OttrClub — Privacy Policy
Londas Tech Ltd ("we", "us", "our") operates the OttrClub mobile app. This Privacy Policy explains what personal data we collect, why, and your rights under UK GDPR.
1. Data Controller
Londas Tech Ltd (company no. 17148940), registered in England & Wales. Contact: legal@ottrclub.com
EU Representative
OttrClub is currently offered in the United Kingdom, and we do not at present target or offer the service to individuals in the EU/EEA.
If and when we begin offering OttrClub to users in the EU/EEA, Article 27 of the EU GDPR will require us to designate a representative established in the EU/EEA for EU data-protection matters. We will appoint such a representative and publish their name, address and contact details in this section before we do so. In the meantime, EU/EEA residents may contact us directly at legal@ottrclub.com regarding any data-protection matter.
2. Data We Collect
| Category | Examples | Why | Legal basis |
|---|---|---|---|
| Account identity | First name, last name initial, email, phone, profile photo | Create and manage your account | Contract |
| Profile & preferences | Country, parenting stage, lifestyle interests, bio | Personalise your experience | Contract / Legitimate interests |
| Children's data | Each child's date of birth, and (optional) first name and sex | Power age-based tracker insights and content | Contract |
| Health & reproductive data | Pregnancy / trying-to-conceive status; your child's feeding, sleep and pumping logs, including any allergen reactions you record | Power your personal trackers and the AI assistant | Explicit consent (Art. 9(2)(a) GDPR) |
| Voice recordings | Voice messages you record, sent to Google Cloud Speech-to-Text for transcription | Convert speech to text for posts, messages and tracker entries | Contract |
| Location | Approximate location (city-level geohash) | Enable Local Chat discovery | Consent |
| Community content | Posts, comments, direct messages, voice notes, images | Operate the community platform | Contract |
| Tracker data | Feeding logs, sleep logs, pump session logs | Power your personal trackers | Contract + Explicit consent (see "Health & reproductive data" above) |
| Device & technical | Device type, OS, crash reports, push token | Deliver notifications, fix bugs (Crashlytics) | Legitimate interests |
| Usage analytics | Screen views, feature usage (anonymised) | Improve the app (Firebase Analytics) | Consent (EEA/UK) / Legitimate interests (elsewhere) |
| Marketing consent | Whether you opted in at registration | Send optional marketing communications | Consent |
We do not collect full payment card numbers (these are held by Apple or Google), and we do not collect private message content for advertising purposes.
Special-category (health) data and your consent
Pregnancy/trying-to-conceive status, and your child's feeding, sleep and pumping logs (including allergen reactions), are "special category" data concerning health under Article 9 GDPR. We only process this data with your explicit, granular, and revocable consent:
- You are asked for this consent before this data is first stored, e.g. when you select "Pregnancy" or "Trying to conceive" as your parenting stage, or before you open the feeding, sleep or pumping trackers or the AI assistant.
- You can use core community features (forums, chat, Local Chat) without giving this consent.
- You can withdraw consent at any time via Settings → Safety & legal → Health & tracking data consent. Withdrawing does not delete tracker data you already recorded, but the trackers and AI assistant become unavailable until you consent again.
- Because this is high-risk processing, we maintain a Data Protection Impact Assessment (DPIA) for these features.
3. How We Use Your Data
- Providing the Service: authentication, community, trackers, personalisation, content delivery.
- Safety & moderation: AI and human review of public content to prevent abuse.
- Push notifications: activity alerts (likes, comments, messages) and subscription/trial notifications, plus optional marketing/re-engagement notifications if you opted in at registration (see "Marketing consent" in §2). We do not send marketing emails. Turn marketing notifications off at any time via Settings → Notifications — this won't affect activity alerts.
- Advertising (free tier): device advertising IDs shared with Google AdMob for interest-based ads. Opt out via device settings or upgrade to Premium.
- Analytics: anonymised, aggregated usage data (Firebase Analytics) to improve features. Crash reporting (Firebase Crashlytics) is separate and runs on a strictly-necessary basis to keep the app stable and secure.
- Legal obligations: compliance with law and law enforcement requests where legally required.
Automated moderation and account decisions
We use an AI moderation system (Google Gemini) to help review content posted to the community (forums, chat, comments). This system can automatically:
- Block or hide a post, comment or message that appears to breach our Community Guidelines, before any person sees it; and
- Suspend an account once it has received a set number of reports from other users (an "automated account decision").
Where an automated decision has a significant effect on you — such as suspending your account — we will tell you this in the app and you have the right to:
- Request human review of the decision,
- Express your point of view, and
- Contest the decision,
by emailing legal@ottrclub.com within 30 days. We will respond within 30 days of your request. This does not affect your right to lodge a complaint with a supervisory authority (see §8) or, for EU users, your rights under the EU Digital Services Act.
Cookies, SDKs & tracking technologies
If you're in the UK or EEA, when you first open the app we ask for your consent (via the same prompt used for advertising) before Firebase Analytics reads or writes any identifier on your device. If you decline, or before you respond, Analytics stays off — only Crashlytics (strictly necessary) and the core app functions continue. You can change this choice at any time via Settings → Safety & legal → Privacy & ad preferences (shown where Google determines this choice applies to you). Outside the UK/EEA, Analytics operates on a legitimate-interests basis as described in §2.
OttrClub is a native mobile app, not a website, so it doesn't use traditional web cookies. The table below is the mobile-app equivalent of a cookie policy — it lists the software development kits ("SDKs") built into the app that can access identifiers on your device or read/write local storage, what each is for, and how to control it (supporting the PECR/ePrivacy and CPRA "notice at collection for tracking technologies" requirements).
| SDK / technology | Purpose | What it accesses | Status | How to control |
|---|---|---|---|---|
| Firebase Authentication | Signs you in and keeps you signed in | Authentication tokens (stored locally on your device) | Strictly necessary | Always on — required to use the app |
| Firebase Firestore / Storage / Cloud Functions / Realtime Database | Stores and syncs your account, posts, messages, and tracker data | App data only — no separate device identifier | Strictly necessary | Always on — required to use the app |
| Firebase Cloud Messaging (FCM) | Delivers push notifications | A device push token | Strictly necessary for the notification you've requested | Turn individual notification types on/off in Settings → Notifications, or disable notifications entirely at the OS level |
| Firebase App Check (Play Integrity / Device Check) | Confirms requests to our backend come from a genuine copy of the app, to prevent abuse | A device-attestation token — not used for tracking or advertising | Strictly necessary (security) | Cannot be disabled — required to protect the service |
| Firebase Analytics | Anonymised, aggregated product-usage analytics, to help us improve the app | Device/app identifiers, screen-view and feature-usage events | Requires your consent in the UK/EEA; operates on a legitimate-interests basis elsewhere, with an opt-out | Settings → Safety & legal → Privacy & ad preferences |
| Firebase Crashlytics | Crash and stability diagnostics, so we can fix bugs | Device identifiers and crash logs (no account content) | Strictly necessary (security & stability) | Cannot be disabled; retained for 90 days (see §5) |
| Google AdMob + Google User Messaging Platform (UMP) | Shows advertising to free-tier users; UMP manages your consent choices | Advertising identifier, coarse device/usage signals for ad targeting | Requires your consent in the UK/EEA; in the US, you can opt out of "sharing" for cross-context advertising (CPRA) | Settings → Safety & legal → Privacy & ad preferences — or remove ads entirely with OttrClub Premium |
| RevenueCat | Keeps your subscription/entitlement status in sync across devices | Your app user ID and purchase/entitlement tokens (no card details) | Strictly necessary for Premium features | Always on if you have, or have had, a subscription |
Your overall controls: In the UK/EEA, the Google UMP consent form (shown on first launch and reopenable any time) controls Firebase Analytics and AdMob together. In the US, the same Settings → Safety & legal → Privacy & ad preferences entry point surfaces the "Do Not Sell or Share My Personal Information" control described in §10. Notification-related SDKs (FCM) can be controlled per-category in Settings → Notifications. For the full list of third parties that process personal data on our behalf (not just SDKs), see our Subprocessor List.
4. Third-Party Processors
We use a small number of trusted service providers ("subprocessors") to operate OttrClub — for authentication and database hosting, AI features, voice transcription and translation, advertising, subscription management, and search. All processors are subject to GDPR-compliant data processing agreements (DPAs).
For the full, up-to-date list — including what each processor does, what data it sees, where it's located, and how international transfers are safeguarded — see our Subprocessor List.
5. Data Retention
| Data type | Retention |
|---|---|
| Account & profile | Until account deletion, then within 30 days |
| Community posts & comments | Until account deletion or user deletion |
| Direct messages | Until either participant deletes their account |
| Tracker data | Until account deletion |
| Voice recordings (audio) | Same as the post, message or tracker entry they were attached to (see rows above) — the transcribed text becomes part of that content |
| Moderation & safety records (reports, enforcement actions, blocked-content log) | Retained for 12 months after creation — including after the reported or reporting account is deleted — for safety, audit and legal-compliance purposes |
| Analytics (anonymised) | Up to 14 months (Firebase Analytics default) |
| Crash reports | 90 days |
6. Children's Privacy
OttrClub is intended for adults aged 18 and over. By creating an account, you confirm that you are at least 18 years old, and we ask you to confirm this during sign-up. OttrClub is not directed at, and does not knowingly permit use by, anyone under 18. We do not knowingly collect personal information directly from children.
Where you add information about your own child (such as a date of birth, and optionally a first name and sex) for use of our parenting tools, that information is provided by you, the adult account holder, exercising your parental responsibility to use the app on your child's behalf. It is about your child but controlled by you: it is stored under your account, is not used to create a separate account or profile for your child, and your child is not a user of, or data subject interacting directly with, the Service. It is processed under the same explicit consent that covers health/tracker data — see "Special-category (health) data and your consent" above — and you can delete it at any time by editing or removing the child from your profile, or by deleting your account.
We apply data-minimisation principles to this data: only date of birth is required, name and sex are optional, and we do not use a child's data for profiling or marketing, or share it beyond what is needed to provide the tracker and AI assistant features to you.
7. Location Data
Approximate location (not GPS coordinates) is collected only when you join a Local Chat channel. You can decline this permission; all other features remain available.
8. Your Rights Under UK GDPR
You have the right to:
- Access — request a copy of your data via Settings → Safety & legal → Download my data, or by emailing legal@ottrclub.com.
- Rectification — correct inaccurate data via Settings → Edit Profile.
- Erasure — delete your account and all data via Settings → Delete Account & Data.
- Restriction — request we limit processing in certain circumstances.
- Portability — receive your data in a structured, machine-readable format (via the export above).
- Object — object to processing based on legitimate interests.
- Withdraw consent — unsubscribe from marketing via Settings; withdraw location consent via device settings; withdraw health & tracking data consent via Settings → Safety & legal → Health & tracking data consent; change your analytics/advertising consent via Settings → Safety & legal → Privacy & ad preferences.
Contact: legal@ottrclub.com. We will respond within 30 days.
If something goes wrong: breach notification
If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within the legally required timeframe (e.g. 72 hours under UK/EU GDPR) and, where required, notify affected users without undue delay.
You may also lodge a complaint with a data protection regulator:
- UK — the Information Commissioner's Office (ICO), ico.org.uk.
- EU/EEA — your local data protection authority (the supervisory authority in the EU/EEA country where you live, work, or where any alleged infringement occurred).
- Australia — the Office of the Australian Information Commissioner (OAIC), oaic.gov.au.
- New Zealand — the Office of the Privacy Commissioner, privacy.org.nz.
9. International Transfers
All app data (your account, profile, children's, tracker and community data) is stored in the EU (europe-west1).
Some of our processors — Google Gemini, Google Cloud Speech-to-Text and Translation, Google AdMob, and RevenueCat — operate globally and may process data outside the UK/EEA as part of providing their service (see our Subprocessor List for details on each). Where this occurs, the transfer is protected by the UK International Data Transfer Agreement (IDTA) and/or the EU Standard Contractual Clauses with the UK Addendum, as applicable.
10. US Privacy Rights
If you are a resident of the United States, the following additional disclosures apply, alongside the rights described in §8.
California (CCPA/CPRA)
You have the right to:
- Know what personal information we collect, use, disclose, and (where applicable) "sell" or "share," and to request a copy of it.
- Delete personal information we hold about you, subject to limited exceptions (e.g. information we need to retain for security, fraud-prevention, or legal-compliance purposes).
- Correct inaccurate personal information.
- Portability — receive your data in a portable format (see §8, "Access").
- Non-discrimination — we will not deny you goods or services, charge you a different price, or provide a different level of quality because you exercised any of these rights.
"Selling" and "sharing": We do not sell your personal information for money. However, sharing your device's advertising identifier with Google AdMob for interest-based advertising (free tier — see §3, "Advertising") is "sharing" for cross-context behavioural advertising under the CPRA. You can opt out at any time via Settings → Safety & legal → Privacy & ad preferences ("Do Not Sell or Share My Personal Information"). If you opt out, you'll still see ads, but they won't be personalised using cross-context data.
Sensitive personal information: Your health and reproductive data (pregnancy/TTC status, and your child's feeding, sleep and pumping logs, including allergen reactions) is "sensitive personal information" under the CPRA. We do not process it unless you give opt-in, explicit consent — see "Special-category (health) data and your consent" in §2 and Settings → Safety & legal → Health & tracking data consent. Because our default is "off" until you opt in, this already meets (and exceeds) the CPRA's "Limit the Use of My Sensitive Personal Information" baseline, which is normally an opt-out right.
Notice at collection: This Privacy Policy is our notice at collection — it's available before, or at the point of, collecting personal information (linked from the registration screen and from Settings).
"Shine the Light": California residents may ask, once a year, whether we've disclosed personal information to third parties for those third parties' own direct-marketing purposes. We do not make such disclosures.
Other US state privacy laws (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others)
If you live in a US state with a comprehensive consumer privacy law (e.g. the Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Privacy Act, Utah Consumer Privacy Act, Texas Data Privacy and Security Act, or similar laws in Oregon, Montana, and elsewhere), you generally have the right to:
- access, delete, correct, and obtain a portable copy of your personal data (see §8);
- opt out of processing your personal data for targeted advertising, "sale," or profiling that produces legal or similarly significant effects — see "Selling and sharing" above for how to opt out of advertising-related sharing; and
- give opt-in consent before we process sensitive data, including health data — already our default approach, as described above.
Appeals: If we decline a privacy request you've made under one of these laws, you can appeal by emailing legal@ottrclub.com with "Privacy rights appeal" in the subject line. We'll respond within the timeframe your state's law requires (typically 45–60 days). If we don't resolve your appeal, some states (e.g. Colorado, Connecticut) let you refer the matter to your state Attorney General.
Children (COPPA)
OttrClub is not directed at children under 13, and we do not knowingly collect personal information from children under 13 — see §6, "Children's Privacy," for our full position on age and children's data.
11. Australia
If you're in Australia, this Privacy Policy is also intended to meet our obligations under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Because OttrClub processes health information (feeding, sleep, pumping and allergen data, and pregnancy/TTC status), the Privacy Act applies to us regardless of our annual turnover.
- Open and transparent management (APP 1): this Privacy Policy is our APP 1 policy — it sets out what we collect, why, how it's used, and how to contact us (§1, §12).
- Collection of sensitive information (APP 3): we only collect health and reproductive information with your explicit, opt-in consent — see "Special-category (health) data and your consent" in §2.
- Use and disclosure (APP 6): see §3 for how we use your data; we don't use or disclose it for purposes beyond what's described in this policy.
- Direct marketing (APP 7): marketing notifications are opt-in, and you can turn them off at any time — see "Marketing consent" in §2 and §3.
- Cross-border disclosure (APP 8): some of our processors operate overseas — see §9, "International Transfers," and our Subprocessor List, for who, where, and under what safeguards.
- Security (APP 11): see §13.
- Access and correction (APPs 12-13): see §8.
Complaints: You can complain to us at legal@ottrclub.com, or to the Office of the Australian Information Commissioner (OAIC), oaic.gov.au.
Watch item: Australia's 2024-25 Privacy Act reforms introduced a statutory tort for serious invasions of privacy and mandated a forthcoming Children's Online Privacy Code. We'll update this policy once that Code is finalised.
12. New Zealand
If you're in New Zealand, this Privacy Policy is also intended to meet our obligations under the Privacy Act 2020 and its Information Privacy Principles (IPPs).
- Collection (IPPs 1-4): this policy tells you what we collect, why, and who it may be disclosed to (§2-§4).
- Disclosure outside New Zealand (IPP 12): some of our processors operate overseas. Before disclosing your information to an overseas recipient, we either rely on contractual safeguards (e.g. the EU Standard Contractual Clauses, which we use as our baseline transfer mechanism — see §9) to ensure they're subject to privacy obligations comparable to the Privacy Act 2020, or the disclosure is otherwise permitted under IPP 12. See §9 and our Subprocessor List for the relevant processors and safeguards.
- Notifiable breaches (Part 6): see "If something goes wrong: breach notification" in §8 — we'll notify the Privacy Commissioner and affected individuals of any breach that has caused, or is likely to cause, serious harm.
- Complaints: you can complain to us at legal@ottrclub.com, or to the Office of the Privacy Commissioner, privacy.org.nz.
Consumer guarantees: Nothing in our Terms of Service excludes your rights under the Consumer Guarantees Act 1993 or the Fair Trading Act 1986 — see Terms of Service §15.
13. Security
We use Firebase Authentication, TLS encryption in transit, Firebase App Check, and role-based access controls. Biometric app lock is stored locally on your device only and never transmitted to our servers.
14. Changes to This Policy
We will notify you by push notification and email when we make material changes.
15. Contact
Londas Tech Ltd (company no. 17148940) · legal@ottrclub.com
