Privacy Policy
How we handle your data.
The full privacy policy for the Keeper mobile app — written to be readable, as well as legally watertight.
Compliant with: EU GDPR (2016/679) · Swiss nDSG 2023 · California CCPA/CPRA · COPPA · CAN-SPAM · Apple App Store Requirements
1. Introduction
This Privacy Policy ("Policy") describes how Keeper ("Keeper", "we", "us", "our") collects, uses, stores, shares, and protects information about you ("User", "you", "your") when you use the Keeper mobile application and any related services (collectively, the "Service").
Keeper is a family storytelling application that sends one question per day to a designated storyteller (typically a parent or grandparent), who responds with a voice note that is preserved and made available to designated listeners within a private family group.
This Policy is incorporated by reference into our Terms of Service and constitutes a legally binding agreement. Where you use the Service on behalf of a minor or another person, you represent that you have all necessary authority and consents to do so.
2. Who we are (Data Controller)
For the purposes of applicable data protection laws, including the EU General Data Protection Regulation ("GDPR"), the Swiss Federal Act on Data Protection ("nDSG"), and any other applicable legislation, the data controller is:
Contact: privacy@keeperapp.website
We are a small independent operator. As of this date, we do not meet the threshold requiring appointment of a formal Data Protection Officer (DPO) under Article 37 GDPR, however the contact above fulfils all DPO-equivalent functions and will respond to data subject requests within the legally mandated timeframes.
EU/EEA Representative
As we are based in Switzerland (a country with an adequacy decision from the EU Commission under GDPR Article 45), no separate EU representative is required at this time. Swiss law provides equivalent protections.
Swiss FDPIC notification
We are registered with and subject to the oversight of the Swiss Federal Data Protection and Information Commissioner (FDPIC) to the extent required under the revised nDSG effective 1 September 2023.
3. Data we collect
We collect only data that is strictly necessary to provide the Service ("data minimisation" principle). The categories below are exhaustive — we do not collect anything outside of this list without updating this Policy and providing fresh notice.
| Category | Specific data points | Source | Required? |
|---|---|---|---|
| Account | Email address, full name, role (Listener / Storyteller) | You at signup | Yes |
| Authentication | Hashed password (never plain text), session tokens | Supabase Auth | Yes |
| Profile | Profile photo (optional), display name | You (optional) | No |
| Voice recordings | Audio files (.m4a) of voice note responses. Duration. Associated question text. | Recorded by you | Yes |
| Family group | Family name, 6-character invite code, membership associations, roles | You or another member | Yes |
| Usage | Day count, recording timestamps, playback timestamps | Auto-generated | Yes |
| Custom questions | Text questions submitted by Listeners to Storytellers | Typed by you | No |
| Device permissions | Microphone; photo library (avatar — optional) | System-level permission | Mic: Yes. Photos: No |
| Technical logs | IP address, device OS, app version, crash logs | Automatic | Automatic |
| Reactions | Emoji reactions to voice notes, linked to user ID and note ID | You | No |
Voice data — special-category notice
Voice recordings may constitute biometric data under certain jurisdictions (including Article 9 GDPR in specific contexts). We treat all voice recordings with heightened protection equivalent to special category data. Recordings are stored encrypted, accessible only to members of the specific private family group, and are never used for voice recognition, AI training, advertising targeting, or any purpose other than playback within the family group.
4. Why we process your data
Primary purposes
- Service delivery: creating and managing your account; enabling voice note recording and playback; managing family group membership and invite flows; delivering daily questions to storytellers; storing and retrieving voice recordings.
- Service communication: sending essential transactional emails (account creation, password reset, email verification). We do not send marketing emails without separate, explicit opt-in consent.
- Security & integrity: detecting and preventing fraud, abuse, or unauthorised access; maintaining Row Level Security so users can only access their own family's data; verifying account authenticity.
- Service improvement: understanding aggregated usage patterns (e.g., how many families are active) to improve the product, on an anonymised/aggregated basis only.
- Legal compliance: complying with our obligations under applicable law, responding to lawful requests from authorities, and enforcing our Terms of Service.
Expressly excluded purposes
We will never use your data for:
- Sale or transfer to third parties for commercial purposes
- Targeted advertising or ad network participation of any kind
- Training artificial intelligence or machine learning models
- Profiling or automated decision-making with legal or similarly significant effects
- Voice recognition, speaker identification, or biometric matching
- Data brokerage
5. Legal basis for processing (GDPR / nDSG)
Under GDPR Article 6 and the Swiss nDSG, we must have a valid legal basis for each processing activity:
| Activity | GDPR basis (Art. 6) | Swiss nDSG |
|---|---|---|
| Account creation and management | Art. 6(1)(b) — Contract | Art. 31 — Contract |
| Voice note recording and storage | Art. 6(1)(b) Contract; Art. 6(1)(a) Consent (mic permission) | Art. 31; Consent |
| Family group and invite management | Art. 6(1)(b) — Contract | Art. 31 |
| Security monitoring & fraud prevention | Art. 6(1)(f) — Legitimate interests | Art. 31 — Legitimate interests |
| Technical log data & crash analytics | Art. 6(1)(f) — Legitimate interests | Art. 31 — Legitimate interests |
| Legal compliance obligations | Art. 6(1)(c) — Legal obligation | Art. 31 — Legal obligation |
| Optional profile photo | Art. 6(1)(a) — Consent | Consent |
| Push notifications (if enabled) | Art. 6(1)(a) — Consent | Consent |
Withdrawal of consent
Where processing is based on your consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal. You may withdraw consent for microphone access via your device settings (iOS: Settings → Privacy → Microphone; Android: Settings → Apps → Keeper → Permissions). Withdrawal of microphone consent will prevent use of the core recording feature.
6. Data retention
We retain your data only for as long as necessary for the purposes for which it was collected, or as required by applicable law.
| Data | Retention period | Basis |
|---|---|---|
| Account data (email, name, role) | Duration of account + 30 days after deletion request | Service delivery; recovery buffer |
| Voice recordings | Until manually deleted by storyteller or family admin, OR 90 days after account deletion, whichever is sooner | Core service; permanent preservation is the purpose |
| Authentication tokens / session data | Expires per Supabase default (1 hour access token; 7-day refresh token) | Security |
| Technical log data / IP logs | Maximum 90 days (Supabase infrastructure logs) | Security monitoring |
| Deleted account data | Purged within 90 days of deletion request | Legal obligations; backup cycle |
| Legal hold data (if applicable) | Until resolution of legal proceedings | Legal obligation |
Account deletion
You may request full account deletion at any time via the Settings screen in the app or by emailing privacy@keeperapp.website. Upon deletion: your profile and account data will be purged; voice recordings you created will be purged from storage within 90 days; family membership associations will be removed. If other family members have downloaded or saved copies of recordings, we cannot control their use of those local copies. We will confirm completion of deletion in writing.
7. Data sharing & international transfers
Third-party service providers (data processors)
We engage the following third-party processors who act under our instruction and are contractually bound to protect your data:
| Processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | USA (AWS) | SCCs; Supabase DPA; SOC 2 Type II |
| Apple Inc. | App distribution, in-app purchases | USA | Apple Developer Agreement |
| Google LLC | App distribution (Google Play) | USA | Google Play DDA |
| Expo Technology, Inc. | App build & distribution (EAS) | USA | Expo ToS; no personal user data shared |
International data transfers (EEA/Switzerland → USA)
Your data is stored on Supabase infrastructure hosted on AWS in the United States. This constitutes a transfer of personal data to a third country for EEA and Swiss users. Safeguards:
- Standard Contractual Clauses (SCCs): Supabase has executed the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) as the transfer mechanism for EEA users.
- Swiss SCCs: For Swiss users, transfers are governed by the equivalent Swiss standard data protection clauses recognised by the FDPIC under the revised nDSG.
- Supplementary measures: data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Row Level Security (RLS) is enforced at the database level, ensuring users can only access data belonging to their family group.
Permitted disclosures
We may disclose your data without your consent only in the following circumstances:
- Legal requirement: when compelled by a court order, subpoena, or other valid legal process. We will, where legally permitted, notify you before complying.
- Protection of rights: to enforce our Terms of Service, protect the safety or security of our users, or protect our legal rights.
- Business transfer: in the event of a merger, acquisition, or sale of all or substantially all of our assets, personal data may be transferred to the successor entity, with prior notice.
- Aggregate data: we may share anonymised, aggregated, non-personally identifiable statistical information publicly.
8. Security measures
We implement technical and organisational security measures appropriate to the risk:
- Encryption in transit: all data between your device and our servers is encrypted using TLS 1.2 or higher.
- Encryption at rest: voice recordings and database contents are encrypted at rest using AES-256.
- Access controls: Row Level Security policies at the PostgreSQL level ensure users can only read or write data within their authorised family group.
- Signed URLs: voice recordings are not publicly accessible. Access requires a time-limited signed URL (valid for 3,600 seconds) generated on-demand.
- Password security: passwords are never stored in plain text. Authentication uses bcrypt hashing via Supabase Auth.
- Principle of least privilege: the app uses Supabase's anonymous public key, with all write and read operations gated by authenticated session tokens and RLS policies.
- No third-party analytics SDKs: we do not include analytics SDKs (such as Firebase Analytics, Mixpanel, or similar) that would transmit user data to third parties.
9. Your data subject rights
Depending on your jurisdiction, you have the following rights. We honour all of these equally regardless of jurisdiction, as a matter of principle:
- Right of access (GDPR Art. 15): request a copy of all personal data we hold about you, and information about how we process it.
- Right to rectification (Art. 16): correct inaccurate or incomplete personal data.
- Right to erasure (Art. 17): request deletion of your personal data ("right to be forgotten") where no legitimate grounds for retention exist.
- Right to restriction (Art. 18): limit processing of your data while a dispute about accuracy or legitimacy is resolved.
- Right to portability (Art. 20): receive your data in a structured, machine-readable format and transmit it to another controller.
- Right to object (Art. 21): object to processing based on legitimate interests. We will cease unless we demonstrate compelling legitimate grounds.
- No automated decisions (Art. 22): we do not use automated decision-making or profiling with legal or similarly significant effects.
- Right to complain: lodge a complaint with your supervisory authority (see Section 20).
How to exercise your rights
Submit requests to privacy@keeperapp.website with the subject line "Data Subject Request". We will:
- Acknowledge your request within 72 hours
- Respond substantively within 30 days (extendable to 90 days for complex requests with notice)
- Verify your identity before processing the request
- Not charge a fee for reasonable requests
10. Children's privacy (COPPA & GDPR)
Keeper is not directed at children under the age of 13 (or 16 in EU/EEA jurisdictions where the applicable age of digital consent is higher). We do not knowingly collect personal information from children under these age thresholds.
If you are a parent or legal guardian and believe your child under 13 has provided us with personal information without your consent, please contact us immediately at privacy@keeperapp.website. Upon verification, we will delete the child's data.
Users must be at least 13 years of age to create an account. Users between 13 and 16 in the EU/EEA require verifiable parental consent before we may lawfully process their personal data under GDPR Article 8.
The Keeper App Store listing is rated for ages 4+ (family-appropriate content) but account creation and data processing applies only to users 13 and over.
11. Voice recordings — special provisions
Voice recordings are the core data type processed by Keeper and warrant specific disclosure.
Microphone permission
The app requests microphone access solely for the purpose of recording voice note responses to daily questions. The microphone is accessed only when you actively hold the record button. We do not access the microphone in the background, while the app is closed, or for any purpose other than voice note recording initiated by you.
Recording indicator
A visible recording indicator is displayed within the app at all times during recording. Recordings cannot be initiated without your active, affirmative, sustained physical interaction.
Ownership and access
Recordings you create are stored in a private, access-controlled storage bucket. Access is restricted exclusively to members of your specific family group. No Keeper employee, contractor, or administrator can access your recordings for any purpose other than (a) resolving a specific technical support request you have initiated, (b) responding to a lawful legal request, or (c) security investigations in the event of a suspected breach.
AI / machine learning prohibition
Your voice recordings will never be used to train artificial intelligence models, improve speech recognition systems, create voice profiles, or for any purpose beyond the Service's core function of family storytelling playback.
Recording by non-account holders
If you invite a family member who is not a registered account holder to join a family group, you represent and warrant that you have obtained their informed consent to the collection and storage of their voice recordings under this Policy before they use the Service.
12. Cookies, analytics & tracking
The Keeper mobile application does not use cookies (which are a web browser technology). The app does not use any third-party advertising networks, tracking SDKs, or behavioural analytics platforms.
If you access a Keeper website (e.g., keeperapp.website), that website may use essential cookies required for functionality. No third-party advertising or tracking cookies are used on any Keeper web properties.
We do not use Apple's IDFA or any equivalent advertising identifier. We do not check the Tracking Preference for advertising purposes because we do not serve advertising.
App Store analytics (aggregated, differential-privacy-protected data provided by Apple) may be used to understand general app performance. This data is anonymised and does not identify individual users.
13. California residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) provides additional rights:
Right to know
Disclosure of categories of personal information collected, sources, purposes, categories of third parties with whom we share, and specific pieces collected about you.
Right to delete
Request deletion of personal information collected from you, subject to certain exceptions.
Right to correct
Request correction of inaccurate personal information.
Right to opt-out of sale or sharing
We do not sell or share personal information for cross-context behavioural advertising. There is nothing to opt out of. We confirm we have not sold or shared California consumers' personal information in the preceding 12 months.
Right to limit use of sensitive personal information
Voice recordings may qualify as sensitive personal information under CPRA. We use them only for the purpose of providing the core Service (storage and playback within your family group).
Right to non-discrimination
We will not discriminate against you for exercising your CCPA/CPRA rights.
Submit requests to privacy@keeperapp.website. We will respond within 45 days (extendable to 90 days with notice).
14. Swiss users — revised nDSG
The revised Swiss Federal Act on Data Protection (nDSG / LPD / DSG), in force since 1 September 2023, provides Swiss residents with data protection rights substantially equivalent to GDPR:
- Right to information (Art. 25): request information about data we hold, free of charge, at any time.
- Right to rectification (Art. 32): request correction of inaccurate personal data.
- Right to erasure (Art. 32): request erasure subject to applicable retention obligations.
- Right to object (Art. 30): object to certain types of data processing.
- Privacy by design and by default (Art. 7): our Service is built with privacy-protective defaults.
- Cross-border transfer safeguards (Art. 16–17): transfers to the USA are governed by Swiss Standard Contractual Clauses.
- Data Protection Impact Assessment: processing of voice recordings as potentially sensitive data has been assessed. Encryption, access controls, and RLS policies have been implemented commensurate with the risk level.
Swiss residents may contact the FDPIC at edoeb.admin.ch with complaints regarding our data processing.
15. Limitation of liability
Maximum legal protection — read carefully
To the maximum extent permitted by applicable law, including but not limited to the laws of Switzerland, the European Union, the United States, and any other jurisdiction, Keeper and its operator expressly disclaim all liability, whether in contract, tort (including negligence), statutory duty, or otherwise, in connection with or arising from your use of the Service.
No warranty
THE SERVICE IS PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS WITHOUT ANY WARRANTY OF ANY KIND, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE. We disclaim all warranties including, without limitation: implied warranties of merchantability, fitness for a particular purpose, and non-infringement; warranties that the Service will be uninterrupted, error-free, or secure; warranties regarding the accuracy, reliability, or completeness of any data; and warranties that any defects will be corrected.
Exclusion of consequential damages
To the maximum extent permitted by law, Keeper shall not be liable for any: indirect, incidental, special, consequential, punitive, or exemplary damages; loss of profits, revenue, data, goodwill, or anticipated savings; loss of or corruption of data, including voice recordings; costs of substitute services; or any other pecuniary or non-pecuniary loss, whether based on contract, tort, or any other theory, even if we have been advised of the possibility of such damages.
Aggregate liability cap
To the maximum extent permitted by law, our total aggregate liability to you for all claims arising out of or related to the Service shall not exceed the greater of: (a) the total amount you have paid to us in the twelve (12) months preceding the claim; or (b) one hundred Swiss francs (CHF 100). If you have not paid us anything, our maximum liability is CHF 100.
Data loss
We are not liable for any loss, corruption, or unavailability of your voice recordings or other data arising from technical failures, server outages, data centre incidents, cyberattacks, or any other cause beyond our reasonable control. You are responsible for maintaining your own backup copies of recordings that are important to you.
Force majeure
We shall not be liable for any failure or delay in performance resulting from causes beyond our reasonable control, including: acts of God, natural disasters, pandemic, war, government actions, internet infrastructure failures, third-party service provider outages (including Supabase or AWS), or cyberattacks.
Applicable-law limitations on exclusions
Some jurisdictions do not allow the exclusion of certain warranties or the limitation of certain types of damages. In such jurisdictions, our liability is limited to the greatest extent permitted by law. Nothing in this section limits liability for death or personal injury caused by our proven gross negligence or wilful misconduct, or for fraudulent misrepresentation.
IP infringement disclaimer
We are not liable for any intellectual property infringement arising from: user-generated content, including voice recordings; questions answered by users that reference third-party materials; or any content shared or transmitted by users within family groups. Users are solely responsible for ensuring that content they upload or record does not infringe the intellectual property rights of any third party.
16. User indemnification
To the fullest extent permitted by applicable law, you agree to indemnify, defend, and hold harmless Keeper and its operator, affiliates, officers, directors, employees, agents, licensors, and service providers from and against any and all claims, liabilities, damages, judgments, awards, losses, costs, expenses, and fees (including reasonable legal fees) ("Claims") arising out of or relating to:
- Your use of, or inability to use, the Service;
- Your violation of this Policy or our Terms of Service;
- Your violation of any applicable law, regulation, or third-party right;
- Any content you upload, record, transmit, or otherwise make available through the Service;
- Any claim by a third party that your content infringes their intellectual property rights or other legal rights;
- Any claim by an end user or third party arising from your use of the Service, including claims related to voice recordings of third parties;
- Any misrepresentation made by you in connection with the Service;
- Your failure to obtain legally required consents from third parties whose data you submit to the Service;
- Any claim related to your invitation of third parties to join a family group and the processing of their personal data.
This indemnification obligation survives termination of your use of the Service.
17. User-generated content
The Service enables users to create, upload, and share voice recordings and other content ("User Content"). You retain ownership of your User Content. By using the Service, you grant us a limited, non-exclusive, royalty-free, worldwide licence to store, process, transmit, and make available your User Content solely to the extent necessary to provide the Service.
Your responsibilities
You are solely and exclusively responsible for all User Content. You represent and warrant that:
- You own or have all necessary rights, licences, consents, and permissions to submit the User Content;
- Your User Content does not infringe any intellectual property rights, privacy rights, or other rights of any third party;
- Your User Content does not contain any unlawful, harmful, threatening, abusive, harassing, defamatory, or otherwise objectionable material;
- You have obtained the informed consent of any person whose voice, likeness, or personal information is captured in your User Content.
Our rights regarding User Content
We reserve the right (but not the obligation) to remove any User Content that we determine, in our sole discretion, violates this Policy, our Terms of Service, or applicable law. We are not liable for any failure to remove User Content.
No operator liability
We are not responsible or liable for any User Content or for any claims, damages, or losses arising from or related to User Content. Users rely on User Content at their own risk. To the maximum extent permitted by applicable law, we expressly disclaim all liability in connection with User Content.
18. Data breach notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will comply with our notification obligations as follows:
- Supervisory authority notification (GDPR Art. 33; nDSG Art. 24): we will notify the relevant supervisory authority (FDPIC for Swiss/EEA processing) within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in such a risk.
- User notification (GDPR Art. 34; nDSG Art. 24): we will notify affected users without undue delay when a breach is likely to result in a high risk to their rights and freedoms. Notification will be via email and/or in-app notification.
- US state breach laws: where applicable, we will comply with applicable state breach notification laws.
- Breach notification content: notifications will describe the nature of the breach, the categories and approximate number of individuals and records affected, the likely consequences, and the measures taken or proposed to address it.
Breach liability limitation
Notwithstanding our notification obligations above, to the maximum extent permitted by applicable law, we shall not be liable for any damages, losses, costs, or expenses suffered by you as a result of any data breach, cyberattack, unauthorised access, or security incident, whether arising from our negligence, third-party actions, or otherwise, except where such liability cannot be excluded under mandatory applicable law. Our obligation is limited to notification and reasonable remediation steps. We are not your insurer against data loss or breach.
19. Changes to this Policy
We reserve the right to update or modify this Policy at any time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this Policy;
- Provide in-app notification of material changes;
- Send an email notification to your registered email address for changes that materially affect your rights or our data processing practices;
- Where legally required, obtain fresh consent.
Your continued use of the Service after the effective date of a revised Policy constitutes your acceptance. If you do not agree, you must cease using the Service and delete your account. Prior versions will be archived and available upon request.
20. Contact, complaints & supervisory authorities
Contact us
We respond within 72 hours for acknowledgement; 30 days for substantive response.
Supervisory authorities
You have the right to lodge a complaint with the relevant supervisory authority:
| Jurisdiction | Authority | Website |
|---|---|---|
| Switzerland | Federal Data Protection and Information Commissioner (FDPIC) | edoeb.admin.ch |
| EU / EEA | Supervisory authority in your country of residence or place of work | EDPB members list |
| USA — California | California Privacy Protection Agency (CPPA) | cppa.ca.gov |
| USA — Federal | Federal Trade Commission (FTC) | ftc.gov |
Governing law
This Policy is governed by and construed in accordance with the laws of Switzerland, without regard to its conflict of law provisions. To the extent mandatory provisions of GDPR or other applicable laws apply, those mandatory protections shall apply regardless of this choice of law clause.
Dispute resolution
Any dispute arising from this Policy shall first be addressed through good-faith negotiation. If not resolved within 30 days, disputes shall be submitted to the exclusive jurisdiction of the courts of Geneva, Switzerland, subject to mandatory consumer protection laws that may grant users rights in their country of residence.