Privacy Policy
Version v1.1 • Effective Date: 8 September 2025
We respect your privacy. This Privacy Policy explains what data we collect, why we collect it, how we use and share it, how long we keep it, and the choices and rights you have.
1) Controller & Contact
Controller: Laszlo Orosz, trading as "Ladybug App"
Service/Postal Address: 4481. Nyiregyhaza, Templom u. 3., Hungary
Contact Email: ladybug@ladybugapp.net
EU Lead Supervisory Authority: National Authority for Data Protection and Freedom of Information (NAIH), Hungary
EU Representative (GDPR Art. 27): Not required — controller is established in the EU (Hungary).
Representative
We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact for the following regions:
- United Kingdom (UK)
 
Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative, Prighter, or make use of your data subject rights, please visit the following website: https://app.prighter.com/portal/12701061508
2) Data We Collect
- Account & Profile: Email, display name (optional), preferences (units, reset time), device identifiers.
 - Wellness/Health Inputs (you choose to enter): e.g., weight, intake, supplements. These may be special category data; see lawful bases below.
 - Usage & Diagnostics: app interactions, crash/performance logs (minimal; used to keep the service reliable).
 - Billing (via Stripe): Stripe customer ID, subscription status, invoices/receipts. We do not receive or store your full card details.
 - Support: messages you send us (e.g., email, contact form).
 - Technical: IP address, timestamps, and security logs (for fraud/abuse prevention and compliance).
 
3) Purposes & Lawful Bases
- Provide the app & account (authentication, syncing, core features) — Contract (GDPR/UK GDPR Art. 6(1)(b)).
 - Wellness/health inputs you choose to enter — Explicit Consent (Art. 9(2)(a)). You can withdraw consent in Settings; withdrawal may limit features that rely on this data.
 - Subscriptions & billing via Stripe (access control, invoices, fraud prevention) — Contract; Legal obligation for tax/accounting (Art. 6(1)(c)); Legitimate interests for fraud/security (Art. 6(1)(f)).
 - Operational communications (e.g., security alerts, important service changes) — Contract / Legitimate interests. These are not marketing.
 - Tips & updates (non-essential) — Consent (or soft opt-in for existing customers where permitted). You can unsubscribe anytime.
 - Diagnostics & reliability — Legitimate interests to keep the service stable and improve it; where ePrivacy requires consent (e.g., cookies on web), we seek it first.
 - Security, abuse & compliance — Legitimate interests and Legal obligation.
 
4) Retention
- Account & profile data: kept while your account is active; we aim to delete production copies within 30 days of deletion; backups up to 90 days.
 - Wellness/health data you enter: same schedule as above; if you withdraw consent, we stop processing and delete future entries after withdrawal. We may retain de-identified, aggregated statistics.
 - Billing & tax records (Stripe): up to 8 years (or longer where required by law).
 - Support communications: up to 24 months after resolution.
 - Security/fraud/audit logs: up to 12 months (longer if investigating incidents or required for legal claims).
 - Consent logs & preferences: while relevant, and up to 6 years for compliance proof.
 - Backups: encrypted; retained up to 90 days; not used for normal operations.
 - Dormant accounts: after 24 months of inactivity we may notify you and then delete or anonymise if you do not reactivate.
 
5) International Transfers
We primarily host and process data in the EEA/UK. Some providers may process data in other countries (including the United States) where necessary to deliver the service.
Where transfers occur to countries without an adequacy decision, we apply Art. 46 safeguards (e.g., Standard Contractual Clauses and the UK Addendum/IDTA) and additional measures (encryption in transit/at rest, access controls, logging, minimisation). Where a provider participates in an approved framework (e.g., EU-U.S. Data Privacy Framework / UK Extension), we may rely on that certification for covered transfers.
6) Your Rights & How to Complain
You can exercise your rights by emailing ladybug@ladybugapp.net or via the in-app Privacy & Data section (when available). We respond within one month (we may extend by up to two months for complex requests and will tell you why).
- Access to your data and processing information
 - Rectification of inaccurate data
 - Erasure in certain circumstances
 - Restriction of processing in certain situations
 - Portability of data you provided
 - Object to processing based on legitimate interests (including minimal analytics/diagnostics) and to direct marketing at any time
 - Withdraw consent at any time (for health data, tips/updates emails, push notifications)
 
Identity verification: we may request information to confirm your identity. No fee for normal requests; a reasonable fee or refusal may apply to manifestly unfounded or excessive requests.
Complaints: contact us at ladybug@ladybugapp.net. You may also complain to your authority:
- EU lead authority: NAIH (Hungary)
- Ireland: Data Protection Commission (DPC)
- United Kingdom: Information Commissioner's Office (ICO)
Automated decisions: we do not make decisions based solely on automated processing that produce legal or similarly significant effects.
7) Communications & Email Preferences
- Service/operational (not marketing): account/security, receipts/invoices, important service changes/outages, support replies. You cannot unsubscribe from essential service messages, but you can control certain notifications in the app.
 - Tips & updates (marketing): occasional product tips, new features, and content highlights. Sent only with your consent (or soft opt-in for existing customers where permitted). Every message includes an unsubscribe link and a link to manage preferences.
 - Push notifications (optional): sent only with your consent; you can change device or in-app settings at any time.
 
Unsubscribe & suppression: we honour unsubscribe requests immediately and keep a minimal suppression record (email + opt-out flag) solely to respect your choice.
Measurement & tracking: we avoid tracking pixels in essential service messages. For optional emails, limited measurement (opens/clicks) may be used where lawful; where required (e.g., cookies on the web), we seek consent first. Where supported, we include a List-Unsubscribe header for one-click unsubscribe.
8) Service Providers (Processors) & Security
Stripe acts as our processor for payments and, for certain activities (e.g., fraud prevention and regulatory compliance), as an independent controller—see Stripe's privacy notice.
Processors & categories: we engage third-party providers under Art. 28 DPAs and restrict processing to our instructions. Key categories include:
- Hosting, database, authentication & functions: Google Firebase / Google Cloud Platform
 - Payments & subscriptions: Stripe
 - Email delivery (operational): SMTP provider(s)
 - Diagnostics & reliability (minimal): crash/performance telemetry (opt-out where available)
 
Security measures: encryption in transit and at rest; least-privilege access and MFA; logging and periodic reviews; secrets management; secure development practices; encrypted backups and resilience testing.
Incident response: where a personal-data breach is likely to result in a risk to individuals, we will notify the competent authority within 72 hours and inform affected users without undue delay, as required by law.
9) Children & Age Limits
The Service is intended for adults and, as stated in our Terms, you must be 18 years or older to use the app.
The service is designed for adults. We do not knowingly process personal data of children below the applicable digital age of consent without verified parental authorisation.
- Ireland / EEA: under 16 require parental consent.
 - United Kingdom: under 13 require parental consent.
 
If we learn we have collected data from a child without the required consent, we will delete the account and associated data or obtain parental authorisation without undue delay.
10) Changes
We may update this Privacy Policy to reflect changes in our service or the law. We will notify you of material changes in-app or by email and indicate the effective date.
11) How to Contact Us
Questions or requests about this Policy or your data? Email ladybug@ladybugapp.net.
© 2025 Ladybug App