Privacy Policy

Last updated: April 9, 2026

1. Introduction

Poppet (“we”, “us”, or “our”) is operated from Canada and is committed to protecting your privacy and the privacy of your children. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and what rights you have over your data.

This policy applies to all users of our website and mobile application (together, the “Service”) regardless of where you are located. By using the Service, you agree to the collection and use of information as described in this policy, alongside our Terms of Service.

Because Poppet is used by parents and caregivers to log data about children, we treat all data entered into the Service with particular care and apply a higher standard of protection to information about minors.

2. Who We Are and How to Contact Us

Poppet is operated from Canada. If you have any questions about this Privacy Policy, your data, or wish to exercise your rights, you can contact us:

  • Through the in-app support feature
  • Via our support channels listed on our website

For GDPR-related requests, please clearly state this in your message and we will prioritize your request and respond within 30 days.

3. Information We Collect

We collect the following categories of personal information:

  • Account information: your name, email address, and authentication details, including when you sign in via Google or Apple.
  • Child profile data: information you voluntarily enter about your child, including their name, date of birth, food logs, allergen notes, meal photos, texture progression notes, and feeding milestones.
  • Family and caregiver information: names or email addresses of partners, grandparents, or caregivers you invite to share access through the family sharing feature.
  • Technical and usage data: device type, operating system, app version, IP address, browser type, and general usage logs collected automatically when you use the Service.
  • Payment information: if you subscribe to a paid plan, payment is processed by our third-party payment processor. We do not store your full payment card details.

We do not collect information directly from children. All child data is entered by the adult account holder.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data on the following legal bases:

  • Contract performance: processing necessary to provide the Service you have signed up for, including storing your logs and syncing data across devices.
  • Legitimate interests: processing for security, fraud prevention, service improvement, and maintaining the reliability of the Service.
  • Legal obligation: processing required to comply with applicable laws.
  • Consent: where we rely on consent (for example, for optional communications), you may withdraw it at any time without affecting prior processing.

5. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Authenticate you and keep your account secure
  • Sync your data across your devices
  • Enable family sharing features when you invite caregivers
  • Process subscription payments and manage billing
  • Send account-related communications (such as receipts, security alerts, and material policy changes)
  • Comply with legal obligations

We do not use your data or your child's data for advertising purposes. We do not build advertising profiles. We do not sell your personal information to any third party.

6. Children's Privacy

Poppet is designed for use by adults (parents and caregivers) only. We do not knowingly collect personal information directly from children under the age of 13 (or the applicable age of digital consent in your jurisdiction). All information about a child in the Service is entered by the adult account holder who is responsible for that child.

If you believe a child has created an account or submitted personal information without appropriate parental consent, please contact us immediately and we will delete the information promptly.

For users in the United States, our practices are designed to comply with the Children's Online Privacy Protection Act (COPPA). For users in the EEA and UK, we comply with GDPR requirements relating to children's data.

7. Sharing of Information

We do not sell your personal information. We share data only in the following limited circumstances:

  • Service providers: we work with trusted third-party providers who help us host, operate, secure, and improve the Service (for example, cloud infrastructure and payment processing). These providers are contractually bound to protect your data and may only use it to provide services to us.
  • Family sharing: if you invite a partner, grandparent, or caregiver to access your child's profile, the data you share with them is governed by your actions within the app.
  • Legal requirements: we may disclose information if required by law, court order, or to protect the rights, safety, and security of our users or the Service.
  • Business transfers: if Poppet is acquired or merges with another company, your data may be transferred as part of that transaction. We will notify you before this occurs and give you the opportunity to delete your account.

We do not share your data with advertisers, data brokers, or any third party for marketing purposes.

8. Data Retention

We retain your personal information for as long as your account is active and as needed to provide the Service. Specifically:

  • Account and child profile data is retained until you delete your account
  • After account deletion, we retain data for 30 days to allow for recovery, after which it is permanently deleted from our systems
  • You may request immediate deletion of your data at any time by contacting us
  • We may retain certain information for longer periods where required by applicable law (for example, billing records)

You can export your data at any time using the export feature in the app before deleting your account.

9. Data Security

We implement reasonable and appropriate technical and organizational measures to protect your personal information against unauthorized access, loss, alteration, or disclosure. These measures include encryption of data in transit and at rest, access controls, and regular security reviews.

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. In the event of a data breach that is likely to result in risk to your rights and freedoms, we will notify you and applicable regulatory authorities as required by law.

10. International Data Transfers

Poppet is operated from Canada. Your data may be stored and processed in Canada or in other countries where our service providers operate. Canada is recognized by the European Commission as providing an adequate level of data protection for commercial organizations subject to PIPEDA.

If your data is transferred to countries outside Canada or the EEA that do not have equivalent data protection laws, we will ensure appropriate safeguards are in place (such as standard contractual clauses) to protect your information.

By using the Service, you acknowledge that your data may be transferred internationally as described in this policy.

11. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: request correction of inaccurate or incomplete data.
  • Erasure: request deletion of your personal data (“right to be forgotten”).
  • Data portability: request your data in a structured, machine-readable format.
  • Restriction: request that we limit how we process your data in certain circumstances.
  • Objection: object to processing based on legitimate interests.
  • Withdraw consent: where processing is based on consent, withdraw it at any time.

To exercise any of these rights, please contact us. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority if you believe we have not handled your data appropriately.

Canadian users may also contact the Office of the Privacy Commissioner of Canada with any concerns.

12. Cookies and Tracking

Our website may use cookies and similar technologies to operate and improve the Service. These may include:

  • Essential cookies: required for the Service to function (for example, keeping you logged in).
  • Analytics cookies: help us understand how the Service is used so we can improve it. These are anonymized where possible.

You can control cookie settings through your browser. Disabling essential cookies may affect the functionality of the Service.

13. Third-Party Services

If you sign in using Google or Apple, those services may collect information in accordance with their own privacy policies. We encourage you to review the privacy policies of any third-party services you use in connection with Poppet. We are not responsible for the privacy practices of third parties.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through the Service at least 14 days before the changes take effect. The updated policy will be posted on this page with a revised “Last updated” date. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

15. Governing Law

This Privacy Policy is governed by the laws of Canada, including the Personal Information Protection and Electronic Documents Act (PIPEDA). Users in the EEA and UK are also protected by the General Data Protection Regulation (GDPR) and applicable national data protection laws.

Made with care for parents everywhere