Privacy Policy
Effective date: [DATE TO BE SET BY ATTORNEY ON FINAL APPROVAL]
Last updated: 2026-05-07
This Privacy Policy describes how Onzenna ("we," "us," or "our") collects, uses, and shares information when you use our parenting application and related services (the "Service").
1. Information We Collect
1.1 Information You Provide
- Account information — name, email address, password, profile photo
- Family information — child names, birthdates, household members you invite
- Tracking data — feeding logs, sleep records, diaper changes, milestones, photos, and other entries you create
- Surveys — responses to onboarding questions about your parenting situation, support network, and preferences
- Conversations with Orby — messages you send to our AI assistant
1.2 Information Collected Automatically
- Device information — browser type, operating system, IP address
- Usage information — pages visited, features used, timestamps
- Location — approximate location (city, country) inferred from your browser, with your permission
1.3 Information Inferred by Orby (AI Features)
With your consent (see Section 3), Orby may analyze your conversations and infer information about your family to personalize your experience. The categories Orby may infer are:
Functional signals (used for personalization, visible to admins on a per-user basis):
- Country (current and origin if you've moved)
- Language preference
- Household size
- Work status (working parent, stay-at-home, etc.)
- Parenting preferences (parenting style, philosophy)
- Partner involvement (active, occasional, single parent)
- Support networks (extended family, friends, daycare)
Sensitive signals (used for personalization, but admins only see aggregate counts):
- Ethnicity
- Religion
- Communities (church, temple, mosque, cultural organizations)
For sensitive signals, Onzenna admins never see your individual data. They only see aggregate counts (for example: "12% of users are Buddhist"). Only you and Orby see your individual sensitive signals.
We use a "layered identity" model: if you tell Orby you were born in Russia and now live in the US, both facts are stored separately so Orby can understand both your cultural background and your current context.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Personalize Orby's responses to your family's specific situation
- Communicate with you about your account, updates, and support
- Comply with legal obligations
- Protect against fraud, abuse, and security incidents
3. Consent Choices
Onzenna asks you for three separate consent decisions during onboarding. They are kept distinct so each is freely given, informed, and specific — not bundled together.
3.1 Acceptance of Terms and Privacy Policy *(required to use the Service)*
You are asked to accept the Terms of Service and this Privacy Policy before creating an account. This is the baseline agreement to use Onzenna.
3.2 Distinct consent for third-party AI processing *(required only to use Orby chat)*
To respond to your messages, Orby transmits information about your family — including your child's first name (or a privacy-preserving token), age, recent non-health log entries, your message text, your approximate city, and your conversation history — to Anthropic, our third-party AI processing partner. This is a separate consent decision from your acceptance of this Privacy Policy, as required by the Children's Online Privacy Protection Rule as amended effective June 23, 2025.
The full disclosure of what we send to Anthropic, how Anthropic handles it, their retention policy, and our Data Processing Agreement is presented to you separately at [Third-Party AI Processing Disclosure](/policies/third-party-ai) during onboarding and is also viewable in Settings → Privacy & Data.
You may decline this consent and continue to use Onzenna for logging, photos, calendar, stats, and the shop without Orby chat. You may revoke this consent at any time. Revocation takes effect immediately for new messages; previously transmitted data remains subject to Anthropic's retention policy until it ages out of their 30-day retention window.
We do not transmit health-category log entries (symptom, medicine, vaccination, measurement, appointment) to Anthropic under any circumstance.
3.3 AI personalization *(optional)*
Independent of the disclosure consent above, you can choose whether Orby may store what it learns about your family across conversations to personalize future responses. If you decline AI personalization, Orby chat still works (subject to §3.2), but Orby will not retain memories or inferences between sessions. You can change this preference at any time in Settings → Privacy & Data.
4. How We Share Your Information
We share information only as described below:
- Service providers — We use third-party services that help us operate the Service:
  - Anthropic (AI processing) — Your conversations with Orby are processed by Anthropic's Claude API. We have a Data Processing Agreement with Anthropic.
  - Supabase (database) — Your data is stored in Supabase, which we administer.
  - Vercel (hosting) — The Service runs on Vercel's infrastructure.
  - Shopify (storefront) — Our shop checkout uses Shopify.
- Legal compliance — We may disclose information when required by law, subpoena, or court order.
- Business transfers — In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before this happens.
We do not sell your personal information. We do not use your data or conversations to train AI models.
5. Data Retention
This section describes, for each category of personal information we collect, (a) why we collect it, (b) the business need that justifies keeping it, and (c) when it is deleted. This policy is published here in the Privacy Notice and is also maintained internally as our written data retention policy.
When you delete your account, we initiate erasure of all categories below within 30 days, with the limited exceptions noted in the table.
| Category | Purpose for collection | Business need for retention | Deletion timeline |
|---|---|---|---|
| Account information (name, email, password hash, profile photo) | Authenticate you and let you log in | Required to provide the Service while your account exists | While account active; deleted within 30 days of account deletion request |
| Family information (child names, birthdates, household members) | Let you track and personalize for your child(ren); enable household sharing | Required to provide the Service while your account exists | While account active; deleted within 30 days of account deletion request |
| Non-health log entries (feeding, sleep, diaper, bath, meal, activity, mood, milestones, photos, journal text) | Allow you to keep a record of your child's daily activities; show you your own data over time | Retained until you delete entries individually or your account | While account active; deleted within 30 days of account deletion request. Individual entries can be deleted at any time. |
| Health-category log entries (symptom, medicine, vaccination, measurement, appointment) | Allow you to keep a personal record of health-related notes about your child | Retained until you delete entries individually or your account. Never transmitted to AI services. | While account active; deleted within 30 days of account deletion request. Individual entries can be deleted at any time. |
| Photos you attach to log entries or send to Orby | Visual record of moments you choose to save; visual context for Orby chat when you opt in | Retained until you delete the photo or your account | While account active; deleted within 30 days of account deletion request. Individual photos can be deleted at any time. |
| Onboarding survey responses (concerns, routine, support network, preferences) | Personalize the Service to your family's situation | Retained while your account is active to keep personalization consistent | While account active; deleted within 30 days of account deletion request |
| Conversations with Orby (your messages and Orby's replies) | Provide chat responses; maintain conversation continuity within a session | Recent conversation history is retained to give Orby context across turns. You can clear chat history at any time from settings. | Cleared whenever you reset Orby's memory or delete your account; otherwise retained while your account is active. Anthropic, our AI processing partner, separately retains transmitted data for up to 30 days under their standard retention policy. |
| Orby's persistent memories about your family (facts Orby has learned, e.g. preferences, routines) | Personalize Orby's responses across sessions | Old memories naturally lose relevance; bounded retention reduces accumulation of stale or sensitive data | Auto-purged 365 days after creation. You can also view, edit, or delete individual memories at any time from settings, or reset all memories at once. |
| Inferred signals about your family (from Orby conversations, only if you opt in to AI personalization — see Section 3) | Personalize Orby's responses; offer relevant content | Retained while your account is active and you remain opted in to AI personalization | Deleted when you opt out of AI personalization, when you reset Orby's memory, or within 30 days of account deletion |
| Device and usage information (browser, OS, IP address, pages visited) | Operate the Service, debug issues, defend against abuse | Required for security and operations | Aggregated usage data retained for up to 24 months; raw IP/log data deleted after 90 days |
| Approximate location (city, country) | Provide location-relevant content (e.g. nearby resources in chat) | Retained only at session-level for the current request | Not persisted; recomputed per request |
| Order records (purchases from the Onzenna shop) | Fulfill orders, process payments, support returns | Required by US tax and accounting law | Anonymized within 30 days of account deletion (your name and email are removed); transaction records retained for 7 years for tax compliance, then deleted |
| Consent audit log (records of which Privacy Policy / Terms / disclaimers you accepted, when, and from where) | Prove that we honored your consent and erasure choices if questions arise later | Required as legal proof of compliance with COPPA, CCPA, and similar laws | Retained indefinitely as legal proof. This is the only category that is not deleted on account deletion. |
If a court order, subpoena, or active fraud investigation requires us to preserve specific records longer than the timelines above, we will do so only for as long as required by that legal process.
6. Your Rights
You have the following rights regarding your information:
- Access — View your account information and what Orby has learned about you in the "What Orby Knows About Me" page in settings.
- Edit — Update your profile information, edit Orby's inferences, or correct inaccuracies.
- Delete — Delete individual Orby memories or inferences, reset Orby's memory entirely, or permanently delete your account.
- Opt out of AI personalization — Toggle AI personalization off at any time in settings.
- Export — Download your tracking data as CSV from the Stats page.
To exercise these rights, use the controls in your account settings or contact us at [PRIVACY EMAIL TBD].
7. CCPA Disclosures (California Residents)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know — You can request a list of the categories of personal information we have collected about you in the past 12 months.
- Right to delete — You can request deletion of your personal information.
- Right to correct — You can request correction of inaccurate personal information.
- Right to opt out of sale or sharing — We do not sell your personal information.
- Right to limit use of sensitive personal information — Our AI personalization opt-in covers this for AI-inferred sensitive data. You can opt out at any time.
8. Children's Privacy
The Service is designed for parents and caregivers. The children whose data you track are not users of the Service. Their data is treated as part of your household's tracking data and is subject to the same protections described above.
We do not knowingly collect information directly from children under 13. If you believe a child under 13 has used the Service directly, please contact us so we can take appropriate action.
9. Security
We use industry-standard security practices to protect your information, including encryption in transit (HTTPS) and at rest (Supabase database encryption). However, no system is completely secure. Notify us immediately if you suspect unauthorized access to your account.
10. International Users
The Service is currently designed for users in the United States. If you access the Service from outside the US, your information will be transferred to and processed in the United States.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will notify you via the Service and you will be required to accept the updated Policy before continuing to use Orby and certain other features.
12. Contact Us
Questions about this Privacy Policy or our data practices? Contact us at [PRIVACY EMAIL TBD].