Privacy Policy
Effective Date: February 15, 2026 · Last Updated: February 15, 2026
Introduction
Hatchbox ("we," "us," or "our") operates the Hatchbox mobile application (the "App"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the App. By downloading, installing, or using the App, you agree to this Privacy Policy. If you do not agree, please do not use the App.
We are committed to protecting your privacy and handling your data with transparency and care. Hatchbox is designed with a privacy-first, offline-first architecture — your data stays on your device by default, and we collect only what is necessary to provide our services.
1. Information We Collect
1.1 Information You Provide Directly
User Profile Information
- Preferred activity settings (e.g., indoor, outdoor, backyard, car, anywhere)
- Activity type preferences (e.g., quick games, bedtime stories, weekend adventures, learning activities, active play)
- Onboarding preferences and completion status
Child Profile Information
- Child age ranges (e.g., 0–6 months, 1–2 years, 3–4 years, etc.)
- Child interests (e.g., animals, dinosaurs, space, music, art/crafts, sports, building, superheroes, vehicles, nature, fairy tales)
- Optional display name (stored on-device only and never transmitted to our servers)
- Optional birth month
Account Information (when you create an account)
- Apple ID authentication token (if you choose Sign in with Apple)
- Optional display name and handle (for social features)
- A randomly generated anonymous account identifier (if you choose anonymous account creation instead of Sign in with Apple)
1.2 Information Collected Automatically
Usage and Interaction Data
- Activity cards viewed, skipped, saved, or played
- Time spent viewing activity cards
- Time of day and day of week when activities are used
- Activity setting context (e.g., indoor, outdoor)
Event Interaction Data
- Events you save, express interest in, mark as attending, or dismiss
- Event category preferences
Device and Technical Information
- Device type and model
- Operating system version
- App version
- A randomly generated device or user identifier (UUID) — this is not tied to your Apple ID, advertising identifier, or any other persistent device identifier unless you explicitly sign in
1.3 Location Information
If you grant permission, we collect your approximate location (accurate to approximately 1 kilometer) to show family-friendly events and activities near you. Location data is:
- Used only to query for nearby events at the time of the request
- Never stored on our servers
- Never shared with third parties
- Never used for tracking or profiling
You may deny or revoke location permission at any time in your device Settings. The App will continue to function, but the Local Discovery feature will be unavailable.
1.4 Information We Do NOT Collect
- We do not collect precise GPS coordinates for storage or tracking
- We do not collect your name, email address, phone number, or mailing address (unless provided voluntarily for account features)
- We do not collect photos, contacts, calendar data, health data, or browsing history
- We do not read the Apple advertising identifier (IDFA) unless you grant tracking permission through App Tracking Transparency for personalized ads in the free tier (see Section 4.3); if you decline, iOS returns an all-zero identifier to the App
- We do not use fingerprinting or any other means to track you across apps or websites
- We do not collect children's names on our servers — display names are stored locally on your device only
2. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Personalize activity recommendations to your children's ages and interests | Child age ranges, interests, interaction history | Legitimate interest / consent |
| Provide on-device activity recommendation engine | Interaction data (views, skips, saves, plays) | Legitimate interest |
| Show nearby family-friendly events | Approximate location (when permitted) | Consent |
| Improve content quality and relevance | Aggregated, anonymized usage statistics | Legitimate interest |
| Manage your account and subscription | Account identifiers, subscription status | Contract performance |
| Enable social features (e.g., friends, shared events) | Optional display name, handle, invite codes | Consent |
| Prevent abuse and ensure service integrity | Device/user identifiers, usage patterns | Legitimate interest |
| Comply with legal obligations | As required by law | Legal obligation |
We process child profile data (age ranges and interests) solely to personalize activity suggestions for the parent or guardian using the App. Identifying fields are stripped before any server transmission: only age-range values and interest category strings are sent, never names or other information that identifies a child.
3. Data Storage and Security
3.1 On-Device Storage
Hatchbox is built with an offline-first architecture. The following data is stored locally on your device using Apple's SwiftData framework:
- User profile and preferences
- Child profiles (including optional display names)
- Activity interaction history
- Saved events and activity history
- On-device recommendation model weights
This data remains on your device and is protected by your device's built-in security (passcode, Face ID or Touch ID, and hardware-backed Data Protection encryption of the file system). Note that Data Protection encryption at rest is only effective when a device passcode is set.
3.2 Server-Side Storage
When you use features that require network connectivity (such as event discovery or account sync), limited data may be transmitted to and stored on our servers:
- Anonymous or Apple-authenticated user identifier
- Anonymized child data (age ranges and interest categories only — never names)
- Activity interaction data (card identifiers, interaction types, timestamps)
- Event feedback (interested, going, attended, not for us)
- Subscription status
Server-side data is:
- Encrypted in transit using TLS 1.2 or higher
- Stored in databases that are encrypted at rest
- Hosted on Amazon Web Services (AWS) infrastructure within the United States
- Accessible only to authorized personnel on a need-to-know basis
3.3 Data Retention
- On-device data is retained until you delete the App or manually clear your data within the App
- Server-side data is retained for as long as your account is active or as needed to provide services
- Anonymized, aggregated analytics data may be retained indefinitely, as it cannot be used to identify any individual
- Upon account deletion, all personally identifiable server-side data is deleted within 30 days, except where retention is required by law
4. Third-Party Services
4.1 Event Data Providers
To power the Local Discovery feature, we aggregate public event listings from the following third-party services:
- Ticketmaster (Discovery API)
- Eventbrite (API)
- Google Places (API)
- PredictHQ (API)
- Public open data portals and RSS feeds
When we query these services, we send an approximate location (city-level or coordinate rounded to reduce precision) and event category filters. We do not send any personal information, user identifiers, or child data to these services.
Each third-party service has its own privacy policy:
4.2 Analytics
We may use privacy-focused analytics services (such as TelemetryDeck or PostHog) to understand how the App is used in aggregate. These analytics services:
- Do not collect personally identifiable information (PII)
- Do not use cookies or advertising identifiers
- Are compliant with GDPR and other applicable privacy regulations
- Collect only anonymized, aggregated usage data (e.g., feature usage counts, session durations, crash reports)
4.3 Advertising
The free tier of the App may display advertisements provided by Google AdMob. If ads are displayed:
- We will request your consent via Apple's App Tracking Transparency (ATT) framework before any tracking occurs
- If you decline tracking, you will still see ads, but they will not be personalized
- Google AdMob's privacy policy: https://policies.google.com/privacy
- You can manage ad preferences in your device's Settings > Privacy & Security > Tracking
4.4 Apple Services
- Sign in with Apple: If you choose to authenticate, Apple provides us with a unique, app-scoped identifier. We do not receive your Apple ID email address unless you choose to share it. See Apple's privacy policy.
- App Store / StoreKit: Subscription purchases are processed by Apple. We receive a transaction receipt to verify your subscription status but do not have access to your payment information. See Apple's privacy policy.
- Apple Push Notification Service (APNs): If you enable push notifications, Apple delivers notifications on our behalf using a device token. We do not use this token for any purpose other than delivering notifications you have opted into.
4.5 AI and Machine Learning
- On-device recommendation engine: Hatchbox uses an on-device machine learning model to personalize activity suggestions. This model runs entirely on your device. No personal data is sent to external servers for recommendation processing.
- On-device content generation (planned): Future versions may use on-device language models to generate personalized activities. These models will run entirely on your device with no data transmitted externally.
- Server-side content generation (planned, premium only): Premium users may have access to server-generated content. In such cases, only anonymized child age ranges and interest categories are sent to our servers. No child names or identifying information is transmitted.
5. Data Sharing and Disclosure
5.1 We Do Not Sell Your Data
We do not sell, rent, lease, or trade your personal information to third parties for their commercial purposes. We have never sold personal information and will never do so.
5.2 Limited Sharing
We may share information only in the following circumstances:
- With your consent: When you explicitly opt into social features (e.g., sharing event interest with friends)
- Service providers: With trusted vendors who assist in operating the App (e.g., cloud hosting, analytics), bound by contractual obligations to protect your data and use it only for the services they provide to us
- Legal requirements: When required by law, regulation, legal process, or governmental request
- Safety and rights: To protect the safety, rights, or property of Hatchbox, our users, or the public
- Business transfers: In connection with a merger, acquisition, or sale of assets, in which case your data would remain subject to this Privacy Policy
5.3 Social Features
If you use social features (such as the friends system), the following information may be visible to your friends:
- Your display name (if you choose to set one)
- Your handle (if you choose to set one)
- Your interest status on events (e.g., "going" or "interested")
You control whether your name is visible to friends through the showNameToFriends privacy setting. Social features are entirely optional.
6. Your Rights and Choices
6.1 Access and Portability
You have the right to request a copy of the personal data we hold about you. Contact us at the address below to make a request.
6.2 Correction
You can update your profile information, child profiles, and preferences at any time within the App.
6.3 Deletion
- On-device data: Delete the App to remove all locally stored data, or use the in-app data management settings
- Server-side data: Use the "Delete My Account" option within the App, or contact us at the email below. We will delete your account and associated data within 30 days
- Right to be forgotten: Under applicable law, you may request complete erasure of your personal data from our systems
6.4 Location Permission
You can enable or disable location access at any time through your device's Settings > Privacy & Security > Location Services > Hatchbox.
6.5 Push Notifications
You can enable or disable push notifications at any time through your device's Settings > Notifications > Hatchbox.
6.6 Ad Tracking
You can control ad tracking through your device's Settings > Privacy & Security > Tracking, where you can revoke Hatchbox's tracking permission individually or turn off "Allow Apps to Request to Track" for all apps. When tracking permission is not granted, iOS returns an all-zero advertising identifier to the App, so ads cannot be personalized using it.
6.7 Opt Out of Analytics
You may opt out of anonymized analytics collection through the App's settings (where available) or by contacting us.
7. Children's Privacy (COPPA Compliance)
Hatchbox is designed for adult users — specifically parents and guardians — and is not directed at children under 13. We comply with the Children's Online Privacy Protection Act (COPPA) and similar international regulations.
7.1 How We Handle Child-Related Data
- The App allows parents to create child profiles to personalize activity recommendations
- Child display names are optional, stored only on the parent's device, and are never transmitted to our servers
- Only anonymized, non-identifying data about children is processed server-side: numeric age ranges (e.g., "3–4 years") and broad interest categories (e.g., "dinosaurs," "sports")
- This anonymized data cannot be used to identify any individual child
- We do not collect personal information directly from children
7.2 Parental Controls
- Parents have full control over child profile data within the App
- Parents can add, edit, or delete child profiles at any time
- Parents can request deletion of all data by deleting their account
7.3 No Direct Child Interaction
- Children are not intended users of the App
- The App does not include features that allow children to interact with it directly (e.g., no child login, no child-facing content input, no social features for children)
- All content is curated for parents to use with their children during shared activities
7.4 If We Learn of Unauthorized Collection
If we learn that we have collected personal information from a child under 13 without parental consent, we will take immediate steps to delete that information. If you believe we have collected information from a child, please contact us immediately.
8. International Data Transfers
If you are located outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where our servers are located. By using the App, you consent to this transfer. We ensure that appropriate safeguards are in place to protect your data in accordance with this Privacy Policy and applicable law.
9. European Economic Area (EEA) / UK Residents — GDPR
If you are located in the European Economic Area or the United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR):
- Right of access — You may request a copy of your personal data
- Right to rectification — You may request correction of inaccurate data
- Right to erasure — You may request deletion of your personal data
- Right to restrict processing — You may request that we limit how we use your data
- Right to data portability — You may request your data in a structured, machine-readable format
- Right to object — You may object to processing based on legitimate interests
- Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time
- Right to lodge a complaint — You may file a complaint with your local data protection authority
Legal bases for processing:
- Consent: Location data, optional analytics, ad tracking, social features
- Contract performance: Providing the App's core functionality, managing subscriptions
- Legitimate interests: Improving the App, preventing abuse, aggregated analytics
To exercise any of these rights, contact us using the information in Section 12.
10. California Residents — CCPA / CPRA
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know — You may request information about the categories and specific pieces of personal information we collect, use, and disclose
- Right to delete — You may request deletion of your personal information
- Right to correct — You may request correction of inaccurate personal information
- Right to opt out of sale or sharing — We do not sell or share your personal information for cross-context behavioral advertising
- Right to non-discrimination — We will not discriminate against you for exercising your privacy rights
Categories of personal information collected (per CCPA categories):
- Identifiers (anonymous user ID, optional display name)
- Internet or electronic network activity (app usage data, interaction history)
- Geolocation data (approximate, when permitted)
- Inferences (activity recommendations based on usage patterns)
To exercise your rights, contact us using the information in Section 12, or use the in-app data management features.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:
- We will update the "Last Updated" date at the top of this policy
- We will notify you through the App or other appropriate means (such as an in-app notification or email, if available)
- Continued use of the App after the effective date of changes constitutes acceptance of the updated policy
We encourage you to review this Privacy Policy periodically.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Hatchbox
Email: privacy@hatchbox.app
For data protection inquiries or to exercise your privacy rights, please include "Privacy Request" in the subject line. We will respond to your request within 30 days (or sooner where required by applicable law).
13. Apple App Store Compliance
This App is distributed through the Apple App Store and complies with Apple's App Store Review Guidelines and Apple Developer Program License Agreement. In particular:
- We comply with Apple's requirements for privacy nutrition labels (App Privacy details on the App Store)
- We use Apple's App Tracking Transparency framework before any tracking
- We support Apple's "Sign in with Apple" for authentication
- We support the "Delete Account" functionality as required by Apple
- We handle subscription data in accordance with Apple's StoreKit guidelines
- We do not use any private or undocumented Apple APIs to collect user data
14. App Privacy Details (App Store Nutrition Label)
The following summarizes the data we report in the App Store privacy nutrition labels:
Data Used to Track You
- None (we do not track you across other companies' apps or websites; ad personalization in the free tier happens only if you grant tracking permission as described in Section 4.3)
Data Linked to You
- User ID (anonymous identifier)
- Subscription status (if applicable)
Data Not Linked to You
- Usage data (interaction statistics)
- Diagnostics (crash logs, performance data)
- Coarse location (approximate, for event discovery)
Data Not Collected
- Contact information (name, email, phone — unless voluntarily provided for account features)
- Financial information
- Health and fitness data
- Browsing history
- Search history
- Sensitive information
- Photos or videos
- Audio data
- Contacts
- Messages