PequeSleep

Privacy Policy

1. Introduction

This Privacy Policy explains how CRAFTBOX DIGITAL S.R.L. (“we,” “us,” or “our”) collects, uses, stores, shares, and protects personal data when you use the PequeSleep mobile application and related backend, AI, and support services (collectively, the Services).

Unless a supplemental notice says otherwise, CRAFTBOX DIGITAL S.R.L. is the data controller for the personal data described in this Privacy Policy.

PequeSleep is designed for parents, guardians, and other caregivers. It helps users track baby sleep, review sleep patterns, read educational content, receive reminders, export sleep data, and use an AI chat feature.

We aim to collect only the personal data reasonably needed to provide, secure, and improve the Services. We do not sell personal data. Free users may see ads through Google AdMob. In the European Economic Area (EEA), the United Kingdom, and Switzerland, we use Google’s User Messaging Platform (UMP) together with a Google-certified consent management experience so you can accept or refuse ad-related processing where required; if you do not consent to certain uses, ads may still be shown in a limited form that does not use personal data for ad personalization, as further described below (including Programmatic Limited Ads where enabled in our AdMob account).

2. Scope

This Privacy Policy applies to users who:

  • create or sign in to a PequeSleep account;
  • add and manage one or more baby profiles;
  • track, edit, and review sleep sessions;
  • browse educational content in the Learning Center;
  • use CSV export features;
  • interact with the AI chat feature;
  • receive local sleep reminders; and
  • use subscriptions, AI credits, or ad-supported free features.

3. Nature of the Service

PequeSleep is a wellness, educational, and tracking service. It is not a medical device and does not provide medical diagnosis, treatment, or emergency services.

Any information, recommendations, educational materials, or AI-generated responses available through the Services are provided for general informational and educational purposes only. Users remain responsible for how they interpret and act on information provided through the Services.

4. Information We Collect

We collect information you provide directly, information generated through your use of the Services, information received from the providers you choose to use for sign-in or purchases, and limited technical data needed to operate the app.

A. Account and Sign-In Information

When you register, sign in, or manage your account, we may collect:

  • email address;
  • password or authentication credentials;
  • login method, such as email, Google, or Apple sign-in where enabled;
  • basic profile data returned by the sign-in provider, such as email address, name, and profile image;
  • account preferences, such as first day of week and selected AI model; and
  • subscription or entitlement status.

B. Baby Profile Information

If you choose to create a baby profile, we may collect:

  • baby name;
  • date of birth;
  • gender;
  • optional baby photo;
  • current sleep situation; and
  • archived or available profile status.

Providing baby profile information is generally optional, but some personalization features may be limited if no baby profile is added.

C. Sleep Tracking Data

When you use PequeSleep’s sleep tracking features, we may collect:

  • sleep session start and end times;
  • sleep type, such as nap or bedtime;
  • manual entries and edits;
  • sleep quality ratings;
  • fell-asleep methods;
  • environment factors;
  • mood before sleep;
  • wake-up counts, durations, and timestamps;
  • free-text notes; and
  • derived sleep summaries, dashboard metrics, and trends shown within the Services.

D. Learning Center Activity and On-Device Preferences

When you use the Learning Center, we may process:

  • article bookmarks linked to your account;
  • article text-size preferences stored locally on your device; and
  • article recommendations generated in the app using your selected baby profile and content metadata.

Learning Center search queries are currently used in the app to filter content and are not stored by us as a separate server-side search history.

E. AI Chat Data and AI Usage Data

When you use the AI chat feature, we may collect and store:

  • chat titles, timestamps, and any associated baby profile context;
  • messages you send to the AI assistant;
  • AI responses generated for you;
  • conversation history so you can revisit prior chats;
  • rolling conversation summaries used to support continuity in longer conversations; and
  • token usage, model-selection, AI credit, hold, grant, and usage-ledger records used for service operation, billing, usage limits, security, and abuse prevention.

If you include sleep logs, notes, or other personal information in a prompt, that information becomes part of the AI chat content you choose to submit.

F. Purchases, Exports, and Reminders

When you use subscriptions, AI credits, exports, or reminders, we may process:

  • RevenueCat customer and entitlement data;
  • app-store purchase metadata needed to validate subscriptions or credit purchases;
  • export job metadata and generated CSV files when you request an export; and
  • notification permission status and locally scheduled reminder data.

PequeSleep currently uses local scheduled reminders on the device. We do not currently collect or store remote push-notification tokens.

G. Ads, Diagnostics, and Technical Information

To operate, secure, and monitor the Services, we may collect limited technical information such as:

  • device type and operating system;
  • app version;
  • language and region settings;
  • request, session, and tracing identifiers used for authentication, reliability, and debugging;
  • crash reports, diagnostics, logs, performance data, and user feedback reports; and
  • identifiers needed to sync authentication or subscription state.

If you use the free tier, Google AdMob may receive ad-request and measurement data needed to load and measure ads, which can include mobile advertising identifiers and related device-level technical metadata. In the EEA, UK, and Switzerland, we present a consent message (via Google UMP) before initializing ad serving where applicable; your choices are stored on the device by the consent tooling and communicated to ad systems using the IAB Transparency and Consent Framework (TCF) where applicable. Depending on your choices, ads may be personalized, non-personalized, or served as Limited Ads (including Programmatic Limited Ads when that mode is enabled in AdMob), which restricts personalization and some measurement features. Google may use invalid-traffic detection-only storage in connection with Programmatic Limited Ads as described in Google’s documentation for publishers in regulated regions.

H. Information You Choose to Share

You may also choose to share additional information with us, such as:

  • support requests and correspondence;
  • feedback you submit through support channels or the in-app feedback flow; and
  • any other information you voluntarily submit in the Services.

5. How We Use Information

We use personal data only where reasonably necessary to provide, maintain, secure, support, and improve the Services. Depending on how you use PequeSleep, we may use your information to:

  • create and manage your account;
  • authenticate users and maintain secure sessions;
  • support email/password sign-in, social sign-in, password reset, and profile management;
  • create, update, archive, switch, and delete baby profiles;
  • record and display sleep sessions, notes, trends, reminders, dashboards, and related insights;
  • sync Learning Center bookmarks across devices and store article text-size preferences on your device;
  • generate in-app article recommendations based on the selected baby profile and content metadata;
  • operate the AI chat feature, generate responses, maintain conversation history, and preserve continuity through rolling summaries;
  • allow users to delete chats and related stored chat context;
  • process subscriptions, AI credits, purchase validation, and export requests;
  • load and measure limited ads for eligible free-tier users;
  • send local reminders and transactional communications such as password reset emails;
  • monitor reliability, troubleshoot technical problems, improve service quality, and investigate incidents;
  • detect misuse, abuse, fraud, or illegal activity;
  • comply with legal obligations; and
  • establish, exercise, or defend legal claims.

We do not use baby profile data, sleep logs, notes, or AI chat content for advertising targeting.

Where required by applicable law, including the GDPR and other data protection laws of Romania and the European Union, we process personal data on one or more of the following legal bases:

  • Performance of a contract: to create accounts, authenticate users, provide sleep tracking, store baby profiles, sync bookmarks, operate AI chat, validate purchases, provide exports, and otherwise deliver the Services you request.
  • Legitimate interests: to secure the Services, prevent abuse and fraud, investigate incidents, maintain reliability, debug errors, keep internal records, and improve service quality, provided those interests are not overridden by your rights.
  • Consent: where consent is required, such as for device notification permissions and any ad-related or identifier-based processing that requires consent under applicable law.
  • Legal obligation: where processing is necessary to comply with applicable law, lawful requests, tax or accounting duties, consumer-protection obligations, or other mandatory recordkeeping requirements.

7. AI Chat and Automated Processing

PequeSleep includes an AI-powered assistant that processes user prompts and relevant app context to generate sleep-related guidance.

How AI Processing Works

When you send a message through AI chat:

  • your message and relevant conversation context are sent to the AI provider used for the selected model;
  • supported providers currently include OpenAI, DeepInfra, and Google Gemini;
  • the provider used for a specific request can change based on your selected model or our service configuration;
  • relevant app context may be included where needed to provide the feature, such as prior conversation history or information you choose to share from the app;
  • the generated response is returned and stored in your chat history; and
  • limited metadata is stored for usage measurement, billing, reliability, security, and abuse prevention.

Human Review of AI Conversations

AI conversations are not routinely monitored or manually reviewed. Human access to chat content is limited to exceptional situations where reasonably necessary, such as:

  • investigating abuse, fraud, or malicious use;
  • investigating security incidents or service failures;
  • complying with applicable law, regulation, court order, or lawful governmental request; or
  • protecting the rights, safety, and security of users, children, our personnel, or the public.

Deletion of AI Chats

When you delete a chat in PequeSleep, we delete the chat record, stored messages, and rolling summary from active application databases. Limited retention may still apply in backups or in records kept for legal, security, fraud-prevention, or technical reasons.

Provider Terms

Provider-side retention and model-improvement terms can vary by provider and configuration. Based on the providers’ published materials as of the “Last updated” date above:

  • OpenAI states that API data is not used to train or improve its models by default, unless the customer explicitly opts in, and that abuse-monitoring logs are generally retained for up to 30 days unless special retention controls apply.
  • Google states that Gemini Developer API paid-tier content is not used to improve Google’s products, while Google abuse-monitoring logs can retain prompts, context, outputs, and related metadata for a limited period.
  • DeepInfra states that standard inference inputs and outputs are not stored on disk and are deleted from memory after inference, while metadata and limited samples may still be logged when needed for debugging or security.

Once data is sent to a third-party AI provider, that provider handles the data under its own terms, privacy notices, and compliance commitments. We select providers with privacy commitments we consider appropriate, but we do not control and cannot independently guarantee each provider’s ongoing compliance with its own policies.

No Sale or Ad Targeting

AI chat content is not sold and is not used by us for ad targeting.

8. How Long We Keep Information

We retain personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, and protect the Services.

Current retention rules and operating expectations include:

  • User account record: retained while your account remains active and deleted from active application storage when you delete your account.
  • Refresh tokens: expire 30 days after issuance unless revoked earlier. Revoked or expired refresh-token records are targeted for deletion within 30 days after expiry or revocation.
  • Password reset tokens: expire after 1 hour, are deleted after use, and otherwise are targeted for deletion within 30 days after expiry.
  • Baby profiles, baby media, sleep sessions, chats, and bookmarks: retained while your account remains active unless you delete the relevant item sooner through available app functionality.
  • AI rolling summaries: retained with the related chat history and removed from active application databases when that chat or account is deleted.
  • Account deletion: when you delete your PequeSleep account in the app, we delete the user profile, baby profiles, uploaded profile and baby media, sleep sessions, chat history, rolling summaries, bookmarks, auth tokens, export jobs, generated CSV files, AI credit records, and related subscription-credit records from active application storage.
  • Anti-abuse tombstone (RevenueCat app user id): we retain the pseudonymous internal user identifier that we previously used as the RevenueCat app_user_id for a deleted account, so that if you register again and restore the same App Store or Google Play subscription you do not receive a duplicate batch of monthly AI credits. This record contains no contact details, profile data, or content.
  • Article text-size preferences: stored locally on your device until you change the setting or clear app data.
  • Export jobs and generated CSV files: currently retained while your account remains active unless deleted sooner through account deletion.
  • RevenueCat webhook event ids: retained as an operational dedup record. The table stores only the event id and a processed-at timestamp and contains no user-identifying information.
  • Purchase, subscription, AI credit, usage-ledger, and related billing-support records in PequeSleep: retained while your account remains active. When you delete your account, these records are deleted from active application storage at the same time as the account. Aggregate, non-account-level revenue records needed for tax and accounting are retained separately by RevenueCat and by the Apple App Store or Google Play as the merchants of record.
  • Transactional-email delivery metadata and operational email records: retained for 90 days unless needed longer for abuse prevention, incident handling, or legal claims.
  • Support correspondence and privacy-rights case records: retained for 3 years after the request or support case is closed.
  • General application logs: retained for 30 days.
  • Sentry crash, performance, and feedback data: currently retained for 30 days. If that retention period changes, we will update this disclosure accordingly.
  • Security investigation and legal-claims evidence: retained for the duration of the investigation or claim and for up to 5 years after closure unless law or a legal hold requires longer retention.
  • OpenAI API content: OpenAI states API abuse-monitoring logs are generally retained for up to 30 days by default, unless different approved retention controls apply.
  • Gemini API logs: Google states logs for supported Gemini API calls in projects with billing enabled expire after 55 days by default.
  • DeepInfra-hosted inference: DeepInfra publicly describes its inference platform as operating under a zero-retention policy for inputs, outputs, and user data.
  • Other provider-side retention periods: for providers such as Sentry, RevenueCat, app stores, sign-in providers, and email providers, retention can depend on configured account settings, service tier, or the provider’s own operational policies. Where those provider-side periods are not fixed or publicly stated in a stable way, we describe them more generally rather than committing to a single vendor-side number.

When retention is no longer necessary, we delete, anonymize, or securely de-identify the data, unless applicable law requires longer retention.

9. How We Share Information

We do not sell your personal data.

We may share information only in the following limited circumstances:

A. Service Providers and Processors We Use

We currently use or support the following categories of third-party providers:

  • Cloudflare for hosting, API execution, database services, object storage, media storage, private export-file storage, and delivery of legal and learning content;
  • RevenueCat for subscription and in-app purchase state management;
  • Apple App Store and Google Play for in-app purchases and subscription transactions on their respective platforms;
  • Google AdMob for ad delivery and measurement in eligible free-tier experiences, together with Google User Messaging Platform (UMP) for consent and privacy choices where required;
  • Sentry for crash reporting, diagnostics, performance tracing, logging, and user feedback reports;
  • Resend for transactional emails such as password reset emails;
  • Google Sign-In and Apple Sign-In for optional account authentication; and
  • OpenAI, DeepInfra, and Google Gemini for AI model processing.

These providers receive only the personal data reasonably necessary for the service they perform for us or for the feature you choose to use.

We may disclose information where reasonably necessary to:

  • comply with applicable law, regulation, legal process, or enforceable governmental request;
  • enforce our Terms and Conditions or other agreements;
  • detect, investigate, or prevent fraud, abuse, security incidents, or illegal activity;
  • protect the rights, property, or safety of users, children, PequeSleep, or others; or
  • establish, exercise, or defend legal claims.

C. Business Transfers

If CRAFTBOX DIGITAL S.R.L. is involved in a merger, acquisition, investment, financing, reorganization, sale of assets, or similar corporate transaction, personal data may be transferred as part of that transaction, subject to applicable law.

10. International Data Transfers

Your information may be processed in countries other than your country of residence, including by providers located in or operating from the United States and other jurisdictions outside the EEA, UK, or Switzerland.

Because PequeSleep relies on cloud, diagnostics, billing, authentication, ad, email, and AI providers, international transfer destinations can vary depending on the feature you use and the AI model selected.

Where required by law, we take steps intended to provide appropriate safeguards for international transfers. Depending on the provider and destination, those safeguards may include:

  • an adequacy decision recognized by the European Commission, the UK, or another competent authority;
  • the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, or the UK International Data Transfer Agreement; or
  • another transfer mechanism recognized under applicable data-protection law.

Some providers publish these safeguards through their business terms, data-processing terms, privacy documentation, or configurable account controls. We keep internal records of the providers we use and the transfer approach associated with each service.

11. Data Minimization and Privacy Commitments

We are committed to privacy-by-design principles. In particular:

  • we aim to collect only the data reasonably needed to provide and secure the Services;
  • optional fields stay optional where practical;
  • we do not sell personal data;
  • we do not use baby profile data, sleep logs, notes, or AI chat content for ad targeting;
  • AI chats are stored to operate the feature, preserve continuity, and support user deletion actions; and
  • access to personal data by our personnel is intended to be limited to authorized, need-based access.

12. Children’s Privacy

PequeSleep is intended for use by parents, guardians, and caregivers, not by babies or young children themselves.

Because the Services are designed around child-related information, the app does process personal data about a child when an authorized adult chooses to enter it. Users should only provide child-related information where they are authorized to do so and where it is appropriate for use of the Services.

We encourage users to avoid including unnecessary health or other sensitive information in free-text fields, notes, or AI chat messages.

13. Data Security

We use reasonable technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, disclosure, alteration, and destruction.

These measures may include access controls, authentication protections, encrypted transmission where appropriate, environment-level security controls, and role-based limitations on internal access.

However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

14. Your Rights and Choices

Depending on your location and applicable law, you may have rights regarding your personal data, including the right to:

  • access the personal data we hold about you;
  • correct inaccurate or incomplete personal data;
  • delete personal data;
  • object to or restrict certain processing;
  • withdraw consent where processing is based on consent;
  • receive a portable copy of certain data, where applicable; and
  • lodge a complaint with a supervisory authority.

Current product controls include:

  • updating account and profile information in the app;
  • deleting your account in the app, which removes core active application data and stored export files from active application storage;
  • creating, editing, archiving, and deleting baby profiles in the app;
  • creating, editing, and deleting sleep sessions in the app;
  • adding and removing Learning Center bookmarks in the app;
  • managing local reminder permissions through device settings and app flows; and
  • deleting AI chats in the app; and
  • for eligible free-tier users, reopening ad privacy choices from Profile when Google’s privacy-options form is available for your device.

Self-service account deletion does not by itself cancel app-store subscriptions. Apple App Store and Google Play subscriptions must be managed through the relevant store account.

To exercise privacy rights, contact us using the details listed below. We may ask you to verify your identity before processing certain requests.

15. Cookies, Similar Technologies, and Mobile Identifiers

PequeSleep uses local storage, secure storage, SDK identifiers, and similar technologies as reasonably necessary for authentication, session continuity, preferences, security, diagnostics, purchase validation, and service functionality.

If you use the free tier, Google AdMob may use mobile identifiers and related SDK data to serve and measure ads, subject to your consent choices where required (including through Google UMP and TCF signals in the EEA, UK, and Switzerland).

Where you refuse consent for purposes that require it, we may still request ads in Limited Ads modes supported by Google (including Programmatic Limited Ads when enabled), which are designed to disable personalization and limit certain measurement features; Google’s documentation describes additional technical measures (such as invalid-traffic detection-only storage) that may apply in those modes. You can review and change applicable choices when the app offers ad privacy choices or when the consent experience is shown again under Google’s rules.

16. Notifications and Communications

PequeSleep currently uses device-level local scheduled reminders for sleep tracking reminders and related service functionality.

We may also send transactional communications such as password reset emails, account or security notices, and other service-related messages.

We do not currently collect or store remote push-notification tokens.

You can manage notification permissions through your device settings and, where available, within the app.

The Services may rely on or link to third-party services, such as authentication providers, payment processors, AI providers, app stores, or external websites. When your data is sent to such a provider as part of a feature you choose to use, that provider processes the data under its own terms and privacy notices. We are not responsible for the privacy practices or independent compliance posture of third parties except as required by applicable law.

We encourage users to review the privacy policies of third-party services they interact with.

18. California and Similar U.S. Privacy Disclosures

Where applicable under laws such as the California Consumer Privacy Act (CCPA/CPRA), we provide the following additional disclosures:

  • We collect identifiers, account information, baby profile information, sleep tracking data, AI chat content, purchase and export data, diagnostics data, and ad-related technical data as described above.
  • We collect this information from you, your device, sign-in providers, purchase providers, and your use of the Services.
  • We use this information for the operational, security, support, billing, AI, export, communication, and limited ad-delivery purposes described in this Privacy Policy.
  • We do not sell personal information.
  • Additional state-specific disclosures or opt-out rights may apply to certain ad-related processing depending on applicable law and the advertising choices available in the app for your region.
  • If you are in California (or another U.S. state where Google’s consent tooling applies) and you use the free tier, you can revisit Ad privacy choices from Profile in the app when that option is shown.

19. European Privacy Disclosures

If you are in the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with similar privacy laws, you may have additional rights under applicable data protection laws.

For EEA, UK, and Swiss users on the free tier, ad-related processing is supported through Google UMP and AdMob as described in this Privacy Policy, including the ability to withdraw or update certain choices where the consent tooling provides that path.

If required, we will identify the relevant data controller and provide details necessary for data subject requests in our contact section or supplemental notices.

20. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in the Services, legal requirements, or our data practices. When we do, we will update the “Last updated” date and, where required by law, provide additional notice.

21. Contact Us

If you have questions, requests, or concerns about this Privacy Policy or our privacy practices, please contact us at:

CRAFTBOX DIGITAL S.R.L.
contact@pequesleep.com
Bucuresti, Bulevardul Dacia, nr. 133, etaj D, Sector 2
Romania