1. Scope and Applicability
This Privacy Policy applies to information collected through:
- The MapMyMilk mobile application
- The MapMyMilk website
- Related services and communications
The Service is intended solely for use by adults. Parents and legal guardians may enter information about their children as described below.
2. Information We Collect
A. Information You Provide Directly
Account Information (Required)
When you create an account, we may collect:
- Email address
- Encrypted authentication credentials
- Profile information you voluntarily provide
Creating an account is required to access and use the Service.
Child-Related Health and Tracking Data
To provide the Service, we collect information entered by you about your child, including:
- Food and feeding logs
- Symptom observations and severity indicators
- Notes, custom tags, and observations
- Photos you choose to upload
This information may constitute sensitive personal data, including health-related data concerning a child.
You represent and warrant that you are the child’s parent or legal guardian, or otherwise have legal authority to provide this information.
B. Information Collected Automatically
When you use the Service, we may automatically collect:
- Device type, operating system, and app version
- IP address and general location (e.g., country or region)
- Usage activity, feature interactions, and session data
- Error logs and performance metrics
We use cookies, SDKs, and similar technologies for essential functionality, analytics, and service improvement. Where required by law, you may manage or opt out of non-essential technologies through your device or browser settings.
C. Payment Information
Payment information is processed directly by third-party payment providers (such as Stripe, Apple, RevenueCat). We do not store full payment card details.
3. How We Use Information
We use information collected to:
- Provide, operate, and maintain the Service
- Process and display user-directed logs and visualizations
- Sync data across devices via secure accounts
- Analyze usage trends to improve functionality and reliability
- Analyze anonymized, de-identified feeding and symptom patterns in partnership with third-party researchers, to identify statistical trends and improve the Service
- Provide customer support and respond to inquiries
- Process subscriptions and payments
- Send service-related communications
- Comply with legal obligations
- Protect the security and integrity of the Service
All processing of child-related health data occurs solely at your direction and for informational self-tracking purposes only.
4. Legal Bases for Processing (GDPR)
For users in the European Economic Area, United Kingdom, or Switzerland, we process personal data under the following legal bases:
- Consent (for health-related and child data)
- Performance of a contract (to provide the Service)
- Legitimate interests (service improvement, security, fraud prevention)
- Legal obligation (compliance with applicable laws)
Where processing is based on consent, you may withdraw consent at any time by sending an email to privacy@celroselabs.com with the subject line "Consent Withdrawal".
5. Data Sharing and Disclosure
We do not sell personal information.
We may disclose information only in the following circumstances:
A. Service Providers
We share information with trusted vendors who process data on our behalf under contractual confidentiality obligations, including:
- Supabase (authentication and data storage)
- Stripe, Apple, RevenueCat (payment processing)
- Google Analytics, Netlify (usage measurement and performance)
- McGeeney Consulting Partners (statistical research and advanced data analysis)
We use third-party analytics providers, including McGeeney Consulting Partners, to perform statistical analysis on anonymized data. These providers are contractually restricted from re-identifying data or using it for their own purposes.
B. Legal and Safety Obligations
We may disclose information if required to comply with law, court orders, or lawful government requests, or to protect the rights, safety, and property of users or Celrose Labs.
C. Business Transfers
If Celrose Labs is involved in a merger, acquisition, or asset sale, user information may be transferred as part of that transaction, subject to this Privacy Policy.
D. Aggregated or De-Identified Data
We use and share aggregated, de-identified, anonymized feeding and symptom patterns with research partners to improve the understanding of infant food sensitivities. This data cannot reasonably identify any individual.
6. Data Retention
We retain your information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy. The table below details our retention periods and the methods used to dispose of data once it is no longer required.
| Data Category | Retention Period | Deletion or Anonymization Method |
|---|---|---|
| Account Information (Email, Auth credentials) | For the duration of your active account. | Permanent Erasure: Deleted from our primary database (Supabase) within 7 days of account deletion. |
| Child Health & Tracking Data (Logs, Symptoms, Notes) | Until deleted by the user or account deletion. | Hard Deletion: All specific logs are purged within 7 days of account deletion. If data is retained for research, it is Irreversibly Anonymized (all identifiers removed). |
| Uploaded Photos | Until deleted by the user or account deletion. | Digital Shredding: Files are permanently deleted from our secure storage buckets. |
| Analytics & Usage Data (App interactions, MCP data) | Up to 36 months from the date of collection. | Aggregation: Individual session data is stripped of personal identifiers and moved into aggregated trend reports. |
| Support Communications (Emails to support, privacy, or legal) | Up to 36 months after the last interaction. | Archival Deletion: Support tickets and emails are purged from our service desk history. |
| Financial Records (Stripe, Apple Pay, RevenueCat transaction history) | Generally 7 years, as required by tax and financial regulations. | Secure Archival: Records are restricted to authorized financial personnel until the statutory period ends. |
A. User-Initiated Deletion
You may delete specific logs or your entire account at any time through the Settings menu in the MapMyMilk app. Once you confirm deletion, the data is removed from our active production servers. Please note that some data may persist in our encrypted backups for up to an additional 30 days before being completely overwritten.
B. De-identification for Research
In some instances, we may "anonymize" health data—meaning we remove all links to your identity (name, email, child’s name)—to analyze broader trends in infant food intolerances. Once data is truly anonymized, it is no longer considered "personal data" and may be kept indefinitely for the purpose of improving breastfeeding support outcomes.
Upon account deletion, personal and child-related data is deleted or de-identified, subject to legal retention requirements.
7. Your Rights and Choices
Depending on your location (such as the EU/UK or specific US states like California), you have specific rights regarding your personal information. We provide the same high standard of data control to all users, regardless of location.
A. Description of Rights
- Access and Portability: You may request a copy of the personal data we hold about you, including your food logs and symptom history, in a structured, machine-readable format.
- Correction: You have the right to request that we correct inaccurate or incomplete information.
- Deletion (Right to be Forgotten): You may request that we delete your account and all associated personal data.
- Restriction and Objection: You may object to the processing of your data for research or analytics purposes.
- Withdrawal of Consent: Where you have provided consent for specific data processing (such as health-related tracking), you may withdraw that consent at any time.
B. How to Exercise Your Rights
To submit a request, please contact us via email at privacy@celroselabs.com.
To protect your privacy and the security of your child’s data, we must verify your identity before fulfilling your request.
Verification Process: We verify requests by requiring you to contact us from the email address associated with your MapMyMilk account. We may ask for additional confirmation through the app interface to ensure you are the authorized account holder.
Authorized Agents: If you are using an authorized agent to submit a request (available in certain US states), we require written proof of your permission and will verify your identity directly.
C. Response Timelines and Appeals
Timelines: We will acknowledge your request within 10 business days. We aim to provide a substantive response or fulfill the request within 30 days (for GDPR compliance) or 45 days (for US State laws). If we require an extension (up to an additional 45 days), we will notify you of the reason in writing.
Appeals: If we decline to take action on a request, you have the right to appeal our decision. Please email us with the subject line "Privacy Rights Appeal." If your appeal is denied and you are a resident of a state with applicable privacy laws, you may contact your state Attorney General.
D. Non-Discrimination
We will not discriminate against you for exercising any of your privacy rights. We will not deny you services, charge different prices, or provide a different level of quality because you made a rights request.
8. Children’s Data and Parental Rights
The Service is not intended for use by children, but it allows parents and legal guardians to enter information about their children.
We do not knowingly allow minors to create accounts or collect personal information directly from children.
All child-related data is provided by parents or guardians, is processed only with parental authorization, and is treated as sensitive personal data. All data relating to children is processed in anonymized form. Parents or legal guardians may request access to, correction of, or deletion of child-related information at any time.
9. Data Security
We implement commercially reasonable administrative, technical, and organizational safeguards designed to protect information against unauthorized access, loss, misuse, or alteration, including:
- Encryption in transit and at rest
- Access controls and authentication mechanisms
- Ongoing monitoring and security reviews
No system can be guaranteed 100% secure. In the event of a data breach, we will notify affected users and authorities as required by law.
10. International Data Transfers
Celrose Labs is based in the United States. If you access the Service from outside the U.S., your information may be transferred to and processed in the United States or other jurisdictions with different data protection laws.
Where required, we use appropriate safeguards to protect international transfers.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When changes are material, we will provide notice through the Service or by other appropriate means and update the “Last Updated” date.
Your continued use of the Service after changes become effective constitutes acceptance of the revised Policy.
12. Contact Information
If you have questions or concerns about this Privacy Policy or our data practices, contact us at:
Celrose Labs LLC
971 US Highway 202N, #5775
Branchburg, NJ, 08876
Email: privacy@celroselabs.com