This Privacy Policy describes how Punn ("we", "us", or "our") collects, uses, shares, and protects personal information when you use the Punn mobile application ("App"). It is written to comply with the U.S. Children's Online Privacy Protection Act (COPPA, 16 CFR Part 312), the European Union General Data Protection Regulation (GDPR), the United Kingdom GDPR, and the Personal Data Protection Act B.E. 2562 (PDPA) of Thailand.
Punn is directed at parents and legal guardians, not at children. The personal information described in this policy is about a child but is collected from and controlled by the parent or guardian who uses the App. We treat all baby data as personal information of a child under 3 and apply COPPA-grade protections to it regardless of the parent's country of residence.
For the purposes of COPPA, the App operator is:
For the purposes of GDPR, UK GDPR, and Thai PDPA, the same entity acts as the data controller of the personal information collected through the App. For privacy requests, please email us with the subject line "Privacy Request".
When you create an account, we collect your email address, display name, and a Firebase-issued user ID. If you choose to sign in with Apple or Google, we receive only the information you authorize the provider to share (typically email and name). Authentication is provided by Google's Firebase Authentication service.
You provide your baby's name, date of birth, gender, and optionally a profile photo. This data personalizes age-appropriate features such as feeding ranges, sleep guidance, and developmental milestones.
You may upload photos to the in-app family photo feed and to your baby's profile. Photos are stored in Google Firebase Storage. They are visible only to you and to adult family members you have explicitly invited.
When you use the "Ask Punn" assistant, your text prompt and a structured context payload describing your baby are sent to our chat endpoint, which forwards them to OpenAI to generate the reply (see section 4.b). Our server does not store your messages or the context payload; it records technical metadata about each request (timestamp, token counts, latency, request status, your user ID, and a hashed IP address). Your chat history — the 200 most-recent messages per baby — is kept on your device only; older messages are pruned automatically.
You may record temperatures, medications and dosages, vaccines, doctor names, symptom descriptions, and free-text notes. Health data is treated as a special category under GDPR Article 9 and is collected only with your explicit consent (signified by your act of entering it into the corresponding tracking form).
You may record weight, height (length), and head circumference. We compare these to WHO Child Growth Standards for charts and reports.
You may log feeding sessions (including type, amount, duration, content, and food name for solids), sleep periods, diaper changes (including color, consistency, amount, and rash flag), pumping sessions, milk inventory entries, and developmental milestones. All of these fields may include free-text notes.
When you use the cry analysis feature, audio is recorded on your device and analyzed entirely on-device using a bundled ONNX machine-learning model. Only the resulting classification (for example, "hungry"), the confidence score, and an optional audio-quality warning flag are stored. The raw audio recording is not uploaded to our servers. The cry audio is analyzed in memory and is never uploaded as part of cry analysis. The only way a recording ever leaves your device is the opt-in anonymous donation described in section 2.m, which you control per recording.
If you invite a partner or family member, we store the family group, member roles, and share-link metadata in Firestore. Family members are adults; we do not invite children to the family share.
If you correct a cry-analysis result, Punn can send anonymous feedback to help improve the model. This is off by default and is controlled by an opt-in toggle in Settings → Privacy; nothing is sent unless you turn it on, and you can turn it off again at any time. When enabled, Punn uploads only metadata — Punn's prediction, your correction, and your baby's age as a coarse bucket (one of 0–3, 3–6, 6–12, 12–24, or 24–36 months). The exact age, your baby's gender, and any identifying information are not included, and no audio is uploaded through feedback. Audio is shared only through the separate, per-recording donation described in section 2.m.
Crash reports and non-fatal error reports are sent to Firebase Crashlytics. These contain stack traces, device model, OS version, and app version. They are configured to exclude user content and baby data. Crash reporting is disabled in debug builds.
If you subscribe to Punn+, RevenueCat (acting as our subscription processor) receives a pseudonymous app user identifier, the purchased product, the entitlement status, and metadata about the purchase. Apple and Google Play process the actual payment; we never receive your full payment-card details.
Punn's cry analysis runs entirely on your device. Separately, you can choose to donate individual cry recordings to help improve the model. This is opt-in: nothing is ever shared unless you choose it, and you can turn sharing off at any time.
In Settings → Privacy you can set one of three modes:
What is collected when you share a single recording:
What is never collected or sent:
During the roughly 7-second capture the audio is processed on your device and is held in memory; the recording may pass through a temporary file on your device for that brief window, which is deleted immediately after processing. Nothing leaves your device unless you choose to share that recording. When you consent to share, the recording is saved in a protected delivery queue on your device until it finishes uploading (at most 14 days), then removed. The donation is unlinkable by design: it is not tied to your account, name, or device identifier.
Medical-complexity exclusion: A per-baby setting in Settings → Privacy lets you exclude any baby under specialist or NICU care from donation entirely. When excluded, none of that baby's recordings can be shared, even if you change the mode above.
Where it goes and how long we keep it: Donated recordings are processed and stored on Google Cloud servers in the European Union (Belgium, europe-west1), in a dedicated storage location used only for this purpose. They are kept for up to 90 days and then permanently and automatically deleted. They are used only to retrain Punn's cry-classification model. They are not sold and are not shared with advertisers.
Alongside each recording we keep a small anonymous catalogue record (a random file identifier pointing to the stored audio, the predicted cry category, any correction you provided, a coarse age bracket, the audio format, and the month it was received — no account, device, or network identifiers). This catalogue record is stored in our database in the United States; the audio itself never leaves the European Union.
Legal basis and withdrawal: Because your baby's voice is a special category of personal data, we collect donated recordings on the basis of your explicit parental consent under GDPR Article 9(2)(a), given on your child's behalf. The data is anonymized at the point of collection. To withdraw, set the mode in Settings → Privacy to "Never"; this stops all future sharing. Recordings you have already donated are fully anonymous and cannot be retrieved or deleted on request; they are automatically and permanently deleted within 90 days of donation.
We use the following service providers to operate the App. Each acts as a processor on our behalf, under a written data processing agreement where required by law.
We use the following Google services:
https://api.punnbaby.app, which proxies your prompts to OpenAI.
Data residency for these services: the Cloud Firestore database (user documents, baby profiles, synced tracking data, and family-sharing metadata) is hosted in the United States (us-central1). The default Firebase Storage bucket (photos) and the chat Cloud Run backend run in asia-southeast1 (Singapore). Donated cry audio (section 2.m) is stored in the European Union (europe-west1, Belgium) in its own dedicated bucket.
OpenAI (United States) acts as our processor for generating Ask Punn replies. When you use the Ask Punn assistant, your typed prompt, your recent chat history, and a structured context payload describing your baby are sent from our Cloud Run endpoint to OpenAI's API so OpenAI's language model can generate the reply. The context payload includes your baby's age in days and recent tracking summaries, which can include health entries you have logged (for example medications and dosages, vaccines, symptoms, and notes). Your baby's name is never sent — the app replaces it with a placeholder before the request and substitutes the real name back into the reply on your device. Your baby's date of birth is not sent. We do not send cry audio, photos, or your account email to OpenAI.
Our own server does not keep a copy of your messages or the context payload (section 2.d). OpenAI processes this data under its API terms: it may retain API inputs and outputs for a limited period for abuse monitoring, and it does not use data submitted through its API to train its models.
RevenueCat (United States) manages Punn+ subscription entitlements. It receives a pseudonymous app user identifier and purchase metadata. See revenuecat.com/privacy.
Apple and Google distribute the App through their respective stores and handle in-app purchases. Their privacy practices apply to data they collect during download and purchase.
We do NOT use advertising SDKs, behavioural-analytics tracking libraries, or data brokers. We do not sell personal information. We do not allow our processors to use your personal information for their own advertising purposes.
We use your tracking data, baby profile, and cry analysis results to provide the features of the App: event logging, charts, insights, growth tracking, reports, and on-device cry classification.
We use your prompt and the structured context payload (see section 3.b) to generate a response. The server system prompt instructs the model to refuse medical questions and to redirect you to a pediatrician.
If you sign in, your data syncs to Firestore so it is available across devices and to adult family members you have explicitly invited.
If you opt in to ML feedback uploads, we use that data to improve the cry classification model.
We use Crashlytics reports to diagnose bugs and improve reliability. We do not use personal information for behavioural advertising.
Most processing (tracking, sync, family sharing, cry analysis, subscription management) is necessary to provide the App service you have signed up for.
Health information (temperatures, medications, vaccines, symptoms, doctor names), cry-audio uploads, and any data revealing the child's physical or mental health is processed only on the basis of your explicit consent, signified by your active choice to enter or upload it.
We rely on consent for: opt-in ML feedback uploads, partner invitations, and any future anonymous cry-donation feature.
We have a legitimate interest in security monitoring, abuse prevention, and Crashlytics-based reliability work. We have balanced this against your rights and offer the controls described in section 7.
Because the personal information is about a child, parental consent is the consent we obtain and rely on. The parent or legal guardian grants consent on the child's behalf.
Under COPPA, GDPR, UK GDPR, and Thai PDPA, as the parent or legal guardian you have the right to:
You can exercise the access, rectification, and erasure rights directly inside the App by viewing, editing, or deleting individual records. For any other request, email admin@punnbaby.app with the subject "Privacy Request" and we will respond within 30 days.
We do not condition your child's participation in any App activity on the disclosure of more personal information than is reasonably necessary to provide that activity (COPPA 16 CFR 312.7).
The data subjects whose information is collected through the App are children under 3 years old. The App is directed at the parent or legal guardian. We do not knowingly allow children to create accounts, enter their own information, contact other users, or post publicly.
Parents and legal guardians grant consent on the child's behalf. By creating an account, entering your baby's profile, or logging tracking data, you confirm that you are a parent or legal guardian of the child and that you consent to the collection, use, and sharing of the child's personal information as described in this policy.
We use the child's personal information only to support the internal operations of the App (providing the tracking features, syncing across the parent's devices, generating reports for the parent, and improving the cry classification model when the parent opts in). We do not use it for behavioural advertising or third-party marketing.
If you believe we have collected information from a child without the necessary parental consent, or you wish to review or delete your child's data, please email admin@punnbaby.app.
Personal information may be processed outside your country of residence:
For transfers from the EU/EEA or the UK, we rely on the European Commission's Standard Contractual Clauses (or the UK International Data Transfer Addendum) as a transfer mechanism with our U.S. processors. EU users should be aware that synced app data is stored in the United States and photos in Singapore by default. For users in the EU/EEA, donated cry audio stays within the EEA, so no Chapter V transfer applies to that data.
You can delete your account and your child's data from inside the App:
Account deletion removes:
Family-sharing note: if you are the owner of a baby, deleting your account permanently deletes that baby and all of its tracking data for every family member who shared it. If you are a non-owner member, deleting your account removes only your own membership — data you logged into a baby owned by someone else remains with that owner.
Account deletion does not immediately remove:
For any deletion request you cannot complete in the App, or to request a copy of your data, email admin@punnbaby.app and we will respond within 30 days.
In compliance with the Personal Data Protection Act B.E. 2562 (PDPA):
We will notify you of material changes to this policy in-app and by updating the "Last updated" date at the top. Where the change affects the personal information of a child and requires new parental consent under COPPA, we will request that consent before applying the change to existing accounts.
For any privacy question or to exercise your rights:
We will respond to verifiable requests within 30 days.