Last updated: May 14, 2026 · Effective date: May 14, 2026
This Privacy Policy explains how Bygga (“Bygga”, “we”, “us”, or “our”) collects, uses, discloses, and protects information when you use the Lullu mobile application, the website at lulluapp.com, and any related services (collectively, the “Service”). By using the Service, you agree to this Policy. If you do not agree, please do not use the Service.
Bygga is the “data controller” (under the EU/UK GDPR) and “business” (under the California Consumer Privacy Act, as amended by the CPRA) responsible for personal information processed through the Service.
The Service is intended for adults (18+) who are parents, legal guardians, or authorized caregivers tracking information about a child or pregnancy. The Service is not directed to children, and we do not knowingly collect personal information directly from children under 13 (or the equivalent minimum age in your jurisdiction).
Information about a child entered into the Service is provided by the parent, guardian, or authorized caregiver acting on the child's behalf. By entering information about a child, you represent and warrant that you have the legal authority to do so and to consent to our processing of that information as described in this Policy. If you become aware that a child under 13 has created an account directly with us, please contact us at hello@lulluapp.com and we will delete the account.
We collect the following categories of information:
(a) Account information.When you create an account, we collect your name, email address, authentication identifier (e.g., Apple ID or Google ID via Sign in with Apple / Sign in with Google), and password (hashed; we never see your plaintext password). If you opt to hide your email via Apple's private relay, we receive only the relay address.
(b) Child and pregnancy information you log. Information you choose to enter, including: child's name (or nickname), date of birth, sex, weight, height, head circumference, feeding events (breast, formula, mixed, solids), diaper changes, sleep events, medications and supplements, allergies and reactions, milestones, photos, notes, prenatal data (e.g., due date, appointments), and any other information you record. You decide what to log; we do not require any specific data.
(c) Family and caregiver information. When you invite partners, family members, or caregivers, we collect the email or identifier needed to send the invitation and to associate them with your shared data.
(d) Subscription and billing data. Subscriptions are processed by Apple (App Store) and managed via RevenueCat. We receive limited information such as subscription status, product identifier, renewal date, and a pseudonymous user identifier. We do not receive or store your full payment-card details.
(e) Device and usage data. Information automatically collected when you use the Service, such as device type and model, operating system and version, app version, language and locale, IP address (used at the time of the request and not stored long-term in user-identifiable form), crash and diagnostic logs, and basic usage events (e.g., features used, screens viewed, errors).
(f) Communications. If you contact us (e.g., support emails, feedback), we collect the contents of those communications and our responses.
What we do not collect. We do not use third-party advertising SDKs in the Lullu mobile app, and we do not collect precise geolocation. On the lulluapp.com marketing website, we use a Reddit advertising pixel to measure ad performance, but only after you accept it via our cookie banner. See Section 10 (Cookies and Similar Technologies) for details.
We use the information described above to:
We do not use your information, your child's information, or any health-related information you log to train any artificial intelligence or machine learning models for use outside of providing the Service to you.
If you are in the EU, UK, or another jurisdiction with similar laws, we rely on the following legal bases under the GDPR / UK GDPR: (a) performance of a contract, to provide the Service you requested; (b) legitimate interests, to secure, debug, and improve the Service, prevent fraud, and respond to support requests; (c) consent, where required, including for any optional features that involve sensitive personal data, which you can withdraw at any time; and (d) legal obligation, to comply with applicable law.
We treat the child and pregnancy data you log as special-category data. We process it on the basis of your explicit consent (Article 9(2)(a) GDPR), provided by you on behalf of yourself and the child. You may withdraw consent at any time by deleting the data or your account.
We share information only as described below:
(a) With caregivers you invite.When you invite an Invited User to view or contribute to your child's data, the information you have shared with them is visible to them and they may add, edit, export, or delete entries. Invited Users may retain copies of information they viewed even after access is revoked. You are responsible for managing whom you invite and revoking access promptly when appropriate.
(b) With service providers (processors). We share information with vetted third parties that process data on our behalf under contractual confidentiality and security obligations, including:
(c) Legal and safety. We may disclose information if required by law, subpoena, court order, or other legal process, or where we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Bygga, our users, a child, or the public, or to investigate fraud or security incidents.
(d) Business transfers. If Bygga is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction, subject to the protections of this Policy or with notice to you.
We do not sell your personal information and we do not rent it to third parties.On the lulluapp.com marketing website, if you accept our cookie banner, a Reddit advertising pixel may share basic visit data with Reddit so we can measure ad performance and reach similar audiences. This may be considered “sharing” for cross-context behavioural advertising under the CCPA/CPRA. You can opt out at any time by clicking “Reject” on the cookie banner or by clearing site data. We do not engage in any other sale or sharing of personal information. This statement is made for purposes of the California Consumer Privacy Act (as amended by the CPRA) and similar state privacy laws.
We are based in the United States, and our service providers may process information in the United States or other countries that may not provide the same level of data-protection law as your country of residence. Where we transfer personal information outside the EU, UK, or other regulated regions, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable) or other lawful transfer mechanisms.
We retain your account and User Content for as long as your account is active or as needed to provide the Service. When you delete your account, we will delete or de-identify your account information and User Content within 30 days, except where retention is required to: (a) comply with legal, tax, accounting, or audit obligations; (b) resolve disputes or enforce our agreements; (c) prevent fraud or abuse; or (d) maintain backups for a limited period before they are overwritten in the ordinary course. Aggregated or de-identified data that cannot reasonably be used to identify you may be retained indefinitely.
We use reasonable and appropriate technical and organizational measures designed to protect your information, including encryption in transit (TLS), encryption at rest where supported by our infrastructure providers, access controls, authentication safeguards, and monitoring. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential and for the security of the device on which you use the Service. If you suspect unauthorized access, contact us immediately at hello@lulluapp.com.
The Service is not a HIPAA-covered service; Bygga is not a covered entity or business associate. Although you may use the Service to log information that you consider sensitive, the Service is not designed to satisfy HIPAA, HITECH, or any specific clinical-recordkeeping standard.
Depending on where you live, you may have rights under applicable law to: access the personal information we hold about you; correct inaccurate information; delete your information; obtain a portable copy; restrict or object to certain processing; withdraw consent; and lodge a complaint with a supervisory authority.
You can exercise most of these rights directly in the Service (by editing or deleting entries, removing Invited Users, or deleting your account). For any other request, email hello@lulluapp.com. We will verify your request and respond within the time required by applicable law. We will not discriminate against you for exercising your rights.
California residents: Under the CCPA/CPRA, you have the right to know what personal information we collect, use, disclose, and (if applicable) sell or share; the right to delete; the right to correct; the right to limit use of sensitive personal information; the right to opt out of sale or sharing for cross-context behavioural advertising (we do not sell your information; we share limited visit data with Reddit for advertising only when you accept our cookie banner on lulluapp.com, and you can click “Reject” on the banner to opt out); and the right to non-discrimination. You may submit a request via hello@lulluapp.com. An authorized agent may submit a request on your behalf with proof of authorization.
EU/UK residents: You have the GDPR / UK GDPR rights summarized above. You may also contact your local data-protection authority.
The Lullu website uses strictly necessary cookies and similar technologies required to operate the site (e.g., to maintain a session or remember preferences). With your consent, given via our cookie banner, we also load a Reddit advertising pixel from redditstatic.com on the lulluapp.com marketing website. The pixel records that a visit occurred and (in combination with information Reddit already holds about its logged-in users) allows us to measure the performance of our Reddit ad campaigns and build similar audiences. The pixel is not loadeduntil you click “Accept” on the cookie banner, and you can withdraw consent at any time by clicking “Reject” on the banner (clear your site data first if the banner is dismissed) or by clearing your browser's storage for lulluapp.com. We do not use any other advertising cookies or third-party tracking pixels. The Lullu mobile app uses standard local storage to enable offline functionality and to cache your data on the device.
Our website does not respond to “Do Not Track” browser signals (the DNT standard has been deprecated by most major browsers). Cross-site tracking on lulluapp.com is limited to the Reddit advertising pixel described in Section 10, and it is loaded only after you accept our cookie banner. Click “Reject” on the banner to opt out.
If we become aware of a personal-data breach that affects your information, we will notify you and the relevant authorities as required by, and within the time periods set by, applicable law.
The Service may include links to or interoperate with third-party services (e.g., the App Store, Apple ID, Google account). Those services are operated by third parties under their own privacy policies. We are not responsible for the privacy practices of those third parties, and we encourage you to review their policies.
We may update this Policy from time to time. We will post the updated Policy with a new “Last updated” date and, for material changes, will provide reasonable advance notice (such as in-app notice or email). Your continued use of the Service after the effective date constitutes acceptance of the updated Policy. If you do not agree, please stop using the Service and delete your account.
Bygga, California, USA
Email: hello@lulluapp.com