🔒 Privacy Protected

Privacy Policy

Last updated: June 6, 2026 · Effective: June 6, 2026 · Version: 2.0

🗝 Plain-Language Summary (TL;DR)

🔒

No selling. Your child's data is never sold, rented, or traded to anyone. Ever.

🗄

Self-hosted. Data lives in an encrypted, private database. Not shared with ad networks.

🗑

Delete anytime. One click to export or permanently delete all your data.

📊

Optional research. Anonymous aggregated data for research only with your explicit consent.

1 Who We Are

GrowChart ("we", "us", "our") is a child growth tracking platform operated by Fayez Ahmed, a sole proprietor based in Bangladesh. Our service is available globally at www.growchart.app and www.growchart.app.

For the purposes of the General Data Protection Regulation (GDPR), we act as the Data Controller for personal data collected through GrowChart. For users in the European Economic Area, we comply with GDPR. For users in California, we comply with CCPA. For users globally, we apply the highest applicable standard.

Contact: For any privacy matter, email [email protected]. We respond within 72 hours.

2 Data We Collect

2.1 Account Data

Email address (for authentication and transactional email)
Display name (if provided during onboarding)
Language and unit preferences
Subscription tier and billing status (managed by our payment processor)

2.2 Child Health Data (Sensitive)

This is the most sensitive category. You provide this voluntarily to use the core service:

Child's name, date of birth, and sex assigned at birth
Gestational age (if the child was born preterm)
Growth measurements: weight (kg), height/length (cm), head circumference (cm)
Feeding logs: type, duration, amount
Sleep logs: start time, end time, quality notes
Diaper logs: type and frequency
Milestone and vaccination records
Health symptom notes
Photos (stored in encrypted private storage — never used for training AI models)

⚠ Medical note: GrowChart is not a medical device. Growth data you enter is used only to compute WHO/CDC standard scores for educational purposes. We do not transmit clinical health data to any electronic health record (EHR) system unless you explicitly configure an integration.

2.3 Technical Data

IP address (retained for 7 days for security and abuse prevention)
Browser/device type and operating system (anonymised, not linked to your identity)
App version and feature usage patterns (aggregated, not individual-level)
Error logs (stripped of personal data before storage)

2.4 Data We Do NOT Collect

We do not use Google Analytics, Facebook Pixel, or any behavioural advertising trackers
We do not collect precise GPS location
We do not collect payment card numbers (handled entirely by our payment processor)
We do not fingerprint your device for tracking across sites

3 How We Use Your Data

Purpose	Data Used	Legal Basis (GDPR)
Providing the growth tracking service	Account + child health data	Contract performance (Art. 6(1)(b))
Computing WHO/CDC z-scores and percentiles	Child age, sex, measurements	Contract performance (Art. 6(1)(b))
Generating PDF growth reports	All child data for selected child	Contract performance (Art. 6(1)(b))
Sending transactional emails (alerts, invitations)	Email address	Legitimate interest (Art. 6(1)(f))
Processing subscription payments	Email, subscription status	Contract performance (Art. 6(1)(b))
Anonymous research dataset (opt-in only)	Age in months, sex, measurements (de-identified)	Explicit consent (Art. 6(1)(a))
AI Growth Advisor (Premium)	Child's measurements, z-scores, feeding/sleep logs	Contract performance + consent
Security and fraud prevention	IP address, usage patterns	Legitimate interest (Art. 6(1)(f))
Legal compliance	Account data	Legal obligation (Art. 6(1)(c))

AI Advisor: When you use the AI Growth Advisor (Premium feature), your child's growth context (age, measurements, z-scores, feeding summary) is sent to an AI API for response generation. No raw photos are sent. You can disable the AI Advisor at any time in Settings → AI Features.

4 Data Storage and Security

4.1 Where Data Is Stored

Your data is stored in a self-hosted, private PostgreSQL database on secured infrastructure. Database files are encrypted at rest using AES-256. All data in transit is protected by TLS 1.3.

Primary database: Self-hosted PostgreSQL (Supabase stack)
File storage (photos, PDFs): Encrypted Backblaze B2 cloud storage
Database backups: Encrypted, retained for 30 days, then permanently deleted

4.2 Security Measures

Row-Level Security (RLS): Database policies ensure you can only access your own children's data
JWT-based authentication: All API requests require a valid session token
Client-side encryption option: Sensitive notes can be encrypted in your browser before upload
No direct database access: All writes go through validated API endpoints
Rate limiting: Prevents brute-force attacks on authentication and API endpoints

4.3 Data Retention

Data Category	Retention Period
Active account data (children, measurements, logs)	Until you delete your account
Deleted account data	Permanently purged within 30 days of deletion request
Backup copies	Overwritten within 30 days
IP address logs	7 days
Anonymised research data (if consented)	Indefinite (cannot be re-linked to you)
Payment records	7 years (legal requirement)

5 Who We Share Data With

We do not sell your data. We share data with the following trusted processors, under contractual data processing agreements, only to the extent necessary to provide the service:

Processor	Purpose	Data Shared	Privacy Policy
LemonSqueezy / Paddle	Payment processing	Email, subscription plan	Their respective policies
Resend	Transactional email delivery	Email address, email content	resend.com/privacy
Anthropic / Google (AI providers)	AI Growth Advisor responses (Premium only)	Child growth context (no PII, no photos)	Respective privacy policies
Backblaze B2	Encrypted file storage	Encrypted files only	backblaze.com/privacy

We may disclose data if required by law (e.g. a court order or regulatory requirement) in the jurisdiction where we operate. We will notify you of any such disclosure unless legally prohibited from doing so.

6 Cookies and Local Storage

What we use

Type	Name / Key	Purpose	Duration
Session Cookie	sb-auth-token	Authentication — keeps you logged in	Session / 7 days
LocalStorage	theme, language, unitWeight, unitHeight	Your app preferences	Until cleared
IndexedDB	offlineQueue	Offline measurement queue (PWA)	Until synced

We use zero advertising cookies and zero cross-site tracking cookies. No third-party analytics scripts run on our app pages.

Public marketing pages (www.growchart.app) may display Google AdSense banners in the future. These are limited to public calculator pages and are never shown inside the authenticated app.

7 Children's Privacy (COPPA / PDPA)

GrowChart is operated by adults — parents, guardians, and healthcare professionals — on behalf of children. We do not knowingly collect data directly from children under the age of 13.

All accounts must be created by a person aged 18 or older
Child growth data entered on the platform belongs to the adult account holder
We comply with the U.S. Children's Online Privacy Protection Act (COPPA)
We comply with applicable child protection regulations in Bangladesh (PDPA) and the EU (GDPR Art. 8)

If you believe a child under 13 has created an account directly, contact us at [email protected] and we will delete the account immediately.

8 Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

👁

Access

Request a copy of all data we hold about you.

✏️

Rectification

Correct inaccurate or incomplete data at any time in-app.

🗑

Erasure

Delete your account and all associated data permanently.

📦

Portability

Export all your data as JSON or CSV at any time.

🚫

Object

Opt out of processing for research or legitimate interest purposes.

⏸

Restriction

Request that we pause processing your data while a dispute is resolved.

To exercise any of these rights, email [email protected] or use the in-app Data & Privacy settings. We will respond within 30 days. EU/UK residents may also lodge a complaint with their national supervisory authority.

9 International Data Transfers

GrowChart is operated from Bangladesh. If you are located in the European Economic Area (EEA), United Kingdom, or other jurisdictions with data transfer restrictions, please note:

Data may be processed in countries outside your jurisdiction, including where our sub-processors are based
We use Standard Contractual Clauses (SCCs) with all EU-regulated sub-processors
Our self-hosted infrastructure is configured to minimise cross-border transfers wherever possible

10 Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or for legal compliance. When we make material changes, we will:

Update the "Last updated" date at the top of this page
Send an email notification to all registered users
Show an in-app banner for 14 days after the update

Your continued use of GrowChart after the effective date of an updated policy constitutes acceptance of the new terms.

Questions about your privacy?

We take privacy seriously. Reach out and we will respond within 72 hours.

✉ [email protected] 📋 GDPR Rights Portal 📄 Terms of Service