1. Introduction
This Privacy Policy explains how Bracino oü (Estonian registry code: 12452492) ("we", "us", "our"), operating the Lapseleap service at https://lapseleap.com, collects, uses, stores, and protects your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Estonian Personal Data Protection Act (IKS), and other applicable data protection legislation.
2. Data Controller
The data controller responsible for your personal data is:
Bracino oü
Registry code: 12452492
Email: info@lapseleap.com
Republic of Estonia
3. Data We Collect
3.1 Account Data
When you create an account, we collect:
- Email address — provided directly or via Google OAuth sign-in.
- Name — if provided through Google OAuth.
- Authentication identifiers — user IDs assigned by AWS Cognito.
3.2 User Content
When you use the Service, we store:
- Captured images — webcam photos you capture, stored in Amazon S3.
- Generated media — time-lapse videos and animated GIFs created from your images.
3.3 Session and Usage Data
- Session metadata — session identifiers, timestamps, image counts, stored in Amazon DynamoDB.
- WebSocket connection data — temporary connection identifiers for real-time communication.
- Analytics data — we use Google Analytics (GA4) to collect anonymised usage data such as page views, session duration, browser type, and approximate location. Google Analytics uses cookies; see section 8 below.
3.4 Payment Data
We do not collect, process, or store any payment information. All payment processing is handled by Paddle.com Market Limited ("Paddle"), our Merchant of Record. Paddle collects and processes your payment details (credit card number, billing address, etc.) under their own privacy policy. Please review Paddle's Privacy Policy for details on how they handle payment data.
4. Legal Basis for Processing
Under GDPR Article 6, we process your personal data based on:
| Purpose | Legal Basis |
| --- | --- |
| Providing the Service (account, storage, video generation) | Performance of a contract (Art. 6(1)(b)) |
| Processing subscription payments (via Paddle) | Performance of a contract (Art. 6(1)(b)) |
| Analytics and service improvement | Legitimate interest (Art. 6(1)(f)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Sending service-related notifications | Legitimate interest (Art. 6(1)(f)) |
5. How We Use Your Data
- To provide and maintain the Service — storing your images, generating time-lapse media, and managing your account.
- To authenticate your identity and secure your account.
- To communicate with you about your account, changes to the Service, or support requests.
- To monitor and improve the Service through anonymised analytics.
- To comply with legal obligations under Estonian and EU law.
6. Data Sharing
We do not sell your personal data. We share data only with the following categories of recipients:
- Paddle.com Market Limited — our Merchant of Record, for processing payments and managing subscriptions. Paddle acts as an independent data controller for payment data.
- Amazon Web Services (AWS) — our cloud infrastructure provider. Data is processed and stored in the EU (eu-west-1, Ireland) under AWS's Data Processing Addendum.
- Google — for Google OAuth authentication and Google Analytics. Google processes analytics data under their Privacy Policy.
We may also disclose data if required by law, regulation, or valid legal process.
7. International Data Transfers
Your data is stored and processed primarily in the EU (AWS eu-west-1, Ireland). Where data is transferred outside the EEA (e.g., to Google's infrastructure in the US), such transfers are protected by appropriate safeguards including EU Standard Contractual Clauses (SCCs) or adequacy decisions, in compliance with GDPR Chapter V.
8. Cookies
We use the following cookies:
- Authentication cookies — set by AWS Cognito to maintain your login session. These are strictly necessary and do not require consent.
- Google Analytics cookies (_ga, _ga_*) — used for anonymised usage analytics. These are set based on legitimate interest. You may opt out by using a browser extension such as the Google Analytics Opt-out Browser Add-on.
9. Data Retention
- User content (images, videos, GIFs): Automatically deleted after the retention period for your tier — 7 days (Free) or 30 days (Pro). You may delete content earlier via the Settings page.
- Account data: Retained as long as your account is active. Deleted within 30 days of account deletion.
- Session metadata: Retained for 90 days for service improvement, then deleted.
- Analytics data: Retained per Google Analytics default settings (14 months). See Google's documentation for details.
10. Your Rights under GDPR
As a data subject in the EU, you have the following rights:
- Right of access (Art. 15) — request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17) — request deletion of your personal data ("right to be forgotten").
- Right to restriction (Art. 18) — request that we limit how we use your data.
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interest, including analytics.
- Right to withdraw consent (Art. 7(3)) — where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at info@lapseleap.com. We will respond within 30 days as required by GDPR.
You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, www.aki.ee) or with the supervisory authority in your EU member state of residence.
11. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS/HTTPS) and at rest (AWS S3 server-side encryption).
- Authentication via AWS Cognito with PKCE flow and secure token handling.
- Access controls — your content is isolated to your user account and not accessible to other users.
- Infrastructure hosted entirely on AWS with SOC 2 and ISO 27001 compliance.
12. Children's Privacy
The Service is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child under 16, please contact us and we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the Service at least 14 days before the changes take effect. The "Last updated" date at the top reflects the most recent revision.
14. Contact
For questions, data subject requests, or complaints about this Privacy Policy:
Bracino oü
Registry code: 12452492
Email: info@lapseleap.com
Republic of Estonia