Privacy Policy
This English translation is provided for convenience. In case of any discrepancy, the German version is legally binding.
This privacy policy explains how personal data is processed when you use the iOS app napsip and our website napsip.de. We take the protection of your data seriously and treat it confidentially, in accordance with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
1. Controller
The controller within the meaning of the GDPR is:
Fabian Littmann
Meyerhofstraße 29A
40589 Düsseldorf
Germany
Email: napsip@fabianlittmann.de
2. What data we process
The following personal data is processed when you use napsip:
- Email address — for registration and signing in to your family account.
- Sleep, feeding, diaper and growth data of your children — this data contains only the nicknames you enter (no full legal names), date of birth, timestamps and measurements (e.g. sleep duration, feed amount, weight, height). Under Art. 4 No. 15 GDPR this information may qualify as health data and is therefore subject to the special protection of Art. 9 GDPR.
- Device push token — if you enable push notifications, an anonymous token generated by the operating system is stored.
- Technical connection data — IP address, date/time, user agent, requested URL, transferred data volume and status code, generated in server log files when operating the website and backend.
- Purchase data — when you buy the Family Unlock via Apple in-app purchase, only the signed purchase receipt (StoreKit JWS) and the Apple account ID are processed briefly for verification and unlocking.
3. Purposes of processing
The collected data is processed exclusively for the following purposes:
- Operating the napsip app and providing the tracking features.
- Real-time synchronization of logged data between both parents’ devices.
- Sending push notifications (e.g. sleep reminders) if you have enabled them.
- Verifying in-app purchases and unlocking the premium features.
- Secure operation of the website and prevention of abusive requests.
4. Legal basis
We process your data on the basis of Art. 6(1)(b) GDPR (processing necessary for the performance of a contract or for pre-contractual measures), as it is required to provide the services of the app and the website.
Insofar as the children’s tracking data mentioned above qualifies as health data within the meaning of Art. 9(1) GDPR, it is processed on the basis of your explicit consent pursuant to Art. 9(2)(a) GDPR. You give this consent by creating the family and voluntarily entering the respective data. You may withdraw your consent at any time with effect for the future — simply send a message to napsip@fabianlittmann.de.
Because the data concerns children under 16 years of age, Art. 8 GDPR additionally applies: processing is carried out by the parents holding parental responsibility or with their explicit consent; the app is not intended for direct use by children.
The push token is processed on the basis of Art. 6(1)(a) GDPR (consent), which you give by enabling notifications.
Server log files are processed on the basis of Art. 6(1)(f) GDPR (legitimate interest) for the technical delivery of content and the security of our systems.
5. Website hosting & server log files
The website napsip.de is hosted by:
Vercel Inc.
340 S Lemon Ave #4133, Walnut, CA 91789, USA
vercel.com/legal/privacy-policy
When you visit our pages, Vercel processes technical connection data (IP address, user agent, referrer, date/time, requested resource) to deliver the content and to ensure security. This data is recorded in server log files and deleted or anonymized after 30 days at the latest. A data processing agreement (DPA) is in place with Vercel. As Vercel is based in the USA, data may be transferred to a third country; such transfers are based on the EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.
6. Backend & real-time synchronization (Supabase)
For the database, authentication, edge functions (including verification of App Store purchases) and real-time synchronization we use:
Supabase Inc.
970 Trestle Glen Rd, Oakland, CA 94610, USA
supabase.com/privacy
A data processing agreement (DPA) pursuant to Art. 28 GDPR is in place with Supabase. As Supabase Inc. is headquartered in the USA, data is transferred to a third country; this transfer is based on the EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR and, where applicable, the EU-US Data Privacy Framework (adequacy decision of July 10, 2023).
7. Apple App Store, in-app purchases & push notifications
The app download and in-app purchases (e.g. the one-time Family Unlock for €14.99) are technically handled through the Apple App Store, provided by:
Apple Distribution International Ltd.
Hollyhill Industrial Estate, Hollyhill, Cork, Republic of Ireland
apple.com/legal/privacy
When you purchase or download, Apple processes Apple account and device data under its own responsibility. From Apple we receive only the signed purchase receipt (JWS) and the opaque Apple account ID, in order to verify the Family Unlock entitlement server-side. No credit card or address data is transferred to us.
Push notifications are delivered via the Apple Push Notification service (APNs). The push token generated by the operating system is transmitted to Apple; Apple forwards the notification to your device. This processing only takes place if you have actively allowed push notifications in iOS (Art. 6(1)(a) GDPR).
8. Fonts
This website uses exclusively self-hosted fonts (Nunito, Outfit, Cormorant Garamond, DM Sans), served from our own server (Vercel, see section 5). No connection to Google Fonts or other external font services is established; accordingly, no IP addresses are transmitted to Google or other third parties.
9. Cookies and local storage
This website sets no cookies, uses no analytics, no ad tracking, no social media plugins and no comparable tracking technologies. Neither cookies nor local storage entries are created. Consent pursuant to Section 25(1) of the German Telecommunications Digital Services Data Protection Act (TTDSG) is therefore not required.
10. Encryption (TLS/HTTPS)
All content transferred between your device and our servers is encrypted via HTTPS (TLS). This protects the data against interception and manipulation in transit.
11. Retention & account deletion
Your app data is stored for as long as your user account is active. After you delete your account, all associated data is permanently deleted within 30 days, unless statutory retention obligations (e.g. Section 257 of the German Commercial Code (HGB), Section 147 of the German Fiscal Code (AO)) require otherwise. Server log files are deleted or anonymized after 30 days at the latest.
You can delete your account directly in the app under Settings → Account → Delete account. The following applies:
- If you are the only family member, all family data (children, sleep sessions, meals, diaper/solids/growth entries) is permanently deleted as well.
- If you share the family with a partner, the shared family data remains so that your partner can continue using the history. Only the personal attribution of your entries (who logged what and when) is anonymized.
Alternatively, you can still request deletion by email to napsip@fabianlittmann.de.
12. Your rights
You have the following rights regarding your personal data regarding your personal data:
- Access (Art. 15 GDPR) — you may request information about the data we store about you.
- Rectification (Art. 16 GDPR) — you may request the correction of inaccurate data.
- Erasure (Art. 17 GDPR) — you may request the deletion of your data.
- Restriction of processing (Art. 18 GDPR) — you may request that processing be restricted.
- Data portability (Art. 20 GDPR) — you may request your data in a common, machine-readable format.
- Objection (Art. 21 GDPR) — you may object to processing based on legitimate interests.
- Withdrawal of consent (Art. 7(3) GDPR) — you may withdraw any consent you have given at any time with effect for the future.
To exercise these rights, contact: napsip@fabianlittmann.de.
You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). Our competent supervisory authority is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia:
LDI NRW · Kavalleriestraße 2–4, 40213 Düsseldorf, Germany
ldi.nrw.de
13. No automated decision-making
We do not use fully automated decision-making, including profiling, within the meaning of Art. 22 GDPR. Prediction features such as the sleep-window calculation (“Sleep Prediction”) serve solely as a hint in the UI and have no legal or similarly significant effect.
14. Changes to this privacy policy
We reserve the right to amend this privacy policy as needed to reflect changes in the legal situation or changes to the app and website. The current version is always available at this URL. In the event of significant changes, we will inform you via the app.