Privacy Policy

1. Who we are

anambaby ("we", "us") is the data controller for personal data we process about Parents and Instructors using the platform at anambaby.com. We are based in Ireland and comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") and the Irish Data Protection Act 2018. Contact: privacy@anambaby.com.

Where an Instructor uses the platform to manage their own bookings and parent communications, the Instructor is an independent controller of that data and is responsible for their own GDPR compliance towards their customers.

2. What we collect

• Account data: name, email, password (hashed), role (parent or instructor), profile photo.
• Instructor data: business details, class listings, photos, qualifications, Garda vetting and insurance documents (and extracted expiry dates), Stripe Connect identifiers, payout history.
• Booking data: classes booked, attendance, messages exchanged in class chats, reviews.
• Child information: child's first name and approximate age, where you provide it for a booking. Do not provide more child data than necessary.
• Payment data: processed by Stripe — we do not store card numbers or CVCs.
• Technical data: IP address, device, browser, pages viewed, approximate location, cookies. See our Cookie Policy.

3. Why we use it (lawful bases)

• To deliver the Service (Art. 6(1)(b) — performance of a contract): creating accounts, processing bookings, sending booking confirmations and reminders, hosting class chats, generating receipts.
• Compliance reminders and AI features (Art. 6(1)(b) and (f) — legitimate interests of running a useful product): vetting and insurance expiry reminders, suggested class descriptions, captions and re-engagement emails for Instructors to review.
• Safety and fraud prevention (Art. 6(1)(f)): detecting abuse, protecting children and other users, defending claims.
• Legal obligations (Art. 6(1)(c)): tax, accounting, responding to lawful requests.
• Marketing (Art. 6(1)(a) — consent, or soft opt-in under the ePrivacy Regulations): only with your consent, with an unsubscribe link in every message.

We do not knowingly process special-category data about children's health. If you share medical or allergy information with an Instructor to keep a child safe, that is provided to the Instructor and processed by them on the lawful basis of vital interests / explicit consent — we host it on the Instructor's behalf only.

4. Who we share it with

• The Instructor you book with (and vice versa, the parents who book your class) — to fulfil the booking.
• Service providers ("processors") under written contracts: Supabase (database and authentication, EU region), Stripe (payments), Resend (transactional email), Cloudflare (hosting and security), Google (analytics and maps), and our AI providers (Google Gemini, OpenAI) for AI features. We pick providers that offer GDPR-compliant terms and, where relevant, EU-region processing or Standard Contractual Clauses for transfers outside the EEA.
• Authorities where we are legally required to.

We do not sell your personal data.

5. International transfers

Where personal data is transferred outside the EEA (for example, to the United States for AI processing), we rely on the EU Commission's adequacy decisions, Standard Contractual Clauses, or other lawful transfer mechanisms.

6. How long we keep it

• Account data — for as long as your account is active, then deleted within 90 days of closure (or sooner on request).
• Booking and payment records — 6 years, to meet Irish tax and accounting record-keeping obligations.
• Class chat messages — for the lifetime of the relevant class series, then archived for 12 months.
• Marketing preferences — until you withdraw consent or unsubscribe.

7. Your rights

Under the GDPR you have the right to access, rectify, erase, restrict or object to processing of your personal data, the right to data portability, and the right to withdraw consent at any time. To exercise any of these rights email privacy@anambaby.com.

You also have the right to lodge a complaint with the Irish Data Protection Commission (dataprotection.ie), Lo-Call 1800 437 737.

8. Security

We protect personal data with encryption in transit (TLS), encryption at rest, role-based access controls, row-level security on the database, and reasonable administrative measures. No system is perfectly secure — please use a strong, unique password and tell us immediately if you suspect your account has been compromised.

9. Changes

We may update this policy. Material changes will be notified by email or in-app at least 14 days before they take effect.