Privacy Policy
What I collect and what I don't.
The short version
Rhythm keeps your data on your device by default. If you enable sync, your data is encrypted in transit (TLS) and my offsite backups are encrypted. I don't run ads, don't sell your data, and you can export everything anytime.
1. Local-first by default
Your data stays on your device unless you turn on sync. No cloud database storing your baby's feeds, sleep patterns, or health notes unless you want it to.
The app works fully offline and there's no server to breach if you don't sync.
2. Sync and encryption
If you sync with a partner or caregiver, your data goes through my servers to keep devices in sync. It's encrypted in transit (TLS), and my offsite backups are encrypted, but the database itself is not encrypted at rest on disk. I hold any keys involved, so I technically could access your synced data, even though I don't. I'd rather be upfront about that.
End-to-end encryption is planned. Once it ships, I won't be able to read your data even if someone compels me to.
3. What I collect
Account information
When you create an account, I collect your email address. I use it for login, password resets, and household invites. I don't send marketing emails.
Technical logs
I log technical errors and performance metrics to keep the app running. These logs contain no personal information and are automatically deleted after 14 days.
Audit logs
I log security events like logins, account deletions, and password changes. These are kept for up to a year.
Cookies
I use functional cookies for authentication (keeping you logged in). I don't use tracking cookies, analytics cookies, or third-party advertising cookies.
4. What I don't collect
No ads, no data sales, no AI training on your data. I don't use analytics services, ad networks, or data brokers.
5. Third-party services
- Stripe processes payments. Your payment details go directly to Stripe. I never see or store your full card number.
- Cloudflare provides DNS and CDN services. They may process your IP address and request metadata to route traffic and protect against attacks.
- Resend sends transactional emails (password resets, verification, household invites). They process your email address to deliver those messages.
- Backblaze B2 stores encrypted backups offsite. Your data is encrypted before it reaches B2.
6. Data retention and deletion
When you delete your account, your data is deleted immediately from all servers. If you're the last admin in a household, the entire household database is deleted. If other admins remain, your profile is deactivated and the household data is preserved for them.
Encrypted backups are retained on a rolling schedule: 7 daily, 4 weekly, and 3 monthly. A backup containing your deleted data will age out within 90 days at most.
7. Exports and your rights
You can download your entire history in JSON format at any time, without a subscription.
You have the right to:
- Access all personal data I hold about you
- Delete your account and all associated data
- Export your data in a portable format (JSON)
- Correct inaccurate personal data
- Object to processing of your data
You can do most of this from your account settings. For anything else, email support@rhythm.baby.
For EU residents (GDPR)
Legal bases for processing: I need your email to run the service (contractual necessity), I keep audit logs to prevent fraud (legitimate interest), and auth cookies are required for the service to work (also contractual necessity). You can also lodge a complaint with your local data protection authority.
For California residents (CCPA)
I don't sell your personal information or share it for advertising. You have the right to know what I collect (see Section 3) and to request deletion, and I won't treat you differently for exercising any of these rights.
8. Changes to this policy
This policy may change over time. For substantial changes, I'll email you at least 30 days before they take effect.
Questions?
If you have questions about how I handle data, email support@rhythm.baby.
Rhythm App, LLC
Incorporated in the State of Delaware