Data Protection

Privacy Policy

Effective date: 22 February 2026  ·  Version 1.0

At Tylu, your family's privacy is foundational — not an afterthought. This policy explains exactly what data we collect, why we collect it, and how we protect it in plain English, in compliance with the UK GDPR and the Data Protection Act 2018.

All personal data is end-to-end encrypted at rest

We never sell identifiable data to any third party

You can request full deletion of your data at any time

1. Data Controller

The data controller responsible for your personal data is Cyborg Group, a sole trader operating the Tylu service from Penarth, Wales, United Kingdom. Contact: support@tylu.uk

2. What Data We Collect

2.1 Account Data

  • Name — stored encrypted; used to personalise your experience
  • Email address — stored encrypted; used for login, OTP verification, and transactional emails
  • Country — used for content targeting (e.g., region-specific notices)
  • Profile photo — stored encrypted; displayed only within your account

2.2 Child Data

  • Child name — stored encrypted
  • Date of birth — used for age-appropriate content and developmental tracking
  • Formula brand & feeding preferences — used to manage formula containers and alerts
  • Child photo — optional; stored encrypted

2.3 Tracking Logs

All logs are associated with your encrypted account and stored securely:

  • Feed logs (time, volume, type — breast or formula)
  • Weight records (date, weight in kg)
  • Nappy change logs (time, type, notes)
  • Sleep session logs (start and end times, duration)
  • Wind / burp session logs
  • Formula container usage (scoops remaining, brand)

2.4 Usage Data (Non-Personal)

  • Session activity (e.g., which views were accessed)
  • Offer interaction events (views and clicks, associated only with an anonymous user token)
  • Push notification delivery and open events

2.5 Communication Data

  • Messages sent via our contact form
  • Support correspondence

3. Why We Collect Data (Legal Basis)

  • Contract performance — to provide the core tracking features you signed up for
  • Legitimate interests — to improve the service, detect fraud, and ensure security
  • Legal obligation — to comply with UK law where required
  • Consent — for push notifications and marketing communications (you may withdraw at any time)

4. How We Protect Your Data

All sensitive personal information — including names, emails, child details, and photos — is encrypted using AES-256 encryption before storage. Encryption keys are stored separately from the encrypted data. Data in transit is protected by HTTPS/TLS.

Tracking logs are stored in a relational database with access restricted to authenticated users of the relevant family group only. Tylu staff do not routinely access individual user logs.

5. Data Sharing

5.1 What We Share & With Whom

  • SendGrid (Twilio) — your email address is transmitted to send transactional emails (OTP codes, invites, monthly summaries). SendGrid does not use this data for any other purpose.
  • Aggregate Data Reports — we provide anonymised, aggregated trend reports to approved partners, which may include baby product brands and academic or public health researchers (e.g., universities). These reports contain only statistical insights (e.g., "average feeding volumes by age group") — never anything that could identify you or your child.
  • Affiliate Offers — the app may display discount codes and links to third-party stores. If you choose to make a purchase through one of these links, we may receive a small commission at no extra cost to you. No personal data is shared with affiliate partners as part of this process.

5.2 What We Will Never Share

  • Identifiable personal or health data with insurance companies
  • Any data with pharmaceutical companies for drug development or targeting
  • Any data with legal firms or litigation services
  • Any data with government agencies, except where required by a lawful court order
  • Any data with social media platforms or advertising networks

6. Data Retention

  • Account and child data: retained while your account is active
  • Tracking logs: retained for the life of the account to enable reporting and trends
  • Deleted child records: logs are anonymised (child_id set to NULL) rather than deleted, preserving statistical integrity
  • Deleted accounts: all personal data is permanently purged within 30 days of account deletion
  • Contact form submissions: retained for 24 months for support continuity

7. Your Rights (UK GDPR)

Under UK data protection law, you have the right to:

  • Access — request a copy of all data we hold about you
  • Rectification — request correction of inaccurate data
  • Erasure — request deletion of your account and all personal data
  • Restriction — request that we limit processing of your data
  • Portability — receive your data in a machine-readable format
  • Objection — object to processing based on legitimate interests
  • Withdraw Consent — for notifications and communications at any time

To exercise any of these rights, contact support@tylu.uk. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

8. Cookies

Tylu uses only essential session cookies required for authentication and to maintain your login state. We do not use tracking cookies, advertising cookies, or any third-party analytics cookies.

9. Children's Data

Tylu is an app for parents and caregivers, not for children. All child data entered is entered by and controlled by the adult account holder. We do not knowingly allow children to create accounts on the platform. Child data is stored encrypted and subject to the same protections as all other personal data.

10. NHS Content & Trend-Based Recommendations

Tylu displays freely accessible health articles sourced from the NHS Website Content API. This content is owned by NHS England. Tylu is not affiliated with or endorsed by the NHS. No personal data is shared with the NHS when you access this content.

Tylu may also use your tracking data locally to suggest relevant NHS articles when patterns or trends are identified (e.g., recommending an article on winding techniques after several below-average winding sessions). This analysis happens within the Tylu platform only — no tracking data is sent externally as part of this feature. These recommendations are informational only and do not constitute medical advice.

11. Changes to This Policy

We will notify you of any significant changes to this Privacy Policy via the app or email before they take effect. The "Effective date" at the top of this page will be updated accordingly.

12. Contact & Complaints

Data protection enquiries: support@tylu.uk — or use our contact form selecting "Data / Privacy Request".

Related Documents

Review our other legal pages

Terms of Service Contact Us