Privacy Notice — LittleLeaps Waitlist
- Version
- v1.1
- Effective date
- Published at
/privacy
This notice explains how LittleLeaps collects, uses, and protects your personal data when you join the LittleLeaps waitlist. Please read it before signing up.
1. Who We Are
LittleLeaps is operated by Shwet Solanki as a sole proprietor, trading under the name “LittleLeaps.” There is no incorporated legal entity at this time.
For the purposes of India's Digital Personal Data Protection Act 2023 (DPDPA), Shwet Solanki is the Data Fiduciary. You, as the person signing up, are the Data Principal.
Grievance contact: shwetsolanki@gmail.com
Response SLA: 45 days from the date of your request.
Note on future incorporation. If LittleLeaps incorporates as a company, we will publish an updated version of this notice naming the entity as the new Data Fiduciary, and we will send you a transactional notification email with a link to the updated notice. Your existing consent will not need to be reissued unless we change the purposes for which we use your data. New signups from the date of incorporation will capture the updated consent version.
2. What We Collect
The table below lists every field stored when you join the waitlist, and why we store it.
| Field | Why we collect it |
|---|---|
email | To send you a confirmation link and, once confirmed, launch updates from LittleLeaps. |
age_stages | Optional. If you tell us which child age stage(s) you care about, we use this to send you more relevant content teasers before launch. |
country_code | Auto-detected from your IP address, and user-editable. Used to prioritise content relevant to your region and to calibrate pricing for Indian vs. diaspora users. |
locale | Your language/region setting (e.g. en-IN). Stored for forward-compatibility with multilingual content in Phase 2. |
consent_version | The version of this privacy notice you agreed to at the time of signup. Required as legal evidence under DPDPA § 6. |
consent_at | The exact timestamp when you gave consent (when you ticked the consent checkbox and submitted the form). This is your legal consent record. |
ip_hash | A one-way hash of your IP address (SHA-256 with a secret salt that is never stored in the database). Used only to detect and block abusive or automated signup patterns. Not used to identify or track you. |
user_agent | Your browser and device type, collected at signup. Retained only for abuse triage if needed. Not used to profile you. |
source | Which page or surface you signed up from (e.g. landing, blog). Used for internal analytics on where interest is coming from. |
utm_source, utm_medium, utm_campaign | Standard marketing attribution fields, populated only if you arrive via a tracked link (e.g. from an Instagram post or newsletter). Used to understand which channels are driving waitlist signups. Never shared with the source channel. |
created_at | Timestamp of your signup row being created. Standard audit field. |
confirmed_at | Timestamp of when you clicked the confirmation link in your email. Marks your signup as verified. |
unsubscribed_at | Timestamp of when you unsubscribed, if you do. Acts as a soft marker that stops us emailing you. |
confirmation_token_hash, confirmation_token_expires_at, unsubscribe_token_hash | Short-lived security tokens used to verify your email address and process unsubscribe requests. Each token exists only as a cryptographic hash (HMAC-SHA-256) on our side — the raw token is never stored. Confirmation tokens expire after 24 hours; unsubscribe tokens are single-use. They carry no personal information beyond the link back to your signup row. |
stash_token_hash, stash_token_expires_at | A short-lived token that lets you optionally add your child's age stage(s) within 30 minutes of signing up. It exists only as a cryptographic hash on our side — the raw token is never stored in the database, and it is only ever returned to your browser once, immediately after signup, as a temporary in-memory string. It is automatically invalidated as soon as you use it, or after 30 minutes, whichever comes first. It carries no personal information. |
We do not collect your name, phone number, or any data about your child directly. LittleLeaps emails go to parents and caregivers, not to children.
3. How We Use Your Data
What we use your data for:
- Sending you a one-time email confirmation link so we can verify your email address (double opt-in, required for GDPR compliance and email deliverability).
- Sending you launch notifications when LittleLeaps goes live.
- Segmenting content teasers before launch so that, if you told us which age stage you care about, the emails we send you are relevant to your child's stage.
- Detecting and blocking abuse and automated signups (IP hash, user agent).
- Understanding which marketing channels are driving signups (UTM fields, source field) so we can allocate our pre-launch effort sensibly.
What we do not do:
- We do not sell, rent, or share your personal data with third parties for their own use.
- We do not use cross-site tracking cookies or advertising pixels on the waitlist form or confirmation flow. Phase 1 has no advertising pixel of any kind.
- We do not use your data for any purpose beyond those listed above.
- We do not process data about your child. Age stages are a content preference you set about yourself, not data about your child.
4. Who We Share Your Data With
We use the following third-party service providers (processors) to operate the waitlist. Each has signed a Data Processing Agreement (DPA) with Shwet Solanki in a personal capacity.
| Processor | What they process | Location |
|---|---|---|
| Supabase | Stores the waitlist_signups table and runs the Edge Functions that handle signup, confirmation, and unsubscribe. | Primary region: ap-south-1 (Mumbai, India). |
| Vercel | Hosts the LittleLeaps website and Next.js application. Receives page requests and serves the landing page. | Edge network globally; origin compute in a Vercel-managed region. |
| Resend | Sends transactional emails (confirmation email, and future launch notifications). Receives your email address and the content of the email being sent. | United States. A DPA and Standard Contractual Clauses (SCCs) cover this transfer where required by law. |
We do not use any other processor for the waitlist in Phase 1. If we add one, this notice will be updated before they receive any data.
5. How Long We Keep Your Data
| Scenario | Retention |
|---|---|
| You signed up but never clicked the confirmation link. | Your row is automatically deleted after 7 days. A daily automated job runs this deletion, and the deletion count is audit-logged. |
| You confirmed your email. | Your data is retained until the LittleLeaps public launch date plus 2 years, at which point we will review whether continued retention is necessary. If we conclude it is not, we will delete it. |
| You unsubscribed. | Your unsubscribed_at timestamp is set and we stop emailing you immediately. Your row is retained for the same period as confirmed signups (for audit and abuse-prevention purposes), but you will receive no further marketing emails. |
| You submit a Data Subject Request (DSR) for erasure. | We will hard-delete or anonymize your row within 45 days of your request. |
6. Your Rights as a Data Principal (DPDPA § 11)
Under the Digital Personal Data Protection Act 2023, you have the following rights. To exercise any of them, email shwetsolanki@gmail.com with the subject line “Data Request — LittleLeaps”. We will respond within 45 days.
- Access — ask us to tell you what personal data we hold about you and provide a copy.
- Correction — ask us to correct inaccurate or incomplete data.
- Erasure — ask us to delete your personal data. We will do so within 45 days unless we have a legal obligation to retain it.
- Withdrawal of consent — withdraw your consent to receive emails at any time. Withdrawal does not affect the lawfulness of any processing carried out before withdrawal.
- Grievance — raise a formal grievance if you believe we have handled your data unlawfully.
Translation. Under DPDPA § 6(3), you have the right to request that this notice be provided in any language listed in the Eighth Schedule to the Constitution of India. Email the grievance contact with the language you need.
7. Grievance Officer
As required under DPDPA, our grievance officer details are:
Name: Shwet Solanki
Email: shwetsolanki@gmail.com
Response SLA: 45 days from receipt of your complaint or request.
This contact is also the grievance mechanism for users in the EU/UK (GDPR Article 77 complaint route), California (CCPA), Canada (PIPEDA), and Australia (Privacy Act 1988). For formal regulatory complaints, you may also contact your local data protection authority.
8. Lawful Basis for Processing
Our lawful basis for processing your personal data is your explicit consent, given at the time you ticked the consent checkbox and submitted the waitlist form.
We record the consent version (consent_version) and the exact timestamp (consent_at) for every signup as legally required evidence under DPDPA § 6 and GDPR Article 7.
You can withdraw your consent at any time by unsubscribing via the link in any email from us, or by emailing the grievance contact above.
9. Cross-Border Data Transfers and Data Residency
Primary storage: Your data is stored in Supabase's ap-south-1 region (Mumbai, India).
Users based in India: Your data stays in India. No cross-border transfer occurs.
Diaspora users: Your data is stored in ap-south-1 (India). This means your personal data is transferred from your country of residence to India when you sign up.
- EU/EEA or UK: Covered by Standard Contractual Clauses (SCCs) with each processor, supplemented by a Transfer Impact Assessment.
- California (US): Transfer disclosed; CCPA/CPRA rights apply.
- Canada: Transfer disclosed under PIPEDA; PIPEDA rights apply.
- Australia: Transfer disclosed under the Australian Privacy Act 1988.
Resend (email provider): US-based. DPA and SCCs cover the transfer of your email address when we send you transactional mail.
DPDPA § 16: No restricted-country list has been published as of the effective date. We will update this notice promptly if restrictions affect LittleLeaps users.
10. Cookies, Pixels, and Tracking
What we set:
| Technology | Purpose | Duration |
|---|---|---|
| CSRF session token | Protects the waitlist form submission from cross-site request forgery. Set as an HttpOnly, Secure, SameSite=Strict cookie by the Next.js server. | Session (cleared when you close your browser tab). |
| Vercel Analytics (first-party, if enabled) | Measures page performance and visitor counts. Does not use third-party tracking cookies. | See Vercel's privacy documentation. |
What we do not set in Phase 1:
- No advertising pixels (Meta Pixel, Google Ads tag, or similar).
- No cross-site tracking cookies.
- No third-party analytics (e.g. Google Analytics).
UK diaspora users (PECR): The CSRF cookie is strictly necessary for the security of the form and does not require consent under the Privacy and Electronic Communications Regulations (PECR).
IP geolocation: We auto-detect your country from your IP address at the time of form submission to pre-fill the country field. This is a one-time lookup at signup; we do not track your IP address over time, and we store only a salted hash of it for abuse-prevention purposes.
11. Consent Version and History
This notice is version v1.1, effective .
Every signup row in our database records the consent_version field, which identifies the version of this notice the user agreed to at the time of signup. If we update this notice in a material way, we will publish a new dated version, archive the previous version so it remains accessible, and notify existing confirmed signups by email if the change affects the purposes for which we process their data.
Previous versions: None. This is the first published version.