HannaH - Privacy Policy
Version 1.3 | Last updated: April 17, 2026 | Effective date: February 21, 2026
HannaH ("we," "us," "our," or the "App") is operated by MV Studio ("Company", "Data Controller"). This Privacy Policy describes how we collect, use, store, share, and protect your personal information when you use the HannaH mobile application, available on iOS and Android.
By using HannaH, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree, please do not use the App.
Summary: HannaH is a baby tracker, pregnancy tracker, period tracker, and parenting companion app. We collect data necessary to provide our services. We do NOT sell your personal data. We do NOT share your data with third parties for marketing purposes. Your health data and personal tracking information is stored securely on your device and in your private cloud account. Sensitive health data (period cycles, pregnancy data, baby logs) is encrypted and accessible only to you.
1. Data Controller
MV Studio
Email: hannah@mv-studio.net
For data protection inquiries, contact us at the email address above.
2. Data We Collect
2.1 Data You Provide
| Data Type | Purpose | Retention |
|---|
Account Information
Name, email address, profile photo | Authentication, account management, personalization | Until account deletion |
Authentication Tokens
Google Sign-In, Apple Sign-In | Secure login | Session duration |
Child Profiles
Name, date of birth, gender | Age-appropriate tracking, milestone recommendations | Until you delete them |
Period & Cycle Data
Cycle dates, period length, symptoms, flow intensity | Period tracking, cycle predictions, fertility window estimation | Until account deletion |
Fertility & TTC Data
Ovulation dates, fertility indicators | Fertility window tracking, conception planning | Until account deletion |
Pregnancy Data
Due date, week-by-week progress, kick counts, contraction timers, pregnancy notes | Pregnancy tracking, milestone reminders, health monitoring | Until account deletion |
Baby Tracking Data
Feeding logs (breast/bottle/solids), sleep sessions, diaper changes, growth measurements (weight, height, head circumference) | Daily care tracking, growth charts, pattern analysis | Until account deletion |
Health Conditions
Selected allergens, medical conditions, health notes | Personalized product safety warnings, health awareness | Until you delete them |
Milestones & Achievements
Custom milestones, developmental achievements | Developmental tracking, memory keeping | Until account deletion |
Photos & Memories
Photos uploaded by you, associated captions | Memory keeping, photo timeline, milestone documentation | Until you delete them or your account |
AI Chat Messages
Messages sent to the AI companion | Contextual parenting support, conversation continuity | Until you delete them or your account |
Hospital Bag Checklist
Checklist items and completion status | Birth preparation tracking | Until account deletion |
Appointments
Doctor appointments, reminders | Schedule management, reminders | Until account deletion |
Allergen Profiles
Selected allergens for product scanning | Personalized product safety warnings | Until you delete them |
Gratitude Journal
Journal entries | Parent wellness feature | Until account deletion |
2.2 Data Collected Automatically
| Data Type | Purpose | Retention |
|---|
Camera Images
Barcode scans, product label photos | Product identification, ingredient scanning | Processed in real-time, not stored on our servers |
HealthKit Data (iOS)
Data you explicitly choose to share (e.g., weight, heart rate) | Health data integration, growth tracking | On-device only; synced per your HealthKit permissions |
Device Information
Device model, OS version, app version | App compatibility, crash diagnostics | 90 days (analytics), 180 days (crash logs) |
Usage Analytics
Screens viewed, features used | App improvement, feature prioritization | 14 months (Google Analytics default) |
Advertising Identifiers
IDFA (iOS), GAID (Android) | Personalized advertisements (free tier) | As per Google AdMob policy |
Subscription Data
Purchase status, plan type | Entitlement verification | Until account deletion |
IP Address
Approximate location | Fraud prevention, regional content | Not stored by us; processed by Firebase |
2.3 Data Stored On-Device Only
The following data is stored exclusively on your device in a local database (Hive). It is never transmitted to our servers unless you have cloud sync enabled:
- App preferences and settings
- Cached scan history
- Local copies of tracking data (for offline access)
- HealthKit integration data
- Meditation playback history
3. How We Use Your Data
| Purpose | Lawful Basis (GDPR) |
|---|
| Provide baby, pregnancy, and period tracking features | Contract performance (Art. 6(1)(b)) |
| Authenticate your account | Contract performance |
| Display personalized health insights and milestone reminders | Contract performance |
| Generate AI lullabies and bedtime stories | Contract performance |
| Provide AI companion chat responses | Contract performance |
| Scan products for ingredient safety and allergen detection | Contract performance |
| Sync data across your devices via cloud backup | Contract performance |
| Show advertisements (free tier) | Legitimate interest (Art. 6(1)(f)) |
| Process subscription payments | Contract performance |
| App analytics and crash reporting | Legitimate interest |
| Prevent fraud and abuse | Legitimate interest |
| Comply with legal obligations | Legal obligation (Art. 6(1)(c)) |
4. Third-Party Services
HannaH integrates with the following third-party services, each with their own privacy policies:
| Service | Provider | Data Shared | Purpose |
|---|
| Firebase Authentication | Google LLC | Email, name, auth tokens | User login |
| Firebase Firestore | Google LLC | User data (tracking logs, profiles) | Cloud data storage and sync |
| Firebase Storage | Google LLC | Photos, profile images | Photo and media storage |
| Firebase Analytics | Google LLC | Usage events, device info | App analytics |
| Firebase Crashlytics | Google LLC | Crash logs, device info | Crash diagnostics |
| Firebase Remote Config | Google LLC | None (config download only) | Feature flags |
| Firebase Cloud Functions | Google LLC | Product images (temporary), song generation requests | AI features processing |
| Google AdMob | Google LLC | Device ID, ad interactions | Advertising (free tier) |
| RevenueCat | RevenueCat Inc. | Purchase receipts, user ID | Subscription management |
| OpenAI | OpenAI Inc. | Chat messages, product images (via Cloud Functions) | AI companion chat, product identification |
| Suno AI | Suno Inc. | Song generation prompts (child name, theme, style) | AI lullaby and song generation |
| Perplexity | Perplexity AI Inc. | Product queries (via Cloud Functions) | Product scanner AI-powered web search |
| Apple Sign-In | Apple Inc. | Apple ID token | Authentication |
| Google Sign-In | Google LLC | Google account token | Authentication |
| Apple HealthKit | Apple Inc. | Health data you choose to share | Health data integration (iOS only) |
| Open Food Facts | Open Food Facts (non-profit) | Barcode numbers (lookup only) | Product data retrieval |
Links to third-party privacy policies:
5. AI-Powered Features & Third-Party AI Data Sharing
HannaH uses third-party AI services to power certain features. Before using any AI-powered feature for the first time, the app will ask for your explicit consent and clearly explain what data is shared. Below is a complete disclosure of all AI data sharing:
Your consent is required: The app displays a consent dialog before any data is sent to third-party AI services. You can decline and still use all non-AI features of the app (tracking, milestones, stories, etc.).
5.1 Product Scanner — AI Product Identification
| What data is sent | Photos you take of product packaging, ingredient lists, and nutrition tables (camera images) |
|---|
| Who receives it | OpenAI, Inc. (San Francisco, CA, USA) — via our Firebase Cloud Functions (server-side relay, never client-direct) |
|---|
| Purpose | Identify product name/brand from packaging photo; extract ingredient text and nutrition data from label photos via OCR |
|---|
| Data retention by OpenAI | Images are processed in real-time and are not stored by OpenAI beyond the API request. OpenAI's API data usage policy confirms API inputs are not used for model training. |
|---|
| What is NOT sent | Your name, email, health data, tracking data, or any personal information — only the product photo |
|---|
| Data protection | OpenAI is certified under the EU-US Data Privacy Framework and maintains SOC 2 Type II compliance |
|---|
5.2 AI Song Generation — Personalized Lullabies
| What data is sent | Song description/prompt, song title, custom lyrics (if provided), and selected music style — all as typed by the user |
|---|
| Who receives it | Step 1 — Lyrics: OpenAI, Inc. (generates song lyrics from your description)
Step 2 — Music: MiniMax (via fal.ai, Inc., San Francisco, CA, USA) generates audio from lyrics |
|---|
| Purpose | Create a personalized lullaby or children's song based on your description and chosen style |
|---|
| Data retention | Neither OpenAI nor fal.ai/MiniMax store your data beyond the API request. Generated audio is stored in your private Firebase Storage account. |
|---|
| What is NOT sent | Your email, health data, tracking data, photos, or any personal data beyond what you type in the song creation form |
|---|
| Content safety | All user input is moderated via OpenAI Moderation API before generation. Lyrics are generated with strict rules: "NO explicit, violent, or inappropriate content." MiniMax has built-in content safety filters. |
|---|
| Data protection | fal.ai maintains SOC 2 compliance. OpenAI is certified under the EU-US Data Privacy Framework. |
|---|
5.3 Ingredient Safety Scoring (Local — No AI Sharing)
- Ingredient safety scoring, allergen detection, and all food/cosmetic analysis is performed entirely on your device using a bundled SQLite database.
- No ingredient data is sent to any external server for scoring.
5.4 Third-Party AI Protection Confirmation
In compliance with Apple App Store Guidelines 5.1.1(i) and 5.1.2(i), we confirm that all third-party AI services used by HannaH provide the same or equal level of data protection as described in this Privacy Policy:
- OpenAI, Inc.: API data is not used for model training (per API Data Usage Policy). SOC 2 Type II certified. EU-US Data Privacy Framework certified. Privacy Policy
- fal.ai, Inc.: API data is processed in real-time and not retained. SOC 2 compliant. Privacy Policy
Important: AI-generated content (songs, stories) is for entertainment and informational purposes only. It does not constitute medical, health, or professional advice. Do not photograph personal documents, faces, or sensitive information when using the product scanner camera.
6. Health Data
6.1 Sensitive Health Information
HannaH collects and processes health-related data that may be considered sensitive under various privacy laws, including:
- Menstrual cycle and period data
- Fertility and trying-to-conceive data
- Pregnancy health data (kick counts, contractions, pregnancy notes)
- Baby health data (feeding, sleep, diapers, growth measurements)
- Allergen and health condition profiles
- Mood and wellness tracking
How we protect your health data:
- Health data is stored in your private, authenticated Firestore account accessible only to you.
- Local copies are stored in encrypted on-device databases for offline access.
- We do NOT share health data with advertisers, data brokers, or any third parties for marketing purposes.
- Health data is NEVER used for AI model training.
- Only you can access your health data through your authenticated account.
6.2 Apple HealthKit Integration (iOS)
- HannaH may request permission to read or write data from Apple HealthKit.
- HealthKit data access requires your explicit consent via iOS permission prompts.
- HealthKit data is used solely to enhance your tracking experience within the App.
- We do NOT transfer HealthKit data to our servers, third parties, or advertising platforms.
- HealthKit data is NOT used for advertising or marketing purposes.
- You can revoke HealthKit permissions at any time in iOS Settings > Health > HannaH.
6.3 Google Health Connect Integration (Android)
On Android devices, HannaH integrates with Google Health Connect to help expecting and new mothers track their personal wellness alongside their baby tracking. This integration falls within the "Fitness, Wellness & Coaching" approved use case under the Health Connect Permissions policy.
- Read-only access: HannaH only READS data from Health Connect. We never write data back to Health Connect.
- Explicit consent required: Each Health Connect permission must be granted by you through the system Health Connect permission screen. You can grant or deny any individual permission.
- Data types accessed (with purpose):
- Sleep — display sleep duration and quality trends to help new parents monitor recovery from disrupted nighttime feeds.
- Steps, Distance, Active Calories Burned, Total Calories Burned — show activity trends to encourage safe postpartum movement and gentle pregnancy activity, and to help breastfeeding mothers understand their increased caloric needs.
- Weight — display weight progression for healthy pregnancy weight gain and postpartum recovery tracking.
- Hydration — show daily hydration intake, which is especially important for breastfeeding mothers who require increased fluid intake.
- Local processing: Health Connect data is read on your device. The aggregated wellness summaries (e.g., "7,500 steps today", "7h 12min sleep last night") are stored only in your own private cloud account so you can see your trends across devices.
- No sharing or sale: We do NOT share, sell, transfer, or disclose your Health Connect data to any third party. We do NOT use Health Connect data for advertising, profiling, employment decisions, insurance eligibility, or any other prohibited purpose listed in the Health Connect Permissions policy.
- Revoke at any time: You can revoke any or all Health Connect permissions through Settings > Apps > Health Connect on your Android device, or from the in-app Health settings screen. Revoking immediately stops all data access.
- Data deletion: When you delete your HannaH account, all Health Connect–derived wellness summaries stored in your cloud account are permanently deleted. The original Health Connect data on your device is not affected.
6.4 Medical Disclaimer
HannaH is NOT a medical device. All health tracking features (period predictions, pregnancy week information, baby growth charts, kick counters, contraction timers) are for informational and personal tracking purposes only. They do not constitute medical advice, diagnosis, or treatment. Always consult qualified healthcare professionals for medical decisions. In case of emergency, contact your local emergency services immediately.
7. Advertising
The free tier of HannaH displays advertisements provided by Google AdMob. AdMob may collect device identifiers and usage data to serve personalized ads.
- Opt-out of personalized ads: You can adjust your ad preferences in your device settings (iOS: Settings > Privacy > Apple Advertising; Android: Settings > Google > Ads).
- Remove all ads: Subscribe to HannaH Premium to remove all advertisements.
- We comply with the EU ePrivacy Directive and display a consent dialog (GDPR Consent Management Platform) before collecting data for personalized advertising in the EEA/UK.
- No ads near health data: We take care to ensure advertisements are not displayed in contexts that could be misleading alongside health or medical information.
8. Children's Privacy (COPPA Compliance)
HannaH is NOT directed at children under 13. The App is designed for parents, guardians, and expectant parents to track their own health and their children's development.
- Child profiles are created and managed exclusively by parents/guardians, not by children themselves.
- We do not knowingly collect personal information from children under 13 (or under 16 in the EU).
- Child profile data entered by parents (name, date of birth, tracking data) is protected under the parent's authenticated account and is not accessible to any third parties.
- Photos of children uploaded by parents are stored securely in the parent's private cloud storage and are not used for AI training, advertising, or shared with third parties.
- If we learn that we have collected personal information from a child under 13 without parental consent, we will delete it promptly. Contact us at hannah@mv-studio.net.
9. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the United States, where our service providers (Google/Firebase, OpenAI, Suno AI, RevenueCat, Perplexity AI) maintain servers.
- For transfers from the EU/EEA/UK: We rely on the EU-US Data Privacy Framework, Standard Contractual Clauses (SCCs), or other approved transfer mechanisms as applicable.
- Google LLC is certified under the EU-US Data Privacy Framework.
- We ensure that all data transfers comply with applicable data protection laws and that adequate safeguards are in place.
10. Data Retention
| Data Type | Retention Period |
|---|
| Account data | Until you delete your account |
| Child profiles and tracking data | Until you delete them or your account |
| Period, pregnancy, and health data | Until you delete your account |
| Photos and memories | Until you delete them or your account |
| AI chat history | Until you delete conversations or your account |
| AI-generated songs | Until you delete them or your account |
| Product scan history | On-device only; cleared when you uninstall or delete account |
| HealthKit data | On-device only; managed by iOS |
| Analytics data | 14 months |
| Crash logs | 180 days |
| Advertising data | As per Google AdMob retention policy |
| Subscription records | As required by tax/legal obligations (up to 10 years) |
11. Your Rights
11.1 Rights Under GDPR (EU/EEA/UK Residents)
You have the following rights regarding your personal data:
- Right of Access (Art. 15): Request a copy of your personal data.
- Right to Rectification (Art. 16): Correct inaccurate data.
- Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten").
- Right to Restriction (Art. 18): Restrict processing of your data.
- Right to Data Portability (Art. 20): Receive your data in a machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interest, including profiling for advertising.
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time (e.g., for analytics, personalized ads, HealthKit access).
- Right to Lodge a Complaint: File a complaint with your local Data Protection Authority. For Croatia: AZOP (Agencija za zastitu osobnih podataka).
11.2 Rights Under CCPA/CPRA (California Residents)
- Right to Know: What personal information we collect, use, and disclose.
- Right to Delete: Request deletion of your personal information.
- Right to Correct: Correct inaccurate personal information.
- Right to Opt-Out: We do NOT sell or share your personal information for cross-context behavioral advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights.
- Sensitive Personal Information: Health data collected by HannaH is considered sensitive personal information under CPRA. We use it only for providing app functionality and do not use it for profiling or advertising.
In the preceding 12 months, we have collected the categories of personal information described in Section 2. We do not sell personal information. We share data with service providers listed in Section 4 solely for the purposes described.
11.3 Rights Under LGPD (Brazil)
Brazilian residents have rights under the Lei Geral de Protecao de Dados, including access, correction, deletion, anonymization, data portability, and information about sharing. Contact us to exercise these rights.
11.4 Rights Under PIPEDA (Canada)
Canadian residents have the right to access, correct, and challenge compliance. Contact us at the address in Section 1.
11.5 Exercising Your Rights
To exercise any of the above rights, contact us at hannah@mv-studio.net. We will respond within 30 days (GDPR) or 45 days (CCPA). We may need to verify your identity before processing your request.
12. Account Deletion
You can delete your account at any time:
When you delete your account, the following cascade deletion is performed:
- Cloud Documents: All Firestore documents associated with your account are permanently deleted, including child profiles, tracking data, pregnancy data, period data, milestones, achievements, appointments, chat sessions, gratitude entries, hospital bag data, and all other user-specific documents.
- Cloud Storage: All files in Firebase Storage (photos, profile images, AI-generated songs) are permanently deleted.
- Local Databases: All local Hive databases are cleared and deleted from your device.
- Authentication Account: Your Firebase Authentication account is permanently deleted.
- Subscription entitlements are handled by Apple/Google; cancellation must be done through their platforms.
- Anonymized, aggregated analytics data may be retained as it cannot be linked back to you.
13. Data Security
- All data in transit is encrypted using TLS 1.2+.
- Local data is stored in on-device databases (Hive) with app-level encryption.
- Firebase Firestore data is encrypted at rest using Google's default encryption.
- Firebase Storage files are encrypted at rest.
- Authentication uses industry-standard OAuth 2.0 (Google, Apple).
- Firestore Security Rules ensure users can only access their own data.
- We apply the principle of least privilege: the App only requests permissions it needs (camera for scanning, HealthKit for health integration, notifications for reminders).
- We conduct regular security reviews of our codebase and dependencies.
No system is 100% secure. If you discover a security vulnerability, please report it to hannah@mv-studio.net.
14. Cookies and Tracking
The HannaH mobile app does not use browser cookies. However:
- Firebase Analytics uses device identifiers for usage analytics.
- Google AdMob may use advertising identifiers for ad personalization.
- You can opt out of personalized tracking via your device settings or by subscribing to HannaH Premium (which removes all ads).
- In the EU/EEA/UK, we display a GDPR-compliant consent dialog before any non-essential data collection begins.
15. Product Scanner Disclaimer
The product scanner feature provides ingredient information for educational and informational purposes only.
- Ingredient safety ratings are based on publicly available databases (Open Food Facts, Open Beauty Facts, Open Pet Food Facts, UPCitemdb, Go-UPC). They do NOT constitute medical advice, safety guarantees, or professional health recommendations.
- Allergen detection is based on database information and AI analysis, which may not be 100% accurate. Always read product labels carefully, especially for severe allergies.
- Always consult healthcare professionals for medical decisions, especially regarding allergies, pregnancy, or infant nutrition.
- We make reasonable efforts to maintain accurate product data, but we cannot guarantee completeness or accuracy of all information. Product formulations may change without notice.
- The Company assumes no liability for decisions made based on product safety ratings or information provided by the App.
16. Do Not Track
Some browsers and devices offer a "Do Not Track" (DNT) signal. Due to the lack of a unified standard, the App does not currently respond to DNT signals. You can control tracking through your device privacy settings and our in-app consent mechanisms.
17. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will update the "Last updated" date at the top of this page.
- We will notify you via an in-app notification or email (for material changes).
- Continued use of the App after changes constitutes acceptance of the updated policy.
18. Governing Law
This Privacy Policy is governed by the laws of the Republic of Croatia, without regard to conflict of law principles. For EU/EEA residents, this does not affect your rights under GDPR. For California residents, CCPA/CPRA rights are preserved regardless of governing law.
19. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data:
MV Studio
Email: hannah@mv-studio.net
Support: hannah@mv-studio.net
For EU data protection matters, you may also contact the Croatian Personal Data Protection Agency (AZOP) at azop.hr.
© 2026 MV Studio. All rights reserved.
HannaH — Where Hope Begins