Your baby's room is not a data source.
The short version
- Live audio and video travel peer-to-peer, encrypted end-to-end (DTLS-SRTP). We never see or store them.
- Cry, motion and breathing detection all run on your device. No sound clip or frame leaves the phone for analysis.
- A LullaLink account is optional — only needed to monitor from outside your home Wi-Fi.
- Free tier shows Google AdMob ads — never on the baby phone and never with sound on the baby side. Pro users get no ads at all. No analytics on audio or video content. No data sold to anyone, ever.
- Delete your account and every server-side key with one tap in the app, or email us.
On this page
1. Who we are
LullaLink ("LullaLink", "we", "us") is the developer of the LullaLink baby-monitor app for
Android (package com.codejam.lullalink) and iOS. This Privacy Policy explains what
information the app and our optional cloud services collect, how they use it, and the choices
you have. It applies to the app, the LullaLink website, and any optional signaling or relay
servers we operate.
If you have a question about anything below, write to privacy@lullalink.com.
2. What we collect
LullaLink is designed to keep the minimum amount of data possible. The table below is the complete list — if it isn't here, we don't collect it.
| What | Why | Where it lives |
|---|---|---|
| Email + password Optional — only if you create an account to pair across networks |
To sign you in on multiple phones and relay WebRTC signaling when you're not on the same Wi-Fi. | Cloud Password hashed with bcrypt (cost 12) |
| Google Sign-In identifier Google's user-id + your email + display name, if you use "Continue with Google" |
To let you sign in without a password. We only receive what Google sends in the ID token — nothing else from your Google account. | Cloud |
| Device record Name you set, platform (Android/iOS), created-at timestamp |
So you can see which phones are paired to your account and remove old ones. | Cloud |
| Baby profile Name, nickname, avatar emoji, birthday, notes — all optional |
To personalize the app with your baby's name and age. | On device only Never uploaded to our servers |
| Pairing code / QR payload | An 8-character code (cloud pairing) or 6-digit PIN + QR (local pairing) used to link two phones. | On device Expires in ~10 min; single-use |
| Signaling messages SDP offers/answers + ICE candidates, exchanged to set up WebRTC |
Relayed between your two phones so they can negotiate a peer-to-peer connection when they aren't on the same Wi-Fi. | Cloud Deleted after 5 min or when consumed |
| Entitlement record Pro / free tier + source (Play Store, lifetime, activation code) |
So we know which features are unlocked on your account and can suppress ads for Pro users. | Cloud |
| Play Store receipts Product ID, purchase token, order ID, Google's verification response |
To verify your subscription or lifetime purchase server-side and prevent spoofing. | Cloud |
| Activation codes If you redeem one, we link it to your account |
To grant Pro access and prevent the same code from being used twice. | Cloud |
| Connection metadata ICE candidate types, session-duration counters, error codes |
To diagnose connection failures. Contains no audio or video content. | Cloud Discarded after 14 days |
| Ad personalization consent Your choice from the Google UMP privacy form (EEA / UK / Swiss users) |
To honour your preferences before requesting ads. | On device |
| Event clips 10 s pre-roll + 20 s post-cry video |
So you can review what woke the baby. | On device only Max 50 clips, auto-rotated |
| Crash & diagnostic logs | To find and fix bugs. Opt-out in Settings → Privacy. | Opt-out No audio/video content |
3. What we don't collect
We want to be explicit about this because it's the heart of the product:
- We never record or upload audio or video. The media stream is peer-to-peer between your two phones, encrypted with DTLS-SRTP. Our signaling server only relays session-setup messages (SDP offers/answers and ICE candidates); it never sees the media itself.
- Your baby's profile never leaves the device. Name, nickname, avatar emoji, birthday and notes are stored locally in AsyncStorage and never synced to our servers. They disappear when you uninstall the app.
- We don't analyse your baby's room. Cry detection, breathing analysis, motion detection and temperature sensing all run entirely on the baby-unit device.
- We don't collect contacts, calendars, photos, browsing history, precise location, health records, or advertising identifiers.
- We don't use third-party analytics SDKs on audio or video content. Crashlytics, if enabled, sees only code-level stack traces and device model.
- We don't read your Google account. Google Sign-In sends us only a signed ID token containing your sub-id, email, and display name. We do not request, store, or have access to anything else (contacts, Drive, calendar, etc.).
- We don't sell, rent or trade data to anyone. Ever. There is no business case where this would be acceptable.
4. How we use data
The data listed in Section 2 is used only for the following purposes:
- Provide the service — sign you in, pair your phones, route WebRTC signaling, deliver push notifications.
- Keep it working — reconstruct connection failures so we can fix them. Logs are anonymised at the network edge.
- Keep it safe — detect abuse of our signaling servers (rate limiting, brute-force protection on sign-in).
- Comply with law — respond to valid legal process. We will notify you unless prohibited by law.
We do not use your data for advertising, profiling, training AI models, or any purpose unrelated to operating the app.
5. Sharing & third parties
LullaLink runs a minimal backend. The only third parties that process data on our behalf are:
- o2switch — our hosting provider (France). Runs our signaling server
wapi.lullalink.comand the PostgreSQL database that stores accounts, devices, pairings, and entitlements. - Google Sign-In (Google Ireland Ltd.) — if you choose "Continue with Google", Google authenticates you and returns a signed ID token. Google's own privacy policy applies to the handshake itself.
- Google Play Billing & Android Publisher API (Google) — processes subscription and lifetime purchases, and verifies receipts server-side so we can unlock Pro only for real, non-refunded purchases.
- Google AdMob (Google Ireland Ltd.) — serves ads to free-tier users. AdMob may receive device identifiers and ad-event signals, subject to the consent choices you make in our privacy form the first time you launch the app. Ads are never shown on the baby phone, and never on any phone owned by a Pro user.
- Google UMP (User Messaging Platform) — presents the EEA/UK/Swiss ad-consent form on first launch.
We do not use analytics pixels, session replay tools, marketing platforms, or third-party CRMs. The list above is exhaustive.
If LullaLink is ever acquired or merged, this policy will continue to govern the data we already hold, and we will notify you before any change takes effect.
6. Storage & retention
- Account email & hashed password — kept until you delete your account.
- Google sub-id — kept while you have an account; removed on deletion.
- Device records — kept while you have the device registered; removed when you delete the device or your account.
- Pairings — status kept for 30 days for troubleshooting; pairing codes removed as soon as claimed or after 10 min.
- Signaling messages — each message is deleted as soon as the recipient has polled for it, or after 5 min, whichever comes first.
- Entitlement records & Play Store receipts — kept while the account exists (so we can reconcile refunds); removed on account deletion.
- Activation codes — unused codes are retained; redeemed codes keep the
redeemed_by_user_idlink until account deletion. - Connection metadata — retained 14 days, then permanently deleted.
- Crash reports — retained 90 days.
- Baby profile, event clips & recordings — stored only on your device; deleted when you remove the app.
7. Security
We apply the following protections:
- All media streams are end-to-end encrypted with DTLS-SRTP, the WebRTC standard.
- Signaling traffic uses TLS 1.3 between your app and our servers.
- Passwords are hashed with bcrypt (cost 12). We never see them in plaintext.
- Pairing codes are single-use and expire after five minutes.
- Servers run with hardened baselines; access is restricted to a small number of engineers and audited.
No system is perfectly secure, but we will notify affected users and relevant regulators within 72 hours if we ever discover a breach involving personal data.
8. Children's privacy
LullaLink is designed for parents and caregivers (adults 18+). We do not knowingly collect personal information from children, and the app's audio/video streams from the baby unit are never transmitted to LullaLink — they are peer-to-peer between your two phones and encrypted end-to-end.
Because the baby's environment is, by design, visible only to the account holder and any parent devices they have paired, no profile of the infant is ever created on our servers.
If you believe a child under 13 has provided us with personal information, contact privacy@lullalink.com and we will delete it immediately.
9. Your rights
Depending on where you live (GDPR, UK GDPR, CCPA/CPRA, LGPD, PIPEDA, Australia Privacy Act, and others), you may have rights to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion ("right to be forgotten")
- Export your data in a portable format
- Object to processing or restrict it
- Withdraw consent at any time
- Lodge a complaint with your local data-protection authority
You can exercise every one of these rights without paying a fee by emailing privacy@lullalink.com. We will verify the request and respond within 30 days.
California residents: LullaLink does not "sell" or "share" personal information as those terms are defined under the CCPA/CPRA.
10. Account & data deletion
You can delete your account and all associated personal data at any time:
- In the app — open LullaLink → Settings → Account → Delete account. Confirm with your password.
- By email — send a request to privacy@lullalink.com from the address on your account.
- Via the web — complete the form at lullalink.com/delete-account.
Your account, push tokens and server-side keys are deleted immediately. Encrypted backups rotate out within 30 days. Anonymised, aggregate metrics (e.g. "how many accounts were active last month") may be retained for statistical purposes and cannot be used to re-identify you.
11. International transfers
Our servers are located in the European Union by default; you can select a US region at sign-up. When we transfer personal data from the EU/UK to countries that have not received an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (or the UK International Data Transfer Addendum).
12. Changes to this policy
We will revise this policy when the product or the law changes. Material changes will be announced in-app at least 14 days before they take effect, and the "Last updated" date at the top of this page will always reflect the latest version. Your continued use of LullaLink after an update means you accept the revised policy; if you don't, you can delete your account as described above.
13. Contact us
Questions, concerns, data-subject requests — any of them, any time. A real human reads this inbox.
Privacy questions
For anything related to your data, deletion requests, or this policy.
privacy@lullalink.comYou can also write to us at our postal address, which we will provide on request by email.