Privacy Policy
This Privacy Policy explains how Umami Labs Limited (“UmiCare”, “we”, “us”, “our”) collects, uses, shares, and protects personal data in connection with our apps, websites, and related services. It is intended to be legally precise and to allocate risk appropriately.
Overview
Controller and scope
Umami Labs Limited is the controller for personal data processed through UmiCare unless specified otherwise. This Policy governs all UmiCare mobile applications, websites, and related services (the “Services”).
We process personal data in accordance with applicable data protection laws (including the PDPO and, where relevant, GDPR). Use of the Services constitutes acceptance of this Policy.
We follow the PDPO Data Protection Principles: (1) notice and purpose, (2) accuracy and retention, (3) use limitation, (4) security, (5) openness, and (6) access/correction rights.
Collection
Personal data we collect
Account data. Email, hashed credentials, authentication tokens, and contact preferences you provide.
Care and profile data. Names, birth dates, care logs (feeding, sleep, diapers), notes, media uploads, and caregiver sharing settings you or invited caregivers enter.
Device and usage data. Device type, OS, app version, diagnostic and performance logs, and short-lived IP data collected automatically to protect and operate the Services.
Support and communications. Messages, tickets, feedback, and related metadata you send to us.
Payment metadata. Subscription status and transaction references processed by payment providers. We do not store full card details.
Pre-signup checkout data. If you purchase a subscription before creating an account, our payment processor (Stripe) may collect your email and create a customer record and subscription. We use this to associate the subscription with your account when you sign up with the same email address.
Cookies and similar technologies. We use essential cookies for security and session continuity, analytics cookies to understand aggregate usage, and functional cookies to remember preferences. You can manage cookies through your browser settings; disabling some cookies may affect functionality.
Optional marketing preferences. If you opt in, we store your consent status and preferred channels for receiving product updates or offers.
Use of data
How and why we use personal data
We process personal data to deliver and maintain the Services (including syncing and caregiver sharing), to provide informational AI summaries (not medical advice), to respond to support requests, to improve reliability and security, to send essential service notices, to comply with legal obligations, and to enforce our terms.
Direct marketing. We do not use your personal data for direct marketing without your consent (or indication of no objection) as required under the PDPO. You can withdraw consent or object at any time via legal@umicare.co or the preference controls we provide.
Where GDPR applies, legal bases include performance of a contract, legitimate interests, legal obligations, and consent where required. We rely on legitimate interests only where your rights are not overridden.
AI use
AI processing
We use AI services (currently OpenAI) to generate informational summaries you request. Prompts and outputs are processed under data processing terms that prohibit provider training on your data. AI outputs are not medical advice. We log limited metadata to secure and monitor the feature; you can opt out of AI use by not using the feature.
Sharing
Disclosure of personal data
We disclose personal data to vetted service providers (e.g., DigitalOcean for hosting, OpenAI for AI processing, and providers of analytics, email delivery, support tools, and payment processing) under written data protection terms. Data you choose to share with caregivers follows your sharing settings. We may disclose data to comply with law, protect safety, enforce terms, respond to lawful requests, or in the context of corporate transactions. We do not sell personal data or use it for third-party advertising.
Classes of transferees (PDPO): IT infrastructure and cloud vendors, analytics providers, customer support tools, payment processors, professional advisers (legal/accounting), and prospective transaction counterparties subject to confidentiality.
Direct marketing transferees. If you consent to direct marketing, we may use email or in-app messaging tools to deliver those communications. You may opt out at any time.
Retention
We retain personal data only as long as needed for the purposes described or as required by law. Account and care data remain while an account is active and are deleted upon verified request unless retention is legally required. Backups are maintained on rolling schedules with limited retention. Diagnostics and logs are retained briefly to support security and reliability.
Retention schedules are reviewed periodically. Where deletion is requested or required, we will also apply deletion to backups when those backups naturally cycle out.
Security
Protection of personal data
We apply appropriate technical and organizational measures, including encryption in transit (HTTPS/TLS) and at rest for sensitive data, role-based access controls with logging, hosting on DigitalOcean (Singapore) with segmentation and backups, AI processing via OpenAI under data processing terms (no training on submitted prompts or outputs), and incident response processes covering detection, containment, and legally required notifications.
We review vendors for security posture, restrict production access to trained personnel, and maintain secure coding and vulnerability management practices. If we become aware of a data incident that poses a real risk of harm, we will notify affected users and regulators where required.
We also maintain data minimization practices, apply masking where feasible, and securely dispose of media and hardware per industry standards.
Your rights
Privacy rights and choices
Subject to applicable law, you may request access, correction, deletion, restriction, objection, portability, or withdrawal of consent where relied upon. Under the PDPO, you have rights of data access and correction and the right to opt out of direct marketing. We may decline requests where permitted by law, including where responding would adversely affect others or conflict with legal obligations.
Depending on your location, additional rights may apply (e.g., right to know/access, delete, correct, opt out of “sale”/“sharing” or targeted advertising where applicable, and limit use of sensitive data). We do not sell personal data or use it for third-party advertising.
To exercise rights, contact legal@umicare.co. We will verify identity before responding and will acknowledge requests within timeframes required by applicable law. We may charge a reasonable fee permitted by law for handling access requests.
Regional notices
Region-specific information
EU/UK/EEA. Where GDPR/UK GDPR applies, you have rights of access, rectification, erasure, restriction, objection, and portability, and the right to lodge complaints with your supervisory authority. We rely on Standard Contractual Clauses (or equivalent) for cross-border transfers and apply technical measures to protect data.
United States (selected state laws). Where state laws apply (e.g., California, Colorado, Virginia), you may have rights to know/access, delete, correct, opt out of “sale,” “sharing,” or targeted advertising, and to limit sensitive data use. We do not sell personal data or use it for cross-context behavioral advertising. Appeals processes are available where required.
Other regions. We will honor local rights and requirements to the extent they apply to our processing. Please contact us to exercise region-specific rights.
International transfers
Transfers outside your region
Personal data may be processed outside your country (including storage in Singapore and processing in other regions by vetted vendors). Where required, we rely on appropriate safeguards such as Standard Contractual Clauses and apply technical measures, including encryption in transit and at rest.
Children
Children's data
The Services are intended for parents and caregivers. We rely on parents or legal guardians to input and manage information about children. If we learn that personal data has been collected from a child without proper authority, we will delete it. We do not permit children to create their own accounts.
Complaints
Raising concerns
If you have questions or complaints about how we handle personal data, contact us first at legal@umicare.co. You may also lodge a complaint with your local data protection authority or privacy regulator.
Changes
Changes to this Policy
We may update this Privacy Policy. We will post changes with an updated “Last updated” date and, where changes are material, provide additional notice. Continued use after the effective date constitutes acceptance.
Contact
How to contact us
Umami Labs Limited
Email: legal@umicare.co
Last updated: 2026-01-06