Privacy Policy
Last updated: 2026-04-25
DRAFT — for counsel review only. Not a final, published document.
1. Who we are
What Would Dad Say LLC, a Pennsylvania limited liability company ("Company," "we," "us," or "our") operates the website located at https://whatwoulddadsay.app (the "Site") and the related "What Would Dad Say?" service (the "Service").
For privacy-related inquiries, data subject access requests, and breach notifications, contact us at:
- Email: legal@whatwoulddadsay.app
- Mailing address: What Would Dad Say LLC, 6587 The Hideout, Lake Ariel, PA 18436, United States
Data Protection Officer: Not appointed — not required under current scope (confirm with counsel once GDPR applicability is determined).
EU/UK representative: {{TODO: Confirm with counsel whether GDPR Art. 27 representative is required once compliance-scope.md GDPR applicability is determined. If not required, replace this line with "Not applicable."}}
2. Scope of this policy
This policy applies to personal information collected through:
- The marketing website at https://whatwoulddadsay.app (the "Site")
- Any email communications initiated from the Site (e.g., waitlist or early-access capture forms)
- Cookies and similar tracking technologies placed on the Site
This policy does not apply to personal information collected through the authenticated web application, the iOS application, or the Android application. Separate notices govern those surfaces.
3. What personal information we collect
IMPORTANT DRAFTING NOTE: The data inventory at
legal/context/data-inventory.mdcontains only a template row as of 2026-04-25. Every row in the table below is sourced from what is technically observable in the codebase (the cookie consent banner names GA4, PostHog, Meta Pixel, and Google Ads as active subprocessors) and from the structure of the email capture form visible in the marketing application. All rows are marked {{TODO}} pending a completed data-inventory.md. Counsel must verify each row against the live data inventory before publishing.
| Data category | How collected | Purpose | Legal basis (GDPR) | Legal basis (US) | Retention | Subprocessors |
|---|---|---|---|---|---|---|
| Email address | User input — waitlist / early-access signup form on the Site | Sending pre-launch communications; account creation on launch | {{TODO: Confirm — likely GDPR Art. 6(1)(a) consent or Art. 6(1)(b) steps prior to contract}} | {{TODO: Confirm legal basis under applicable US state law(s) once compliance-scope.md is populated}} | {{TODO: Specify retention period, e.g., "Until unsubscribe + 30-day backup tail"}} | {{TODO: Name email delivery subprocessor, e.g., AWS SES, Resend, Mailchimp}} |
| Analytics data (page views, click events, session duration, approximate location derived from IP, device/browser metadata) | Automatic collection via cookies and SDKs on the Site | Understanding how visitors engage with the Site; improving content and performance | {{TODO: GDPR Art. 6(1)(a) consent (EU visitors) / Art. 6(1)(f) legitimate interests (where consent not required) — confirm with counsel}} | {{TODO: Confirm under applicable US state law(s)}} | {{TODO: Specify — e.g., "26 months (GA4 default); PostHog: until account deletion"}} | GA4 (Google LLC), PostHog |
| Marketing / advertising data (ad click identifiers, conversion signals, cookie identifiers linked to ad accounts) | Automatic collection via cookies and SDKs on the Site | Measuring advertising campaign effectiveness; retargeting | {{TODO: GDPR Art. 6(1)(a) consent — marketing cookies require opt-in under ePrivacy Directive}} | {{TODO: Confirm under applicable US state law(s)}} | {{TODO: Specify — e.g., "As determined by Meta/Google Ads platform; up to 180 days"}} | Meta Platforms Ireland Ltd. (Meta Pixel), Google LLC (Google Ads) |
Functional / session data (consent preference cookie wwds_consent, session state) | Automatic collection | Remembering your cookie preferences; ensuring the Site functions correctly | GDPR Art. 6(1)(c) (legal obligation to record consent) / Art. 6(1)(f) (legitimate interest in site operation) | Legitimate business purpose | 395 days (consent cookie TTL) | None (first-party cookie) |
4. Cookies and tracking technologies
We use cookies and similar technologies on the Site. For a full list of cookies, their purpose, the third parties that set them, and your choices, see our Cookie Notice.
The cookie consent banner on the Site is shown to visitors identified as being in the European Union. For EU visitors, analytics and marketing cookies are off by default until you click "Accept all" or save custom preferences. Functional cookies necessary for the Site to operate are always active.
Non-EU visitors are subject to {{TODO: Confirm whether opt-out mechanism is provided for non-EU visitors, particularly US visitors under applicable state law(s)}}.
We honor the Global Privacy Control (GPC) browser signal as an opt-out mechanism for the sale or sharing of personal information for cross-context behavioral advertising. If your browser sends the GPC signal, we will suppress non-essential analytics, advertising, and marketing cookies and tags for your session.
5. How we use your information
We use the personal information described in Section 3 to:
- Send you pre-launch updates and communications you requested by submitting your email address.
- Understand how visitors interact with the Site in order to improve it.
- Measure the effectiveness of our marketing and advertising campaigns.
- Remember your cookie preferences so we do not ask repeatedly.
- Comply with legal obligations and enforce our Terms of Service.
- {{TODO: Add any additional uses disclosed in the completed data-inventory.md}}
We do not sell, rent, or share your personal information with third parties for their own independent marketing purposes.
AI training and retrieval. We do not use your personal data, conversations, or content to train, fine-tune, or pre-train AI models, nor do we use your stored personal content as retrieval context to generate responses for other users. Human reviewers may review flagged conversations solely for safety, moderation, or legal-compliance purposes; such review is not AI training and is governed by our data-handling practices described elsewhere in this policy.
6. How we share your information
We share personal information only in the following circumstances:
- Service providers and subprocessors: We share data with the subprocessors listed in Section 3 solely to operate the Site and provide the Service. Each subprocessor is bound by data processing agreements that restrict their use of your data.
- Legal compliance: We may disclose information when required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of the Company, our users, or others.
- Business transfers: In the event of a merger, acquisition, bankruptcy, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will provide notice before such a transfer and the acquiror will be bound by terms no less protective than this policy.
- With your consent: We may share information for any other purpose with your explicit consent.
7. International transfers
{{TODO: This section cannot be completed until company.md is populated with hosting/data residency information and compliance-scope.md is populated with applicable regimes.}}
If you are located in the European Economic Area, United Kingdom, or another jurisdiction with data transfer restrictions, we will transfer your personal information to {{TODO: Insert hosting region, e.g., "servers located in the United States"}} only under appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission; or
- {{TODO: List any other applicable transfer mechanism, e.g., UK International Data Transfer Agreement (IDTA)}}
8. Data retention
We retain personal information only as long as necessary for the purposes described in Section 3 and Section 5, unless a longer retention period is required or permitted by law. Specific retention periods for each data category are listed in Section 3. {{TODO: Populated retention periods are all TODO — complete data-inventory.md before publishing.}}
9. Your rights
{{TODO: This section cannot be properly scoped until compliance-scope.md is populated. The paragraphs below are placeholders that cite regimes tentatively; each bracketed regime must be confirmed as in-scope before publication.}}
Depending on where you are located, you may have some or all of the following rights regarding your personal information:
If you are in the European Economic Area or United Kingdom (if GDPR / UK GDPR confirmed in-scope):
- Right of access (GDPR Art. 15)
- Right to rectification (GDPR Art. 16)
- Right to erasure (GDPR Art. 17)
- Right to restriction of processing (GDPR Art. 18)
- Right to data portability (GDPR Art. 20)
- Right to object (GDPR Art. 21)
- Right to withdraw consent at any time, where processing is based on consent (GDPR Art. 7(3))
- Right to lodge a complaint with a supervisory authority (GDPR Art. 77)
If you are a California resident (if CCPA/CPRA confirmed in-scope):
- Right to know what personal information is collected, used, shared, or sold (CCPA §1798.100)
- Right to delete personal information (CCPA §1798.105)
- Right to correct inaccurate personal information (CPRA §1798.106)
- Right to opt out of the sale or sharing of personal information (CCPA §1798.120)
- Right to limit use of sensitive personal information (CPRA §1798.121)
- Right to non-discrimination for exercising rights (CCPA §1798.125)
If you are in another US state with a comprehensive privacy law (if any such regime confirmed in-scope):
- {{TODO: Add state-specific rights as compliance-scope.md is completed for VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, MCDPA, DPDPA, and other state laws}}
To exercise any applicable rights, contact us at legal@whatwoulddadsay.app. We will respond within the timeframe required by applicable law.
10. Children's privacy
{{TODO: COPPA applicability is unconfirmed in compliance-scope.md. The product name "What Would Dad Say?" may implicate minors as subjects of recordings (e.g., a child whose parent is creating a legacy message). Counsel must confirm whether COPPA, and the heightened protections for ages 13–17 under CPRA and other state laws, apply before this section can be finalized.}}
The Site is not directed to children under 13 years of age, and we do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will take steps to delete that information as quickly as possible.
If you believe we may have information from or about a child under 13, contact us at legal@whatwoulddadsay.app.
11. Third-party links
The Site may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to read the privacy policies of any third-party sites you visit.
12. Changes to this policy
We may update this policy from time to time. When we do, we will update the "Last updated" date at the top of this page. If we make material changes, we will provide more prominent notice (such as an email notification to subscribers or a banner on the Site). Your continued use of the Site after the effective date of any changes constitutes your acceptance of the updated policy.
13. Contact us
For questions about this policy or to exercise your rights, contact:
What Would Dad Say LLC 6587 The Hideout Lake Ariel, PA 18436 United States Email: legal@whatwoulddadsay.app Website: https://whatwoulddadsay.app
{{TODO: Insert EU/UK representative contact block, if applicable under GDPR Art. 27 — confirm with counsel once compliance-scope.md GDPR applicability is determined}}