← Back
Privacy Policy
Last updated: 13 July 2026
1. Controller
Meyer Digital
Martina Meyer (sole proprietorship)
Seefeldstrasse 178
8008 Zurich, Switzerland
Email:
2. EU Representative (Art. 27 GDPR)
For users residing in the European Union, we have appointed an EU representative under Art. 27 GDPR as the point of contact for supervisory authorities and data subjects.
Cornelius Matutis (Attorney at Law)
Email:
3. Overview
Nourli is an app for tracking feeds, sleep, diapers, and other daily data around babies. This privacy policy informs you about which personal data we collect, how we process it, and what rights you have.
We take the protection of your data and your child's data very seriously. Nourli shows no advertising and does not sell data. To improve the app and the website, we use Microsoft Clarity. Form inputs, baby names, health data and notes are technically masked. See Section 9 for details.
4. What data we collect
Account data
- Email address (when signing up via Magic Link, Apple Sign-In or Google)
- Display name (optional, only visible when sharing is enabled)
- User ID (internally generated)
An account is required to use the app (no guest mode). Without an account, no data storage or cloud sync is possible.
Baby profile data
- Baby's name or nickname
- Date of birth
- Birth weight, optionally birth length
- Feeding mode (breastfeeding, bottle, pumping, mixed)
Feeding and solids data
- Breastfeeding times (start, end, duration, side, pauses)
- Bottle feeds (amount in ml, milk type, time)
- Solids (type, amount, tolerance notes)
- Water (amount, time)
- Optional: notes and mood of the child after the meal
Pumping and stash data
- Pumping times and amounts, side
- Milk stash (fridge, freezer, fed, given away)
- Stash adjustments
Sleep data
- Sleep times and type (nap, night sleep, contact sleep, stroller)
Diaper and health data
- Diaper type (wet, stool, both)
- Stool color, notes on diaper rash, cream use
- Reflux / spit-up (amount, observations)
- Weight history
- Vitamin D administration
Data in the breastfeeding log export
When you create a breastfeeding log export for a midwife or pediatrician, you can optionally include your name, the child's name, date of birth and birth weight as header information in the PDF. These additional details are stored locally in your app settings.
Technical data
- Device type and operating system version (for app compatibility)
- App version, build number
- Local error logs (remain on your device)
- Anonymous usage telemetry (Microsoft Clarity): visited screens, tap/scroll interactions, device class, app version, anonymized IP. Form inputs, baby names, health data and notes are fully masked in session replays (Sensitive Data Masking). See Section 9 for details.
5. Note on special categories (health data)
Feeding, pumping, diaper, sleep, weight and vitamin D data may allow conclusions about the health of your child. This data is considered specially protected personal data under the GDPR (Art. 9 para. 1) and the Swiss FADP (Art. 5 lit. c).
The processing of this data is based on your explicit consent (Art. 9 para. 2 lit. a GDPR / Art. 6 para. 7 FADP), which you provide when using the app. As a parent or legal guardian, you also provide this consent on behalf of your child. Children under 16 cannot give their own effective consent (Art. 8 GDPR).
You can withdraw your consent at any time by deleting your account in the app (see Section 12).
6. Sharing with caregivers, midwives and professionals
Shared use with caregivers
You can invite partners, family members or other carers to view your child's data in real time and add new entries. The invitation is sent via an invitation link.
- Invited persons need their own Nourli account.
- Only data you have entered or explicitly shared is visible — access is technically protected by Row-Level Security rules.
- You can remove caregivers at any time; access is revoked immediately.
- You are responsible for informing the invited persons about this data processing.
Breastfeeding log export for professionals
You can create a breastfeeding log as a PDF or spreadsheet file (CSV, XLSX) and forward it yourself to your midwife or pediatrician. The export happens locally on your device.
7. Where the data is stored
Locally on your device
All data is primarily stored in a local database (SQLite) on your iPhone or iPad. The app works fully offline.
Cloud synchronization
With your account, data is synchronized with our backend provider so you can access it on multiple devices and caregivers can view it.
- Provider: Supabase Inc., San Francisco, USA
- Server location: Amazon Web Services (AWS), region eu-west-1 (Dublin, Ireland)
- Purpose: data backup, sync between devices, sharing with caregivers
Legal basis for transfer to the USA: EU Standard Contractual Clauses (SCCs) under Art. 46 para. 2 lit. c GDPR plus a Data Processing Addendum with Supabase. The physical data storage remains in the EU.
Apple Watch, Widgets and Live Activities
If you use the Apple Watch app, iOS widgets or Live Activities, the data needed for display (current session, latest entry, duration) is synchronized between devices via Apple's WatchConnectivity and WidgetKit. This synchronization runs locally via Apple's frameworks; no additional transfer to us or third parties occurs.
8. Push notifications
Nourli can remind you of scheduled times for feeds, pumping or diaper changes. These notifications are generated locally on your device via Expo Notifications and are not sent through our servers or Apple's push services.
You can disable notifications at any time in iOS system settings.
9. Sub-processors
| Service | Purpose | Location |
| Supabase Inc. | Authentication, database, cloud sync | USA (company), EU / AWS eu-west-1 Ireland (data) |
| Apple Inc. | Apple Sign-In, In-App Purchase (iOS subscription handling) | USA |
| Google LLC | Google Sign-In, Google Play Billing (Android subscription handling) | USA |
| Microsoft Corporation | App and web analytics via Microsoft Clarity (heatmaps, session replays, anonymized) | EU / USA |
| Expo / EAS | App build service, over-the-air updates | USA |
| OpenAI, L.L.C. | Speech-to-text conversion (Whisper API) for voice-based entry | USA |
| Anthropic, PBC | Content extraction from the transcript (Claude API) for voice-based entry | USA |
| Resend, Inc. | Transactional emails (Magic Link, invitations) | EU region |
Apple and Google receive only the data necessary for authentication (email or identity token). Beyond that, we only store the account data you have confirmed in our database.
Payment processing (Apple In-App Purchase / Google Play Billing)
Paid subscriptions and lifetime purchases are processed exclusively through the platform stores:
- iOS: Apple In-App Purchase (Apple Inc., USA / Apple Distribution International Ltd., Ireland for EU purchases)
- Android: Google Play Billing (Google LLC, USA / Google Ireland Ltd. for EU purchases) — once the Android version is available
We have no access to your payment data (card number, bank details, address). Apple and Google process payment, invoicing, taxes and refunds independently. From Apple/Google we only receive a pseudonymized confirmation (receipt/token) of your purchase, the product identifier and the start/expiry dates of a subscription, to validate the unlocked features server-side.
App analytics (Microsoft Clarity)
To improve the app user experience, we collect anonymized usage data using Microsoft Clarity.
- Provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA
- What is collected: visited screens, tap/scroll interactions, session duration, device class, operating system, app version, anonymized IP, aggregated heatmaps and session replays
- What is NOT collected: form inputs, names, baby names, notes, health data, amounts, images. All content with personal or health data is automatically masked via Clarity's Sensitive Data Masking feature.
- Retention: Microsoft deletes Clarity data after no more than 13 months
- Legal basis: Legitimate interest in product improvement and error analysis (Art. 6 para. 1 lit. f GDPR)
- Opt-out: at any time in the app under Menu → Settings → Privacy
- USA transfer: Microsoft Corporation is certified under the EU-US Data Privacy Framework; EU Standard Contractual Clauses (SCCs) apply additionally.
Voice-based entry (AI services)
If you use the optional voice feature, your recording is transmitted to OpenAI (Whisper API) for speech-to-text conversion, and the resulting text to Anthropic (Claude API) for content extraction.
- What is transmitted: only the recording or the resulting text, plus the baby first name stored in the app (for matching when you manage several profiles). No account, name or device identifiers. The providers can only link the data to you if you record identifying details yourself.
- No training: both providers contractually do not use data submitted via their APIs to train their models; short-term retention only for abuse monitoring.
- Deletion: the audio file is deleted from your device once your review is complete; only the entries you confirm are stored permanently.
- Quality improvement (beta): to further develop the voice feature, we store the recording, the transcript, the automatically detected suggestions and your corrections on our servers (Supabase, see above) for a maximum of 2 months. This data is not public, is not shared with third parties and is not used to train third-party AI models; it is deleted automatically once the period expires.
- US transfer: both providers are certified under the EU-US Data Privacy Framework; EU standard contractual clauses (SCCs) apply in addition.
- Legal basis: performance of contract when using the feature (Art. 6 (1) (b) GDPR); for quality improvement, our legitimate interest in developing the feature further (Art. 6 (1) (f) GDPR).
Web analytics
On the nourli.app website we use exclusively Microsoft Clarity (see above). No other analytics tools (Google Analytics, Plausible, Matomo, etc.) are used.
10. Purpose and legal basis
| Purpose | Legal basis |
| Provision of app functions (tracking, sync, export) | Contract performance (Art. 6 para. 1 lit. b GDPR / Art. 31 para. 2 lit. a FADP) |
| Processing of health data | Explicit consent (Art. 9 para. 2 lit. a GDPR / Art. 6 para. 7 FADP) |
| Authentication (login) | Contract performance |
| Invitations to caregivers, breastfeeding log export | Contract performance, at your active request |
| Premium subscription / lifetime handling via Apple/Google | Contract performance (Art. 6 para. 1 lit. b GDPR) |
| App and web analytics (Microsoft Clarity, anonymized + masked) | Legitimate interest in product improvement (Art. 6 para. 1 lit. f GDPR) |
| Technical stability and error handling | Legitimate interest (Art. 6 para. 1 lit. f GDPR) |
| Local notifications | Contract performance / consent (iOS/Android notification permission) |
11. What we do NOT do
- We show no advertising
- We do not sell or share any data with third parties for marketing purposes
- We do not create advertising profiles and do not use cross-platform advertising identifiers
- We do not transmit any health data, baby names, notes or input contents to analytics providers or other third parties
- Microsoft Clarity records no input contents, no baby names, no amounts and no notes — all such content is masked in the app via Sensitive Data Masking
- We do not use Google Analytics, Firebase, Mixpanel, Amplitude or Sentry telemetry
12. Retention and deletion
- Local data: Deleted when you uninstall the app or use the data reset function.
- Cloud data: Deleted when you delete your account. Deletion occurs within 30 days.
- Delete account: At any time under Menu → Account → "Delete account and all data".
- Soft delete: Individual entries deleted in the app are permanently removed from the cloud after no more than 30 days.
- Voice recordings (beta): Recordings, transcripts and corrections from voice-based entry are deleted automatically after no more than 2 months (see section 9).
- Invitations and tokens: Time- or usage-limited; invalidated immediately upon revocation.
13. Your rights
- Access (Art. 15 GDPR / Art. 25 FADP)
- Rectification (Art. 16 GDPR)
- Deletion (Art. 17 GDPR / Art. 32 FADP)
- Data portability (Art. 20 GDPR) — export as CSV, XLSX or PDF in the app
- Restriction of processing (Art. 18 GDPR)
- Objection (Art. 21 GDPR)
- Withdrawal of consent (Art. 7 para. 3 GDPR)
To exercise your rights:
14. Right to lodge a complaint
- Switzerland: FDPIC, Feldeggweg 1, 3003 Bern — edoeb.admin.ch
- Germany: The data protection authority of your federal state. Overview: bfdi.bund.de
- Austria: Datenschutzbehörde, Barichgasse 40–42, 1030 Vienna — dsb.gv.at
As soon as our EU representative (Section 2) is appointed, the responsible lead supervisory authority in the EU will also be added here.
15. Medical disclaimer
Nourli is a documentation tool and not a medical device within the meaning of the EU Medical Device Regulation (MDR 2017/745) or the Swiss Therapeutic Products Act (HMG). The app does not replace medical advice, diagnosis or treatment. For health questions about your child, please contact your pediatrician, midwife, or parent counseling service.
16. Changes
We reserve the right to update this privacy policy as needed. The current version is always available in the app and at nourli.app/en/privacy. For material changes, we will inform you actively via the app.
Meyer Digital · Martina Meyer · Seefeldstrasse 178 · 8008 Zurich ·