Privacy Policy

Last updated: February 2026

Birch is a messaging-based service that helps parents support their children's learning at home. This Privacy Policy explains how we collect, use, and protect your information when you use Birch via WhatsApp, Telegram, or other messaging platforms. Birch operates under the General Data Protection Regulation (GDPR) and applicable Spanish data protection law (LOPDGDD).

1. Data Controller

The data controller responsible for your personal data is Birch, operated from Madrid, Spain. You can contact us at hello@withbirch.com. This policy will be updated when our legal entity registration (Spanish Sociedad Limitada) is complete.

2. Information We Collect

When you use Birch, we collect:

• Information you provide: Your child's age, school year, language setup, school name, and any learning context you share with us (such as what they are currently working on at school or concerns you have raised).
• Conversation content: Messages you send to the Birch bot and responses we provide. We retain the most recent messages to personalise your ongoing experience. We do not retain your full conversation history indefinitely.
• Contact information: Your phone number or Telegram account identifier, which we use to send your daily messages and respond to your questions.
• Usage information: Message timestamps, delivery status, and engagement signals (such as whether you replied to a message), which we use to maintain service quality and monitor account health.

3. Lawful Basis for Processing

We process your personal data on the following lawful bases under GDPR Article 6:

• Contract performance (Article 6(1)(b)): Processing your contact information and conversation content to deliver the service you signed up for.
• Legitimate interests (Article 6(1)(f)): Maintaining service reliability, preventing abuse, and improving response quality — where those interests are not overridden by your rights.
• Consent (Article 6(1)(a)): Where you have provided explicit consent for specific processing activities, such as sharing information about your child's learning context.

If you share information that touches on a child's health, learning difficulties, or developmental concerns, we treat this as sensitive data requiring your explicit consent, which is given by your voluntary act of sharing it with the service.

4. Information About Your Children

Birch is a service for parents and caregivers, not children. Children do not interact with Birch directly and are not registered as users.

When you share information about your child — such as their age, school year, or learning context — this information is used solely to personalise the suggestions and guidance we provide to you. This data belongs to your account and is deleted when your account is deleted.

Where you share information that relates to a child's health, development, or special educational needs (for example, concerns about attention, reading development, or a teacher's observations), we apply the same care as we would to sensitive personal data under GDPR Article 9. We do not share this information with third parties, and we do not use it for any purpose other than generating your personalised daily messages and responses.

We recommend against sharing your child's full name or other information that would identify them beyond what is necessary to personalise your experience.

5. How We Use Your Information

• To deliver your personalised daily activity messages
• To respond to questions you ask about your child's learning and development
• To maintain records of what activities have been suggested (so we don't repeat them)
• To send service-related messages (such as reminders or check-ins during your first weeks)
• To monitor service health and identify issues affecting delivery

We do not use your data for advertising, profiling for commercial purposes, or sale to third parties.

6. Automated Decision-Making

Birch uses artificial intelligence to generate personalised daily messages and responses to your questions. These responses are generated automatically without human review before delivery. They are not binding advice and should not replace professional guidance from teachers, paediatricians, or educational specialists.

No automated decisions are made that produce legal effects or similarly significantly affect you or your child. You have the right to request human review of any automated response by contacting us.

7. Data Sharing and Sub-Processors

We do not sell your personal information. We share data only with the following service providers, each bound by GDPR-compliant data processing agreements:

• Anthropic (United States): Conversation content is processed by Anthropic's Claude API to generate personalised responses. Anthropic does not use your data to train their models. Data transfers to the US are made under Standard Contractual Clauses (SCCs) as provided in Anthropic's Data Processing Agreement.
• Hetzner Online GmbH (Germany, EU): Your profile data and conversation history are stored on servers operated by Hetzner in Germany. No data leaves the EU for storage purposes.
• Telegram / Meta (WhatsApp): Messages are routed through the Telegram or WhatsApp Business platform infrastructure to reach you. These platforms process message metadata and content under their own privacy policies as independent controllers.

8. International Data Transfers

Your profile data is stored in the European Union (Germany). When you send messages via Birch, conversation content is transmitted to Anthropic in the United States for AI processing. This transfer is made under Standard Contractual Clauses approved by the European Commission, as part of Anthropic's commercial data processing terms.

9. Data Retention

We retain your profile information and recent conversation context for as long as you are an active Birch user. If your account has had no activity for 24 months, we will automatically delete your data.

You can request deletion of your data at any time — see Section 10 below. We will complete deletion within 30 days of your confirmed request.

10. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

• Right of access (Article 15): Request a copy of the personal data we hold about you.
• Right to rectification (Article 16): Correct inaccurate or incomplete data.
• Right to erasure (Article 17): Request permanent deletion of all your data. You can do this by sending /deletedata to the Birch bot, or by emailing hello@withbirch.com. Deletion is completed within 30 days.
• Right to restriction of processing (Article 18): Ask us to restrict how we use your data while a dispute is resolved.
• Right to data portability (Article 20): Request your data in a machine-readable format.
• Right to object (Article 21): Object to processing based on legitimate interests.
• Right to lodge a complaint: If you believe your rights have been violated, you can lodge a complaint with Spain's data protection authority, the Agencia Española de Protección de Datos (AEPD).

To exercise any of these rights, contact us at hello@withbirch.com. We will respond within 30 days.

11. Security

We take reasonable steps to protect your information from unauthorised access, including encrypted data storage, HTTPS for all web communications, and secure API authentication. No method of transmission over the internet is 100% secure, but we work to protect your data using industry-standard practices.

12. How We Use WhatsApp and Telegram

Birch sends messages via WhatsApp Business API and/or Telegram. We only contact users who have explicitly opted in by starting a conversation with the Birch bot. We do not send unsolicited messages and do not share your contact information with third parties beyond the sub-processors listed above.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via the Birch bot before changes take effect. The date at the top of this page indicates when the policy was last updated.

14. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at: hello@withbirch.com

Supervisory authority: Agencia Española de Protección de Datos (AEPD), C/ Jorge Juan, 6, 28001 Madrid.