24/7 Mom
HomeDemoAboutContactWhat It DoesJoin Waitlist →
Legal

Privacy Policy

24/7 Mom is a personal AI assistant for parents and caregivers, operated by Batoom LLC. This policy explains what data we collect, why, how we use it, and what choices you have.

Effective: June 4, 2026·Last updated: July 8, 2026
On this page
  • Who we are
  • What this policy covers
  • Data we collect
  • How we use each category
  • Google Limited Use
  • Sub-processors
  • Data retention
  • Your rights
  • Consents at onboarding
  • Children’s data
  • Health data
  • Security
  • Where data is stored
  • California privacy rights
  • Future integrations
  • Changes to this policy
  • Contact

Who we are

24/7 Mom is a personal AI assistant for parents and caregivers, operated by Batoom LLC (“we”, “us”, “24/7 Mom”). This policy explains what data we collect when you use the 24/7 Mom mobile app and web demo, why we collect it, how we use and share it, how long we keep it, and what choices you have.

arnav@247mom.ai
Batoom LLC
8 The Green, Suite B
Dover, DE 19901

What this policy covers

This policy covers your use of the 24/7 Mom mobile app (iOS, Android) and the 24/7 Mom web app. It does not cover third-party services you choose to connect (Google, your school’s Canvas/LMS, Instacart, your Crossmint wallet, and health/fitness sources you connect — Apple Health, Oura, WHOOP) — those services have their own privacy policies, which we link to under “Sub-processors” below.

Data we collect

We collect data from three sources: (1) what you tell us when you sign up and onboard, (2) what flows in from third-party services you choose to connect, and (3) what’s generated as you use the app. Each category is listed below.

1. Account data (source: Clerk authentication)

When you create a 24/7 Mom account we receive from Clerk: your email address, your name (from Google profile if you sign in with Google, or as you type it), your Clerk user ID, and authentication state (sign-in events, session tokens). We do not receive your Google password.

2. Onboarding & household data (source: you, in the app)

During onboarding and in Settings you can provide: your name, mailing/shipping address, household composition (spouse/partner name and food preferences if you choose to add a partner), and information about your children (names, ages, sizes, allergies, food preferences, school information). You provide this data on behalf of your household members; see “Children’s data” below.

3. Connected Google data (source: your Google account, with your consent)

If you connect Google in Settings, we request the following OAuth scopes. Each is requested only to power a specific user-facing feature:

ScopeWhat we read/writeFeature this powers
gmail.modifyRead messages and bodies; create drafts; send replies you’ve approved; add/remove labels; archive — all on your own mailbox. We do not permanently delete mail.Background email pipeline that extracts events, school notices, and reminders for the Today tab/Morning Brief; agent read, draft, approved-send, label, and archive in chat
calendar.eventsRead, create, update, and delete events on your primary calendarToday tab, Morning Brief, agent-created calendar events, school-extracted events
userinfo.emailYour connected Google account’s email address (and account identifier)Show which Google account is connected in Settings

We request a single Gmail scope, gmail.modify, which covers all of the above. We do not request full-mailbox access (https://mail.google.com/) or any scope that permanently deletes mail. We do not request access to Google Drive, Contacts, YouTube, Photos, Search history, or any other Google product, and we do not request the userinfo.profile scope (we never read your Google profile name, picture, or other profile fields).

4. Connected Canvas/LMS data (source: school portal, per-kid)

If you connect Canvas or another supported LMS provider for a specific child, we receive: course list, assignment titles, due dates, and grades for that child. This is minor data — see “Children’s data” below.

5. In-app generated data

  • Chat messages — what you send the agent and what it replies
  • Agent memory (“gbrain”) — facts the agent learns about your household, stored as a personal knowledge graph in your dedicated server-side workspace
  • Extracted events, reminders, and proactive notes — derived from your email and chat
  • Email reply drafts — proposed replies awaiting your approval
  • Email classifications and skip patterns — short-lived operational signals (retained 90 days) that decide what to surface vs. ignore
  • Sender memory and sender trust — long-running learned context per sender (retained while your account is active)
  • Pantry inventory and shopping history — items you’ve marked in your pantry, your shopping lists, and remembered product preferences
  • Audit logs — every action the agent takes on your behalf in Gmail or Google Calendar
  • Usage events — model and token counts for cost accounting
  • Content reports — if you report an agent message you find objectionable, we store the reported message text and any reason you provide so our team can review it and act on it

6. Device data

When you enable push notifications: your Expo push token and the timezone reported by your device (used to deliver the 7am Morning Brief in your local time).

7. Financial data

When you make a purchase through 24/7 Mom we receive and store: the order details, the merchant (Crossmint, Instacart, etc.), the status, and a record of the transaction. Stablecoin payment records (USDC-on-blockchain transactions handled by Crossmint) include on-chain transaction identifiers. We do not receive or store your credit-card number, bank-account details, or wallet private keys.

8. Connected health & fitness data (source: Apple Health, Oura, or WHOOP — with your explicit consent)

If you connect a health or fitness source in Settings, we read the metrics you authorize — steps and activity, sleep, heart rate and heart-rate variability, and workouts. On iOS this uses Apple HealthKit and is read on-device only after you grant permission for each category in Apple’s system Health prompt; Oura and WHOOP data is read from their APIs using a token you authorize. We use this data solely to show your in-app health trends and to personalize your daily brief. We never use health or fitness data for advertising, and we never share it with third parties for marketing. You can disconnect any source at any time in Settings, and this data is deleted when you disconnect the source or delete your account.

How we use each category

We use your data only to provide and improve user-facing features that are prominent in the 24/7 Mom app. We do not sell your data. We do not use it for advertising. We do not transfer it to third parties for any purpose other than operating the service or as required by law.

CategoryUsed for
Account dataAuthentication, account management, communication about the service
Onboarding/householdPersonalizing the agent’s responses; surfacing kid-relevant content
Google (Gmail/Calendar)Email triage, event extraction, reply drafting, calendar reads/writes — all visible features
Canvas/LMSShowing upcoming assignments and grades to the parent
Chat & memoryContinuing prior conversations; recalling facts you’ve shared
Audit logsShowing you what the agent did; debugging; security investigations
Usage eventsInternal cost accounting (no external sharing)
Push tokenDelivering Morning Brief and other notifications you’ve opted into
FinancialOrder tracking, transaction history, refund/dispute handling
Health & fitness (Apple Health / Oura / WHOOP)In-app health trends dashboard and personalizing your daily brief — never advertising, never shared for marketing
Content reportsReviewing and acting on messages you flag as objectionable

Google API Services User Data Policy — “Limited Use”

Our handling of data obtained from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements reproduced verbatim below:

Limited Use: Your use of data obtained via the product’s specified scopes must comply with the below requirements. These requirements apply to the raw data obtained from the scopes and data aggregated, anonymized, or derived from them.

  • Limit your use of data to providing or improving user-facing features that are prominent in the requesting application’s user interface;
  • Transfers of data are not allowed, except:
    • To provide or improve your appropriate access or user-facing features that are visible and prominent in the requesting application’s user interface and only with the user’s consent;
    • For security purposes (for example, investigating abuse);
    • To comply with applicable laws; or,
    • As part of a merger, acquisition, or sale of assets of the developer after obtaining explicit prior consent from the user.
  • Don’t allow humans to read the data, unless:
    • You first obtained the user’s affirmative agreement to view specific messages, files, or other data, with the limited exception of use cases approved by Google under additional terms applicable to the Nest Device Access program;
    • It is necessary for security purposes (for example, investigating a bug or abuse);
    • It is necessary to comply with applicable law; or
    • The data (including derivations) is aggregated and used for internal operations in accordance with applicable privacy and other jurisdictional legal requirements.

All other transfers, uses, or sales of user data are prohibited, including:

  • Transferring or selling user data to third parties like advertising platforms, data brokers, or any information resellers.
  • Transferring, selling, or using user data for serving ads, including retargeting, personalized or interest-based advertising.
  • Transferring, selling, or using user data to determine credit-worthiness or for lending purposes.

You must ensure that your employees, agents, contractors, and successors comply with this Google API Services User Data Policy.

Sub-processors

We rely on the following sub-processors to operate the service. Each receives only the categories of data necessary for its function.

Sub-processorWhat it receivesPrivacy policy
Clerk (authentication)Email, name, sign-in eventsView
Supabase (database hosting, us-east-1)All non-secret app data (users, kids, messages, events, etc.)View
Hostinger (application server hosting, Boston, US)Runs our API and per-user OpenClaw containers. Encrypted at rest within the server filesystem.View
OpenClaw (per-user agent runtime)Your in-app chat content, agent memory; runs in your dedicated container on our Hostinger VPS.Self-hosted — covered by Hostinger above
Anthropic (Claude LLM inference)The text we send to the model: system prompt with relevant context + your latest messageView
Google (Gmail, Calendar, OAuth)API requests authorized by your OAuth grant; outbound emails you’ve approvedView
Canvas / LMS providerRead-only API calls using the personal access token you providedVaries by provider
Instacart (grocery fulfillment)We hand off a shopping list URL; you transact with Instacart directly via their WebViewView
Crossmint (stablecoin payment processing)Wallet identifier and transaction parameters for purchases you approveView
Oura (health & fitness data source, if you connect it)Sleep, heart-rate/HRV, and activity metrics via the Oura API, using the token you authorizeView
WHOOP (health & fitness data source, if you connect it)Recovery, sleep, and activity metrics via the WHOOP API, using the token you authorizeView
Sentry (error monitoring)Server-side error reports with PII scrubbedView
Expo (push notifications, app distribution)Your Expo push token; push payload contents at send timeView

Data retention

We keep different categories of data for different periods. The windows below are what will apply in the published policy.

CategoryRetention
Account dataUntil you delete your account
Chat messagesRetained until you delete your account
Email classifications and skip patterns90 days
Sender memory and sender trustUntil you delete your account
Email drafts7 days (auto-expired; 90-day backstop)
Gmail audit log90 days
Calendar audit log90 days
Events, ordersEvents: until you delete your account, or 2 years past the event date. Orders: 2 years.
Pantry inventory and shopping historyUntil you delete your account
Morning briefs and proactive notes90 days
Health info you enter manually (allergies, dietary preferences)Until you delete your account or remove the record
Connected health & fitness metrics (Apple Health / Oura / WHOOP)Until you disconnect the source or delete your account
Content reportsUntil you delete your account
Google, LMS, Oura, WHOOP access tokensUntil you disconnect or delete your account
Usage events (model/cost telemetry)12 months

When you delete your account, all of the above categories are removed from our systems within the deletion cascade described under “Your rights” below.

Retention exception for data export requests: If you have requested a data export within the past 30 days, automated retention deletion is paused for your account until that window closes. Account deletion (which removes all your data immediately) is not affected by this exception.

Your rights

You have the right to:

  • Access and export your data — via Settings → Export my data, you can download a machine-readable JSON bundle of every row associated with your account (profile, kids, chat history, events, orders, health metrics, audit logs, etc.). Token and credential fields are stripped from the bundle for safety. This satisfies both your right of access and your right to data portability.
  • Delete your account and all associated data — via Settings → Delete account. The cascade revokes external OAuth tokens (Google), removes your agent container and all of its memory, deletes every database row referencing your account, and deletes your Clerk identity.
  • Correct inaccurate data — edit your profile in Settings, edit kid records, or contact arnav@247mom.ai.
  • Withdraw consent for a connected service at any time — Settings → Disconnect Google / Canvas. Disconnecting revokes the OAuth grant where the provider supports a revoke endpoint and nulls the local credential.

Consents we record at onboarding

When you sign up we record explicit, versioned grants for each of the following. The version is captured alongside the grant so that if the underlying document changes we will re-prompt you for a fresh acknowledgement:

  • Acceptance of these Terms of Service
  • Acknowledgement of this Privacy Policy
  • Your representation that you are 18 years of age or older
  • Parental authority and authorization to provide children’s information — required only if you add one or more children to your household
  • Household-member authorization to provide partner information — required only if you choose to add a partner

These consent records persist while your account is active and are included in any data export you request.

Children’s data

The 24/7 Mom app is designed for and directed to adult parents and caregivers, not children. We do not knowingly collect personal information directly from children under 13. Information about children (names, ages, school data via LMS, schedules) is provided by the account-holding parent or caregiver, who represents that they have legal authority to provide this information. If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will delete that information. Parents can review, request deletion of, or refuse further collection of their children’s information at any time via the in-app account deletion flow or by contacting arnav@247mom.ai.

Health data

24/7 Mom collects health-related information from two sources, both only with your involvement: (1) information you enter yourself during onboarding or in Settings — your children’s allergies and your household’s dietary preferences — which we use to filter agent suggestions (meals, shopping lists, recipes) so they respect your family’s safety constraints; and (2) health and fitness metrics from a source you explicitly connect — Apple Health, Oura, or WHOOP — as described under “Connected health & fitness data” above (steps and activity, sleep, heart rate and heart-rate variability, and workouts), which we use to show your in-app health trends and personalize your daily brief.

24/7 Mom is not a medical device. Nothing the agent says about your or your family’s health constitutes a medical diagnosis or medical advice. We are not a HIPAA-covered entity; the health, fitness, dietary, and allergy data you choose to share with us is consumer health information, not Protected Health Information under HIPAA in this context. All of it is encrypted in transit (TLS) and at rest (Supabase managed storage), is never used for advertising and never shared with third parties for marketing, and is removed when you disconnect the source, delete the corresponding record (e.g., a child profile), or delete your account.

Security

  • In transit: All traffic between the app, our API, Supabase, and third-party services is encrypted with TLS.
  • At rest: All data in our Supabase database is encrypted at rest. Per-user OAuth tokens are stored as part of the user record and cleared on disconnect.
  • Database access control: Row-Level Security (RLS) on every Supabase table denies all direct client reads. Application access goes through our authenticated API only.
  • Admin access: Operator access to the admin dashboard is gated by Clerk authentication and a per-user allowlist. Destructive operations require a shared secret plus a typed confirmation phrase.
  • Agent isolation: Each user’s agent runs in a dedicated containerized workspace; one user cannot read another user’s memory or chat.
  • Breach notification: If a data breach occurs that affects your personal information, we will notify you and the relevant regulators as required by applicable law.

Where your data is stored and processed

Your data is stored and processed in the United States. Our database is hosted on Supabase in the us-east-1 region (North Virginia). Our application servers are hosted on Hostinger in Boston, United States. At this time we do not transfer or process user data outside the United States. If we add infrastructure in other regions in the future, we will update this policy and notify users in advance.

California privacy rights

California residents have additional rights including the right to know what personal information we collect, the right to delete, the right to correct, the right to opt out of sale or sharing (we do not sell or share personal information for cross-context behavioral advertising), and the right to non-discrimination. Exercise these rights via arnav@247mom.ai or the in-app account deletion flow.

Future integrations

The Apple Health, Oura, and WHOOP integrations described above are now available; you are asked to grant explicit consent (and, on iOS, per-category Apple Health permission) before any health or fitness data is collected from these sources. If we add further data integrations in the future, we will update this Privacy Policy with the applicable data categories, retention windows, and sub-processor handling before that integration ships.

Changes to this policy

We may update this policy from time to time. When we do, we will update the “Last updated” date at the top and, for material changes, notify you via the app and/or by email at the address on file. The current version of this policy is always available at batoom-legal.netlify.app/privacy-policy. Prior versions are available on request at arnav@247mom.ai.

Contact

For privacy questions, data requests, or to report a concern:

arnav@247mom.ai
Batoom LLC
8 The Green, Suite B
Dover, DE 19901

This Privacy Policy is effective June 4, 2026 and was last updated July 8, 2026.

Made with care. Built with purpose. © 2026 Batoom LLC · Privacy · Terms · About · Contact

24/7 Mom is a product of Batoom LLC.