Privacy Policy
Last updated: 14 June 2026
TinyStepper (“we”, “us”, “our”) is the data controller for the personal data described in this policy. This page explains what data we collect, why, who we share it with, how long we keep it, and what rights you have. We aim to collect as little as possible and to be plain about what we do.
Two ways to use TinyStepper
Most of TinyStepper is free and needs no account — you can browse activities, behaviour guides, development information, and SEND support without giving us any personal data at all.
If you choose to, you can also create an account and a householdto save favourites across devices, add a profile for each child, keep a private record of what you’ve tried, and (with a Premium subscription) receive a personalised weekly plan and daily idea. The sections below marked account only apply if you create one.
What we collect
Everyone (no account needed)
- Newsletter sign-up (optional): your email address, if and when you subscribe.
- Anonymous analytics: aggregate, cookieless usage statistics that do not identify you (see Cookies and tracking).
Account holders
If you create an account, we collect and store:
- Account details: your email address, a securely hashed password (we never see or store it in plain text), and the dates your account was created and last used.
- Children’s profiles you add:a display name (a first name or nickname — we ask you not to use a full legal name), your child’s birth month and year (month/year only, never a full date of birth), an optional energy preference, and optional short routine notes you choose to add. See Children’s data below.
- Household sharing: if you invite another carer to your household, we store the email address you invite and the membership that results. Invitations carry a one-time link and expire after 7 days.
- How you use your account: the activities you save as favourites, a private log of activities you mark as tried (with the date and any optional note you add), and which suggestions you were shown or chose.
- Subscription and payments: if you take a Premium subscription, our payment processor (Stripe) handles your card details — we never receive or store them. We store only Stripe’s references to your customer and subscription, your plan, status, and trial or renewal dates.
- Communication settings: your time zone and your choices about which emails you want (such as the daily suggestion).
- Security record: a minimal audit log of key account actions (for example, sign-in, email verification, or deleting a child profile). This records what happened and when, using identifiers only — we do not log IP addresses, device fingerprints, or browsing history.
Why we collect it, and our lawful basis
- Running your account and household(sign-in, favourites, children’s profiles, activity logs, household sharing) — to provide the service you asked us for. Lawful basis: performance of a contract (UK GDPR Article 6(1)(b)).
- Personalised weekly plans and daily suggestions— to tailor activity ideas to your child’s age and preferences. You turn the daily email on or off yourself. Lawful basis: performance of a contract, and your consent for the daily email (Article 6(1)(a)).
- Account, household, and billing emails (verification, password reset, invitations, trial reminders) — to operate the service securely. Lawful basis: performance of a contract.
- Taking payment via Stripe and keeping the resulting billing records. Lawful basis: performance of a contract, and our legal obligations (Article 6(1)(c)) for tax and accounting records.
- Newsletter emails — sent only to send you the newsletter. Lawful basis: your consent (Article 6(1)(a)). You can unsubscribe from any email at any time.
- Security and keeping the service working (the audit log, error monitoring, preventing abuse). Lawful basis: our legitimate interests (Article 6(1)(f)) in keeping accounts safe.
Where we rely on consent, you can withdraw it at any time. Withdrawing consent does not affect the lawfulness of processing before withdrawal.
Children’s data
TinyStepper is designed for parents and carers, not for children, and children do not use it or hold accounts. However, if you add a child’s profile we do process a small amount of personal data about your child, which you provide as their parent or carer, so that we can tailor activity suggestions.
We have deliberately minimised this:
- We ask for a first name or nickname only — not a full legal name.
- We ask for birth month and year only — never a full date of birth — because an approximate age is all we need to suggest age-appropriate activities.
- Energy preference and routine notes are optional and entirely up to you.
We use this data only to personalise activity ideas for you. We do notuse it for advertising, we do not market to children, and we do not share it for any such purpose. We have regard to the ICO’s Age Appropriate Design Code (Children’s Code) and have carried out a Data Protection Impact Assessment for this processing. You can edit or remove a child’s profile, or export and delete all of your data, at any time from your account.
Who we share it with
We do not sell or rent your personal data. We use a small number of trusted service providers to process data on our behalf, under contract:
- Stripe — processes subscription payments. Your card details go directly to Stripe and are never stored by us.
- Resend — delivers our account, household, and billing emails (such as verification links, invitations, daily suggestions, and trial reminders).
- Buttondown (Portland, Oregon, US) — processes newsletter subscriptions and sends the newsletter, if you opt in.
- Amazon Web Services (AWS)(EU West — London region) — hosts our website and database.
- Umami — provides cookieless, anonymous website analytics. It does not collect personal data.
- Sentry — error monitoring that helps us fix faults. We configure it to strip personal data (request bodies, cookies, and authentication headers) before anything is sent.
International transfers
Some of our providers (including Stripe, Resend, Buttondown, and Sentry) process data outside the UK, including in the United States. Where they do, the transfer is protected by an appropriate safeguard recognised under UK data protection law — such as the UK International Data Transfer Agreement, Standard Contractual Clauses, or the UK extension to the EU–US Data Privacy Framework. You can ask us for details of the safeguard that applies to a particular provider.
How long we keep it
- Account and household data(including children’s profiles, favourites, and activity logs): kept while your account is open. If your Premium subscription ends, your account data stays safe and available to you on the free tier — we do not delete it. When you delete your account, this data is permanently removed.
- Household invitations: expire after 7 days.
- Billing records: retained for as long as we are required to keep them for tax and accounting purposes.
- Security audit log: a minimal record of account actions, kept to protect accounts; entries are de-identified if the related account is deleted.
- Newsletter email: retained until you unsubscribe, then removed from our mailing list.
Cookies and tracking
We do not use any advertising or tracking cookies, and our analytics (Umami) are fully cookieless. The only cookie we set is a strictly necessary session cookie when you are logged into an account — it keeps you signed in and protects forms against cross-site request forgery. Strictly necessary cookies do not require a consent banner, so we don’t show one. If you never log in, no cookies are set at all.
Automated decision-making
Our weekly plans and daily suggestions are personalisation: we use your child’s age and any preferences you set to recommend suitable activities. This is not automated decision-making that produces legal or similarly significant effects — there is no profiling for advertising, and you (the parent) always decide what to do. You can turn the daily suggestion off at any time.
Your rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you
- Correct any inaccurate data
- Deleteyour data (“right to be forgotten”)
- Restrict how we process your data
- Port your data to another service
- Object to processing
- Withdraw consent at any time
If you have an account, you can export all of your data as a file, and delete your account and everything in it, directly from your account settings — no need to ask. You can also email us at hello@tinystepper.co to exercise any of these rights, and we will respond within one month.
Complaints
If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, SK9 5AF
ico.org.uk
Changes to this policy
If we make changes, we will update this page and the “last updated” date above. For significant changes, we will notify account holders and newsletter subscribers by email.
Contact
For any questions about this privacy policy or your data, email hello@tinystepper.co.