Privacy Policy

This Privacy Policy describes how Cutting Soup Pty Ltd ("we", "us", "our") collects, uses, stores and discloses personal information when you use MyBabyTales — including our mobile app, the website at mybabytales.com, related web applications, and our gift voucher shop at shop.mybabytales.com (together, the "Services"). We are based in Australia and make the Services available internationally, including to users in the United States, the European Union, the United Kingdom, Canada and elsewhere.

Our principal contact address for privacy matters is: Unit 113, 18-20 Edinburgh Street, OAKLEIGH SOUTH, VIC, 3167, Australia. For day-to-day privacy questions or to exercise your rights, you can also email us at support@mybabytales.com.

The Services are designed for adults (typically parents and caregivers) who create and manage content on behalf of a baby or young child. We do not knowingly seek personal information directly from children for their own independent use. Information about a child is generally provided by the holder of the account. If you believe a child has provided personal information to us outside this context, please contact us and we will take appropriate steps.

We collect information you give us, information generated when you use the Services, and limited information from our service providers as described below.

Account and profile information: when you create or use an account we process identifiers tied to your account (for example a user ID from our authentication provider), and optional details such as display name and email address if you choose to add or verify them.

Keepsake content: the core of MyBabyTales is the content you add, such as child profile details (for example name and date of birth), journal-style memories, milestone responses, photos and similar media, notification preferences, and app settings. This content is stored so we can provide the Services to you.

Purchases and gifting: if you buy a gift voucher or make a related purchase, our payment processor (Stripe) receives and processes payment details. We receive limited transaction and fulfilment information (for example what was purchased, voucher identifiers, billing email where provided, and payment status) so we can deliver the Services and meet our legal and accounting obligations.

Transactional email: we use an email delivery provider (Resend) to send operational messages such as voucher delivery or purchase-related communications. These messages are sent to addresses you (or the purchaser) supply for that purpose.

Technical and usage information: like most online services, our servers and providers may process technical data such as IP address, device or browser type, general location derived from IP, timestamps, and diagnostic logs when you interact with websites, checkout or cloud endpoints. We use this information to operate, secure and improve the Services.

Analytics: we use or plan to use Google Analytics on our marketing and web surfaces (and in the mobile app where enabled) to understand aggregate usage — for example which pages or screens are viewed, general technical information about devices, and high-level engagement patterns. We configure analytics toward aggregated and pseudonymous insights rather than knowing everything you do as an identifiable individual in our own systems; Google processes data under its own terms and policies. You can read more at https://policies.google.com/privacy and use browser, device or app settings that limit analytics or ad tracking where available.

We use personal information to provide, maintain and secure the Services; to process purchases and redemptions; to communicate with you about the Services (including important notices); to troubleshoot and improve performance; to detect, prevent or address fraud, abuse or technical issues; and to comply with applicable law. Where required, we rely on appropriate legal bases such as performing our contract with you, our legitimate interests (balanced against your rights), or consent where we ask for it separately.

We host most application data in Google Cloud / Firebase services (including Firebase Authentication, Cloud Firestore for structured data, and Cloud Functions for server-side logic). User photos and similar media are stored as objects in Cloudflare R2 (or compatible object storage) with access controlled by our application. These providers process data on our behalf and may use facilities in Australia, the United States, the European Union and other regions depending on configuration and redundancy. By using the Services you acknowledge that your information may be transferred to and stored in countries other than your own, including countries that may not be assessed as providing an equivalent level of protection to your home jurisdiction. Where we rely on standard contractual clauses, the policies of the relevant provider, or other safeguards, those mechanisms help support compliant transfers as applicable.

Payment data is processed by Stripe, Inc. and its affiliates according to Stripe's privacy policy (see https://stripe.com/privacy). We do not store full payment card numbers on our own servers.

We retain personal information for as long as your account is active and for a reasonable period afterwards to resolve disputes, enforce our agreements, comply with legal obligations (including tax and accounting rules), and maintain security backups where appropriate. If you delete your account or ask us to delete personal information, we will follow our deletion processes subject to any minimum retention periods required by law or legitimate business needs (for example limited billing records).

Depending on where you live, you may have rights to access, correct, delete or port your personal information, to object to or restrict certain processing, to withdraw consent where processing is consent-based, and to lodge a complaint with a supervisory authority. Australian users may have rights under the Privacy Act 1988 (Cth) and the Australian Privacy Principles. Users in the European Economic Area, Switzerland or the United Kingdom may have rights under the GDPR or UK GDPR. Users in certain US states may have additional rights under local consumer privacy laws. Users in Canada may have rights under PIPEDA or applicable provincial laws. To exercise any of these rights, contact support@mybabytales.com and we will respond within a reasonable time, verifying your identity where needed.

We implement technical and organisational measures appropriate to the nature of the data we handle, including encryption in transit where supported, access controls, and reliance on established cloud providers. No method of transmission or storage is completely secure; we encourage you to use a strong password, enable email verification where offered, and protect access to your devices.

The Services are not a public social network. Content you add is intended for your private keepsake experience within the product design. Please still treat your account credentials as sensitive.

Our websites may use cookies or similar technologies that are necessary for the site to work, to remember preferences, or to support analytics as described above. You can control many cookies through your browser settings.

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. Material changes may also be communicated through the app, by email where appropriate, or by a notice on our website.

If you have questions about this policy or our practices, contact us at support@mybabytales.com.