Privacy Policy
Last updated: 19 May 2026
PERSONAL DATA PRIVACY POLICY
This Personal Data Privacy Policy (the “Policy”) is issued by Pebbles to inform users about how Pebbles collects, records, stores, analyzes, uses, shares, transfers, retains, deletes, and carries out other processing activities in relation to personal data when users register an account, use the app, interact with Pebbles features, or use services provided directly by Pebbles or through partners on the Pebbles platform.
This Policy is developed based on the Law on Personal Data Protection No. 91/2025/QH15, Decree No. 356/2025/ND-CP, and other relevant legal regulations. For matters not specifically provided for in this Policy, Pebbles will apply the prevailing laws and/or provide separate notice at the time of data collection and processing.
Article 1. Subjects and scope of application
1.1. This Policy applies to individuals who create accounts, access, explore, or use Pebbles’ app, website, features, content, tools, services, or other official transaction channels (“Users”).
1.2. To the extent necessary for providing services to Users, this Policy also governs the processing of personal data relating to children, dependents, family members, or other individuals whose information is provided to Pebbles by the User during use of the app.
1.3. This Policy forms an integral part of the Terms of Use, booking terms, transaction terms and conditions, data processing notices, and other agreements between Pebbles and the User.
Article 2. Definitions
2.1. “Pebbles” means the brand, app, platform, website, and/or legal entity that owns, operates, develops, or provides products and services under the Pebbles name.
2.2. “Personal Data” means data in the form of symbols, writing, numbers, images, sound, or a similar form in the electronic environment that is associated with a specific individual or helps identify a specific individual, including basic personal data and sensitive personal data as prescribed by law.
2.3. “Personal Data Processing” means one or more activities affecting personal data, such as collection, recording, storage, analysis, confirmation, editing, combination, access, retrieval, sharing, transmission, provision, transfer, encryption, decryption, copying, deletion, destruction, or other related activities.
2.4. “Children’s Data” means the personal data of persons under 16 years of age; the processing of children’s data shall be carried out in accordance with law and the specific provisions set out in this Policy.
2.5. “Sensitive Data” means personal data associated with an individual’s privacy that, if infringed, would directly affect that individual’s lawful rights and interests, including categories of data defined by law as sensitive personal data.
2.6. “Third Party” means any organization or individual other than Pebbles and the User, including but not limited to technical service providers, payment providers, third-party login providers, map/location partners, notification service providers, operating partners, analytics providers, customer care providers, cloud service providers, security providers, booking service providers, and/or service providers selected by the User through Pebbles.
2.7. “Pebbles Transaction Channels” include the mobile app, web app, website, landing pages, email, hotline, chatbot, official social media pages, customer support channels, and other interaction channels announced by Pebbles from time to time.
Article 3. Principles for processing personal data
3.1. Pebbles processes personal data only to the extent necessary, consistent with the purposes notified to the User and/or as permitted or required by law.
3.2. Pebbles endeavors to ensure that the personal data collected is appropriate, relevant, and limited to what is necessary for each feature, service, and specific processing purpose.
3.3. Pebbles applies appropriate technical, organizational, and internal governance measures to protect personal data, and reviews and updates these measures according to risk levels and legal requirements from time to time.
3.4. For sensitive data or higher-risk situations, Pebbles may provide separate notice, require additional confirmation steps, or apply additional control layers before processing.
Article 4. Types of personal data Pebbles may process
4.1. Account and login data:
full name, display name, phone number, email address, account identifiers, authentication information, login information via Apple ID, Facebook, or other third-party login providers, data necessary for account verification, OTP codes, access logs, and information related to account security.
4.2. Mandatory onboarding data:
information the User provides when creating a profile, such as name, role (mother/father/other caregiver), number of children, parenting stage, expected due date or date of birth of the baby/child, and other basic information necessary to set up the initial app experience.
4.3. Optional onboarding and personalization data:
top priorities, content preferences, preferred content formats, preferred timing for receiving content, desired frequency, tone of voice, or other choices proactively configured by the User to allow Pebbles to personalize the experience.
4.4. Children and family profile data:
baby/child name, gender, date of birth/expected due date, number of children, caregiving role, and other information proactively declared by the User in the Child Profile or other setup steps within the app.
4.5. Parenting Profile/Spiderweb data:
answers, scores, scales, slider inputs, tags, profile segments, tendencies, priorities, or data inferred from Parenting Identity, Parenting Style, and other assessments, surveys, or profile tools of Pebbles.
4.6. Data from child care tracking and support tools:
data entered or confirmed by the User when using developmental milestones, growth index, vaccination tracker, or similar features, including check history, displayed results, height and weight data, developmental milestones, vaccination history, reminders, and related notes. Although some of this data arises as part of the User’s use of the tools, Pebbles may still collect, store, and process such data to operate the feature, display history, personalize the experience, and/or respond to the User’s support needs.
4.7. Conversation and support data:
chat history with Ami, question content, answers, messages sent to customer support, support feedback, attachments, images, documents, and data voluntarily provided by the User in conversations or during support requests.
4.8. Wisdom Hub interaction and in-app behavior data:
articles viewed, reading duration, content saved/shared, CTA buttons clicked, content liked/disliked, navigation flows, usage sessions, features used, notification settings, notification interaction history, app behavior data, and usage statistics and analytics.
4.9. Location and address data:
addresses entered by the User when booking services, approximate or precise location data if the User grants device permission, and information necessary to personalize maps, suggest suitable providers, or support service delivery.
4.10. Booking and transaction data:
booking information, order/booking codes, selected providers, time, location, service notes, contact information used for appointment confirmation, booking status, history of rescheduling/cancellations/no-shows, post-service feedback, and other information necessary to operate the transaction.
4.11. Payment data:
amount, payment method, payment status, transaction code, transaction time, e-wallet information, invoice/supporting document information, and other data necessary to process, reconcile, or resolve payment complaints. In some cases, Pebbles may not directly store full sensitive payment details if the transaction is carried out through a payment partner; in that event, Pebbles may receive only the necessary data such as payment outcome, transaction code, or reconciliation information provided by the payment partner.
4.12. Technical and system data:
device type, operating system, browser, language, app settings, IP address, cookies, SDK identifiers, log data, crash logs, performance data, anti-fraud data, and other technical data generated when the User accesses or uses Pebbles transaction channels.
4.13. Depending on the circumstances, the above data may include, reveal, or allow inferences about sensitive data, especially data related to children, health, family information, living habits, conversation content, or other private information provided by the User.
Article 5. Purposes of personal data processing
5.1. To create, verify, manage, and protect User accounts; support sign-in, authentication, account recovery, and prevent unauthorized access, fraud, or identity impersonation.
5.2. To set up user profiles, child profiles, and the initial experience within the app; operate onboarding, Child Profile, Parenting Profile, and other personalization features.
5.3. To provide, maintain, and improve developmental milestones, growth index, vaccination tracker, interaction history, reminder tools, content suggestions, and other child care support features.
5.4. To operate Ami and other conversational support, customer care, or in-app assistance features; process requests, answer questions, store interaction history, control response quality, detect errors, investigate incidents, and improve the system’s accuracy, safety, or usefulness to the extent permitted by law.
5.5. To personalize content, article recommendations, learning journeys, content recommendations, service recommendations, reminders, wording, or interaction pace based on profile data, configured preferences, usage behavior, parenting stage, or other relevant data.
5.6. To process bookings, confirm appointments, coordinate service delivery, share necessary information with service providers selected by the User, support rescheduling/cancellation, handle complaints, and provide post-service care.
5.7. To process payments, reconcile transactions, issue transaction/invoice/supporting information (if any), detect fraud, resolve chargebacks or payment-related issues, and handle refunds.
5.8. To send operational notices, account notifications, appointment reminders, milestone/vaccination reminders, transaction confirmations, service notifications, support responses, or other information necessary for app use.
5.9. To carry out research, internal analytics, statistics, feature effectiveness measurement, content/service quality assessment, product improvement, and new feature development based on personal data, aggregated data, or de-identified data where appropriate.
5.10. To carry out communications, marketing activities, promotional programs, customer care, or surveys within the scope of the User’s consent and/or as provided by law.
5.11. To fulfill legal obligations and requests from competent state authorities, protect the lawful rights and interests of Pebbles, Users, or related parties; and establish, exercise, or defend complaints, claims, defenses, and other lawful interests.
5.12. Pebbles may provide additional notice of other processing purposes at the time of data collection or before processing begins if a new feature, product, campaign, or operating model is launched.
Article 6. Methods of personal data collection
6.1. Pebbles may collect data directly from the User when the User registers an account, fills in forms, sets up profiles, enters data into tools, books services, makes payments, chats with Ami, contacts support, or interacts with Pebbles through any official transaction channel.
6.2. Pebbles may collect data automatically when the User uses the app or website, including system data, cookies, SDK data, log data, crash reports, access history, and in-app behavior data.
6.3. Pebbles may receive data from third parties based on the User’s choice or service operation needs, including third-party login providers (such as Apple, Facebook, or similar services), payment partners, map/location partners, notification partners, analytics partners, cloud service providers, customer support providers, security service providers, and service providers selected by the User through Pebbles.
6.4. Where necessary to comply with the law or handle disputes, Pebbles may receive data from competent state authorities, legal advisers, professional advisers, auditors, or lawful public sources.
Article 7. Legal basis for processing, mandatory scope, and User choices
7.1. Some data is necessary for Pebbles to create accounts, verify Users, operate core features, process bookings, handle payments, ensure security, or comply with legal obligations. In such cases, if the User does not provide the required data, Pebbles may be unable to provide some or all of the relevant features or services.
7.2. Other data is voluntarily provided by the User to enable better personalization, such as content priorities, tone of voice, address for map personalization, or additional profile preferences. Failure to provide such data may reduce the level of personalization but will not necessarily affect overall usability of the app.
7.3. Some data arises during feature use, such as milestone history, growth history, vaccination history, chat history, app behavior, or usage statistics. Such data may not be entered by the User at the initial step, but it may still be processed by Pebbles when the User uses tools or interacts with the app.
7.4. For features that involve a higher level of sensitivity, Pebbles may provide separate notices, privacy management tools, device permission requests, or consent-recording mechanisms in accordance with law.
Article 8. Sharing personal data with third parties
8.1. Pebbles may share personal data with third parties or allow third parties to process personal data to the extent necessary to fulfill the purposes stated in this Policy and in accordance with law.
8.2. Categories of data recipients may include:
(i) providers of infrastructure, storage, security, analytics, customer support, email/SMS/Zalo/push notification delivery, map/location, authentication, and anti-fraud services; (ii) payment and reconciliation partners; (iii) service providers selected by the User through Pebbles; (iv) consultants, auditors, lawyers, accountants, or other professional service providers; and (v) competent state authorities or other organizations/individuals as required by law.
8.3. When the User books a service through Pebbles, Pebbles may share with the service provider the information necessary to confirm and fulfill the booking, such as name, phone number, appointment time, location, service notes, and other reasonably related data. In each case, Pebbles will endeavor to limit the scope of sharing to the minimum necessary.
8.4. Pebbles requires processors acting on its behalf to apply appropriate security measures, process data only for the assigned purposes, and comply with personal data protection obligations under the law and agreements with Pebbles.
8.5. Pebbles may use aggregated, de-identified, or anonymized data for analytics, service improvement, internal research, or management reporting to the extent permitted by law.
Article 9. Data processing in certain Pebbles-specific features
9.1. Social login:
When the User chooses to create or sign in to an account using Apple ID, Facebook, or a similar service, Pebbles may receive certain data from that provider, such as display name, email address, account identifiers, authentication tokens, or other data according to the settings authorized by the User.
9.2. Child Profile and child care tools:
When the User creates a child profile or enters data into developmental milestones, growth index, or vaccination tracker, Pebbles may store usage history, results, input data, and related information to display it back to the User, send reminders, support progress tracking, and personalize the experience.
9.3. Ami chat:
Conversations with Ami or the support team may contain personal data, sensitive data, or children’s data voluntarily provided by the User. Pebbles recommends that Users limit the sharing of unnecessary sensitive data. To the extent permitted by law, Pebbles may store and process chat history to operate the feature, support Users, control quality, investigate incidents, improve accuracy, or strengthen system safety. If Pebbles implements the use of chat history for purposes beyond what is necessary to provide the service, Pebbles will notify Users and/or seek consent in accordance with law and the internal mechanisms applicable at that time.
9.4. Wisdom Hub and content behavior:
Pebbles may track how the User reads, saves, shares, rates, or clicks content in order to understand needs, improve the content system, and recommend more suitable content for each stage and priority of the User.
9.5. Location and maps:
If the User grants location access or proactively enters an address, Pebbles may use this information to personalize maps, arrange the display of suitable providers, calculate distance, support bookings, or improve location-related features.
9.6. Booking and payment:
Booking and payment data is processed to confirm transactions, reconcile records, support refunds/exchanges/cancellations, handle disputes, record transaction history, and ensure safe operations. In some cases, this data may be cross-checked with account data, customer support data, or anti-fraud data to protect Users and the system.
Article 10. Children’s data and sensitive data
10.1. Pebbles respects and protects children’s personal data. Before processing children’s personal data, Pebbles may apply age verification measures, verify the status of the person providing the data, and record the necessary consent or confirmation in accordance with law.
10.2. The User should provide children’s data only if the User is the parent, legal guardian, or a person with lawful authority/valid permission to provide such data to Pebbles.
10.3. Some data in Child Profile, growth index, developmental milestones, vaccination tracker, Parenting Profile, Ami chat, or support requests may constitute sensitive data or may reveal sensitive data, for example data related to health, living habits, family information, or other private content. For such data, Pebbles may apply separate notices, additional protection measures, internal access restrictions, or other controls depending on the risk level.
10.4. Where the law or a competent authority requires Pebbles to stop processing, delete, or restrict the processing of children’s data or sensitive data, Pebbles will comply in accordance with the law and its internal procedures applicable at that time.
Article 11. Personal data retention period
11.1. Pebbles retains personal data only for as long as necessary to fulfill the notified processing purposes, maintain the relationship with the User, resolve complaints/disputes, comply with legal obligations, or for any period permitted by law.
11.2. Retention periods may vary by category of data. For example, account data may be retained while the account remains active and for a reasonable period thereafter; booking/payment data may be retained longer for reconciliation, accounting, tax, audit, or dispute resolution purposes; and technical, log, or behavior data may be retained according to Pebbles’ operational, security, or internal analytics lifecycle.
11.3. When the processing purpose has been completed, when the applicable retention period expires, or when there is a valid request from the data subject in accordance with law, Pebbles will delete, destroy, anonymize, de-identify, or stop processing the relevant data, unless the law permits or requires continued retention.
Article 12. Personal data security and potential risks
12.1. Pebbles applies multiple measures to protect personal data against unauthorized access, loss, destruction, disclosure, modification, or misuse, including but not limited to internal governance measures, access controls, vendor controls, system logging, encryption, backups, and other appropriate information security measures.
12.2. However, no technical system can guarantee absolute security. Risks may include software errors, hardware failures, connectivity incidents, security vulnerabilities, cyberattacks, fraudulent acts, or Users’ own disclosure of account information, OTP codes, devices, or their data.
12.3. Users are responsible for safeguarding their accounts, passwords, OTPs, login devices, authentication links, and for providing personal data only to the extent necessary. Users should sign out when using shared devices and should contact Pebbles immediately upon detecting any unusual signs related to personal data or accounts.
Article 13. Cookies, SDKs, and tracking technologies
13.1. When the User uses Pebbles’ website, web app, or app, Pebbles and/or its technical partners may use cookies, pixels, SDKs, local storage, or similar technologies to recognize sessions, remember settings, measure performance, analyze usage behavior, improve the experience, detect issues, and ensure system security.
13.2. Depending on the platform, the User may manage certain choices related to cookies or device permissions through browser settings, operating system settings, or settings within the app. Blocking some technologies may reduce the experience or cause some features not to function fully.
Article 14. Cross-border data transfers
14.1. To operate the app, store data, use technology infrastructure, send notifications, analyze data, support customers, or use cross-border technical services, Pebbles may transfer, store, or allow access to personal data on servers or systems located outside Vietnam to the extent consistent with law.
14.2. When carrying out personal data processing with a foreign element, Pebbles will apply or require appropriate safeguards and implement the procedures, filings, or governance measures required by applicable law.
Article 15. Rights and obligations of the User
15.1. Users have the rights provided by law, including the right to be informed, the right to consent or refuse consent where required by law, the right of access, the right to correction, the right to withdraw consent, the right to delete or request deletion, the right to request restriction of processing, the right to request provision of data, the right to object to processing for certain purposes, the right to complain, denounce, initiate legal proceedings, and other rights as provided by law.
15.2. Pebbles will receive and process valid requests from data subjects within the time limits and according to the procedures prescribed by law. Before fulfilling a request, Pebbles may apply reasonable measures to verify the identity or authority of the requester in order to protect personal data.
15.3. Users are obliged to provide accurate and complete data to the extent necessary; update information when it changes; protect their accounts and data; respect the personal data of others; provide children’s data or the data of others only where there is a lawful basis; and cooperate with Pebbles when incidents, disputes, or requests related to personal data arise.
Article 16. Contact information and general provisions
16.1. If the User has any questions, requests, or complaints relating to this Policy or the processing of personal data, the User may contact Pebbles through the official channels announced from time to time.
16.2. Before official publication, Pebbles needs to complete the following information in the public version of this Policy:
full legal name of the entity owning/operating Pebbles; enterprise number or tax code (if published); headquarters address; personal data protection/customer care contact email; hotline; official website; and the effective date of the Policy.
