Privacy Policy

1. Introduction

Dear RoRo ("we", "our", or "us"), operated by Eunggyu Lee, Rehbergstrasse 4, 81479 Munich, Germany, is committed to protecting your privacy. DearRoRo is a parenting app designed exclusively for parents and guardians — it is not intended to be used by children. Parents use the app to journal memories, generate personalized stories, and manage family life. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your personal data. We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). By using our service, you agree to the collection and use of information as described in this policy.

2. Information We Collect

2.1 Account Information

• Email address and password (for email registration)
• Apple ID or Google account data (when using social sign-in)
• Profile details (name, username, avatar)
• Parenting country (selected during onboarding)
• Language preferences

2.2 Children and Family Information

• Children's profiles (name, birthday, gender, developmental stage)
• Family member relationships (roles such as parent, grandparent, etc.)
• Family group identifiers and invitation codes
• Partner/couple sharing relationships
• Friend connections between families

2.3 Content You Create

• Memories (text, images, videos, mood indicators, dates)
• AI-generated stories (text, audio, cover images)
• Family board items (events, notes, to-dos, drawings)
• Playlists and bookmarks
• Habit tracker goals and progress
• Interest tracker entries and sessions
• Developmental milestones
• Item recommendations (products, places, tips) which may include addresses and geographic coordinates

2.4 Voice Recordings

When you choose to create a custom voice, we collect your voice recordings. Voice data is considered biometric information under certain laws (including GDPR and BIPA). See Section 5 for details.

2.5 Usage and Behavioral Data

• Story playback counts and listening history
• Likes, comments, and bookmarks
• Story creation credits and consumption data
• Content reports and user blocking actions
• Referral relationships and reward tracking

2.6 Device and Technical Data

• Push notification tokens (for delivering notifications)
• Device information (for diagnostics and beta feedback)
• App version and platform information

2.7 Subscription and Transaction Data

• Subscription tier and billing status (managed via RevenueCat and app stores)
• Story credit purchases and trial periods
• Story credit pack purchases

2.8 Marketing and Waitlist Data

• Email addresses submitted through the waitlist form on our website
• Beta feedback submissions (nickname, category, message, screenshots, device info)
• Website visitor analytics (country, city derived from IP via ipapi.co, browser user agent, referrer URL, anonymized visitor identifiers)

3. How We Use Information

We use your information to:

• Provide, maintain, and improve our services
• Generate personalized stories adapted to your child's age and interests
• Create custom voice narration for stories
• Enable family sharing and collaboration features
• Send push notifications about family activity, voice expiration, content tags, and other relevant updates
• Process subscriptions, add-on purchases, and referral rewards
• Moderate content and enforce community guidelines (via reporting and blocking)
• Analyze usage patterns to improve the service
• Provide customer support
• Comply with legal obligations

4. AI and Voice Technology

We use artificial intelligence to enhance your experience:

• Story Generation: We use Google Gemini AI to generate personalized stories based on your children's information, age, and preferences. Story prompts may include your child's name, age, and selected topics.
• Voice Cloning: When you create a custom voice, your voice recordings are processed by ElevenLabs to create personalized narration. Voice data is biometric information (see Section 5).
• Text-to-Speech: Story text is converted to audio using ElevenLabs voice synthesis, either with default voices or your custom cloned voice.
• Image Generation: Cover illustrations for stories may be generated using Google Vertex AI (Imagen). Only text descriptions are sent to the image generation service.

Our AI service providers process data according to their privacy policies and data processing agreements. Your personal data is not used to train third-party AI models.

5. Biometric Data

Voice recordings used for voice cloning are considered biometric data in many jurisdictions. We collect this data only with your explicit consent. You may:

• View your voice data in the Voices section of the app
• Delete your voice data at any time from the app
• Withdraw consent by deleting your custom voice

Voice data is stored securely and is used solely for creating personalized story narration. Free tier users' custom voices expire 7 days after creation. Basic and Pro subscribers' custom voices remain active for the duration of their subscription. When the subscription ends, custom voices expire. When you delete a voice or your account, we also request deletion of the corresponding voice data from ElevenLabs.

6. Push Notifications

We collect push notification tokens to deliver timely notifications, including:

• Family activity updates (new memories, stories shared)
• Voice expiration warnings (24 hours before expiry)
• Content interactions (tags, comments, likes)
• Family board updates
• Referral reward notifications

You can manage notification preferences in the app settings or through your device settings.

7. Public Content Sharing

Pro subscribers may choose to share stories publicly. Publicly shared stories (including title, audio, and cover image) may appear on our marketing website and in the app's Explore section. Public memories marked by users are also displayed. No personal identifiers are shown with publicly shared content.

8. Data Encryption

We use client-side encryption (AES-256) to protect private content. When you mark a memory as private, all associated data — including text, images, videos, and audio — is encrypted on your device before being uploaded to our servers. Encryption keys are derived on your device and stored primarily in the device's native secure storage (iOS Keychain / Android Keystore) when available, with a fallback to standard device storage if native secure storage is unavailable. The server only stores encrypted data and cannot decrypt your private content. This provides an additional layer of data protection beyond standard server-side security.

9. Third-Party Services

We use the following third-party services to provide our features:

• Supabase: Authentication and database
• ElevenLabs: Voice synthesis, text-to-speech, and voice cloning
• Google Gemini: AI-powered story generation
• Google Vertex AI: AI-powered cover image generation
• Cloudflare R2: Encrypted media storage and delivery (images, videos, audio)
• RevenueCat: Subscription and in-app purchase management
• Apple / Google: Social sign-in authentication and app store payments
• Expo: Push notification delivery
• ipapi.co: IP-based geolocation for website analytics (marketing site only)

Each service processes data according to their respective privacy policies and under contractual obligations to protect your information.

10. Data Sharing

We do not sell your personal information. We may share data with:

• Service providers listed in Section 9, only as necessary to operate the service
• Family members you have explicitly connected with through the app's sharing features
• Law enforcement or regulatory bodies when required by applicable law

11. Data Security

We implement administrative, technical, and physical safeguards to protect your data, including client-side encryption, secure key storage, and encrypted data transmission. No method of transmission or storage is 100% secure; we continuously improve our protections.

12. Data Retention

We retain information as long as necessary to provide the service, comply with legal obligations, resolve disputes, and enforce agreements. Specific retention periods include:

• Free tier custom voice data: automatically deleted 7 days after creation
• Waitlist emails: retained until the user unsubscribes or the waitlist program ends
• Website visitor analytics: retained for up to 12 months

13. Account Deletion

You may delete your account at any time through Settings > Account > Delete Account. Upon deletion, we permanently remove your data including: profile information, memories, stories, voice recordings, family connections, playlists, habit and interest data, and all associated content. We also request deletion of your voice data from ElevenLabs. Account deletion is irreversible.

14. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

• Right of Access (Art. 15): Request a copy of your personal data we process
• Right to Rectification (Art. 16): Request correction of inaccurate personal data
• Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
• Right to Restriction (Art. 18): Request restriction of processing in certain circumstances
• Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
• Right to Object (Art. 21): Object to processing based on legitimate interests
• Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time for consent-based processing

To exercise these rights, contact us at hello.dearroroapp@gmail.com. We will respond within 30 days as required by GDPR. If we need more time, we will inform you of the extension and the reasons within the initial 30-day period.

15. Children's Privacy

DearRoRo is a parenting tool built for adults. It is not a children's app — children are not intended to use or interact with the app directly. Parents and guardians are the sole users, and they control all child profiles, content creation, and playback. Information about children (such as names, birthdays, and developmental stages) is entered by parents to personalize stories and track milestones. We do not knowingly collect personal information directly from children. The app is intended for users aged 16 and older. If you believe a child has accessed the app without parental oversight, please contact us immediately.

16. International Transfers

Your information may be processed in countries outside the European Economic Area (EEA), including the United States, where our service providers operate. For transfers outside the EEA, we ensure appropriate safeguards are in place in accordance with GDPR Chapter V, including EU Standard Contractual Clauses (SCCs) with our service providers, adequacy decisions by the European Commission where applicable, and additional technical and organizational measures where necessary.

17. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:

• Contract Performance (Article 6(1)(b)): Processing necessary to provide the Service, including account creation, memory storage, story generation, family sharing, and subscription management.
• Consent (Article 6(1)(a)): Processing of voice recordings for voice cloning (biometric data under Article 9(2)(a)), marketing communications, and optional analytics.
• Legitimate Interests (Article 6(1)(f)): Service improvement, security monitoring, fraud prevention, and usage analytics, where our interests do not override your rights and freedoms.
• Legal Obligation (Article 6(1)(c)): Compliance with applicable laws, regulations, and legal processes.

You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

18. Beta Testing Data

During beta testing periods, including distribution through Apple TestFlight, we may collect additional information beyond what is described in Section 2, including:

• Crash reports and diagnostic logs
• Feature usage analytics and interaction patterns
• Feedback, bug reports, and suggestions you submit
• Device performance and stability data

This additional data is collected solely to identify issues, fix bugs, and improve the Service before public release. Beta testing data is not used for marketing or advertising purposes.

Upon conclusion of the beta testing period, your account data and content will be migrated to the production service where possible. If migration is not feasible, we will provide at least 14 days' notice before any data deletion. You may request deletion of your data at any time during or after the beta period by contacting us.

19. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes through the app or by email. Continued use of the service after changes constitutes acceptance of the updated policy.

20. Right to Lodge a Complaint

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority (Datenschutzbehörde), in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

The competent supervisory authority for Bavaria is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
https://www.lda.bayern.de

A list of all German data protection authorities can be found at: https://www.bfdi.bund.de

21. Data Controller and Contact

If you have questions about this Privacy Policy, wish to exercise your data rights, or have GDPR-related inquiries, please contact us at the email above. We will respond within 30 days as required by GDPR.