haguTerms

Privacy Policy

Effective 2 July 2026 · Version 2026-07-02

Hagu ("we", "us") helps parents and caretakers log a baby's feeds, diapers, sleep, pumping and weight, shared privately between the people caring for that child. This policy explains what personal data we collect, why, the legal bases we rely on, who we share it with, how long we keep it, and the rights you have over it.

We take a data-minimising approach: we collect only what the app needs to work, we do not sell your data, and we show no advertising and run no third-party analytics or tracking.

Who is responsible for your data

The data controller is Daniel Cheng, operator of Hagu (hagubaby.app). For any privacy question or to exercise your rights, contact us at privacy@hagubaby.app.

What data we collect

Account data. Your email address (used for sign-in) and an optional display name so other caretakers can see who logged what.

Child and care data. The baby's name and (optional) birth date, and the entries you log: feeds (breastfeeding, bottle), diapers, sleep, pumping and weight, each with a time and optional note. Some of this — for example weight and feeding — is information about an identifiable infant's health, which is treated as a special category of data (see legal bases below).

Caretaker relationships. Which babies you can access and your role (owner or caretaker), and invite links you create or accept.

Notification data. If you enable push reminders, the push subscription details your browser provides (an endpoint and keys) so we can deliver a notification.

Technical data. Standard server and security logs (such as IP address, timestamps and device/browser information) generated by our hosting and database providers when you use the app.

Why we use your data, and our legal bases

Under the GDPR and Singapore's PDPA we rely on the following bases:

To provide the service (contract). Creating your account, storing and syncing the entries you log, sharing them with the caretakers you invite, and sending the sign-in email. Legal basis: performance of a contract (GDPR Art. 6(1)(b)).

To process health-related child data (explicit consent). Logging and displaying feeding, weight and related information about your baby. Legal basis: your explicit consent (GDPR Art. 9(2)(a)), which you give as the child's parent or guardian when you set up the baby and which you can withdraw at any time by deleting the data or your account.

To keep the service secure and working (legitimate interests). Preventing abuse, debugging, and protecting the service and its users. Legal basis: our legitimate interests (GDPR Art. 6(1)(f)), balanced against your rights.

To meet legal obligations. Where we must retain or disclose data to comply with the law. Legal basis: legal obligation (GDPR Art. 6(1)(c)).

Children's data

Hagu is designed for adults (parents, guardians and the caretakers they invite) to record information about a baby. The account holder must be an adult. The data about the child is entered and controlled by the adult caretakers, who confirm they are the parent or guardian, or are authorised by them, when they set up or join a baby.

Who we share data with

We share your data only with the caretakers you invite to a baby, and with the service providers (sub-processors) we use to run Hagu. We never sell your data or share it for advertising. Our sub-processors are:

Supabase. Database, authentication and realtime sync. Hosting region: Singapore. (supabase.com/privacy)

Vercel. Application hosting and content delivery. (vercel.com/legal/privacy-policy)

Resend. Sends the sign-in (magic link) email. (resend.com/legal/privacy-policy)

Web push services. If you enable reminders, notifications are delivered through your browser/OS push service (for example Apple, Google or Mozilla).

International transfers

Our database is hosted in Singapore and some providers (such as our hosting and email) may process data in the United States or other countries. Where data of users in the EEA or UK is transferred outside those areas, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses. You can ask us for more detail using the contact address above.

How long we keep it

We keep your account and the entries you log for as long as your account is active. When you delete an entry it is removed from the live database; when you delete your account we delete your personal data as described in “Your rights” below. Residual copies in encrypted backups are overwritten on our providers' normal backup rotation, generally within 30 days. We may retain the minimum necessary for legal or security reasons.

Your rights

Subject to applicable law, you have the right to:

  • Access — get a copy of the personal data we hold about you. You can export your data at any time from Settings.
  • Rectification — correct inaccurate data. You can edit or delete any entry directly in the app.
  • Erasure — delete your account and personal data. Use “Delete account” in Settings, or contact us.
  • Portability — receive your data in a structured, machine-readable format (the in-app export provides JSON).
  • Restriction and objection — ask us to limit or stop certain processing.
  • Withdraw consent — where we rely on consent, withdraw it at any time (this does not affect processing already carried out).
  • Complain — lodge a complaint with your data protection authority (in the EEA/UK, your local supervisory authority; in Singapore, the PDPC).

To exercise a right that isn't self-service in the app, email privacy@hagubaby.app. We aim to respond within 30 days.

Cookies and similar technologies

We use only the cookies and local storage the app needs to function — we do not use advertising or third-party tracking cookies:

Authentication (strictly necessary). Keeps you signed in securely. The app will not work without these.

Preferences (functional). Remembers your chosen language, and stores an in-progress feed or sleep timer on your device so it survives a refresh.

How we protect your data

Data is encrypted in transit (HTTPS). Access to each baby's data is enforced at the database level with row-level security, so only the caretakers of a baby can read or write that baby's entries. We keep the number of people and systems that can access data to a minimum.

Changes to this policy

We may update this policy as the service evolves. Material changes will be reflected here with a new effective date, and where required we will ask for your consent again.