1. Data controller

POPPY is owned and operated by:

POPPY ApS
CVR no.: DK46004116
Email: support@poppyapp.dk

We are the data controller for the information we process about you.

2. What information do we collect?

When you use POPPY, we only collect the information necessary to provide and improve the app. This includes:

Profile information — e.g. name, email, gender, and date of birth.
Your child’s information — e.g. the child’s name, gender, and date of birth. This information is used solely to match you with relevant groups and is only shown to users you are matched with.
Location information — e.g. street name, postal code, and country, used to find groups in your area. This information is never shown to other users.
Usage data — information about how you use POPPY, e.g. logins, clicks, and group participation.
Technical information — e.g. IP address, device type, operating system, and app version.
Communication — e.g. messages you send in the app and inquiries to our support.

We do not collect sensitive health information without your explicit consent.

3. Purposes of processing

We use your information to:

create and maintain your account,
match you with relevant groups,
enable communication with other users,
send notifications and service messages,
analyze usage of POPPY and improve the experience,
ensure operations, security, and prevention of misuse.

4. Legal basis (GDPR Art. 6)

We only process your data when we have a lawful basis, including:

Consent — e.g. when you allow push notifications or location data.
Contract — to deliver the app to you once you have created an account.
Legitimate interests — e.g. to improve POPPY, prevent misuse, or produce statistics.
Legal obligation — where we are required by law to store data.

5. Sharing with third parties

We only share your information with:

Hosting and operations (Hetzner, AWS),
Analytics and error reporting (PostHog, Sentry),
Notification and email services (Pusher).

All vendors act as data processors and are covered by data processing agreements (DPAs) to ensure your data is protected.

We never sell your personal data.

6. Transfers to third countries

If your data is transferred outside the EU/EEA (e.g. to the US via cloud providers), we ensure a valid transfer mechanism, typically using the EU Standard Contractual Clauses (SCCs).

7. Retention period

We only store your information as long as necessary for the purposes it was collected for.

Your account and associated data are deleted when you request it or after 12 months of inactivity.
Legally required data is retained in accordance with applicable rules.

8. Your rights

As a user, you have the right to:

access the personal data we hold about you,
have inaccurate information corrected,
have your data deleted (“right to be forgotten”),
receive your data in a structured format (data portability),
object to our processing,
withdraw your consent (e.g. for notifications or location).

Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

To exercise your rights, contact us at support@poppyapp.dk.

9. Data security

We protect your information through technical and organizational measures, including:

encryption of data in transit and at rest,
access controls,
ongoing monitoring for misuse and security breaches.

10. Right to complain

If you disagree with how we process your information, you have the right to complain to:

Datatilsynet
Carl Jacobsens Vej 35, 2500 Valby
Email: dt@datatilsynet.dk
Website: www.datatilsynet.dk

11. Changes

We may continuously change this privacy policy. For material changes, we will notify you in the app or by email.

Privacy policy