Back to home
πŸ”’Privacy Policy

Your privacy, in plain English

We built My Maternity Friend to support mums through pregnancy and to connect them with the health workers and clinicians who care for them β€” not to collect or profit from your data. This policy explains exactly what we collect, why, and what you can do about it. It applies to all user types: mums, health workers, and clinicians.

Last updated: April 2026Β·Operated by Sallan Holdings Ltd (UK)Β·ICO registered

Contents

  1. 1. Who we are
  2. 2. What we collect
  3. 3. Why we collect it and our legal basis
  4. 4. Who we share your data with
  5. 5. Where your data is stored
  6. 6. International data transfers
  7. 7. How long we keep your data
  8. 8. Your rights
  9. 9. Cookies and tracking
  10. 10. Children
  11. 11. Changes to this policy
  12. 12. Contact us

1. Who we are

My Maternity Friend is operated by Sallan Holdings Ltd, a company registered in England and Wales. When this policy says β€œwe”, β€œus”, or β€œour”, we mean Sallan Holdings Ltd.

We are the data controller for the personal data you provide when using My Maternity Friend. That means we decide how and why your data is processed, and we are responsible for keeping it safe.

My Maternity Friend is available in multiple countries across Africa, Europe, Asia, the Americas, and Oceania. Wherever you are, this policy applies. Where your country has its own data protection law, we comply with that law in addition to UK GDPR β€” the relevant laws are listed in Section 3 and Section 8.

We are registered with the UK Information Commissioner's Office (ICO). Depending on where you live, you may also have the right to contact your national data protection authority β€” see Section 8 and Section 12 for details.

2. What we collect

We only collect data that is genuinely needed to provide the app and keep it running. Here is what that includes:

Account information

Your name and email address when you register. A phone number if you choose to add one (used for OTP sign-in and optional reminders).

Pregnancy and health information

Your pregnancy due date or last menstrual period (to calculate your gestational age), and your responses to health check-in questions within the app. This is special category health data and we treat it with the highest level of protection.

Location (country level only)

We detect your country from your IP address to apply the right legal protections, route your health data to the correct server, and show relevant emergency services information (for example, the correct emergency number for your country). We do not track your precise GPS location, and we do not store IP addresses after country detection has been completed.

Payment information

If you subscribe to a paid plan, payment is handled by Stripe (card payments, most countries) or PawaPay (mobile money, available in Zambia and Uganda). We never see or store your card number or mobile money credentials. We only receive a transaction reference to confirm your payment succeeded.

Health worker and clinician information

If you register as a health worker or clinician (for example, a midwife, nurse, or doctor), we collect your professional details in addition to your account information:

  • Your name, role, and professional registration details (if provided)
  • Your facility or clinic name and address
  • Clinic contact details (phone and email)
  • Opening hours and registered staff list for your facility

This business profile information is not health data β€” it is equivalent to a professional directory listing. It is shown to mums who accept your connection invite, so they know which clinic or professional is linked to their account.

As a health worker, you will have limited, role-appropriate visibility of health data belonging to mums who have explicitly accepted your connection. You act as a data processor for that mum's health data under the terms of our clinician agreement.

Technical information

Browser type, device type, and app version β€” collected automatically to keep the app working correctly and to investigate errors. We do not build profiles from this data or use it for advertising.

We do not collect biometric data, financial account numbers, government ID numbers, or any data about your baby beyond what you choose to share with us.

3. Why we collect it and our legal basis

Data protection law requires us to have a valid reason β€” a β€œlegal basis” β€” for each type of data we process. The table below sets this out clearly.

What we collectWhyLegal basis
Name and email addressTo create and manage your account, and to send transactional messages (e.g. sign-in codes, appointment reminders)Contract / Consent
Phone number (optional)For OTP sign-in and optional reminders if you choose to enable themConsent
Pregnancy dates and due dateTo personalise your weekly content, milestone tracking, and health check-in questionsExplicit consent (special category health data β€” UK GDPR Art 9(2)(a); EU GDPR Art 9(2)(a); Zambia DPA 2021; Uganda DPPA 2019; Kenya DPA 2019; POPIA; NDPR; and equivalent national laws)
Health check-in responsesTo surface personalised wellbeing prompts, flag symptoms that may need attention, and give you a record of how you have felt throughout your pregnancyExplicit consent (special category health data β€” as above)
Country / region (derived from IP address)To apply the correct legal protections for your jurisdiction, route your data to the appropriate server, and show locally relevant emergency services informationLegitimate interests (legal compliance); Consent where required by local law
Device and session information (e.g. browser type, app version)To keep the app running correctly, diagnose errors, and improve performanceLegitimate interests
Payment informationTo process subscription payments. Card details are handled entirely by Stripe; mobile money details by PawaPay. We never see or store payment credentials β€” only a transaction referenceContract
Health worker / clinician business profile (facility name, address, contact details, opening hours, staff list)To build a verified clinic profile that is shown to mums when they accept a connection invite from that health workerContract / Legitimate interests
Health worker access to connected mum's health dataTo enable clinicians to support mums in their care β€” for example, reviewing check-in responses, flagging concerns, or coordinating appointments. Access is limited to mums who have explicitly accepted the connectionExplicit consent of the mum (special category health data); Legitimate interests of the health worker as a professional carer

A note on special category health data

Your pregnancy dates and health check-in responses are β€œspecial category” data because they relate to your health. We process this data only on the basis of your explicit consent. You give this consent when you create an account and agree to this policy. You can withdraw it at any time by deleting your account (see Your Rights below).

Applicable data protection laws by region

πŸ‡¬πŸ‡§
United Kingdom: UK GDPR / Data Protection Act 2018
πŸ‡ͺπŸ‡Ί
European Union / EEA: EU GDPR (Regulation 2016/679)
πŸ‡ΏπŸ‡²
Zambia: Data Protection Act 2021 (including s.70 data localisation β€” Zambian users' health data is stored on servers physically located in Zambia)
πŸ‡ΊπŸ‡¬
Uganda: Data Protection and Privacy Act 2019
πŸ‡°πŸ‡ͺ
Kenya: Data Protection Act 2019
πŸ‡ΏπŸ‡¦
South Africa: Protection of Personal Information Act (POPIA) 2013
πŸ‡³πŸ‡¬
Nigeria: Nigeria Data Protection Regulation (NDPR) 2019
πŸ‡¬πŸ‡­
Ghana: Data Protection Act 2012
πŸ‡ΉπŸ‡Ώ
Tanzania: Personal Data Protection Act 2022
πŸ‡±πŸ‡Έ
Lesotho: Data Protection Act 2012
πŸ‡ΈπŸ‡Ώ
Eswatini: Data Protection Act 2022
πŸ‡²πŸ‡Ώ
Mozambique: Law No. 3/2017 on Personal Data Protection
🌍
Other countries: We apply the principles of UK GDPR as a baseline and comply with applicable local data protection laws where they exist

Health workers and clinicians β€” a note on access

When a mum accepts a connection request from a health worker or clinician in the app, she explicitly consents to that professional having role-appropriate access to her health data. This access is:

  • Always initiated by the mum β€” she must accept the invite
  • Limited in scope β€” clinicians see only data relevant to care, not a mum's full account
  • Revocable at any time β€” mums can disconnect a health worker from their account settings
  • Subject to the same data protection laws as all other processing listed above

Health workers and clinicians who access mum data through the app are acting as data processors for that mum's health data. They are bound by our clinician terms of service, which include data protection obligations consistent with applicable law.

We never use your health data for advertising, and we never sell your data to any third party β€” full stop.

4. Who we share your data with

We share your data with as few third parties as possible, and only where it is necessary to run the service.

πŸ—„οΈ

Supabase β€” database and authentication

All your account data, pregnancy data, and health check-ins are stored in Supabase databases. For users outside Zambia, data is hosted on EU servers (Frankfurt, Germany β€” AWS eu-central-1). For users in Zambia, health data is stored on a self-hosted Supabase instance physically located in Zambia, in compliance with Zambia DPA 2021 s.70. Supabase acts as our data processor under a Data Processing Agreement.

βœ‰οΈ

Resend β€” transactional email

We use Resend to send transactional emails such as sign-in codes and appointment reminders. We share only your name and email address with Resend. We do not share any pregnancy data, health information, or other special category data.

πŸ’¬

Infobip β€” WhatsApp OTP

We use Infobip to deliver one-time sign-in codes via WhatsApp. We share only your phone number and the OTP code with Infobip. No health data is shared.

πŸ’³

Stripe β€” card payments (most countries)

Stripe processes card payments on our behalf. Your card details go directly to Stripe β€” we never see them. We share only what Stripe needs to identify the transaction (your name, email, and payment amount).

πŸ“±

PawaPay β€” mobile money payments (Zambia and Uganda)

Users in Zambia and Uganda who pay by mobile money have their payments processed by PawaPay. As with Stripe, we receive only a transaction reference; we do not store mobile money credentials.

πŸ’¬

Freshchat β€” in-app customer support

If you contact our support team through the in-app chat, your messages are processed by Freshchat. Only the content of your support conversation and your name/email are shared β€” no health data.

πŸ₯

Health workers and clinicians connected to your account

If you are a mum and you accept a connection request from a health worker or clinician in the app, that professional will gain limited, role-appropriate visibility of your health data. This sharing is entirely at your discretion β€” you initiate it by accepting their invite, and you can revoke it at any time from your account settings.

If you are a health worker or clinician, your business profile (clinic name, address, contact details, opening hours) is shown to mums who accept your connection request. Your personal account details (email, phone) are never shared with mums without your explicit consent.

βš–οΈ

Law enforcement or regulators

We may disclose data if required to do so by law, court order, or a regulator with lawful authority. We will tell you if this happens, unless we are legally prevented from doing so.

We do not sell your data. We do not share your data with advertisers. We do not use your data to train AI models or build advertising profiles.

5. Where your data is stored

We operate servers in multiple locations to comply with national data localisation laws and to reduce latency for users.

🌍

All users except Zambia β€” EU (Frankfurt, Germany)

Your health data is stored on Supabase infrastructure hosted in AWS eu-central-1 (Frankfurt). EU data protection standards apply. Your health data does not leave EU jurisdiction.

πŸ‡ΏπŸ‡²

Zambian users β€” Zambia (on-premises)

In compliance with Zambia Data Protection Act 2021, Section 70 (data localisation requirement for health data), Zambian users' health data is stored on a self-hosted server physically located in Zambia. If the Zambia server is temporarily unavailable, data is held on EU servers until the Zambia server recovers, at which point it is synchronised back. A status notice will appear in the app if this fallback is active.

6. International data transfers

As a global app, data may pass through international infrastructure when you sign in or use the service (for example, through Stripe or Resend). Where data is transferred internationally, we ensure appropriate safeguards are in place:

  • EU Standard Contractual Clauses (SCCs) are in place with all processors that receive data outside the EEA.
  • Zambia DPA 2021 cross-border transfer provisions are complied with β€” health data is kept in Zambia except during the fallback scenario described in Section 5.
  • Stripe is certified under the EU–US Data Privacy Framework and operates under SCCs for other international transfers.
  • Resend and Infobip are GDPR-compliant processors operating under SCCs.

For users in countries with their own cross-border transfer rules (including Kenya, South Africa, Nigeria, and others listed in Section 3), we apply equivalent safeguards consistent with the applicable national law.

7. How long we keep your data

While your account is active

We retain your account data, pregnancy data, and health check-in history for as long as your account remains active. This lets you look back at your full pregnancy journey, export your data, or share records with a healthcare provider.

After you request deletion

When you request erasure of your account or your data, we will complete that deletion within 30 days β€” the standard deadline under UK GDPR, EU GDPR, Zambia DPA 2021, and most equivalent national laws. Some information (such as payment transaction records) may be retained for up to 7 years where required by UK tax or financial regulations β€” but this is limited to transaction records only, not health data.

Backups

Encrypted database backups are retained for up to 30 days as part of disaster recovery. After your deletion is processed, your data will also be purged from backups within this window.

8. Your rights

You have meaningful rights over your personal data under UK GDPR and the equivalent national data protection law that applies to you. We take these seriously and will always respond within the legally required timeframe (30 days for most requests).

Right to access

Ask us for a copy of all the personal data we hold about you. We will provide it in a readable format, free of charge, within 30 days.

Right to rectification

If any of your data is inaccurate or incomplete, ask us to correct it. You can also update most information yourself in your profile settings.

Right to erasure (right to be forgotten)

Ask us to delete your account and all associated data. We will complete this within 30 days. You can also do this yourself from the app settings.

Right to restrict processing

Ask us to pause how we use your data while a dispute is being resolved β€” for example, while you check whether data we hold is accurate.

Right to data portability

Request a machine-readable export of your personal data so you can take it elsewhere β€” for example, to share with your midwife or another health app.

Right to object

Object to processing based on legitimate interests. If you object, we will stop unless we can show a compelling legitimate reason that overrides your interests.

Right to withdraw consent

Because we rely on your consent for health data, you can withdraw that consent at any time by deleting your account. Withdrawing consent does not affect the lawfulness of processing before withdrawal.

Right to lodge a complaint

You have the right to complain to your national data protection authority. We would always prefer you speak to us first β€” we will try to resolve it promptly.

Your national supervisory authority

πŸ‡¬πŸ‡§UK: Information Commissioner's Office (ICO) β€” ico.org.uk
πŸ‡ͺπŸ‡ΊEU / EEA: Your national data protection authority (e.g. CNIL in France, BfDI in Germany, DPC in Ireland)
πŸ‡ΏπŸ‡²Zambia: Data Protection Commissioner, Ministry of Transport and Communications
πŸ‡ΊπŸ‡¬Uganda: Personal Data Protection Office (PDPO)
πŸ‡°πŸ‡ͺKenya: Office of the Data Protection Commissioner (ODPC) β€” odpc.go.ke
πŸ‡ΏπŸ‡¦South Africa: Information Regulator β€” inforegulator.org.za
πŸ‡³πŸ‡¬Nigeria: Nigeria Data Protection Commission (NDPC) β€” ndpc.gov.ng
πŸ‡¬πŸ‡­Ghana: Data Protection Commission β€” dataprotection.org.gh
πŸ‡ΉπŸ‡ΏTanzania: Personal Data Protection Commission (PDPC)
🌍All other countries: Contact your national data protection authority. We will cooperate fully with any inquiry.
To exercise any of these rights, email us at privacy@mymaternityfriend.app. We may need to verify your identity before processing the request. We will respond within 30 days and will not charge you.

9. Cookies and tracking

My Maternity Friend is a Progressive Web App (PWA). We use a small number of cookies and browser storage mechanisms β€” strictly those needed to make the app work.

Essential cookies

These keep you signed in, maintain your session securely, and remember your preferences such as language. The app cannot function without these.

No advertising cookies

We do not use advertising cookies, tracking pixels, or any third-party analytics that build profiles about you. We do not use Google Analytics, Meta Pixel, or similar advertising technologies.

Service worker and offline cache

As a PWA, we cache app assets locally on your device so the app works offline. This does not involve any personal data β€” it is equivalent to your browser caching a website.

You can clear cookies and cached data at any time through your browser or device settings. Clearing session cookies will sign you out of the app.

10. Children

My Maternity Friend is designed for pregnant women and new mums, who are adults. The app is not intended for anyone under the age of 13, and we do not knowingly collect data from children.

If you believe a child under 13 has created an account, please contact us at privacy@mymaternityfriend.app and we will promptly delete the account and all associated data.

11. Changes to this policy

We may update this privacy policy from time to time β€” for example, if we launch in new countries, add new features, change our third-party providers, or need to reflect changes in data protection law.

When we make significant changes, we will notify you by email and show a notice in the app before the changes take effect. The date at the top of this policy will always reflect when it was last updated.

If you do not agree with the updated policy, you can delete your account at any time. Continuing to use the app after a change takes effect means you accept the updated policy.

12. Contact us

If you have any questions, concerns, or requests about your data, please get in touch. We aim to respond to all privacy enquiries within 5 working days and all formal Subject Access Requests within 30 days.

βœ‰
🏒

Data controller

Sallan Holdings Ltd
Registered in England and Wales

πŸ‡¬πŸ‡§
πŸ‡ΏπŸ‡²

Supervisory authority (Zambia)

Data Protection Commissioner, Ministry of Transport and Communications

πŸ‡ΊπŸ‡¬

Supervisory authority (Uganda)

Personal Data Protection Office (PDPO)

πŸ‡°πŸ‡ͺ

Supervisory authority (Kenya)

Office of the Data Protection Commissioner (ODPC)

πŸ‡ΏπŸ‡¦

Supervisory authority (South Africa)

Information Regulator β€” inforegulator.org.za

🌍

All other countries

Contact your national data protection authority. We will cooperate fully.

This policy was last updated in April 2026. It applies to the My Maternity Friend PWA and any related services operated by Sallan Holdings Ltd. For questions about this policy, contact privacy@mymaternityfriend.app.