🚧 Babylore is launching soon on iOS. Email help@suyu.ca for early access.
B Babylore

Privacy Policy

Last updated: May 26, 2026

Babylore is a baby-tracking app made by a small team (currently one person). We believe baby data is some of the most sensitive information a family can hold, and we treat it that way. This page explains what we collect, why, where it lives, and what your rights are. If anything here is unclear, email help@suyu.ca and a real human will respond.

The short version

  • We collect only what the app needs to work — sign-in info, the data you log, and the recipes you submit.
  • We don't sell your data. We don't run ads. We don't share with marketing partners.
  • Tracker data (feeds, sleep, diapers) lives on your device by default. Cloud sync is opt-in and free for everyone.
  • Sign-in uses Apple Sign In only — we never see your password and you can use Hide My Email if you don't want to share your real address.
  • You can delete your account and all server-side data at any time from Settings → Delete account.

Who we are

Babylore is operated by Andy Su, a sole developer based in Montreal, Quebec, Canada. You can reach us at help@suyu.ca. For data requests under PIPEDA, GDPR, or CCPA, the same address works.

What we collect

Account information

Sign-in uses Apple Sign In exclusively. When you sign in, we receive an Apple-issued user identifier and your email address (real or a Hide My Email relay, your choice). Optionally, you can share your name during the first sign-in. We never see or store your Apple ID password — Apple handles authentication end-to-end. The Apple identifier and email are passed through to Supabase Inc., which manages our auth tokens.

Baby profile

The name, birthday, nationality, and residence country you enter for each baby. This lives locally and, if you've shared the baby with a co-parent, in our database so both phones see the same profile.

Tracker data

Feeds, sleep, diaper changes, and any notes you log. Stored locally using Apple SwiftData. If you sign in and have tracker sync enabled, the entries are also mirrored to our database so a co-parent's phone (or your own iPad) can read the same data.

Community recipes

If you submit a recipe to the community feed, the title, ingredients, steps, country, language, and your chosen display handle are stored and shown publicly to other Babylore users once safety review finishes. Photos you attach are stored in Supabase Storage and served as public URLs. We describe how safety review works in the Moderation and safety review section below.

Comments and likes

When you comment on a recipe or tap the heart on a community recipe, we store that action along with your user id and a timestamp. Likes are public counts; comments are public text under your display handle.

Subscriptions

Babylore is currently a fully free app with no subscription. If we introduce optional paid features in the future, we'll update this page before they go live and explain what (if anything) Apple shares with us. Apple is always the payment processor when paid features exist — we never see your card or payment method.

Device & diagnostic data

We don't currently use analytics or crash reporters. If we add one in the future (likely Apple's privacy-preserving framework), we'll update this page before turning it on.

Where data lives

Local data sits on your device only. Server-side data is hosted on Supabase infrastructure (database, auth, storage) running on AWS in the ca-central-1 region (Montreal, Canada). Authentication is delegated to Apple Sign In.

Third-party processors

We use a small set of vetted third-party services to run Babylore. Each is named here so you know exactly who has access to what under our instructions.

  • Apple Inc. — App distribution (App Store), Sign in with Apple (authentication), StoreKit (any future paid features). Apple's own privacy policy applies to data Apple holds about you. We don't see your Apple ID password.
  • Supabase Inc. — Hosts our database (Postgres), authentication tokens, file storage (recipe photos), and real-time sync channels. Servers run on AWS infrastructure in Canada.
  • Anthropic, PBC — Provides the AI safety review used in our community recipe moderation pipeline. When you submit a community recipe, we send the recipe's title, ingredients, and steps (no user identifiers, no email, no baby data) to Anthropic's Claude API to flag potential safety concerns. The result feeds our moderation queue. Anthropic's API does not train on this content.

We do not engage data brokers, ad networks, analytics providers, or marketing platforms.

Moderation and safety review

Community recipes go through a layered safety review before they appear in the public feed:

  • Layer 1 — Deterministic rules. When you submit, our database runs a set of rule checks against the recipe's ingredients and the stated minimum age (honey for babies under 12 months, raw fish under 24 months, whole nuts under 36 months, etc.). Submissions that fail a rule are rejected with a specific reason so you can fix and resubmit.
  • Layer 2 — AI-assisted nuanced review. Submissions that pass Layer 1 are sent to a pediatric-nutrition prompt running on Anthropic's Claude API to catch concerns the rules miss (untagged allergens, choking textures, age-inappropriate prep). The output drives whether the recipe is auto-published or held for human review.
  • Layer 3 — Community reports. Published recipes can be flagged by any signed-in user. After three unresolved reports, a recipe is automatically un-published and reviewed.

You can read more about how recipe safety works on the Recipe & content disclaimer page.

How we use your data

We process the data above for these specific purposes:

  • Run the app. Show you your own tracker entries, recipes, comments, likes, and shared babies.
  • Sync between devices. Make sure both phones in a co-parent share see the same data, in near real time.
  • Moderate community content. Run the safety review pipeline described above. Hold submissions that warrant human review.
  • Reply to support requests. If you email us, we keep the thread so we can help.

We do not:

  • Sell or rent your personal data.
  • Build advertising profiles. Babylore has no ads.
  • Use your tracker data to train AI models.
  • Share data with marketing partners, data brokers, or aggregators.

Your rights

You can:

  • Access the data we hold about you — email us and we'll provide an export.
  • Correct any data through Settings or by emailing us.
  • Delete your account and all server-side data from Settings → Delete account. The deletion is immediate and cascades through every table that references your user id (recipes, comments, likes, shared babies, tracker entries).
  • Withdraw a community recipe at any time from the recipe's detail screen, even after it's been approved.
  • Sign out at any time to switch the app into local-only mode.

If you're in the EU, UK, or California, you also have rights under GDPR / UK GDPR / CCPA respectively, including the right to data portability and to lodge a complaint with your local data protection authority. Same email applies: help@suyu.ca.

Children's privacy

Babylore is intended for adult caregivers tracking babies. It is not directed to children under 13, and we don't knowingly collect personal information from anyone under 13. The baby profiles you create represent your child, but the account holder is always an adult.

Data retention

We keep your account and associated data for as long as your account is active. When you delete your account, we delete all personal data immediately. Aggregated, non-identifying analytics (like total recipe counts) may be retained.

Changes to this policy

We'll update this page when the policy changes and bump the "Last updated" date at the top. For material changes, we'll notify existing accounts via in-app message before the change takes effect.

Contact

Questions, complaints, or requests: help@suyu.ca.