the health data itself must be exercised directly by you on your own device. For the deletion of technical consent logs on our servers, see Section 2.5.

2.5 Data Deletion and the Right to be Forgotten

Because of our "Local-First" architecture, we do not possess 99% of your data.

Deleting Local Data: Uninstalling the app permanently and irreversibly destroys the encrypted health data stored on your device.
Deleting Server Records: To delete optional consent logs held on our Supabase servers, go to "Settings > My Identity" in the app, copy your "Consent ID", and email it to infocradlelog@gmail.com with the subject "Data Deletion Request". We will hash this ID, locate your records, and permanently anonymize or delete them within 30 days (unless required to be retained by law).

3. END-USER LICENSE AGREEMENT (EULA)

3.1 Medical Disclaimer

NOT A MEDICAL DEVICE.

Cradly is an administrative tool designed to help parents record and organize baby care information. It is NOT a medical device, diagnostic tool, or a substitute for professional medical care.

USER AGREES THAT:

Information in the app is general and not medical advice.
All decisions relating to baby health, feeding, and medical care must be consulted with a licensed healthcare professional (e.g., pediatrician).
The application must NEVER be relied upon in medical emergencies.

3.2 Update, Compatibility, and Mandatory Backup Risks

Cradly provides updates for security and new features. While we exercise reasonable technical care to ensure backward compatibility, local device environments are highly variable.

MANDATORY OPERATION - BACKUPS PRIOR TO UPDATES:

The User is OBLIGATED TO TAKE A BACKUP BEFORE INSTALLING ANY APPLICATION UPDATE.

Failure to do so may result in:

Irreversible data loss.
Database corruption or encryption key failure.

Cradly is NOT LIABLE for data loss resulting from the user's failure to create a backup before an update. Local devices may suffer data damage due to OS restrictions, hardware constraints, third-party software interruptions, or unforeseen technical errors, none of which Cradly controls.

3.3 Disclaimer of Warranties and Limitation of Liability

DISCLAIMER OF WARRANTIES (COMMON LAW COMPLIANCE):

THE APPLICATION IS PROVIDED "AS IS" AND "AS AVAILABLE". TO THE FULLEST EXTENT PERMISSIBLE PURSUANT TO APPLICABLE LAW, CRADLY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. WE DO NOT WARRANT THAT THE APP WILL BE BUG-FREE OR THAT THE DEVICE RELIABILITY WILL PREVENT DATA LOSS.

A. FREE VERSION LIABILITY (Freemium Model):
The free version is provided strictly on an "as-is" basis. Despite extensive technical safeguards designed by us (such as pre-update dynamic backups, schema auto-fixes, memory snapshots, and CSV export capabilities), device-level hardware/OS failures can occur. By using the Free Version, the user explicitly agrees that Cradly:
✓ Remains liable for intentional misconduct or gross negligence.
✗ Bears no liability for data loss beyond our technical control, as we provide all reasonable technical recovery safeguards locally.

B. PREMIUM VERSION LIABILITY (Capped Liability):
For users purchasing the Premium Version, Cradly's total, cumulative liability for all claims arising out of or related to this Agreement or the App shall not exceed the total Premium price paid by the user (e.g., $9.99). Liability is strictly limited to direct, foreseeable financial damages stemming from gross negligence or intentional misconduct. We do not compensate for indirect or consequential damages, emotional distress, lost time, or data loss resulting from missing backups or hardware issues.

3.4 Exception to the Right of Withdrawal (Digital Content)

IMPORTANT NOTICE FOR PREMIUM SUBSCRIPTIONS:

The Premium version of Cradly is classified as digital content supplied instantly in a non-tangible medium. Under applicable global consumer protection laws (including the EU Consumer Rights Directive), you explicitly consent to perform the contract immediately upon purchase and acknowledge that you will lose your 14-day right of withdrawal (refund right) once the download or access begins. Refund requests are governed strictly by the policies of the platform where you purchased it (Apple App Store or Google Play Store). Cradly cannot override these platform policies.

3.5 Device Notifications and Operating System (OS) Limitations

The alarm and reminder functions of Cradly are subject to the restrictions of your device's local Operating System (Apple iOS or Google Android). The application does not use remote servers for push notifications (Offline/Local-First functionality); instead, it relies on local notification scheduling running directly on the device.

As a User, you explicitly understand and agree to the following technical facts:

OS battery management features (such as Doze Mode or Low Power Mode), Focus Modes (Do Not Disturb), or the user's action of force-closing the application from the background (kill-state/swipe-up) may block or delay the OS from triggering the alarms.
Any such technical delays or blocking of alerts by the OS are entirely beyond the control or liability of Cradly.
It is absolute that critical reminders (such as fever measurements or medication schedules) must not solely rely on the reliability of an electronic application instrument (Refer back to Section 3.1 Medical Disclaimer).

4. CLOSING PROVISIONS

4.1 Governing Law, Arbitration, and Class Action Waiver

Subject to any mandatory overriding consumer protection laws of the jurisdiction in which you reside, these Terms and Privacy Policy shall be governed by and construed in accordance with the laws of the Republic of Turkey.

BINDING ARBITRATION AND CLASS ACTION WAIVER (FOR US AND NON-EU USERS):

Any dispute, claim, or controversy arising out of or relating to this Agreement shall be determined by binding arbitration rather than in court. You and Cradly agree to waive the right to a trial by jury or to participate in a class action. For claims under $10,000, the arbitration will be conducted based solely on written submissions (Online Dispute Resolution) to minimize legal costs for both parties. By agreeing to this, you understand that your remedies are limited to individual arbitration and you cannot force Cradly into a foreign courtroom.

4.2 Entry into Force and Amendments

This agreement enters into force the moment the user completes the in-app consent flow.
Cradly reserves the right to amend these terms. Significant changes (e.g., broader data processing scopes) will be pushed via an application update, triggering a new mandatory required consent screen to ensure compliance. Refusal to accept updated terms may prevent further use of the application.

Jurisdiction Change and Re-Consent: Upon each launch, the application automatically detects the user's legal jurisdiction based on their IP address and device locale. If the device enters a different legal jurisdiction (e.g., moving from an unregulated region to the U.S. regulated states covered by CCPA/CPRA, or vice versa), or if the applicable legal text has been updated for the user's current region, the application will present the applicable regional legal document and require a new affirmative acceptance. Access to the application is conditioned upon acceptance of the terms applicable to the user's current jurisdiction. Prior consent records are not invalidated; all records are retained in encrypted form on the device.

4.3 Severability

If any provision of this Agreement is found to be unenforceable or invalid under any applicable law, such unenforceability or invalidity shall not render this Agreement unenforceable or invalid as a whole, and such provisions shall be deleted without affecting the remaining provisions herein. The valid portions of the agreement, especially the limitations of liability, shall remain in full force and effect.

4.4 Survivability

Sections relating to limitation of liability, disclaimer of warranties, arbitration, and data zero-knowledge architecture shall survive any termination of this agreement or deletion of the Application by the user.

Contact Information:

Company Name: Nuran Kocaoğlu – Cebir Mühendislik Proje ve Bilişim
Address: Kazımiye Mahallesi, Salih Omurtak Cad. No:16 İç Kapı No:17, 59850 Çorlu / Tekirdağ / Turkey
Tax Identification: 5670114825 (Çorlu Tax Office)
Email: infocradlelog@gmail.com
Website: www.cebirproje.com

This document has been prepared in compliance with the GDPR, CCPA, FTC Act, COPPA, and the framework of the Personal Data Protection Law of Turkey (KVKK).

By utilizing the application, the User declares that they have read, understood, and accepted these texts in their entirety.