Last updated: 12 June 2026 · Effective: 12 June 2026
1. Who we are
Birthli ("Birthli", "we", "us") is a privacy-first app for recording and safeguarding a child's early life – memories, photos, growth, vaccinations and important documents. This policy explains what data we collect, why, how we protect it, and the rights you have over it. It applies to birthli.com and the Birthli app.
2. What we collect
| Category | Examples | Why |
|---|---|---|
| Account | Email address, password (stored only as a salted hash – never in plain text) | To create and secure your account |
| Child profile | Name, date of birth, gender | To personalise milestones, the vaccine schedule and growth tracking |
| Memories & media | Notes, photos, milestone entries | To build your baby book |
| Health | Growth measurements, vaccination records | To track development against the IAP schedule |
| Documents (vault) | Uploaded files; identity numbers stored as last-4 only (e.g. Aadhaar) | To keep important records in one safe place |
| Technical | Session cookie, minimal server logs (IP, timestamp) | To keep you signed in and to operate the service securely |
We do not ask for more than the above, and many fields are optional. We do not store full identity numbers – only the last four digits you choose to enter.
3. How your data is protected
- Encryption at rest. Your vault – documents and sensitive fields – is protected with AES-256-GCM envelope encryption: a master key wraps a unique per-user data key, so your records are unreadable on disk without it.
- Encryption in transit. All traffic uses HTTPS (TLS) with HSTS enforced.
- Passwords are stored only as salted hashes; we can never see or recover your password.
- No third-party SDKs or trackers – there is no analytics pixel, ad network or social script embedded in Birthli.
- Hardened operations – strict security headers (CSP, X-Frame-Options, Referrer-Policy), rate limiting, automated health monitoring and encrypted backups.
4. How we use your data
We use your data only to provide and improve the service you signed up for: to show your baby book, compute milestones and vaccine reminders, secure your account, and send you essential service emails (such as a one-time verification code or a vaccine-due reminder). We do not use your data for advertising or profiling, and we do not make automated decisions that produce legal effects about you.
5. What we never do
- We never sell, rent or trade your personal data.
- We never share your child's data with advertisers or data brokers.
- We never display third-party ads inside Birthli.
- We never read the contents of your encrypted vault for marketing.
6. Third parties we rely on
We keep these to the minimum needed to run the service, and we share only what each one requires:
- Hosting – our server infrastructure provider stores the encrypted database and files.
- Email delivery – a transactional email provider sends verification codes and reminders. It receives only the recipient address and message, never your vault.
These providers act as processors under our instructions and do not use your data for their own purposes.
7. Your rights & choices
You are in control of your data at all times. From Settings in the app you can:
- Export – download everything Birthli holds for you (data portability).
- Delete – permanently erase your account, children, photos, documents and memories. This is immediate and cannot be undone.
- Correct – edit any profile, record or document directly.
You also have the right to withdraw consent, to object to processing, and to lodge a complaint with the Data Protection Board of India. To exercise any right we don't already expose in-app, email us (Section 11).
8. Children's data & parental consent
Birthli is designed to be used by a parent or legal guardian to record their own child's information. Accounts are for adults; the child is the subject of the records, not the account holder. By adding a child you confirm you are that child's parent or guardian and consent to processing the data you enter. We process children's data only to provide the features you ask for, and never for tracking, profiling, advertising or behavioural monitoring – consistent with the protections for children's data under India's Digital Personal Data Protection (DPDP) Act, 2023.
9. Data retention
We keep your data for as long as your account is active. When you delete your account, your personal data and vault contents are removed promptly. Routine encrypted backups may persist for a short rotation window before being overwritten; they are never used for any other purpose.
10. International users
Birthli is built India-first and our data is stored on infrastructure operated for the service. If you access Birthli from outside India, you consent to processing as described in this policy.
11. Contact us
Questions, requests, or a privacy concern? Email privacy@birthli.com. We aim to respond within a reasonable period.
12. Changes to this policy
If we make a material change, we'll update the date at the top of this page and, where appropriate, notify you in-app or by email. Continued use of Birthli after a change means you accept the updated policy.