Privacy Notice

Last updated: April 9, 2026

This Privacy Notice for Poppycal (“we,” “us,” or “our”) describes how and why we access, collect, store, use, and share (“process”) your personal information when you use our services (“Services”), including when you:

  • Visit our website at https://poppycal.com or any website of ours that links to this Privacy Notice
  • Use Poppycal, a family calendar and household organization web application. Account holders can manage shared family calendars, assign chores and routines, plan meals, create grocery lists, track homeschool progress, and display family photos. The Services are accessed through a web browser on any device.
  • Engage with us in other related ways, including any marketing or events

Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you still have questions, please contact us at [email protected].

Summary of Key Points

What personal information do we process? When you visit, use, or navigate our Services, we process personal information depending on how you interact with us, the choices you make, and the features you use. This includes account information you provide (such as your name and email address), information you enter about members of your household (including minors in your care), and information that is automatically collected when you use the Services (such as your IP address, device information, and login activity).

Do we process any sensitive personal information? We do not intentionally solicit sensitive personal information. However, account holders may voluntarily enter limited health-related notes about household members (for example, allergy or medication information stored on a family member’s profile for the account holder’s own reference). This information is only displayed within the account holder’s own household and is not used for any other purpose.

Do we collect any information from third parties? If you connect a third-party calendar service (Google, Microsoft, or Apple), we exchange calendar data with that service. We do not purchase personal information from data brokers.

How do we process your information? We process your information to provide, improve, and administer our Services, to communicate with you, to detect and prevent fraud and unauthorized access, and to comply with applicable law.

In what situations and with which parties do we share personal information? We share personal information with a limited set of service providers (hosting, email delivery, payment processing, and connected calendar services) and in specific legal situations described below. We do not sell personal information.

How do we keep your information safe? We have organizational and technical processes in place to protect your personal information. However, no electronic transmission over the internet can be guaranteed to be 100% secure.

What are your rights? Depending on where you are located, applicable privacy law may give you certain rights regarding your personal information, including the right to access, correct, delete, or obtain a copy of it.

How do you exercise your rights? The easiest way is by contacting us at [email protected].

Table of Contents

  1. What Information Do We Collect?
  2. How Do We Process Your Information?
  3. What Legal Bases Do We Rely On to Process Your Personal Information?
  4. When and With Whom Do We Share Your Personal Information?
  5. Do We Use Cookies and Other Tracking Technologies?
  6. How Long Do We Keep Your Information?
  7. How Do We Keep Your Information Safe?
  8. Information About Children and Other Household Members
  9. What Are Your Privacy Rights?
  10. Controls for Do-Not-Track Features
  11. Do United States Residents Have Specific Privacy Rights?
  12. Do We Make Updates to This Notice?
  13. How Can You Contact Us About This Notice?
  14. How Can You Review, Update, or Delete the Data We Collect From You?

1. What Information Do We Collect?

Personal information you disclose to us

We collect personal information that you voluntarily provide to us when you register for the Services, express interest in our products, participate in activities on the Services, or contact us.

Account information. When you create an account, we collect your name, email address, and password.

Household information. As part of using the Services, you may enter information about members of your household. This is a core feature of Poppycal: the product is designed to help one account holder (typically a parent or guardian) manage a shared household calendar and related information. Household information you may enter includes:

  • Names and profile details of household members, including children in your care
  • Dates of birth (used to display ages and to power age-appropriate features such as chore suggestions)
  • Optional profile notes, which may include limited health-related information such as allergies or medications that you choose to record for your own reference
  • Photos you upload for profile images or for display in the family photo screensaver
  • Tasks, chores, routines, meal plans, grocery lists, calendar events, and homeschool records that you create or assign

All household information is entered by the account holder. Children and other household members do not create or hold accounts, do not log in, and do not interact with Poppycal directly. The account holder is responsible for the accuracy of the information they enter and for having the authority to enter it.

Payment data. We collect the data necessary to process your payment, such as your payment instrument number and associated security code. All payment data is handled and stored by Stripe. You may review Stripe’s privacy notice at https://stripe.com/privacy. We do not store full payment card details on our own systems.

Information automatically collected

We automatically collect certain information when you visit, use, or navigate the Services. This information generally does not reveal your specific identity on its own but may include device and usage information.

Log and usage data. Our servers automatically collect service-related, diagnostic, usage, and performance information when you access or use our Services. This includes your IP address, browser type and version, device characteristics, operating system, language preferences, referring URLs, pages viewed, and the dates and times of your requests.

Login and security metadata. Each time you successfully sign in to your account, we record the date and time of the login, the IP address from which the login originated, and a description of the device and browser used. We store this information on your account for security purposes, including to detect suspicious login activity, to help you recognize unfamiliar sign-ins, to respond to security incidents, and to protect your account and our Services from unauthorized access.

Location data. We may infer approximate location from your IP address for security and service-delivery purposes. We do not collect precise device location.

Cookies and similar technologies. We use cookies and similar technologies as described in Section 5.

Information received from connected services

If you choose to connect a third-party calendar service (currently Google Calendar, Microsoft Outlook, or Apple iCloud), we exchange calendar data with that service on your behalf. This is a bidirectional sync: events that exist in the connected calendar can be displayed in Poppycal, and events you create or modify in Poppycal can be written back to the connected calendar. We only access the calendar data you authorize when you connect the service, and you can disconnect at any time from your account settings.

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

2. How Do We Process Your Information?

We process your personal information for the following purposes:

  • To provide and operate the Services. Creating and managing your account, displaying and syncing your household’s calendar, storing the tasks, meals, groceries, and other information you enter, and delivering the core features of Poppycal.
  • To communicate with you. Sending transactional messages (such as password resets, account notifications, and billing receipts), responding to your requests, and (where you have not opted out) sending product updates and marketing communications.
  • To process payments. Through our payment processor, Stripe.
  • To secure our Services and prevent fraud. Detecting and preventing unauthorized access, suspicious login activity, abuse of the Services, and other security threats. This includes our use of login and security metadata described in Section 1.
  • To improve the Services. Understanding how the Services are used in aggregate and diagnosing performance issues and bugs.
  • To comply with legal obligations. Responding to lawful requests, enforcing our terms, and complying with applicable law.
  • To protect vital interests. In exceptional circumstances, to protect the vital interests of a user or another person.

3. What Legal Bases Do We Rely On to Process Your Personal Information?

We only process your personal information when we believe it is necessary and we have a valid legal reason to do so under applicable law.

If you are located in the EU or UK, we rely on the following legal bases:

  • Consent. Where you have given us permission to process your information for a specific purpose. You may withdraw your consent at any time.
  • Performance of a contract. Where processing is necessary to deliver the Services you have signed up for.
  • Legitimate interests. Where processing is necessary for our legitimate interests (such as securing our Services against unauthorized access, including through the login and security metadata described in Section 1, preventing fraud, and improving our product), and those interests are not overridden by your rights.
  • Legal obligations. Where processing is necessary to comply with applicable law.
  • Vital interests. Where processing is necessary to protect your vital interests or those of another person.

If you are located in Canada, we may process your information with your express or implied consent, or in exceptional cases permitted by applicable law without consent.

4. When and With Whom Do We Share Your Personal Information?

We share personal information with the following categories of recipients:

Service providers (processors). We share personal information with third-party vendors that help us operate the Services. Each of these providers is contractually obligated to process personal information only on our instructions. Our current providers include:

  • Stripe: payment processing. When you subscribe, Stripe receives and processes your payment information on our behalf.
  • Resend: email delivery. When we send you transactional messages (password resets, notifications, receipts) or any marketing emails you have not opted out of, Resend processes your email address and the contents of those messages in order to deliver them.
  • Railway: cloud hosting infrastructure. Our application and database are hosted on Railway, which means personal information you provide to us is stored on infrastructure operated by Railway on our behalf.
  • Cloudflare: DNS, content delivery, and network security. Cloudflare handles traffic to and from our website and application and may process IP addresses and request metadata as part of delivering the Services.

Connected calendar services. If you choose to connect a third-party calendar, we exchange calendar data with that service at your direction:

  • Google (Google Calendar): bidirectional sync of calendar events
  • Microsoft (Outlook Calendar): bidirectional sync of calendar events
  • Apple (iCloud Calendar): bidirectional sync of calendar events

Connecting a calendar is optional. You control which service, if any, is connected to your account, and you can disconnect at any time.

Legal and safety disclosures. We may disclose personal information where required to do so by law or legal process, to respond to lawful requests from public authorities, to enforce our terms, or where we believe in good faith that disclosure is necessary to protect our rights, the safety of our users, or the safety of others.

Business transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.

We do not sell personal information, and we do not share personal information with third parties for their own independent advertising or marketing purposes.

5. Do We Use Cookies and Other Tracking Technologies?

We use cookies and similar tracking technologies to maintain the security of the Services, to keep you signed in, to save your preferences, and to support basic site functions. We may also use cookies and similar technologies for analytics to understand how the Services are used in aggregate.

You can set your browser to refuse cookies or to alert you when cookies are being sent. If you do so, some parts of the Services may not function properly. Specific information about how we use such technologies is set out in our Cookie Notice.

6. How Long Do We Keep Your Information?

We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Notice, unless a longer retention period is required or permitted by law (for example, for tax, accounting, or other legal requirements).

In general, we retain your account information and the household data you have entered for as long as you maintain an active account with us. When you delete your account, we will delete or anonymize your personal information within a reasonable period, except where we are required to retain it to comply with legal obligations, resolve disputes, or enforce our agreements. Login and security metadata is retained only for as long as it is useful for its security purpose and is then deleted or overwritten.

7. How Do We Keep Your Information Safe?

We have implemented appropriate technical and organizational security measures designed to protect the security of any personal information we process. These include encrypted transmission of data in transit, access controls, secure password hashing, and monitoring for suspicious activity. However, no electronic transmission over the internet or method of electronic storage can be guaranteed to be 100% secure. You are responsible for choosing a strong password and keeping your account credentials confidential.

8. Information About Children and Other Household Members

Poppycal is a service intended for adults. Account holders must be at least 18 years of age. We do not allow children to create accounts, we do not direct our marketing to children, and we do not knowingly permit children to sign up for or log in to the Services.

However, Poppycal is, by design, a tool that helps an adult account holder manage information about the members of their household. As part of ordinary use of the Services, an account holder may voluntarily enter information about other members of their household, including minor children in their care. This may include the child’s name, date of birth, profile photo, and optional notes such as allergy or medication information that the account holder chooses to record for their own reference. Account holders may also assign tasks, chores, and routines to household members and log activities such as homeschool hours.

Children do not create accounts, do not log in, do not provide information to Poppycal directly, and do not interact with the Services. All information about a child in Poppycal is entered by their parent or guardian, who is solely responsible for deciding what information to enter and for having the authority to enter it.

COPPA and parental control

The U.S. Children’s Online Privacy Protection Act (“COPPA”) regulates the online collection of personal information from children under 13 by operators of websites and online services that are directed to children or that have actual knowledge that they are collecting information from children. Poppycal is not directed to children, does not offer child-facing accounts or features, and does not knowingly collect personal information from children directly. When an account holder enters information about a child in their household, the account holder (as the child’s parent or legal guardian) is the party providing that information and controlling how it is used within their own household’s private account. We process that information solely on the account holder’s behalf, to provide the features they have asked us to provide.

Parental rights

If you are a parent or guardian and you have entered information about a child into your Poppycal account, you may review, correct, or delete that information at any time through your account settings. You may also delete your entire account, which will delete the household data you have entered. If you have questions about how information about a child in your household is handled, please contact us at [email protected].

Accounts created by minors

If we become aware that a person under 18 has created an account for themselves (as distinct from being added to a parent’s household as a household member), we will deactivate the account and delete the associated information. If you believe a minor has created an account, please contact us at [email protected].

9. What Are Your Privacy Rights?

Depending on your location, you may have rights that give you greater access to and control over your personal information. In some regions (including the EEA, UK, Switzerland, and Canada), these may include the right to:

  • Request access to and obtain a copy of your personal information
  • Request correction or erasure of your personal information
  • Restrict the processing of your personal information
  • Data portability, where applicable
  • Object to the processing of your personal information
  • If processing is based on consent, withdraw that consent at any time

You may exercise these rights by contacting us at [email protected]. If you are located in the EEA or UK and you believe we are unlawfully processing your personal information, you also have the right to complain to your local data protection supervisory authority.

Withdrawing your consent

If we are relying on your consent to process your personal information, you have the right to withdraw that consent at any time by contacting us or updating your preferences. Withdrawal will not affect the lawfulness of any processing carried out before withdrawal.

Opting out of marketing communications

You can unsubscribe from our marketing communications at any time by clicking the unsubscribe link in our emails or by contacting us. We may still send you service-related messages (such as billing receipts, security alerts, and important account notifications) that are necessary to provide the Services.

Account information

You may review or change the information in your account at any time by logging into your account settings. On request, we will deactivate or delete your account and the household information you have entered, subject to any legal retention requirements.

10. Controls for Do-Not-Track Features

Most web browsers include a Do-Not-Track (“DNT”) feature you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. Because no uniform technology standard for recognizing DNT signals has been finalized, we do not currently respond to DNT browser signals. California law requires us to let you know how we respond to these signals. We do not respond to them at this time.

11. Do United States Residents Have Specific Privacy Rights?

If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have specific rights regarding your personal information, including the rights described below.

Categories of personal information we collect

In the past twelve months, we have collected the following categories of personal information:

  • Identifiers: such as name, email address, account username, and IP address.
  • Personal information as defined in the California Customer Records statute: such as name and payment information (processed by Stripe on our behalf).
  • Commercial information: such as records of subscriptions and transactions.
  • Internet or other electronic network activity information: such as device information, browser characteristics, log data, and login metadata.
  • Geolocation data: approximate location inferred from IP address, for security purposes. We do not collect precise device location.
  • Inferences: limited inferences drawn from the information above for the purpose of operating and securing the Services.

We have not collected the following categories in the past twelve months:

  • Protected classification characteristics under California or federal law
  • Biometric information
  • Audio, electronic, visual, thermal, olfactory, or similar information (other than profile photos you voluntarily upload)
  • Professional or employment-related information
  • Education information as defined by FERPA

Sensitive personal information. We do not intentionally solicit sensitive personal information as defined under applicable U.S. state privacy laws. Account holders may voluntarily enter limited health-related notes about members of their own household (for example, allergy or medication notes stored on a profile for the account holder’s own reference). We do not use this information for any purpose other than displaying it within the account holder’s own household, and we do not use it for profiling, targeted advertising, or any inference about the account holder or any household member.

Sources of personal information

We collect personal information directly from you, automatically from your device when you use the Services, and (if you choose to connect a calendar) from Google, Microsoft, or Apple.

How we use and share personal information

We use and share personal information for the purposes described in Sections 2 and 4 of this Privacy Notice. We do not sell personal information, and we do not share personal information for cross-context behavioral advertising. We do not use or share sensitive personal information for purposes other than those permitted under applicable law.

Your rights

Depending on your state of residence, you may have the following rights:

  • Right to know whether we are processing your personal information
  • Right to access your personal information
  • Right to correct inaccuracies in your personal information
  • Right to request deletion of your personal information
  • Right to obtain a copy of the personal information you previously shared with us
  • Right to non-discrimination for exercising your rights
  • Right to opt out of the processing of your personal information for targeted advertising, sale, or profiling in furtherance of decisions that produce legal or similarly significant effects (we do not engage in any of these activities)
  • Right to limit the use and disclosure of sensitive personal information

How to exercise your rights

To exercise these rights, contact us at [email protected]. We will verify your request by confirming you control the email address on the account before taking action. You may also designate an authorized agent to make a request on your behalf, subject to verification.

Appeals

If we decline to take action regarding your request, you may appeal our decision by emailing us at [email protected] with “Privacy Appeal” in the subject line. If your appeal is denied, you may submit a complaint to your state attorney general.

California “Shine The Light” law

California residents may request information about categories of personal information (if any) we disclosed to third parties for their own direct marketing purposes in the preceding calendar year. We do not disclose personal information to third parties for their own direct marketing purposes.

12. Do We Make Updates to This Notice?

We may update this Privacy Notice from time to time. The updated version will be indicated by a revised “Last updated” date at the top of this notice. If we make material changes, we may notify you by posting a prominent notice on the Services or by sending you a direct notification. We encourage you to review this Privacy Notice periodically to stay informed about how we are protecting your information.

13. How Can You Contact Us About This Notice?

If you have questions or comments about this notice, you may email us at [email protected] or contact us by post at:

Poppycal
808 N Glenwood Trail
Southern Pines, NC 28387
United States

14. How Can You Review, Update, or Delete the Data We Collect From You?

You have the right to request access to the personal information we collect from you, details about how we have processed it, corrections to inaccuracies, or deletion of your personal information. You may also have the right to withdraw your consent to our processing of your personal information. These rights may be limited in some circumstances by applicable law. To submit a request, please email us at [email protected].