Privacy Policy
Last updated: May 4, 2026
PebbleCare ("we", "our") connects families with home daycare providers. This policy explains what data we collect, how we use it, and the choices you have. By using PebbleCare you agree to this policy.
1. Information we collect
- Account: name, email, password hash, role (provider or guardian), and authentication identifiers (e.g. Google sub).
- Provider profile: daycare name, address, hours, capacity, rates, photos, amenities — content you choose to publish.
- Family profile: child names, ages, allergies, emergency contacts, custody/pickup info, and other care-relevant details you provide.
- Operational data: messages, daily logs, attendance records, invoices, applications, ratings.
- Technical: IP address (hashed for waitlist abuse prevention), browser/device info, log data, and cookies needed for authentication.
2. How we use information
- To run the service: matching families with providers, processing enrollments, sending notifications, generating invoices.
- To authenticate and secure accounts (including via Google OAuth, when you choose to use it).
- To send transactional and product emails (invitations, alerts, confirmations) — never marketing without your opt-in.
- To investigate abuse, enforce our terms, and comply with legal obligations.
3. Sharing
We share information only where necessary to operate the service:
- With other users: when you enroll or apply, the relevant provider and the family's authorized guardians see the child and family profile data they need to provide care.
- With service providers: Supabase (database/auth/storage), Resend (transactional email), Vercel (hosting), Sentry (error monitoring). They process data on our behalf under their own privacy commitments.
- For legal reasons: when required by law, court order, or to protect rights and safety.
- We do not sell personal information.
4. Google user data
If you sign in with Google, we receive your email address, profile name, and Google account ID. We use these solely to authenticate your PebbleCare account. We do not access Gmail, Drive, Calendar, or any other Google service data, and we do not share Google-derived data with third parties except the infrastructure providers listed above.
5. Retention
We keep account data while your account is active. After deletion, operational records (invoices, audit logs) may be retained for up to 7 years to satisfy tax, accounting, and dispute-resolution obligations. Backups are rotated within 30 days.
6. Your choices
- Access & correction: view and edit most data inside the app.
- Deletion: request account deletion by emailing support@pebblecare.app. We will remove your personal data subject to the retention rules above.
- Email: transactional emails (invites, alerts) are required for the service; we will add a marketing opt-out before any marketing email is sent.
7. Security
Data is encrypted in transit (TLS) and at rest. Database access is gated by row-level security and service-role tokens. We do not store plaintext passwords. Despite reasonable safeguards, no system is perfectly secure — promptly report suspected incidents to support@pebblecare.app.
8. Children
Children do not use PebbleCare directly. Their information is submitted by their guardian and shared only with the providers and guardians authorized in that family's account. We do not knowingly collect data directly from children under 13.
9. Changes
We may update this policy. Material changes will be announced in-app or via email. The "Last updated" date above reflects the latest revision.
10. Contact
Questions or requests: support@pebblecare.app.
See also our Terms of Service.