Privacy Policy
Last updated: 2026-04-25
DRAFT — for counsel review only. Not a final, published document.
1. Who we are
What Would Dad Say LLC, a Pennsylvania limited liability company ("Company," "we," "us," or "our") operates the website located at https://whatwoulddadsay.app (the "Site") and the related "What Would Dad Say?" service (the "Service").
For privacy-related inquiries, data subject access requests, and breach notifications, contact us at:
- Email: legal@whatwoulddadsay.app
- Mailing address: What Would Dad Say LLC, 6587 The Hideout, Lake Ariel, PA 18436, United States
Data Protection Officer: Not appointed — not required under current scope (confirm with counsel once GDPR applicability is determined).
EU/UK representative: {{TODO: Confirm with counsel whether GDPR Art. 27 representative is required once compliance-scope.md GDPR applicability is determined. If not required, replace this line with "Not applicable."}}
2. Scope of this policy
This policy applies to personal information collected through:
- The marketing website at https://whatwoulddadsay.app (the "Site")
- Any email communications initiated from the Site (e.g., waitlist or early-access capture forms)
- Cookies and similar tracking technologies placed on the Site
- The authenticated iOS mobile application ("App"), including the Recording Studio feature, account management, and any other authenticated features of the App
DRAFTING NOTE — The authenticated web application is not yet in production. When it launches, confirm whether this policy is extended to cover it or whether a separate notice is published. Update this scope paragraph accordingly before the web app is opened to users.
COUNSEL FLAG — This policy has been extended from marketing-site-only scope to cover the authenticated mobile app (iOS) based on PRD-04.1 shipping. Counsel should confirm: (a) a single unified policy covering both the marketing site and the authenticated app is appropriate for a PA LLC of this scale, or whether a layered/app-specific notice is preferable; (b) whether Apple App Store privacy nutrition label requirements (App Store Review Guidelines §5.1) require a separate or supplemental in-app notice beyond what this policy provides; (c) whether the addition of recorded video/audio content to scope triggers any additional disclosure obligations (e.g., Illinois BIPA §15(a) collection notice, CPRA §1798.100(a) at-collection disclosure).
3. What personal information we collect
IMPORTANT DRAFTING NOTE: The data inventory at legal/context/data-inventory.md contains only a template row as of 2026-04-25. Every row in the table below is sourced from what is technically observable in the codebase (the cookie consent banner names GA4, PostHog, Meta Pixel, and Google Ads as active subprocessors) and from the structure of the email capture form visible in the marketing application. All rows are marked {{TODO}} pending a completed data-inventory.md. Counsel must verify each row against the live data inventory before publishing.
| Data category | How collected | Purpose | Legal basis (GDPR) | Legal basis (US) | Retention | Subprocessors | |
|---|---|---|---|---|---|---|---|
| Email address | User input — waitlist / early-access signup form on the Site | Sending pre-launch communications; account creation on launch | {{TODO: Confirm — likely GDPR Art. 6(1)(a) consent or Art. 6(1)(b) steps prior to contract}} | {{TODO: Confirm legal basis under applicable US state law(s) once compliance-scope.md is populated}} | {{TODO: Specify retention period, e.g., "Until unsubscribe + 30-day backup tail"}} | {{TODO: Name email delivery subprocessor, e.g., AWS SES, Resend, Mailchimp}} | |
| Analytics data (page views, click events, session duration, approximate location derived from IP, device/browser metadata) | Automatic collection via cookies and SDKs on the Site | Understanding how visitors engage with the Site; improving content and performance | {{TODO: GDPR Art. 6(1)(a) consent (EU visitors) / Art. 6(1)(f) legitimate interests (where consent not required) — confirm with counsel}} | {{TODO: Confirm under applicable US state law(s)}} | {{TODO: Specify — e.g., "26 months (GA4 default); PostHog: until account deletion"}} | GA4 (Google LLC), PostHog | |
| Marketing / advertising data (ad click identifiers, conversion signals, cookie identifiers linked to ad accounts) | Automatic collection via cookies and SDKs on the Site | Measuring advertising campaign effectiveness; retargeting | {{TODO: GDPR Art. 6(1)(a) consent — marketing cookies require opt-in under ePrivacy Directive}} | {{TODO: Confirm under applicable US state law(s)}} | {{TODO: Specify — e.g., "As determined by Meta/Google Ads platform; up to 180 days"}} | Meta Platforms Ireland Ltd. (Meta Pixel), Google LLC (Google Ads) | |
| Functional / session data (consent preference cookie wwds_consent, session state) | Automatic collection | Remembering your cookie preferences; ensuring the Site functions correctly | GDPR Art. 6(1)(c) (legal obligation to record consent) / Art. 6(1)(f) (legitimate interest in site operation) | Legitimate business purpose | 395 days (consent cookie TTL) | None (first-party cookie) | |
| Recorded video messages | Device camera (user-initiated recording in the mobile app) | Store user-created video messages for future delivery to recipients you designate | GDPR Art. 6(1)(b) — performance of contract | Contract / CCPA business purpose | Until you delete + 30-day permanent deletion window; account-deletion Storage cleanup within 30 days; future opt-in posthumous delivery retention (see §8) | Supabase Storage (recordings bucket) | Supabase |
| Recorded audio messages | Device microphone (user-initiated recording in the mobile app) | Store user-created audio messages for future delivery to recipients you designate | GDPR Art. 6(1)(b) — performance of contract | Contract / CCPA business purpose | Same as recorded video messages | Supabase Storage (recordings bucket) | Supabase |
| Written text messages | User input in the mobile app | Store user-created text messages for future delivery to recipients you designate | GDPR Art. 6(1)(b) — performance of contract | Contract / CCPA business purpose | Same as recorded video messages | Supabase Postgres (messages.text_body) | Supabase |
| Message metadata and technical processing metadata (title, note, prompt association, child association; checksum, duration, size, upload status, error codes, device timestamp, storage backend) | User input + app context + device telemetry | Message organization, recipient delivery, upload integrity verification | GDPR Art. 6(1)(b) — performance of contract | Contract / CCPA business purpose | Same retention as the associated message | Supabase Postgres (messages table) | Supabase |
| Text drafts (in-progress text messages not yet finalized) | User input in the mobile app | Cross-device draft continuity | GDPR Art. 6(1)(b) — performance of contract | Contract / CCPA business purpose | Until finalized or deleted; cascade-deleted on account deletion | Supabase Postgres (text_drafts table) | Supabase |
| Upload job operational telemetry (device-local file path, bytes uploaded, TUS resumable URL, error codes, attempt counts) | Device + app | Resume interrupted uploads; operational health monitoring | GDPR Art. 6(1)(b) — performance of contract | Contract / CCPA business purpose | Deleted on upload completion or cascade-deleted with the parent message | Supabase Postgres (upload_jobs table) | Supabase |
4. Cookies and tracking technologies
We use cookies and similar technologies on the Site. For a full list of cookies, their purpose, the third parties that set them, and your choices, see our Cookie Notice.
The cookie consent banner on the Site is shown to visitors identified as being in the European Union. For EU visitors, analytics and marketing cookies are off by default until you click "Accept all" or save custom preferences. Functional cookies necessary for the Site to operate are always active.
Non-EU visitors are subject to {{TODO: Confirm whether opt-out mechanism is provided for non-EU visitors, particularly US visitors under applicable state law(s)}}.
We honor the Global Privacy Control (GPC) browser signal as an opt-out mechanism for the sale or sharing of personal information for cross-context behavioral advertising. If your browser sends the GPC signal, we will suppress non-essential analytics, advertising, and marketing cookies and tags for your session.
5. How we use your information
We use the personal information described in Section 3 to:
- Send you pre-launch updates and communications you requested by submitting your email address.
- Understand how visitors interact with the Site in order to improve it.
- Measure the effectiveness of our marketing and advertising campaigns.
- Remember your cookie preferences so we do not ask repeatedly.
- Comply with legal obligations and enforce our Terms of Service.
- Operate the Recording Studio: store and organize your recorded video, audio, and text messages; verify upload integrity (checksum comparison); sync text drafts across your signed-in devices; and, in the future, deliver your messages to recipients you designate.
We do not sell, rent, or share your personal information with third parties for their own independent marketing purposes.
AI training and retrieval. We do not use your personal data, conversations, or content to train, fine-tune, or pre-train AI models, nor do we use your stored personal content as retrieval context to generate responses for other users. Human reviewers may review flagged conversations solely for safety, moderation, or legal-compliance purposes; such review is not AI training and is governed by our data-handling practices described elsewhere in this policy.
6. How we share your information
We share personal information only in the following circumstances:
- Service providers and subprocessors: We share data with the subprocessors listed in Section 3 solely to operate the Site and provide the Service. Each subprocessor is bound by data processing agreements that restrict their use of your data.
- Legal compliance: We may disclose information when required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of the Company, our users, or others.
- Business transfers: In the event of a merger, acquisition, bankruptcy, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will provide notice before such a transfer and the acquiror will be bound by terms no less protective than this policy.
- With your consent: We may share information for any other purpose with your explicit consent.
7. International transfers
{{TODO: This section cannot be completed until company.md is populated with hosting/data residency information and compliance-scope.md is populated with applicable regimes.}}
If you are located in the European Economic Area, United Kingdom, or another jurisdiction with data transfer restrictions, we will transfer your personal information to {{TODO: Insert hosting region, e.g., "servers located in the United States"}} only under appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission; or
- {{TODO: List any other applicable transfer mechanism, e.g., UK International Data Transfer Agreement (IDTA)}}
8. Data retention
We retain personal information only as long as necessary for the purposes described in Sections 3 and 5, unless a longer retention period is required or permitted by law.
Account information. We retain your account email address and related authentication data for as long as your account exists. Upon account deletion, account data is removed from our active systems within 30 days.
Recorded video and audio messages. We retain your recorded video and audio messages for as long as your account exists and you have not deleted them. When you delete a message, it is removed from the vault view immediately. We will permanently delete the message — including any copy stored by our infrastructure subprocessors — within 30 days of your delete action (CCPA §1798.105 alignment). {{TODO: backup retention window — confirm whether the 30-day external commitment is measured from user-initiated delete action or from expiry of any grace period; update once confirmed with counsel.}}
"Recently deleted" recovery period. Deleted messages may be recoverable by you for a period of up to 30 days following deletion. After that window closes, permanent deletion proceeds and the message cannot be restored.
Account deletion and Storage cleanup. When you delete your account, all messages, text drafts, and media files associated with your account are queued for permanent deletion. Storage cleanup — removal of media files from our cloud storage subprocessor — completes within 30 days of the account-deletion request.
Future posthumous-delivery preservation. If you opt in to a future posthumous-delivery feature (not yet available), messages you designate for delivery after your death may be retained beyond the ordinary deletion timeline pursuant to the terms of that feature. We will update this policy before any such feature is launched.
Written text messages and drafts. Finalized text messages follow the same retention schedule as recorded messages above. Text drafts (in-progress messages you have not finalized) are retained until you finalize or delete them, or until your account is deleted.
Message metadata and technical processing metadata. Metadata associated with a message (title, prompt, checksum, duration, size, upload status, timestamps) is retained for as long as the message itself. It is deleted when the message is permanently deleted.
Upload job operational telemetry. Records of in-progress or completed upload jobs are deleted upon upload completion or, if completion never occurs, upon account deletion.
Analytics and marketing data. Retention periods for analytics and marketing data are set by the applicable subprocessors (GA4, PostHog, Meta Platforms, Google Ads) and are listed in Section 3.
COUNSEL FLAG — The privacy policy commits externally to a 30-day maximum deletion window. The internal pg_cron schedule runs the hard-delete job at deleted_at + 60 days (per PRD-04.1 §10.1). Any row that crosses the 30-day mark without being hard-deleted constitutes a policy breach. Counsel should confirm (a) the external 30-day commitment is correctly stated, (b) the internal 60-day grace is disclosed sufficiently or needs an explicit grace-period disclosure, and (c) whether counsel recommends aligning the internal and external periods.
9. Your rights
{{TODO: This section cannot be properly scoped until compliance-scope.md is populated. The paragraphs below are placeholders that cite regimes tentatively; each bracketed regime must be confirmed as in-scope before publication.}}
Depending on where you are located, you may have some or all of the following rights regarding your personal information:
If you are in the European Economic Area or United Kingdom (if GDPR / UK GDPR confirmed in-scope):
- Right of access (GDPR Art. 15)
- Right to rectification (GDPR Art. 16)
- Right to erasure (GDPR Art. 17)
- Right to restriction of processing (GDPR Art. 18)
- Right to data portability (GDPR Art. 20)
- Right to object (GDPR Art. 21)
- Right to withdraw consent at any time, where processing is based on consent (GDPR Art. 7(3))
- Right to lodge a complaint with a supervisory authority (GDPR Art. 77)
If you are a California resident (if CCPA/CPRA confirmed in-scope):
- Right to know what personal information is collected, used, shared, or sold (CCPA §1798.100)
- Right to delete personal information (CCPA §1798.105)
- Right to correct inaccurate personal information (CPRA §1798.106)
- Right to opt out of the sale or sharing of personal information (CCPA §1798.120)
- Right to limit use of sensitive personal information (CPRA §1798.121)
- Right to non-discrimination for exercising rights (CCPA §1798.125)
If you are in another US state with a comprehensive privacy law (if any such regime confirmed in-scope):
- {{TODO: Add state-specific rights as compliance-scope.md is completed for VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, MCDPA, DPDPA, and other state laws}}
To exercise any applicable rights, contact us at legal@whatwoulddadsay.app. We will respond within the timeframe required by applicable law.
10. Children's privacy
{{TODO: COPPA applicability is unconfirmed in compliance-scope.md. The product name "What Would Dad Say?" may implicate minors as subjects of recordings (e.g., a child whose parent is creating a legacy message). Counsel must confirm whether COPPA, and the heightened protections for ages 13–17 under CPRA and other state laws, apply before this section can be finalized.}}
The Site is not directed to children under 13 years of age, and we do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will take steps to delete that information as quickly as possible.
If you believe we may have information from or about a child under 13, contact us at legal@whatwoulddadsay.app.
11. Third-party links
The Site may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to read the privacy policies of any third-party sites you visit.
12. Changes to this policy
We may update this policy from time to time. When we do, we will update the "Last updated" date at the top of this page. If we make material changes, we will provide more prominent notice (such as an email notification to subscribers or a banner on the Site). Your continued use of the Site after the effective date of any changes constitutes your acceptance of the updated policy.
13. Contact us
For questions about this policy or to exercise your rights, contact:
What Would Dad Say LLC
6587 The Hideout
Lake Ariel, PA 18436
United States
Email: legal@whatwoulddadsay.app
Website: https://whatwoulddadsay.app
{{TODO: Insert EU/UK representative contact block, if applicable under GDPR Art. 27 — confirm with counsel once compliance-scope.md GDPR applicability is determined}}