Privacy Policy

Effective date: February 8, 2026

1. Introduction

cradleOS ("cradleOS," "we," "us," or "our") operates the website at cradleos.com (the "Marketing Site") and the application at app.cradleos.com (the "Application," and together with the Marketing Site, the "Service"). This Privacy Policy explains how we collect, use, disclose, store, and protect information when you use the Service.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree, please do not use the Service. This Privacy Policy is incorporated into and subject to our Terms of Service.

2. Information We Collect

2.1 Information You Provide

  • Account information: When you create an account, we collect your name, email address, organization name, role, and authentication credentials.
  • Childcare data: Providers (administrators and staff) may enter information about children, families, attendance records, billing details, and staff information into the Application ("Provider Data"). This data is entered by authorized adults in the course of childcare center operations.
  • Guardian information: Parents and guardians may provide contact information, emergency contacts, and child-related details through the Service.
  • Communications: When you contact us for support, provide feedback, or otherwise communicate with us, we collect the content of those communications.
  • Waitlist & contact forms: When you sign up for our waitlist or download resources on the Marketing Site, we collect your name and email address.
  • Payment information: If you subscribe to a paid plan, we collect billing information such as your payment method details. Payment processing is handled by third-party payment processors, and we do not directly store your full credit card number.

2.2 Information Collected Automatically

  • Usage data: We collect information about how you interact with the Service, including pages visited, features used, actions taken, and timestamps.
  • Device information: We may collect information about the device you use to access the Service, including device type, operating system, browser type, and screen resolution.
  • Log data: Our servers automatically record information ("Log Data"), including your IP address, browser type, referring/exit pages, and request timestamps.
  • Analytics: We use Cloudflare Web Analytics on the Marketing Site, which collects aggregated, anonymous usage data without using cookies or tracking individual visitors.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide and maintain the Service: To operate, maintain, and improve the Service, including processing transactions and sending related information such as purchase confirmations.
  • Account management: To create and manage your account, authenticate users, and provide customer support.
  • Communications: To send you technical notices, updates, security alerts, support messages, and administrative messages. With your consent, we may also send product announcements and marketing communications.
  • Improvement and development: To understand how users interact with the Service so we can improve, develop, and optimize it.
  • Safety and security: To detect, investigate, and prevent fraudulent transactions, abuse, and other illegal activities, and to protect the rights, property, and safety of cradleOS and our users.
  • Legal compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

4. Data Processing on Behalf of Providers

4.1 Processor Role

When Providers use the Service to manage their childcare center operations, cradleOS acts as a data processor on behalf of the Provider (the data controller) with respect to Provider Data. We process Provider Data solely as directed by the Provider and in accordance with these Terms and our contractual obligations.

4.2 Provider Responsibilities

Providers are responsible for:

  • Ensuring they have a lawful basis (such as consent from parents and guardians) to collect and process personal data through the Service
  • Providing any required privacy notices to individuals whose data they enter into the Service
  • Ensuring the accuracy of data entered into the Service
  • Complying with all applicable data protection laws and regulations, including those specific to the childcare industry
  • Responding to data subject rights requests from individuals whose data they control

4.3 Data Processing Agreement

Our processing of Provider Data is governed by our standard data processing terms, which are incorporated into our Terms of Service. If a Provider requires a separate Data Processing Agreement, please contact us at feedback@cradleos.com.

5. Data Sharing & Third Parties

We do not sell, trade, or rent your personal information to third parties. We may share your information in the following circumstances:

  • Service providers: We share information with third-party service providers who perform services on our behalf, such as cloud hosting (Cloudflare, Supabase), payment processing, email delivery, and analytics. These providers are contractually bound to use your information only as necessary to provide services to us and in accordance with this Privacy Policy.
  • Within the Service: Provider Data may be shared between authorized users within the same childcare center organization as necessary for the operation of the center. Guardian information may be shared with the Provider associated with their child's enrollment.
  • Legal requirements: We may disclose your information when required by law, subpoena, court order, or other legal process, or when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
  • Business transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or other similar event, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.
  • With your consent: We may share your information with third parties when you have given us explicit consent to do so.

6. Data Storage & Security

We implement multiple layers of technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Data encrypted in transit (TLS/SSL) and at rest (AES-256)
  • Application-level encryption on sensitive medical and health data
  • Row-level data isolation — each center's data is completely separated and inaccessible to other centers
  • Secure cloud infrastructure hosted in the United States
  • Role-based access controls and authentication mechanisms

Marketing Site data (e.g., waitlist signups) is stored in a Cloudflare D1 database. Application data is stored in secure, encrypted databases managed by Supabase.

While we strive to protect your information, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security of your data.

7. Cookies & Tracking

The Marketing Site does not use cookies. The Application uses essential cookies only for the following purposes:

  • Session management: To maintain your login session and authentication state.
  • Security: To help detect and prevent security threats.
  • Preferences: To remember your application settings and preferences.

We do not use third-party advertising or behavioral tracking cookies. We do not participate in ad networks or cross-site tracking.

8. Children's Privacy

cradleOS is designed for use by childcare center administrators, staff, and parents/guardians. The Service is not directed to children under the age of 13, and we do not knowingly collect personal information directly from children under 13.

Any child-related data entered into the Application (such as names, dates of birth, attendance records, and health/allergy information) is provided by authorized adults — specifically, childcare Providers and parents/guardians — in the course of childcare center operations. This data is entered and controlled by the Provider organization and parents/guardians, not by the children themselves.

Sensitive medical and health data (such as allergies, medications, and immunization records) is protected by application-level encryption in addition to standard at-rest database encryption.

If we become aware that we have inadvertently collected personal information directly from a child under 13, we will take steps to delete such information promptly. If you believe we have collected information directly from a child under 13, please contact us immediately at feedback@cradleos.com.

9. Data Retention

We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

  • Account data: Retained for the duration of your active account. Upon account deletion, personal data is permanently removed within 30 days, except as required for legal compliance, dispute resolution, or enforcement of our agreements.
  • Provider Data: Retained for the duration of the Provider's active account. Upon account termination, Provider Data is deleted in accordance with our data retention schedule unless the Provider requests earlier deletion or applicable law requires longer retention.
  • Waitlist data: Retained until the waitlist program concludes or until you request removal.
  • Log and usage data: Retained for up to 12 months for security and operational purposes, then aggregated or deleted.
  • Analytics data: Aggregated and anonymous; not tied to identifiable individuals.

10. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate or incomplete personal information.
  • Deletion: Request deletion of your personal information, subject to certain legal exceptions.
  • Opt-out: Opt out of marketing communications at any time by clicking the "unsubscribe" link in any marketing email or by contacting us.
  • Data portability: Request a copy of your data in a structured, commonly used, and machine-readable format.
  • Restriction: Request that we restrict the processing of your personal information in certain circumstances.
  • Objection: Object to processing of your personal information where we rely on legitimate interests as the legal basis.

To exercise any of these rights, please contact us at feedback@cradleos.com. We will respond to your request within a reasonable timeframe and in accordance with applicable law.

11. International Data

The Service is operated from the United States. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where our servers are located and our central database is operated. The data protection laws of the United States may differ from those of your country of residence.

By using the Service, you consent to the transfer of your information to the United States and the processing of your information in the United States as described in this Privacy Policy.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable laws. If we make material changes, we will provide notice through the Service, by email, or by other reasonable means prior to the changes becoming effective. The "Effective date" at the top of this page indicates when this Privacy Policy was last revised.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree to the updated Privacy Policy, you must stop using the Service.

13. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about our data practices, please contact us at: