Privacy Policy
Last updated: June 18, 2026
Olive My Stats (“Olive”, “we”, “us”) is a baby-tracking app operated by Brobata, LLC. This policy explains what we collect, how we use it, and the choices you have.
Information we collect
You give us: your email address, a display name, and the events you log for your baby (feeds, diapers, naps, weights, medications, temperatures, notes). If you choose, you can also add your baby's name and birth date.
Automatic: device type and OS version (so the app renders correctly), authentication tokens (so you stay signed in), and crash reports via Sentry (stack traces and device model). We do not currently run ad networks or third-party behavioral analytics inside the app. See Future changes below for how we'll handle changes to our data practices.
Push tokens (if you opt in): we register an Expo push token (Android) or APNs token (iOS) so we can send reminders (e.g. “feed overdue”) and red-flag heads-ups. Tokens are stored only as long as you have notifications enabled and are deleted when you turn them off.
Optional “About you” fields: if you choose to fill them in (during signup or later in Settings), we keep your US state, parent age range, household income range, partner situation, childcare situation, whether this is your first baby, and birth type. Every one of these is optional and can be cleared back to blank at any time. We use them to tailor suggestions and to make the anonymous patterns described below more useful.
Health information & disclaimers
Olive is not a medical device and is not intended for diagnosis, treatment, cure, or prevention of any disease. The insights surfaced in the app are educational summaries of guidance from public sources (AAP, CDC, KellyMom, NIH/NICHD, WHO). Always consult your pediatrician for medical advice.
We are not a HIPAA-covered entity and we do not accept Protected Health Information from healthcare providers.
How we use your data
To run the service: keep you signed in, sync your timeline across your devices and to other members of your account, compute insights on-device and in our backend, and send reminders you've enabled.
To keep the app working: aggregate, anonymized error reports help us fix crashes. These never include event contents.
Improvement data: to make Olive better for future parents, we use your data in fully anonymous, aggregated form — nothing that could identify you or your baby is included. Before we use it, we remove your name, email, baby's name, baby's birth date, and account ID. What remains is patterns (counts and averages across many babies), not people. This is on by default. You can turn it off any time in Settings → Privacy & security on the website.
Who can see your data
Only members of your account, plus any read-only share links you create. We use Postgres row-level security (RLS) to enforce this at the database layer — not just in app code.
We do not currently engage in the “sale” or “sharing” of personal information as those terms are defined under California (CCPA/CPRA) or other US state privacy laws. We currently share personal information only with the operational subprocessors listed below as needed to run the service. If our practices change — for example, if we introduce sponsored partner content, advertising, or analytics that meet a statutory definition of “sale” or “sharing” — we will update this Privacy Policy in advance and provide the disclosures and opt-out mechanisms required by applicable law (including a “Do Not Sell or Share My Personal Information” control for California residents). See Future changes below.
Subprocessors
Supabase (database, auth, realtime) — US data centers. Hosts your account row and event log. DPA: supabase.com/legal/dpa.
Vercel (web hosting, edge runtime) — runs olivestats.com. DPA: vercel.com/legal/dpa.
Sentry (crash reporting) — receives stack traces, device model, OS version. No event content. DPA: sentry.io/legal/dpa.
Expo / Apple / Google (push delivery) — relay the notification payload (without your baby's name on lock-screen messages, per our internal rule) from our server to your device. Apple Push: apple.com/legal/privacy · Google FCM: firebase.google.com/support/privacy · Expo: expo.dev/privacy.
Resend (transactional email) — delivers magic-link and account emails. DPA: resend.com/legal/dpa.
Your rights
Export: download every event you've logged as a CSV from Settings → Export.
Delete: delete your account from Settings → Account → Delete account. Soft-delete keeps your data for 30 days in case you change your mind. After 30 days, account and member rows are anonymized; raw events are kept only in aggregated form.
Correct: edit any event you've logged from the timeline.
California residents (CCPA), EEA/UK residents (GDPR): contact us at privacy@olivestats.com for a copy of, correction of, or deletion of your data.
Children
Olive is for parents and caregivers (adults). We do not knowingly collect data directly from children under 13. The events you log about your child are stored under your adult account and treated as your data, not theirs.
Security
Data is encrypted in transit (TLS 1.2+) and at rest (Supabase AES-256 disk encryption). We enforce row-level security at the database layer so even our backend can only return rows the requesting user is authorized to read. Mobile adds biometric + optional PIN locks with a 5-minute idle re-prompt. Auth options are email magic-links, Google sign-in, Sign in with Apple, and email + password (passwords are stored hashed by Supabase Auth; our app never sees the plaintext).
Breach notification
If we ever discover a security breach affecting your data, we'll notify you by email within 72 hours of confirmation, in line with GDPR Article 33 and applicable US state breach-notification laws. The notice will describe what was accessed, what we've done in response, and the steps you can take.
Future changes and your consent
The product, the data we collect, the partners and subprocessors we work with, the way we monetize the service, and the advertising or sponsored content (if any) we show may evolve over time. Olive is currently in early access; we expect changes.
At signup and in Settings → Privacy & security, you can grant or withdraw permission for the following categories of data processing, which together describe Olive's current and contemplated future monetization activities: (a) product improvement and analytics; (b) personalization and tailored recommendations within Olive; (c) advertising and sponsored content (including any future in-app or website advertising, sponsored partner cards, and affiliate recommendations); (d) the sharing or sale of personal information for marketing, advertising, or analytics purposes (including disclosures that may meet a statutory definition of “sale” or “sharing” under CCPA/CPRA or comparable laws); (e) marketing communications by email, push, or in-app message; and (f) any other monetization or partnership activities reasonably ancillary to the foregoing.
We obtain this permission through an affirmative opt-in at signup that meets the strictest applicable consent standards (including GDPR, UK GDPR, and the Washington My Health My Data Act) so that the same consent is valid for every user regardless of where you currently live or where you may move in the future. The opt-in box is never pre-checked and you may choose to use Olive without granting it; your choice is recorded with a timestamp and is fully revocable at any time in Settings → Privacy & security.
Where you have granted permission, we may begin or change processing within the listed categories without separate advance notice. Where you have not granted permission — or where you later withdraw it — we will not perform that processing for you, and we will give you the opportunity to grant fresh consent before any specific new processing affects your account.
When our data practices change in a way that meaningfully affects you and exceeds the consents you have provided, we will:
• Update this Privacy Policy with the new practices clearly described, including any new categories of data collected, new purposes for use, new subprocessors, or new sharing arrangements.
• Give you advance notice by email at least 14 days before the change takes effect for users to whom it applies (30 days for changes that introduce advertising, sponsored content, or any new disclosure of personal information to a third party for their own use).
• Provide an opt-out at least as broad as applicable law requires (for example, a “Do Not Sell or Share My Personal Information” control for California residents, the right to object to processing for EEA/UK residents, and the consumer health data revocation right for Washington residents under the My Health My Data Act).
• Apply the affirmative-opt-in standard universally: we treat every user's consent choice as binding under the strictest applicable rules (GDPR, UK GDPR, Washington MHMDA, CCPA/CPRA), so the presence or absence of your consent travels with you even if you move between jurisdictions or your state enacts new requirements later. Advertising, sale, sharing, and marketing data uses will not take effect for any user who has not affirmatively opted in.
• Maintain your existing data choices where reasonably possible — turning on a new feature for new users will not silently change settings you previously configured.
Your continued use of Olive after the notice period (or, for permissions you have already granted, your continued use without withdrawing them) constitutes agreement to the updated practices, except where applicable law requires affirmative consent — in which case the change takes effect for you only after you opt in.
Changes
See Future changes above. We'll email you about meaningful changes to this policy at least 14 days before they take effect (30 days for changes that introduce advertising, sponsored content, or new third-party data disclosures).
Contact
General: hello@olivestats.com
Privacy / data requests: privacy@olivestats.com
Security: security@olivestats.com