Last updated: March 2026
1. Introduction
BabyBinge GmbH ("BabyBinge", "we", "us") is committed to protecting the privacy of children and families. This Privacy Policy explains what data we collect, how we use it, how we store it, and your rights under the General Data Protection Regulation (GDPR), the Children's Online Privacy Protection Act (COPPA), and other applicable laws.
BabyBinge is the data controller. Our registered address is in Frankfurt am Main, Germany.
2. Data We Collect
We collect only the minimum data necessary to provide the Service:
- Account information: email address (from Google/Apple sign-in), display name, country (optional)
- Child profiles: first name, age group (0–2, 2–4, or 4–5)
- Avatar preferences: text-based prompts describing desired avatar appearance
- Episode data: prompts, generation settings, watch history, ratings
- Usage data: feature interactions, session duration, screen views
- Device information: OS version, device model, app version (for crash reports and compatibility)
- Subscription data: plan type, billing status (payment details are handled entirely by Apple/Google/Stripe/Razorpay)
3. Data We Never Collect
- Photographs of children or any person
- Biometric data of any kind (face geometry, fingerprints, voice prints)
- Precise location data (GPS coordinates)
- Microphone or camera input
- Contact lists, call logs, or social media accounts
- Advertising identifiers or cross-app tracking data
4. How We Use Your Data
- To generate personalised cartoon episodes for your children
- To create and render 3D avatars from text descriptions
- To improve content quality based on ratings and watch patterns
- To provide customer support when you contact us
- To send notifications about new episodes, features, and account activity
- To comply with legal obligations (e.g. COPPA consent records)
- To detect and prevent abuse of our safety systems
5. Legal Basis for Processing (GDPR Art. 6)
- Consent (Art. 6(1)(a)): processing of child data, avatar generation, optional analytics
- Contract performance (Art. 6(1)(b)): account management, subscription billing, episode delivery
- Legitimate interest (Art. 6(1)(f)): fraud prevention, service improvement, crash reporting
- Legal obligation (Art. 6(1)(c)): tax records, COPPA compliance records
6. Data Storage & Security
All data is stored in the European Union, specifically in the AWS eu-central-1 region (Frankfurt, Germany).
Security measures include:
- Encryption in transit using TLS 1.3
- Encryption at rest using AES-256
- Role-based access control with principle of least privilege
- Regular security audits and penetration testing
- Automated vulnerability scanning
7. Data Processors
We use the following third-party data processors:
| Processor |
Purpose |
| Amazon Web Services (AWS) | Cloud hosting and storage (EU region) |
| Firebase (Google) | Authentication and crash reporting |
| Stripe | Payment processing (EU/international) |
| Razorpay | Payment processing (India) |
| Apple / Google | In-app purchase processing |
| Hetzner | GPU rendering infrastructure (EU) |
| xAI (Grok Aurora) | Avatar image generation |
| RunPod | GPU infrastructure for AI rendering workloads |
| ElevenLabs | Voice profile creation for narration voices |
| Anthropic (Claude, Haiku) | Content moderation, safety filtering, and translation |
Each processor operates under a Data Processing Agreement (DPA) that meets GDPR requirements. No child data is transferred outside the EU except where necessary for authentication (Firebase) under Standard Contractual Clauses.
Self-hosted AI services: In addition to third-party processors, BabyBinge operates self-hosted AI models on our own infrastructure for video generation, lip-sync animation, and music composition. These services run entirely within our EU data centres and no data leaves our infrastructure during processing. Self-hosted models are not third-party processors and are covered by BabyBinge's own data protection obligations as data controller.
8. Children's Privacy (COPPA Compliance)
BabyBinge is designed for children under 13. We comply with COPPA worldwide, regardless of the user's location.
- We obtain verifiable parental consent before collecting any data related to a child
- Parents can review all data collected about their child at any time
- Parents can request deletion of their child's data at any time
- We do not condition a child's participation on disclosing more data than is reasonably necessary
- Consent records are stored in an immutable ledger
9. Your Rights (GDPR)
Under the GDPR, you have the right to:
- Access: request a copy of all data we hold about you and your children
- Rectification: correct any inaccurate data
- Erasure: request deletion of all your data ("right to be forgotten")
- Data portability: receive your data in a machine-readable format
- Restriction: request that we limit processing of your data
- Objection: object to processing based on legitimate interest
- Withdraw consent: withdraw any consent at any time without affecting prior processing
To exercise any of these rights, visit Settings → Privacy & Data in the app, or contact anirban@babybinge.app.
We will respond to all data subject requests within 30 days.
10. Data Retention
- Active accounts: data is retained while your account is active
- Deleted accounts: all personal data is permanently removed within 30 days of deletion, including episodes, avatars, ratings, and watch history
- Account closure: data is retained for a maximum of 5 years after account closure for legal compliance, then permanently deleted
- Consent records: retained for the duration required by applicable law (typically 5 years after last activity)
- Anonymised analytics: may be retained indefinitely as they contain no personal data
11. Cookies & Tracking
The BabyBinge mobile app does not use cookies. We do not engage in cross-app tracking, behavioural advertising, or sale of personal data.
The BabyBinge website (babybinge.app) uses only essential cookies required for authentication and session management.
12. Contact & Complaints
Data Protection Officer: anirban@babybinge.app
General Support: anirban@babybinge.app
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Hessian Data Protection Commissioner (Der Hessische Beauftragte für Datenschutz und Informationsfreiheit).