Privacy Policy

Effective date: February 22, 2026 · Last updated: March 4, 2026

At CaraLink Inc. ("CaraLink," "we," "us," or "our"), your family's privacy is our top priority. This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights regarding your data.

This policy applies to all users of the CaraLink website, mobile applications, and related services (the "Service"). By using the Service, you agree to the practices described in this policy.

1. Information We Collect

Information you provide

  • Account information: Name, email address, profile photo (optional)
  • Address: Your home address for proximity-based matching (validated via Google Places)
  • Children's information: First name, date of birth, and gender of your children
  • Preferences: Activity interests, indoor/outdoor preference, travel mode and distance, venue memberships
  • Communications: Messages you send through the Service
  • Bio: Optional profile biography

Information collected automatically

  • Usage data: Pages visited, features used, and interactions with other users
  • Device information: Browser type, operating system, device identifiers
  • Location data: Approximate location derived from your address (we do not track real-time GPS location)

2. How We Use Your Information

We use your information to:

  • Create and maintain your account
  • Match you with nearby families based on location, children's ages, and shared interests
  • Facilitate communication between connected families
  • Send service-related notifications (connection requests, messages, playdate reminders)
  • Improve the Service through analytics and product development
  • Ensure the safety and integrity of our community
  • Comply with legal obligations

We do not sell your personal information. We do not use your data for advertising.

3. Children's Privacy (COPPA Compliance)

CaraLink takes children's privacy seriously. We comply with the Children's Online Privacy Protection Act (COPPA) and take the following measures:

  • Children under 13 cannot create accounts or directly interact with the Service
  • We collect limited children's information (first name, date of birth, gender) only from email-verified parents or guardians
  • Children's information is used solely for age-appropriate matching between families
  • We do not share children's information with third parties for marketing purposes
  • Children's date of birth is displayed only as an age range (e.g., "4 years old"), never as an exact date
  • Parents may review, correct, or delete their children's information at any time

To exercise any rights regarding your child's data, contact us at privacy@caralink.com.

4. How We Share Your Information

We share your information only in the following circumstances:

  • With other users: Your profile information (name, bio, children's ages, activity interests) is visible to other CaraLink users in your area. Your exact address is never shared. Messages are visible only to conversation participants.
  • Service providers: We use trusted third-party services to operate the platform (see Section 5).
  • Legal requirements: We may disclose information when required by law, subpoena, or to protect the safety of our users.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.

5. Third-Party Services

We use the following third-party services to operate CaraLink:

ServicePurposeData Shared
SupabaseDatabase and authenticationAccount data, profile data
Google MapsAddress validation and geocodingAddress input
VercelHosting and deploymentStandard web request data
PostHogProduct analyticsAnonymous usage events
Google AnalyticsWeb traffic analyticsAnonymous pageview and traffic source data
AxiomApplication logging and monitoringRequest metadata, performance metrics (no PII)
UpstashRate limiting and abuse preventionAnonymized request identifiers (IP hashes)
Anthropic (Claude)AI assistant for activity recommendationsFirst names and city-level location only (no email, phone, or full address)

6. Data Security

We implement industry-standard security measures to protect your data, including:

  • Encryption of data in transit (TLS/SSL) and at rest
  • Row-level security (RLS) on all database tables to ensure users can only access authorized data
  • Secure authentication via Google OAuth
  • Input validation on all API endpoints to prevent injection attacks
  • Rate limiting on all sensitive operations to prevent abuse
  • Authorization checks on every API endpoint
  • Minimal data exposure: API responses return only the specific fields required for each operation
  • PII minimization for AI features (first names and city-level location only)
  • Regular internal security assessments and penetration testing

No system is 100% secure. While we take every reasonable precaution, we cannot guarantee absolute security of your data.

7. Data Retention

  • Account and profile data: Retained while your account is active. Deleted immediately upon account deletion.
  • Children's data: Deleted immediately upon request or when the associated parent account is deleted.
  • Messages: Retained while your account is active. Deleted upon account deletion.
  • Activity logs: Retained for 24 months from creation, then automatically deleted.
  • AI insights: Regenerated daily; previous versions are overwritten.
  • Safety reports: Anonymized upon account deletion, retained for audit purposes.

When you delete your account, all personal data is removed immediately. Anonymized safety records may be retained for community protection purposes.

8. Your Rights

Depending on your location, you may have the following rights. Many of these can be exercised directly from your profile settings:

  • Access: View all your personal data through your profile. You can also download a complete copy of your data in JSON format from your profile settings.
  • Correction: Edit your profile information at any time through your profile settings
  • Deletion: Delete your account and all associated data directly from your profile settings. This action is immediate and irreversible.
  • Portability: Export your data in a machine-readable format (JSON) from your profile settings
  • Objection: Object to certain processing of your data

For any rights you cannot exercise through the app, or for questions, contact us at privacy@caralink.com. We will respond within 30 days.

9. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete your data, and the right to opt out of the sale of personal information.

We do not sell personal information. We have never sold personal information.

10. Cookies

We use essential cookies to maintain your session and authentication state. We use analytics cookies (PostHog and Google Analytics) to understand how the Service is used and where our traffic comes from. We do not use advertising or tracking cookies.

You can control cookies through your browser settings. Disabling essential cookies may prevent you from using certain features of the Service.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service and, where appropriate, sending you an email notification. The "Last updated" date at the top indicates when the policy was most recently revised.

12. Contact Us

If you have questions about this Privacy Policy or how we handle your data, contact us at:

CaraLink Inc.
Privacy Team
Email: privacy@caralink.com