Privacy Policy

Piccolo is a family organization app published by Ctrl Software Labs, LLC (“we,” “us,” or “Piccolo”). This Privacy Policy explains what information we collect from parents and guardians who use Piccolo, how we handle data about their children, and the rights you have under applicable privacy laws including the Children’s Online Privacy Protection Act (COPPA), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and, where applicable, the EU and UK General Data Protection Regulation (GDPR / UK GDPR).

For the purposes of GDPR and similar frameworks, Ctrl Software Labs, LLC is the data controller of personal information processed through Piccolo. For purposes of COPPA, Ctrl Software Labs, LLC is the “operator.” Our contact information appears at the end of this Privacy Policy.

Piccolo collects only the information needed to provide its family organization features, entered by parents or legal guardians. We do not collect data directly from children.

Parent / account information:

• Email address and display name
• Subscription and billing status (via Apple StoreKit)
• Device type and iOS version (for compatibility and support)
• Consent records — timestamps and policy versions for your parental consent and AI-feature consent

Information parents add about their children:

• First name, nickname, date of birth, and optional photo
• School name, grade, teacher name (optional)
• Allergies, blood type, pediatrician contact, emergency contacts (optional)
• Medicines, dosage schedules, refill information (optional)
• Growth entries, memories, milestones, journal photos (optional)
• Calendar events, chores, shopping lists, meal plans

Because Piccolo collects personal information about children under 13, we comply with COPPA (16 CFR Part 312). Before any children’s information is collected, Piccolo obtains verifiable parental consent through the onboarding flow. You must affirmatively attest that:

• You are 18 years of age or older
• You are the parent or legal guardian of the children you add
• You consent to the categories of collection listed above

Our verification method combines three elements, designed to satisfy the spirit of 16 CFR §312.5:

• In-app parental attestation. You actively tap each consent checkbox during onboarding. Attestations are recorded with a timestamp and policy version and are retained with your account.
• Apple ID account. Piccolo is distributed only through the Apple App Store. Downloading the app requires an Apple ID that Apple itself has age- and payment-verified (or a Family Sharing organizer with a verified account).
• Payment transaction. When you subscribe (after the 7-day free trial), Apple StoreKit processes a payment method on file with Apple. This provides an additional verifiable parental consent signal consistent with §312.5(b)(2)(ii).

For AI features specifically, Piccolo shows a separate parental consent prompt the first time you use any AI feature. This covers the case where minimized data may be sent to a third-party AI provider on devices that do not support Apple Intelligence (see “Artificial Intelligence (AI) Processing” below). You can decline this AI consent and continue using the rest of the app — AI features will simply be disabled for your account.

If we materially change our collection practices or our AI provider, we will re-prompt for fresh consent before continuing to collect or process under the changed terms. You can withdraw consent at any time by deleting your account or by emailing us at the address below (see “Your Rights”).

Your data is stored with the following protections:

• Locally on your device with iOS file-level encryption (data-at-rest protection)
• On our encrypted Supabase backend hosted on Amazon Web Services in the United States
• Transmitted only over TLS 1.2+ with certificate pinning between the app and our servers
• Row-level security ensures each account can only access its own family’s data
• Optional biometric lock (Face ID / Touch ID) adds an additional access layer
• No third-party analytics, advertising, or cross-site-tracking SDKs are integrated into the app

We implement administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These include access controls, encryption in transit and at rest, row-level security policies in our database, least-privilege access for the operator, and periodic review of our infrastructure.

No security program is perfect. If we discover a security breach that affects your personal information, we will notify you without undue delay and, in any event, within the timeframes required by applicable law (including, where applicable, within 72 hours of becoming aware of a breach that poses a risk to the rights and freedoms of natural persons under Article 33 GDPR). Notification will describe the nature of the breach, the categories of information involved, the likely consequences, and the steps we are taking in response.

If you believe your account has been compromised, email us immediately at contact@heypiccolo.com.

You can sign in to Piccolo using either of the following methods:

• Email and password — we store your email address and a salted password hash (never the password itself)
• Sign in with Apple — Apple provides us with a stable user identifier and, if you choose, a proxy email address. Apple does not share your real Apple ID with us.

Authentication is managed by Supabase Auth. We do not share your authentication details with advertisers or any third party other than the providers listed below.

Piccolo uses the following iOS system features with your permission:

• Camera — to capture photos of school flyers for on-device text recognition
• Photo Library — to import images for flyers, child avatars, and memory entries
• Notifications — to send you reminders you’ve configured (medicine doses, events, chores)
• Face ID / Touch ID — optional, to unlock the app locally
• Apple Calendar (EventKit) — optional two-way sync between Piccolo and your Apple Calendar. You choose which calendars to sync, and you can opt out at any time. Events synced to your Apple Calendar may be carried by iCloud under Apple’s privacy policy if you have iCloud enabled.

Each of these requires a system permission prompt that you can grant or deny independently.

Piccolo uses artificial intelligence to power the following features:

• Natural-language event creation (“Add Emma’s soccer practice Tuesday at 4pm”)
• School-flyer parsing — turning text extracted from a flyer image into structured calendar events
• Email event parsing — extracting events from an email you paste into the app
• Natural-language grocery list entry
• Daily family summary — a short digest of today’s events and tasks shown on the home screen
• Meal planning — weekly meal suggestions that respect each child’s allergies
• Chore suggestions — age-appropriate chore ideas

AI runs in one of two modes depending on your device:

• On devices that support Apple Intelligence (iPhone 15 Pro and newer, M-series iPads), AI runs entirely on your device using Apple’s Foundation Models framework. No data leaves your device for AI processing.
• On devices that do not support Apple Intelligence, AI runs through Anthropic, PBC (Claude Haiku 4.5) — our contracted third-party AI sub-processor. Anthropic is bound by a written Data Processing Addendum that prohibits training on your data or using it to improve their models, and requires the same confidentiality and security protections we apply ourselves. Under Anthropic’s standard commercial terms, inputs and outputs are retained for up to seven (7) days for abuse monitoring and then automatically deleted. OpenAI, LLC (GPT-4o-mini) is a possible alternate sub-processor; if we activate it we will update this Privacy Policy and re-prompt for AI consent before the switch takes effect. We will not route requests to any third-party AI provider unless a compliant data-processing agreement is in force between us and that provider at the time of the request.

Separate AI consent. The first time you use any AI feature in Piccolo, we show a separate parental-consent screen that explains the provider, the retention terms, and the data-minimization rules below. You can decline this consent and keep using every non-AI feature of the app; AI features simply stay disabled until you consent. Your AI consent is stored with a timestamp and policy version. If we change providers or materially expand what AI is used for, we re-prompt.

Separately, text recognition (OCR) on school flyer images is always performed on your device using Apple’s Vision framework, regardless of Apple Intelligence support. The original flyer image never leaves your device. Only the OCR’d text (and never the image itself) is handed to the AI layer for structured event extraction.

What we send to the AI provider, per feature:

• Natural-language event creation: the text you type, nothing else
• School-flyer parsing: the OCR’d text from the flyer (the image stays on your device)
• Email event parsing: the text of the email you paste
• Natural-language grocery entry: the text you type
• Daily family summary: your children’s first names, age range, and today’s scheduled item titles and times
• Meal planning: your children’s first names, age ranges, and allergy strings
• Chore suggestions: a single child age range

What we never send to any third-party AI provider, regardless of device: your children’s birthdates, photos, full names, school addresses, home address, pediatrician or doctor contact information, medical records, medication names or dosages, medication schedules, growth metrics, emergency contact names or phone numbers, or the QR-encoded emergency card data. AI features that would otherwise require this information (for example, medication insights, growth analysis, or emergency card generation) are kept on rule-based or on-device-only paths and are not sent to any cloud provider.

You can link a co-parent by generating a 6-character invite code inside the app. The invite code expires after 24 hours and can be shared as a short code or as a link on heypiccolo.com (for example, https://heypiccolo.com/invite/A7F3K9). The invite URL contains only the random code; it does not contain your children’s names, photos, events, medical information, or any other personal data. Linking is completed inside the app after the code is redeemed.

When you link a co-parent account, the following data is shared between the two linked accounts:

• Children’s profiles and schedule items you choose to share
• School events, chores, and medicines marked as shared
• Each co-parent maintains independent completion tracking

You are solely responsible for confirming that the other parent or guardian has the legal right to access the children’s information you share. Piccolo does not verify custody arrangements, parental rights, court orders, or family-court status, and Piccolo makes no representation about the legal propriety of any co-parent link you create. If your jurisdiction or a court order restricts the other parent’s access to a child’s information, you must not share that information through Piccolo. Either party can unlink at any time, which revokes the other party’s access to shared data going forward, but unlinking does not retrieve information the other party has already viewed or retained locally on their own device.

Piccolo uses the following third-party services, each bound by a data-processing agreement:

• Supabase — database, authentication, and sync infrastructure (hosted on AWS)
• Apple — App Store, StoreKit billing, iCloud sync, optional Sign-In

We do not sell, rent, share, or provide your personal data (including any information about your children) to advertisers, data brokers, or AI training datasets.

Piccolo collects a limited amount of usage telemetry to operate pricing experiments and improve the product. This telemetry is stored in our Supabase backend alongside the rest of your account data and is governed by this Privacy Policy.

What we collect:

• Subscription pricing experiment events — which price variant you saw, whether you converted, and which plan you chose
• Product usage events — session start and explicit sign-out, onboarding step completion, AI feature consent decisions (granted or declined), AI feature usage counts, school-flyer parse success and correction rates, co-parent invite sent and accepted, and trial start and conversion events
• Account-level metadata already described under “Information We Collect”

What we do not collect in analytics:

• Your children’s names, birthdates, photos, or medical information
• The contents of events, notes, memories, or messages
• Medication names, dosages, or doctor contact details
• The contents of anything you type into AI features (we record that the feature was used, not what you typed)
• Any third-party advertising identifiers — we do not use the iOS Advertising Identifier (IDFA), request App Tracking Transparency permission, or integrate any ad-attribution SDK

We use analytics solely to improve Piccolo and operate our subscription service. We do not share analytics with advertisers, data brokers, or AI training datasets.

We retain personal information only as long as necessary for the purposes for which it was collected.

Per-category retention:

• Children’s profile data, calendar events, memories, medicines, growth entries, chores, shopping lists, meal plans — retained while your account is active; removed on account deletion
• Account information (email, display name, subscription status) — retained while your account is active; removed on account deletion
• Consent records — retained for the life of your account plus a reasonable period thereafter to evidence compliance with COPPA record-keeping expectations
• Analytics events (price experiments, usage telemetry) — retained for up to 24 months, after which individual events are either deleted or aggregated
• Transactional records required for tax or accounting (subscription invoices, refund records) — retained for as long as required by applicable law, typically up to 7 years
• Encrypted backups — rotated out of our backup systems within 90 days of account deletion

Deletion actions:

• You can delete individual records (children, events, medicines, memories, etc.) at any time from within the app
• You can delete your entire account and all associated data from Settings > Account > Delete Account
• Account deletion removes all local data immediately and server-side active data within 30 days, subject to the retention windows listed above for categories required by law

As the parent or guardian of children whose information is in Piccolo, you have the right to:

• Review the personal information collected about your children at any time (visible throughout the app)
• Refuse to permit further collection or use by deleting a child or closing your account
• Request correction of inaccurate personal information
• Request deletion of your or your children’s personal information
• Receive a copy of your data in a portable, machine-readable format
• Withdraw consent at any time; Piccolo will cease further collection in the services
• Lodge a complaint with a privacy or data-protection supervisory authority in your jurisdiction

To exercise any of these rights, use the in-app controls or email us at contact@heypiccolo.com. We will respond to verifiable requests within the time required by applicable law (typically 30 days, extendable by up to 60 days where permitted). We do not discriminate against users who exercise their rights, and we do not condition Piccolo’s services on the waiver of any right.

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”), provides you with the following rights:

• Right to know what personal information we collect, use, disclose, and retain
• Right to delete personal information we have collected from you, subject to legal exceptions
• Right to correct inaccurate personal information
• Right to data portability
• Right to opt out of the “sale” or “sharing” of your personal information
• Right to limit the use and disclosure of “Sensitive Personal Information”
• Right to non-discrimination for exercising any of these rights

We do not “sell” personal information as that term is defined in the CCPA and we do not “share” personal information for cross-context behavioral advertising. In the preceding twelve (12) months, Piccolo has not sold or shared personal information belonging to any consumer, including any California resident or their children. Because we do not engage in these activities, there is nothing to opt out of.

Piccolo collects categories that qualify as “Sensitive Personal Information” under CPRA, including account log-in credentials, precise geolocation (if any is entered), health information (allergies, medications, growth), and children’s personal information. We use and disclose Sensitive Personal Information only for the limited purposes permitted under CPRA §1798.121 — to provide the services you request, to ensure security and integrity, and to comply with law — and not for additional inference-based profiling. Because our use is already limited to these purposes, no separate “Limit the Use of My Sensitive Personal Information” action is required; however, you may email us at contact@heypiccolo.com to formally record such a request.

Shine the Light (California Civil Code §1798.83): we do not disclose personal information to third parties for their direct marketing purposes.

To exercise any California right, email contact@heypiccolo.com. We will verify your request by matching the email to your account and may ask you to confirm specific account details.

Piccolo’s servers are located in the United States. If you access Piccolo from outside the United States, your personal information will be transferred to, stored in, and processed in the United States, which may not offer the same level of protection as your jurisdiction.

For users located in the European Economic Area, the United Kingdom, or Switzerland:

• Ctrl Software Labs, LLC is the data controller
• Our lawful basis for processing your and your children’s personal information is your consent under Article 6(1)(a) GDPR, and for data concerning health (special category data), your explicit consent under Article 9(2)(a) GDPR
• International transfers to the United States are made under Standard Contractual Clauses with our sub-processors and, where a sub-processor is itself self-certified under the EU–US Data Privacy Framework (including the UK Extension and the Swiss–US DPF), in reliance on that sub-processor’s certification. Piccolo itself is not DPF-self-certified at this time
• You have the rights of access, rectification, erasure, restriction, objection, portability, and withdrawal of consent set out in Articles 15–22 GDPR
• You have the right to lodge a complaint with your national data-protection authority; a list is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en

We do not conduct automated decision-making that produces legal or similarly significant effects about you or your children within the meaning of Article 22 GDPR.

To exercise your GDPR rights, email contact@heypiccolo.com with a description of your request. We will respond within one month, extendable by up to two additional months for complex or numerous requests as permitted by Article 12(3) GDPR.

Piccolo is intended for use by parents and legal guardians. We do not allow children under 13 to create accounts. All accounts must be created by an adult who completes the parental-consent flow described above.

Parents may allow their children to interact with certain features of Piccolo on the parent’s device under the parent’s supervision — for example, a child marking a chore as complete, or viewing their own schedule. These interactions update records the parent has already configured and are limited to interface elements the parent controls. They do not constitute direct collection of personal information from a child under COPPA, and we do not target or market to children.

We apply COPPA’s minimization principle: we collect only the categories of information about children that are reasonably necessary to operate the family-organization features described above. We do not condition a child’s participation on disclosing more information than is reasonably necessary.

If we learn that a child under 13 has provided personal information directly to us without verifiable parental consent (for example, by creating their own account through an attempted bypass), we will delete that information promptly. Parents who believe a child has created an account without consent should email us at contact@heypiccolo.com.

We may update this Privacy Policy as our practices change. For minor, non-material changes (such as clarifying language, adding contact details, or fixing typos) we will update the “Last updated” date above. For material changes (such as new categories of information collected, new third-party sub-processors, or changes that affect how we handle children’s information), we will notify you in-app and require you to affirmatively accept the updated policy before continuing to use the affected features. If the update materially expands the categories of information collected about children, we will obtain fresh verifiable parental consent before collecting under the new terms.

If you have questions about this Privacy Policy, wish to exercise your rights, or have concerns about how your children’s information is handled, contact us at:

For matters specifically involving children’s privacy or COPPA, please include “COPPA inquiry” in your subject line. We aim to respond to all inquiries within 30 days.