Privacy Policy
Last updated: April 21, 2026
Introduction
This Privacy Policy describes how Novi Homines Software Oy ("we", "us", or "our") handles information when you use the Vaava mobile application.
By using Vaava, you agree to this Privacy Policy. We do not sell your data. Our business model is built on providing value through our app, not through data monetization.
Local Data
Vaava does not have user accounts and does not ask you to create one. We do not collect your email address or password for normal app use. Vaava runs locally on your devices, and your baby tracking data stays on-device by default instead of being uploaded to our servers in basic use.
What stays on your device:
- All baby event data (feedings, diaper changes, sleep, etc.)
- Device pairing information
- App preferences and settings
Local Wi-Fi family sync:
When you use local Wi-Fi family sync, synchronization happens directly between your devices over your local network via peer-to-peer connections. No baby data passes through our servers. Local Wi-Fi family sync requires Vaava Plus on the device that starts pairing by showing the QR code. Once paired, both devices can sync.
Privacy Promise: By default, your baby event history stays on your devices. The limited exceptions described below are transient dictation or OCR processing, Vaava Plus purchase handling, and optional crash diagnostics.
Voice dictation and OCR
When you use voice dictation, a short audio snippet is sent to the Vaava service server, which forwards it to an AI service provider (including Google Gemini) for transcription and structuring. The audio is not stored after processing.
When you scan growth measurements, the photo is sent to the Vaava service server, which forwards it to an AI service provider (including Google Gemini) for OCR. The image is not stored after processing.
These payloads are used only to return structured results to your device. Vaava does not use them to train any model, and they are not linked to a Vaava account because Vaava does not use user accounts. Upstream provider terms (AI service provider APIs) apply to transit handling.
Backend infrastructure is hosted in the EU.
Vaava Plus purchase handling
Vaava Plus is purchased through the Apple App Store or Google Play. Vaava uses RevenueCat on the device for entitlement checks and to support restoring a purchase on the same platform.
For that purpose, RevenueCat may receive purchase-related information from the store platform together with an app-specific identifier provided by Vaava so the app can determine whether Vaava Plus is unlocked on that device or restored on another device on the same platform.
In the current setup, Vaava does not send your email address, password, or baby event content to RevenueCat.
Optional Crash Reporting
Vaava includes an optional crash reporting feature powered by Firebase Crashlytics to help us diagnose technical failures and improve reliability.
- Disabled by default - Crash reporting starts only if you enable it
- User-controlled - You can enable or disable it at any time in Vaava Settings
- No baby tracking data - Crash reports do not include your baby event content
What may be collected when enabled:
- Crash stack traces and technical error details
- App version, bundle or package identifier, and crash timestamp
- Device and operating system details such as model, OS version, memory, and storage state
- Crashlytics installation identifiers and Firebase session identifiers used to group crash reports
- Technical app state around the crash, such as whether the app was in the foreground or background
What Vaava does not attach:
- No custom user ID is attached to Crashlytics reports
- No custom logs or custom keys are added by Vaava
- No analytics breadcrumb events are sent with crash reports in the current setup
Crash diagnostics are used only for app stability and debugging, not for advertising or marketing.
Third-Party Services
Vaava uses the following third-party services:
- AI service provider (including Google Gemini) (via the Vaava service server): used only for transient voice dictation parsing and OCR scanning. Audio and images are not stored after processing.
- Apple App Store / Google Play: used for processing the one-time Vaava Plus in-app purchase.
- RevenueCat: used for client-side entitlement verification and same-platform restore support for Vaava Plus. RevenueCat may receive purchase-related information and an app-specific identifier, but Vaava does not send email, password, or baby event content to RevenueCat in the current setup.
- Firebase Crashlytics: optional crash diagnostics, disabled by default and user-controlled in Settings. Crash reports do not include baby event content.
These services have their own privacy policies. We only share the minimum necessary data with each service to provide the stated functionality.
Data Security
We implement industry-standard security measures:
- TLS encryption
- Local network data sharing is encrypted with industry-standard encryption methods (such as AES-256)
- No baby data collection in Local Mode (zero data to protect)
- Industry-standard security practices for app infrastructure
Your Rights
You can:
- Export your data from supported app features
- Delete local app data from your device
- Manage your in-app purchase via the App Store or Google Play account that purchased it
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any significant changes through the app. Continued use of Vaava after changes constitutes acceptance of the updated policy.
Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
Email: [email protected]
Company: Novi Homines Software Oy