Privacy Policy
Last updated: May 9, 2026
Tuck is built by Veronata, Inc., a Delaware corporation with its principal place of business in California ("Veronata," "we," "us," or "our"). This Privacy Policy ("Policy") describes the personal information we collect, how we use and share it, and the rights you have. It applies to the Tuck mobile application, the tuck.baby website, and related services (collectively, the "Service"). This Policy is incorporated by reference into the Tuck Terms of Use and is binding when you use the Service.
We treat your family's audio, video, and schedule data as private by default. We do not sell or share your or your family's personal information for cross-context behavioural advertising. We do not use your or your family's personal information to train third-party machine-learning models beyond the Service's own functionality.
1. Categories of personal information we collect
Within the categories defined by the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA"), we collect:
- Identifiers: a stable Apple-issued account identifier (Sign in with Apple), your email address (Sign in with Apple if you choose to share it, or email + password sign-up), an installation UUID, and household pairing identifiers we generate.
- Customer-record information (Cal. Civ. Code § 1798.80(e)): name (the baby's first name you choose to enter), date of birth or age range, and pronoun if provided; and payment-status flags relayed from Apple (Veronata never sees your card number — Apple processes the payment).
- Commercial information: subscription purchase, renewal, and refund metadata received from Apple.
- Internet or other electronic network activity: crash logs, performance traces, feature flags, basic telemetry about app session length, and connectivity transitions (Wi-Fi ↔ cellular ↔ Bluetooth) — used to keep the Service running, not to profile you.
- Audio: cry-detection runs on-device. The raw audio stream is not uploaded; only model outputs (cry confidence scores, timestamps) and brief acoustic classifier features may be transmitted to render alerts on the parent device.
- Visual / video: live audio and video between your two iPhones is encrypted in transit (DTLS-SRTP via LiveKit's WebRTC relay or end-to-end over Bluetooth). The relay sees decrypted frames in order to forward them but does not retain them.
- Sensitive personal information (CPRA): account credentials (we store a salted scrypt hash of your password — the raw password never persists); precise geolocation is NOT collected; biometric information is NOT collected; the contents of in-home video and audio between the two iPhones may be considered sensitive personal information under the CPRA even though we do not retain them. Sensitive personal information is processed only as necessary to deliver the Service and is not used for cross-context behavioural advertising or for inferring characteristics about you.
2. Sources of personal information
- Directly from you when you create an account, configure the nursery, opt in to a feature, or contact us;
- From your devices when the Service runs (audio, video, sensors, telemetry);
- From Apple (Sign in with Apple identifier, subscription status), and from Resend (transactional email delivery metadata).
3. Purposes for which we use personal information
- To provide and operate the Service;
- To authenticate you, manage your account, and enforce the Terms of Use;
- To deliver verification and password-reset emails (via Resend);
- To process subscription billing (via Apple — we do not handle card data);
- To diagnose bugs and improve the Service;
- To prevent fraud, abuse, and misuse, and to protect the security and integrity of the Service and other users;
- To comply with law and respond to legal process; and
- To exercise or defend legal claims.
4. How we share personal information
We share personal information only as described in this Policy. Specifically:
- With Apple for authentication, payment processing, and Push Notification service.
- With Convex (our backend infrastructure provider) for account state, pairing state, and the sleep-diary index. Convex acts as our service provider / processor under the CCPA.
- With LiveKit for the WebRTC media relay that forwards live audio and video between your two iPhones. LiveKit is our service provider / processor. Media is encrypted in transit; the relay forwards decrypted frames but does not retain them.
- With Resend for transactional email delivery. Email metadata follows Resend's standard retention; email contents are not archived after delivery.
- No third-party AI processing of your video: AI scene descriptions run entirely on-device. The Service does not send video frames to Google or any other cloud AI provider for caption generation — your nursery video is never transmitted to a third-party AI service.
- With HuggingFace (huggingface.co): a one-time connection, made only on your explicit consent, to download the open-source on-device AI model (MiniCPM-V 4.0 — about 3 GB) that powers scene captions on your iPhone. We send no user data with this request — just a standard HTTP GET for the model files. HuggingFace may log the request as it would for any anonymous download. After the download completes, the model lives entirely on your device and no further network calls are made for captioning.
- With professional advisors (lawyers, accountants, auditors) under duties of confidentiality.
- In the context of a corporate transaction (merger, acquisition, financing, asset sale, bankruptcy) where personal information is among the transferred assets — subject to the receiving party agreeing to terms at least as protective as this Policy.
- To comply with law, including responding to subpoenas, court orders, or government requests; to enforce our agreements; and to protect the rights, property, or safety of Veronata, our users, or others.
5. We do not sell or share for cross-context behavioural advertising
We do not sell personal information. We do not share personal information for cross-context behavioural advertising. Because we do not sell or share, the CPRA's "Do Not Sell or Share My Personal Information" link is not displayed; if you submit such a request anyway via privacy@tuck.baby we will treat it as a deletion request under Section 9.
6. Retention
- Live audio and video are not stored. They are forwarded between your two iPhones and discarded in transit.
- Cry-moment and pose-change snapshots (still JPEGs): when enabled, retained encrypted with a 30-day TTL so the morning sleep diary can render thumbnails. You can disable this in Nursery settings; existing snapshots auto-delete when the toggle is off. Favorited snapshots are retained until you unfavorite or delete them.
- Account, pairing, and sleep-diary metadata: retained for the life of your account plus a short period after deletion (typically 30 days) to handle reversals, disputes, and our legal obligations.
- Crash logs and performance traces: retained up to 90 days, then aggregated or discarded.
- Transactional email metadata: per Resend's standard retention policy.
- Backups: encrypted, retained no longer than 35 days.
7. Children's data
Tuck is intended for adults — parents, legal guardians, or other responsible adult caregivers — to monitor an infant or young child in their household. We do not knowingly collect personal information directly from children under 13. The Service collects audio, video, and metadata about a child within your household at your direction; you warrant that you have the legal authority (as the parent or legal guardian) to install Tuck and to provide that information.
The U.S. Children's Online Privacy Protection Act ("COPPA") restricts how online services may collect personal information from children under 13. Because Tuck is provided to and accepted by adult guardians for use within their own household — not directly offered to children — we treat the collection as parent-directed under COPPA. If you believe a child under 13 has provided personal information to us directly, contact us at privacy@tuck.baby and we will delete it.
8. Cookies and analytics on the website
The tuck.baby marketing website uses Vercel Analytics (privacy-friendly, no cookies, no fingerprinting) to measure aggregate page-view counts. The mobile app does not use cookies. We do not engage in cross-site tracking or interest-based advertising.
9. Your privacy rights (CCPA/CPRA, California residents)
As a California resident you have the right to:
- Know the categories and specific pieces of personal information we have collected about you;
- Delete personal information we have collected from you, subject to limited exceptions;
- Correct inaccurate personal information;
- Opt out of any sale or sharing of your personal information (see Section 5 — we do not sell or share);
- Limit use of sensitive personal information to what is necessary to provide the Service. We only use sensitive personal information as necessary to provide the Service — see Section 1 — so this right is already honored by default;
- Receive equal service and pricing even if you exercise any of these rights (we do not discriminate against users who exercise privacy rights).
To exercise any of these rights, email privacy@tuck.baby from the email address on your account, or use Settings → Privacy → Delete account in the app for deletion. We will respond within the timeframes required by the CCPA/CPRA. We may verify your request by confirming control of the account email; for sensitive requests we may ask additional questions tied to information already on file.
You may use an authorised agent to make a request on your behalf; we will require written proof that you have authorised the agent and may verify your identity directly.
If we deny your request, you may appeal by replying to our response email; we will reconsider in good faith and respond to the appeal within 60 days. If you remain unsatisfied, you may contact the California Privacy Protection Agency or the California Attorney General.
10. Other U.S. state privacy laws
Residents of other U.S. states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, and others) have rights similar to those described in Section 9. To exercise rights under those laws, contact privacy@tuck.baby.
11. EU/UK GDPR (if applicable)
If you use the Service from the European Economic Area, the United Kingdom, or Switzerland, you have the right to access, rectify, erase, restrict, port, or object to the processing of your personal information, and to lodge a complaint with your local data-protection authority. Our legal bases for processing are (i) the performance of the contract between you and Veronata (the Terms of Use); (ii) our legitimate interests in operating, securing, and improving the Service, where not overridden by your interests or fundamental rights; (iii) compliance with legal obligations; and (iv) your consent (for any feature we explicitly require it for, such as third-party AI processing). Personal information may be transferred to the United States; we rely on the EU–U.S. Data Privacy Framework, U.K. extension to the DPF, or Standard Contractual Clauses, as applicable.
12. Security
We use industry-standard technical and organisational measures (TLS in transit, AES-256 at rest, scrypt password hashing, role-based access, audit logging, vendor due-diligence) to protect personal information. No system is perfectly secure; you use the Service at your own risk subject to the limitations of liability in the Terms of Use.
13. Changes to this Policy
We may update this Policy from time to time. The "Last updated" date above reflects the most recent revision. If the change is material, we will give you notice (in-app, by email, or by banner on the Service). Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.
14. Contact
For privacy questions, deletion or access requests, or authorised-agent requests: privacy@tuck.baby. For legal notices: legal@tuck.baby. General questions: hello@tuck.baby.
Veronata, Inc.
Delaware corporation, principal place of business in California, U.S.A.
California consumers may also report complaints to the California Department of Consumer Affairs, Complaint Assistance Unit, 1625 N. Market Blvd., Sacramento, CA 95834, +1 (800) 952-5210, pursuant to California Civil Code § 1789.3.