At Wermom, we take your family's privacy and data security with the utmost seriousness. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our baby health tracking app and website. We are incorporated in Ontario, Canada and comply with privacy laws globally, including Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), the European Union's General Data Protection Regulation (GDPR), and applicable U.S. state privacy laws.

Our mission is to support parents and caregivers with expert-reviewed insights into your child's health and development. To deliver personalized care plans and meaningful health recommendations, we need to understand your family's unique situation. We've designed our data practices to balance this need with your right to privacy and control over your information.

Information We Collect

We collect information you provide directly and information generated as you use our app. Here's what we gather:

Health and Development Data

When you use Wermom, you share your baby's health history, growth measurements, developmental milestones, vaccination records, dietary information, sleep patterns, and any health concerns you'd like to track. This health data forms the foundation of your personalized care plan and enables our AI-powered health assistant to provide relevant guidance. We handle this health data as special category data under applicable privacy laws.

Baby Information

We collect basic information about your child including name, date of birth, sex assigned at birth, and pregnancy/delivery details. This helps us deliver age-appropriate insights and recommendations tailored to your child's developmental stage.

Survey Responses

You may choose to complete optional surveys about your parenting experience, concerns, and preferences. These responses help us understand what matters most to you and improve our recommendations and features.

Chat and Message History

When you communicate with our AI health assistant, we store your messages and the assistant's responses. This chat history helps provide context for future conversations and allows us to improve our service quality.

Email Address and Account Information

We collect your email address to create your account, send notifications, and allow you to recover your account if needed. If you opt in, we may also use your email for relevant product updates and educational content about child health and development.

Usage Information

We automatically collect information about how you interact with our app, including which features you use, how often you visit, and pages or screens you access. This helps us understand what's working well and where we can improve the experience. This may include cookies and similar tracking technologies through our hosting provider Vercel.

How We Use Your Information

Your data enables us to deliver the core value of Wermom. We use the information you provide for these purposes:

  • Personalized Health Reports: We analyze your baby's health data to generate insights, identify patterns, and create tailored recommendations aligned with pediatric best practices.
  • AI-Powered Chat Assistant: Your health data and chat history power our conversational assistant, allowing it to provide contextually relevant guidance based on your baby's specific situation.
  • Email Notifications: With your permission, we send milestone reminders, growth tracking alerts, and other important notifications to help you stay on top of your child's health journey.
  • Service Improvements: We analyze usage patterns and feedback to improve our app, fix bugs, and develop new features that better serve parents and caregivers.
  • Account Management: We use your email to verify your identity, handle login requests, and communicate important account-related information.
  • Safety and Compliance: We may process your information to comply with legal obligations, enforce our terms of service, and protect against fraud or misuse.

Data Storage and Security

We recognize that your family's health information is highly sensitive. We've implemented enterprise-grade security measures to protect your data:

Database Encryption

All data is stored in encrypted databases through Supabase, a secure backend-as-a-service platform powered by PostgreSQL. Your health data is encrypted at rest using industry-standard encryption algorithms and never stored in plain text. Supabase infrastructure is hosted on AWS in secure data centers.

Transport Security

All communication between your device and our servers uses HTTPS encryption with TLS 1.2 or higher, protecting data in transit from interception. We use industry-standard TLS protocols to ensure secure data transmission.

Authentication

We use secure authentication tokens and session management to ensure only authorized users can access their account and data. Your password is never stored in plain text and is hashed using modern cryptographic algorithms.

Access Controls

Access to your data is strictly limited to authorized team members who need it to maintain our service. We follow the principle of least privilege and regularly audit access logs to detect and prevent unauthorized access.

Note: While we implement robust security measures, no system is 100% secure. We encourage you to use strong, unique passwords and keep your account credentials private. If you suspect unauthorized access to your account, contact us immediately at hello@wermom.com.

Third-Party Services

To deliver our service, we partner with trusted third-party providers. Here's how your data flows and how each provider handles it:

Anthropic AI (Claude)

Our conversational health assistant is powered by Claude, an AI model from Anthropic. When you chat with our assistant, your messages and your baby's relevant health data are sent to Anthropic's servers to generate personalized responses.

Key details: Anthropic does not use conversation data for training or improving Claude models (unless you explicitly opt in to research via a separate request). We only send data necessary for generating your response—we do not share unnecessary personal information like your full name or email. Your conversations may be retained by Anthropic according to their data retention policy. For full details, see Anthropic's Privacy Policy.

Resend (Email Service)

We use Resend to send email notifications and updates. Your email address and relevant notification content (such as milestone reminders) are processed by Resend's servers. Resend's Privacy Policy applies to their processing of this data. We configure Resend to minimize data retention and ensure emails are not used for secondary purposes.

Supabase (Database)

Supabase hosts our database and provides secure storage for your health data. Supabase uses PostgreSQL and applies encryption at rest and in transit. Supabase infrastructure runs on AWS and is subject to Supabase's privacy and security practices. See Supabase's Privacy Policy for details.

Vercel (Hosting and Analytics)

Our website is hosted on Vercel, which provides web hosting and basic analytics. Vercel may collect usage data such as pages visited, device information, and IP address to monitor site performance and security. This does not include health data. See Vercel's Privacy Policy for details on their analytics practices.

Apple App Store and Expo (Mobile Distribution)

If you download Wermom from the Apple App Store, Apple may collect app usage data and crash logs. These crash logs help us identify and fix bugs. We use Expo for development and push notification infrastructure—Expo may collect development analytics but does not have access to your health data. See Apple's and Expo's privacy policies for details on their data practices.

Other Service Providers

We may partner with other service providers to deliver analytics, error tracking, or similar services that help us maintain and improve the app. Any such partners are required to implement privacy protections equivalent to our own, sign Data Processing Agreements, and are prohibited from using your data for their own purposes.

Your Privacy Rights

You have important rights regarding your personal information. The specific rights available depend on your location, but we honor all applicable rights:

  • Access Your Data: You can request a complete copy of the personal information we hold about you and your child.
  • Correct Your Data: If any information is inaccurate, you can request that we correct it.
  • Delete Your Data: You can request deletion of your account and associated data at any time. We will remove all health records, messages, and personal information from our active systems within 30 days, except where we're legally required to retain it.
  • Export Your Data (Data Portability): You can request your data in a portable, machine-readable format to facilitate switching to another service or keeping a personal backup.
  • Opt Out of Communications: You can opt out of marketing emails and notifications at any time through your account settings or by contacting us.
  • Withdraw Consent: If we process your data based on your consent, you can withdraw that consent at any time. This will not affect the lawfulness of processing before withdrawal.
  • Restrict Processing: You can request that we limit how we use your data in certain circumstances.
  • Object to Processing: You can object to our processing of your data for certain purposes, including direct marketing.

To exercise any of these rights, please contact us at hello@wermom.com with details of your request and which jurisdiction's laws apply. We will respond within 30 days (or the required timeframe under applicable law). For EU/UK residents, you can also lodge a complaint with your local data protection authority.

Children's Data Protection

Wermom is designed for parents and caregivers to manage their children's health information. We take special care to protect children's privacy in compliance with applicable laws, including the Children's Online Privacy Protection Act (COPPA) in the United States and similar laws globally.

  • We do not collect data directly from children—only from parents and authorized caregivers on behalf of their children.
  • We do not sell children's personal information to third parties for any purpose.
  • We do not create profiles of children for commercial advertising or marketing purposes.
  • Parents retain full control over their child's data and can request deletion at any time.
  • We do not use children's health data to target behavioral advertising or manipulate children's behavior.
  • We do not disclose children's data to data brokers or other unauthorized third parties.

Under COPPA, for children under 13, parental consent is required for collection of personal information. Wermom collects data only with parent/guardian consent. If you believe we have collected data from a child in violation of these principles or applicable laws, please contact us immediately at hello@wermom.com.

Data Retention

We retain your data for as long as necessary to provide our service and fulfill the purposes outlined in this Privacy Policy. Specifically:

  • Active Accounts: We retain all health data, chat history, and account information while your account is active.
  • After Account Deletion: Once you delete your account, we remove all personal data from our active systems within 30 days, except for data we're required to keep by law or for legitimate business purposes (such as fraud prevention or legal compliance).
  • Backups: For data backup and recovery purposes, deleted data may be retained in encrypted backup systems for up to 90 days before being permanently purged.
  • Legal Hold: If we receive a legal order, court order, or regulatory request, we may retain data longer than our standard retention period to comply with that obligation.
  • Anonymous Data: We may retain anonymized, aggregated data (data that cannot identify you) indefinitely for research and service improvement purposes.

Canada (PIPEDA)

Wermom is incorporated in Ontario, Canada and is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal privacy law. If you are a Canadian resident, the following rights and principles apply:

Consent Requirement

Under PIPEDA Principle 1, we obtain your informed consent before collecting or using your personal information, including your baby's health data. For sensitive health information, we require express (explicit) consent. You can withdraw consent at any time, though this may limit our ability to provide the service.

Purpose Limitation

We collect and use personal information only for the purposes identified and disclosed to you (Principle 2). We do not use your data for unrelated secondary purposes without your consent.

Accountability

Wermom is responsible for personal information in our control and has designated a Privacy Officer. We are accountable for implementing PIPEDA principles and can be contacted at hello@wermom.com regarding privacy inquiries.

Openness (Principle 4)

We are open and transparent about our privacy practices. This Privacy Policy details how we collect, use, protect, and manage personal information.

Individual Access (Principle 9)

You have the right to access and review your personal information. You may request corrections if information is inaccurate or incomplete. To exercise this right, contact us at hello@wermom.com.

Retention Limitation (Principle 7)

We retain personal information only as long as necessary for identified purposes. Once your account is deleted, we remove your data within 30 days (except where legally required to retain).

Right to Challenge Compliance

If you believe Wermom is not complying with PIPEDA, you may challenge our compliance practices. You can also lodge a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca or call 1-800-282-1376.

United States Privacy Laws

If you are a resident of the United States, the following laws and rights apply:

COPPA (Children's Online Privacy Protection Act)

COPPA protects children under 13 online. Wermom collects health data about children through their parents/guardians only with verifiable parental consent. We do not sell personal information of children under 13. Parents can review, update, or request deletion of their child's information by contacting us at hello@wermom.com. For questions about COPPA, see the FTC's guidance at www.ftc.gov/coppa.

CCPA / CPRA (California Privacy Rights Act)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: You can request what personal information we collect, use, and share about you.
  • Right to Delete: You can request deletion of personal information we collected from you (subject to certain exceptions).
  • Right to Opt-Out: You can opt out of the "sale or sharing" of personal information (though we do not sell health data for commercial purposes).
  • Right to Correct: You can request correction of inaccurate personal information.
  • Right to Limit Use: You can limit how we use sensitive personal information (like health data) to necessary purposes.
  • Non-Discrimination: We will not discriminate against you for exercising CCPA/CPRA rights.

To exercise these rights, contact us at hello@wermom.com. We will respond within 45 days.

State Privacy Laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA)

Similar comprehensive privacy laws apply in Virginia, Colorado, Connecticut, and other states. These laws grant you rights including the right to know, delete, correct, opt-out of sale, and portability of personal information. We honor these rights for all U.S. residents regardless of which specific state law applies to you.

HIPAA Disclaimer

Wermom is not a HIPAA-covered entity and does not have a Business Associate relationship with healthcare providers. However, we follow HIPAA-inspired best practices for protecting health information, including encryption, access controls, and audit logging. If you share health information with us, we treat it with the same care and security standards used in the healthcare industry.

FTC Act Section 5

We comply with the U.S. Federal Trade Commission Act Section 5, which prohibits unfair or deceptive practices. Our privacy practices as described in this policy are accurate and enforceable.

GDPR and EU/UK Privacy

If you are located in the European Union, European Economic Area, United Kingdom, or other jurisdictions with similar privacy laws (such as GDPR equivalents), the following rights and protections apply:

Legal Basis for Processing

Under GDPR Article 6, we process your personal data only on one of these legal bases:

  • Consent (Article 6(1)(a)): Your explicit, informed consent to process your data (especially health data under Article 9).
  • Contract (Article 6(1)(b)): Processing is necessary to perform our service contract with you.
  • Legitimate Interest (Article 6(1)(f)): Our legitimate interest in providing a secure, functional, and improved service (balanced against your rights).
  • Legal Obligation (Article 6(1)(c)): Compliance with legal or regulatory obligations.

Special Category Data (Article 9)

Health data is a special category of personal information under GDPR Article 9. We process health information only with your explicit consent. You can withdraw consent at any time by contacting us. We do not process health data for automated decision-making or profiling that could affect you.

Data Protection Officer

We have appointed a Data Protection Officer (DPO) responsible for ensuring compliance with GDPR and similar laws. If you have privacy concerns or believe we've violated GDPR or similar laws, you can contact our DPO at hello@wermom.com. You also have the right to lodge a complaint with your local data protection authority (supervisory authority).

GDPR Rights (Articles 15-22)

You have the following rights under GDPR:

  • Right of Access (Article 15): You can request a copy of the personal data we hold about you.
  • Right to Rectification (Article 16): You can request correction of inaccurate data.
  • Right to Erasure / "Right to Be Forgotten" (Article 17): You can request deletion of your data, subject to certain exceptions.
  • Right to Restrict Processing (Article 18): You can request that we limit how we use your data.
  • Right to Data Portability (Article 20): You can request your data in a portable, machine-readable format.
  • Right to Object (Article 21): You can object to processing of your data for direct marketing, profiling, or other purposes.
  • Rights Related to Automated Decision-Making (Article 22): You have the right not to be subject to decisions based solely on automated processing that could affect you.

To exercise these rights, contact us at hello@wermom.com. We will respond within 30 days.

Data Transfers Outside the EU/UK

Your data may be processed in the United States or other countries where our service providers (Anthropic, Supabase, Vercel) operate. By using Wermom, you consent to such transfers. We ensure transfers are protected by:

  • Standard Contractual Clauses (SCCs) with our service providers.
  • International Data Transfer Agreements (IDTAs) compliant with UK law.
  • Adequate safeguards to protect your data during transfer.

Data Processing Agreements

We have Data Processing Agreements (DPAs) in place with all sub-processors (like Anthropic and Supabase) that outline how they handle personal data on our behalf. A summary of our sub-processors is available upon request.

Data Protection Impact Assessment (DPIA)

For high-risk processing activities involving health data, we conduct Data Protection Impact Assessments to identify and mitigate privacy risks.

Complaint to Supervisory Authority

If you believe we are not complying with GDPR or similar laws, you have the right to lodge a complaint with your local data protection authority (supervisory authority), such as:

UK-Specific: International Data Transfer Agreement (IDTA)

For UK residents, international transfers of personal data to the US and other countries are protected by International Data Transfer Agreements and UK adequacy decisions.

Global Privacy Laws

We respect privacy laws globally. If you are a resident of another country with data protection laws, those protections apply to you. Key global frameworks include:

Jurisdiction | Law | Key Rights
Brazil | LGPD (Lei Geral de Proteção de Dados) | Right to access, correct, delete, opt-out of sale, data portability. Data protection authority (ANPD) oversight.
Australia | Privacy Act 1988 (Privacy Principles) | Right to access, correct, request limits on use, complain to Privacy Commissioner (OAIC).
South Korea | PIPA (Personal Information Protection Act) | Right to access, correct, delete. Processing requires consent for sensitive data.
Singapore | PDPA (Personal Data Protection Act) | Right to access, correct, withdraw consent. PDPC oversight.
Japan | APPI (Act on Protection of Personal Information) | Right to access, correct, delete. Prior consent required for health data.

Health Data Provisions

Health data receives special treatment under privacy laws globally. We implement enhanced protections:

Explicit Consent for Health Data

We obtain explicit, informed consent before collecting or processing your child's health information. This consent is separate from general terms of service and is clearly explained. You can withdraw consent at any time.

Enhanced Security for Health Records

Health data is subject to the highest level of encryption, access controls, and audit logging. We implement security measures consistent with HIPAA standards, even though we are not a covered entity.

No Sale of Health Data

We do not sell, rent, or share your child's health data with third parties for commercial purposes, advertising, or any use outside our service. Health data is never used to profile, target, or manipulate.

HIPAA-Inspired Practices

Although Wermom is not a HIPAA-covered entity, we follow HIPAA principles including: (1) administrative safeguards (policies and training), (2) physical safeguards (secure infrastructure), and (3) technical safeguards (encryption, access controls, audit logs).

No Unauthorized Disclosure

We do not disclose health data to law enforcement, government agencies, or third parties except: (1) with your explicit consent, (2) as required by law or court order, (3) to protect health or safety in emergencies, or (4) to service providers under strict Data Processing Agreements.

Health Data Breach Notification

If we experience a breach of health data, we will notify you without unreasonable delay (typically within 30 days) and describe the nature of the breach, what data was affected, and steps we're taking. We will also notify relevant regulators as required by law.

Contact & Support

We're committed to being transparent about our privacy practices. If you have questions, concerns, or requests regarding your personal information, data rights, or this Privacy Policy, please reach out to us:

Email: hello@wermom.com
Mailing Address: Wermom, Inc., Ontario, Canada
Response Time: We will respond to all privacy inquiries within 30 business days (or as required by applicable law).

We take all privacy inquiries seriously and will work with you to address any concerns. Your feedback helps us improve our privacy practices and earn your continued trust.

Data Protection Authorities

If you believe we are not complying with privacy laws, you may contact:

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We'll notify you of material changes by:

  • Updating the "Last updated" date at the top of this page.
  • Sending you an email notification to the address associated with your account (for material changes).
  • Displaying a prominent notice in the app or on our website (for significant changes).

Your continued use of Wermom after any changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this policy periodically to stay informed about how we protect your privacy. If you disagree with any changes, you can delete your account and request deletion of your data.