Short version: We collect only what’s necessary to deliver a personalized plan for your baby. We never sell your data. You can see, export, correct, or delete your data at any time by emailing [email protected].
1. Who we are (Data Controller)
The controller of your personal data is Vireon Media OÜ, a company incorporated in the Republic of Estonia, trading as GentleMonths (“GentleMonths”, “we”, “our”, “us”).
- Legal name: Vireon Media OÜ
- Registered office: Tallinn, Estonia
- General contact: [email protected]
- Privacy enquiries: [email protected]
- Data Protection Officer: [email protected]
2. Scope of this policy
This Privacy Policy applies to the GentleMonths website (gentlemonths.com), the GentleMonths quiz funnels, our email and push communications, the MilaAI chat experience, and any service that links to this policy (collectively, the “Service”).
It describes how we process personal data under the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act as amended by the CPRA (“CCPA”). Some additional rights apply if you are a resident of the EU/EEA, the UK, California, Virginia, Colorado, Connecticut, Utah, or another state with comparable privacy laws.
3. What we collect
We only collect personal data that is necessary for the purposes described below. We categorise the data we collect as follows.
3.1 Information you provide
- Quiz responses — your answers to questions about sleep patterns, feeding approach, developmental milestones, parenting preferences, and current concerns.
- Contact details — your first name and email address.
- Child information — your baby’s first name (optional) and date of birth. We use this to tailor age-appropriate guidance. We do not collect your child’s government identifiers, biometric data, health records, or images.
- Account and billing information — if you purchase a product or subscribe to a paid tier, our payment processor (Stripe) collects your payment details. We receive only a tokenised confirmation, your email address, the last four digits of your card, and the country of the card issuer.
- Marketing preferences — whether you have opted into marketing communications, and your consent history.
- Communications — messages you send us, feedback you leave, and customer-support exchanges.
3.2 Information we collect automatically
- Usage data — pages viewed, buttons clicked, quiz progress, time spent, referral source (e.g. UTM parameters).
- Technical data — IP address (hashed before storage for fraud detection), device and browser type, operating system, approximate location (country/region), language.
- Cookies and similar technologies — see the Cookies section below.
3.3 Information from third parties
- Payment status from Stripe (success/failure of checkout, refund events).
- Email deliverability events from Resend (opened, clicked, bounced, complained, unsubscribed).
- Advertising platforms, if you reach us through a paid campaign (Meta, Pinterest, Google) — typically click identifiers used to measure conversions.
4. How we use your data and legal bases
Under the GDPR, we must have a lawful basis to process your personal data. The table below sets out each purpose and the corresponding basis.
| Purpose | Data used | Lawful basis |
|---|---|---|
| Generate and deliver your personalised plan / report | Quiz responses, baby age, name, email | Performance of a contract (Art. 6(1)(b) GDPR) |
| Process payments and prevent fraud | Billing details, IP hash, transaction metadata | Contract + legitimate interests (Art. 6(1)(b) & (f)) |
| Send service emails (report delivery, receipts, password reset) | Email, name, submission identifier | Contract (Art. 6(1)(b)) |
| Send marketing emails, tips, and product updates | Email, name, engagement signals | Consent (Art. 6(1)(a)); withdrawable at any time |
| Measure traffic, conversion, improve the Service | Usage and technical data, aggregated analytics | Legitimate interests (Art. 6(1)(f)); consent for non-essential cookies |
| Comply with legal obligations (tax, accounting) | Transaction records | Legal obligation (Art. 6(1)(c)) |
| Defend against legal claims / disputes | Account, billing, and communication records | Legitimate interests (Art. 6(1)(f)) |
5. Automated decision-making and profiling
When you complete a quiz, we use a weighted scoring system to classify your situation into one of several educational archetypes (for example, “The Gentle Resetter”). This scoring drives the personalisation of your report and which product offer you see.
This process is explained transparently throughout the Service, it has no legal or similarly significant effect on you within the meaning of Article 22 GDPR, and you can always contact us to request a manual review, to contest the outcome, or to obtain information about the logic involved.
The text content of your report is generated by a large language model operated by Anthropic, PBC (the “Claude” API). We send Anthropic the minimum information needed (quiz responses summary, archetype, baby age in weeks, first names) so it can produce your personalised text. Anthropic processes these inputs as our data processor, does not use them to train its models, and retains them only for a short abuse-prevention period. See Anthropic’s own privacy documentation for details.
6. Children’s privacy
GentleMonths is intended for parents and carers who are 18 years of age or older. We do not knowingly collect personal data directly from children. The baby-related information we process is provided by the parent/guardian, and we treat it as the parent’s personal data, collected on behalf of the child with the parent’s consent.
If you are under 18, please do not use the Service or provide information to us. If you believe a child has provided us with information without parental consent, contact [email protected] and we will delete it promptly.
7. Who we share your data with
We do not sell your personal data. We share it only with carefully selected service providers (data processors) who help us operate the Service. All of them are bound by data processing agreements that comply with Article 28 GDPR.
| Processor | Purpose | Location |
|---|---|---|
| Neon, Inc. | Managed PostgreSQL database (primary data store) | United States / EU |
| Hetzner Online GmbH | Application hosting (EU VPS) | Germany / Finland |
| Cloudflare, Inc. | CDN, DNS, DDoS protection, TLS termination | Global edge network |
| Stripe Payments Europe, Ltd. | Payment processing and anti-fraud | Ireland / United States |
| Anthropic, PBC | AI text generation for your report and Mila chat | United States |
| Resend, Inc. | Transactional and marketing email delivery | United States |
| Sentry / PostHog (where enabled) | Error monitoring and product analytics | EU / United States |
We may also disclose personal data where required by law, in response to valid legal process, to protect the rights, property, or safety of GentleMonths, our users, or others, or in connection with a reorganisation, merger, or sale of assets. If a transfer of assets takes place, we will notify you and you will retain the rights set out in this policy.
8. International data transfers
Some of our processors are located outside the European Economic Area. When we transfer personal data outside the EEA, we rely on lawful transfer mechanisms such as the European Commission’s Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and, where relevant, the EU-US Data Privacy Framework. You may request a copy of the safeguards by emailing [email protected].
9. How long we keep your data
We keep your personal data only for as long as necessary for the purposes described above:
- Quiz submissions and generated reports: 24 months after your last interaction with the Service, after which we delete or anonymise them.
- Email marketing data: until you unsubscribe, plus up to 12 months of dormancy before automatic suppression.
- Order and invoicing records: 7 years, as required by Estonian accounting law.
- Support communications: 3 years after the ticket is closed.
- Server logs: 30 days.
10. Your rights
Subject to applicable law, you have the following rights in respect of your personal data:
- Right of access — receive a copy of the personal data we hold about you.
- Right to rectification — correct inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”) — request deletion of your data.
- Right to restriction of processing — limit how we use your data in specific circumstances.
- Right to data portability — receive your data in a machine-readable format or have us transfer it directly to another controller where technically feasible.
- Right to object — object to processing based on legitimate interests, including profiling, and to any use of your data for direct marketing.
- Right to withdraw consent at any time — withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
- Right not to be subject to solely automated decisions producing legal or similarly significant effects — see section 5.
- Right to lodge a complaint with a supervisory authority — the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, www.aki.ee) or the authority in your country of residence.
To exercise any of these rights, email [email protected]. We respond within 30 days (extendable by up to two further months for complex requests). We may need to verify your identity before acting on a request.
11. California residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the CCPA as amended by the CPRA:
- Right to know what personal information we collect and how we use and share it.
- Right to delete personal information.
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of personal information.
- Right to limit use and disclosure of sensitive personal information.
- Right to non-discrimination for exercising these rights.
We do not sell personal information or share it for cross-context behavioural advertising without your consent. To exercise your California privacy rights, email [email protected] with the subject “California Privacy Request”. You may designate an authorised agent to submit a request on your behalf.
12. Cookies and similar technologies
We use cookies and similar technologies to make the Service work and to understand how it is being used. You will see a cookie consent banner on your first visit that lets you accept, reject, or customise non-essential cookies.
- Strictly necessary — session identifier, security tokens, cookie-preference storage. These cannot be switched off.
- Analytics — aggregated counts of pageviews and conversion events. Loaded only if you consent.
- Marketing — attribution tags from advertising platforms (Meta Pixel, Pinterest Tag, etc.). Loaded only if you consent.
You can change your cookie preferences at any time by clicking the “Cookie preferences” link in the footer of the site. Browser-level “Do Not Track” and “Global Privacy Control” (GPC) signals are honoured on our site for California residents.
13. Security
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS 1.2+) and at rest for sensitive fields, principle-of-least-privilege access controls, audit logging, vulnerability management, and regular backups with offsite redundancy. No method of transmission or storage is 100% secure; if we become aware of a personal data breach affecting you, we will notify you and the relevant authorities as required by law.
14. Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised version here with a new “Last updated” date and, where changes are material, notify you by email or an in-product banner at least 30 days before they take effect.
15. Contact us
For any privacy questions, to exercise your rights, or to report a suspected privacy incident:
- Email: [email protected]
- Data Protection Officer: [email protected]
- Postal: Vireon Media OÜ, Tallinn, Estonia (full address on request)
