In short
babysteps is an app built in the Netherlands that allows parents to capture the early years of their child, share them privately with loved ones and relive them through a personal timeline or printed photo books. We securely store your stories, photos, and videos in the European Union. We use trusted infrastructure providers to ensure reliability and security. The app is free to use, without subscriptions and contains no advertisements.
This Privacy Policy explains how babysteps processes personal data in accordance with the General Data Protection Regulation (GDPR), with a focus on minimal data collection, parental control and EU-based storage.
Data Controller
babysteps (“babysteps”, “we”, “us”), based in the Netherlands, is the data controller. We do not process data outside the European Union and operate without advertisements or subscriptions. This policy applies to the app and related services.
We are not required to appoint a Data Protection Officer (DPO). For any questions, please contact info@babysteps-app.com.
Data We Collect
We only collect the minimum data necessary:
Profile data: first name, last name, date of birth, gender, profile photo and banner (visible only to invited followers)
Account data: email address and password (stored salted and hashed)
Child profile data: first name, last name, date of birth, gender, profile photo and banner (visible only to invited followers)
Moment data: title, location, media (photos and videos), description, date, time and associated children
Interactions: likes and comments
Technical data: device type, operating system, app version, screen size, language or region, time zone, IP address and connection type (used for app improvement)
Photo book data: payment and shipping information
Analytics and usage data: in-app events such as clicks, screen views and interactions, used to improve the app and optimize the user experience. Where possible, this data is aggregated or pseudonymised
Data relating to children is only processed with explicit parental consent and remains private.
Purposes and Legal Basis
We process data for the following purposes:
Providing the service (capturing, sharing, timeline, photo books): performance of a contract
Improving the app: analyzing usage and behavior data (where possible aggregated or pseudonymised) to improve functionality (legitimate interest)
Security and fraud prevention: legitimate interest
Service messages (updates or changes): consent
Marketing (newsletters): consent
We do not use profiling or automated decision-making.
Sharing of Data
Data remains within the European Union and is only shared with:
Invited followers (only the content you choose to share)
Processors under GDPR agreements, including EU-based hosting providers, photo book printers, payment providers and analytics and product improvement tools
Analytics and product improvement tools to understand usage and improve the service
Google Firebase (authentication, storage and analytics; US-based subprocessor using Standard Contractual Clauses)
Authorities, if required by law or legal order
We do not sell data to third parties. A full list of subprocessors is available upon request via info@babysteps-app.com.
Error Reporting
Firebase Crashlytics collects technical data in case of app crashes, such as stack traces and device information. It does not collect personal content such as photos or names. This can be disabled via Settings > Account.
Security and Storage
We apply appropriate security measures, including:
Encryption of communication (HTTPS and TLS) and storage
Access controls and regular audits
Secure storage using Google Cloud
Data retention:
As long as the account is active
30 days after deletion (backups up to 90 days)
Financial records up to 7 years as required by law
Data Breaches
In case of a security incident, we follow the guidelines of the Dutch Data Protection Authority. Where required, we will notify the authority within 72 hours and inform you if there is a risk to your rights.
Your Rights under GDPR
You have the right to:
Access, correct or delete your data, including account and child data
Restrict processing, object to processing and request data portability
Withdraw consent at any time
You can submit requests via info@babysteps-app.com. We will respond within one month and may require identity verification.
You also have the right to file a complaint with the Dutch Data Protection Authority via autoriteitpersoonsgegevens.nl.
Cookies, Children and Push Notifications
We use functional and analytical cookies only. No tracking cookies are used. You can manage cookies via your browser or app settings.
The app is intended for users aged 16 and older. Parents are responsible for the data of their children. We do not knowingly collect data from children under 16 without parental consent.
Push notifications, such as new moments or comments, are only sent with your consent and can be disabled in app or device settings.
Changes
We may update this Privacy Policy via the app or email. Continued use of the Service implies acceptance.
Contact: babysteps, Netherlands, info@babysteps-app.com
Last updated: April 2026