Privacy Policy
Effective Date:
1. Who we are
Screen Time Hero ("Screen Time Hero," "we," "us," or "our") operates the Screen Time Hero mobile application (iOS) and the supporting website at screentimehero.com (together, the "Service"). This Privacy Policy explains what personal information we collect, how we use it, how long we keep it, who we share it with, and the rights you have over it.
For the purposes of the EU and UK General Data Protection Regulations ("GDPR") and the California Consumer Privacy Act as amended by the CPRA ("CCPA"), Screen Time Hero is the data controller / business for the personal information described in this policy.
Questions? Email support@screentimehero.com.
2. What we collect
We collect only the data we need to operate the Service. We do not use analytics SDKs, we do not track users across apps or websites, and we do not request or use the Advertising Identifier (IDFA).
From parents when you create an account
- Email address (required)
- Name (first and last)
- Authentication credentials (password stored as a salted hash via Supabase Auth, or a federated identifier if you choose Apple Sign-In or Google Sign-In)
- Phone number (only if you use the SMS option for parental consent delivery; otherwise not collected)
- Subscription receipt metadata processed by RevenueCat on our behalf (plan, renewal state, country)
From you about your child
- First name or nickname
- Birth month and year (used to determine whether COPPA verifiable parental consent is required)
- Optional avatar photo (only if you upload one)
Generated while using the Service
- Chores assigned, completed, approved, or rejected
- Rewards created and redeemed, points earned and spent
- Photos or other proof a child submits for a chore (stored as-is in Supabase Storage)
- Screen-time rules and aggregated usage summaries produced by Apple's FamilyControls framework. The app-usage tokens themselves are opaque on-device identifiers defined by Apple; we never receive or store real bundle IDs.
- Extension-of-time requests from a child and the parent's decision on each
- Messages your device exchanges with our backend for the Service to function (task approvals, push notifications, etc.)
Operational and security data
- Device push tokens so we can deliver Apple Push Notifications
- Login session tokens (JWT), password-reset codes, and session IP address
- Rate-limit counters and short-lived audit log rows so we can detect abuse
- Anonymous device fingerprint and the IP address / user agent recorded at the time a parent grants verifiable parental consent (required under 16 CFR §312.8)
3. Why we use your data and our legal basis (GDPR)
| Purpose | Data used | Legal basis (GDPR Art. 6) |
|---|---|---|
| Create and operate your account | Account information | Performance of a contract — 6(1)(b) |
| Deliver parental-control features (chores, rewards, screen time) | Child profile, usage data, proofs | Performance of a contract — 6(1)(b) |
| Obtain verifiable parental consent under COPPA | Parent contact (hashed), consent audit trail | Legal obligation — 6(1)(c) (U.S.); consent — 6(1)(a) (EEA/UK) |
| Process subscriptions and receipts | Purchase history via RevenueCat | Performance of a contract — 6(1)(b) |
| Prevent abuse, enforce rate limits, debug incidents | Session IP, device fingerprint, request logs | Legitimate interests — 6(1)(f) (fraud prevention and service security) |
| Respond to support requests | Anything you send us | Legitimate interests — 6(1)(f) |
We never use your data for behavioral advertising, profiling, or automated decision-making with legal or similarly significant effect.
4. Children's privacy (COPPA)
Screen Time Hero complies with the Children's Online Privacy Protection Act (COPPA, 16 CFR Part 312) for children under 13 in the United States.
Verifiable parental consent
When a child under 13 is introduced into the app — either by a parent adding them, or by the child attempting to sign up — we require verifiable parental consent before collecting, using, or disclosing the child's personal information. We currently offer the "email-plus" consent method under §312.5(b)(2): we send the parent a consent link via email (or SMS, at the parent's choice), and record the consent along with the time, parent IP, user agent, and the privacy-policy version in effect.
Parental controls
A parent (or legal guardian) can at any time, from inside the app:
- Review everything we hold about a specific child — open the child's Settings and tap Data & Privacy → Download.
- Correct information by editing the child's profile.
- Delete the child's account and all associated data — open the child's Settings and tap Data & Privacy → Delete. This is an immediate, hard delete, not a soft delete.
- Withdraw consent for any further collection by deleting the child's account.
What we do not do
- We do not serve advertising to children.
- We do not enable or permit children to make personal information publicly available.
- We do not disclose children's personal information to third parties for their own marketing.
- We collect only the personal information reasonably necessary to provide the parental-control features the parent signed up for.
5. Who we share data with
We share personal information only with the service providers who help us operate Screen Time Hero. Each is contractually bound by a Data Processing Agreement (or the equivalent under CCPA) to process the data only on our behalf and only for the purposes listed here.
| Provider | Role | Data shared |
|---|---|---|
| Supabase | Database, authentication, file storage | All application data at rest |
| Railway | API server hosting | Transient request/response data and operational logs |
| Vercel | Website + consent-landing-page hosting | Web request metadata |
| RevenueCat | Subscription and purchase management | App user ID, purchase receipts, plan state |
| Apple | Sign in with Apple, Push Notifications, FamilyControls / Screen Time APIs | Apple-provided identifier and device push token; screen-time tokens remain on-device |
| Google | Sign in with Google (optional) | Google-provided identifier and basic profile you authorize |
| Resend | Transactional email (invitations, consent links, password resets) | Recipient email address and email contents |
| Twilio | SMS delivery (parental consent via SMS, if selected) | Recipient phone number and SMS body |
We do not sell personal information and we do not share personal information for cross-context behavioral advertising. We may disclose information when required by law, subpoena, or a court order, or to protect the rights, property, or safety of Screen Time Hero, our users, or the public.
6. International data transfers
Screen Time Hero operates from the United States, and our service providers (listed in Section 5) store and process data primarily in the United States. If you are located in the European Economic Area, the United Kingdom, or Switzerland, your personal information is transferred to the United States. We rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) as the lawful mechanism for those transfers, which we have in place with each service provider named above.
7. How long we keep your data
We keep personal information only for as long as we need it for the purposes in Section 3. The concrete windows are:
| Category | Retention |
|---|---|
| Parent and child accounts (profiles, chores, rewards, usage, proofs) | Until you delete the account. Deletion is immediate and hard — not a soft delete. |
| Verifiable parental consent records | 90 days after the consent request is resolved (granted, expired, or revoked). The consent outcome snapshot stays on the child's profile until the profile is deleted. |
| Password-reset codes and tokens | 7 days after the code or token expires |
| Rate-limit state | 30 days after the last action |
| Host-level logs (Railway) | 30 days rolling |
| Encrypted database backups (Supabase) | Supabase point-in-time-recovery window. Deleted data ages out of backups within that window. |
These windows are enforced automatically by purge jobs that run daily.
8. Your rights (GDPR / UK GDPR)
If the GDPR applies to our processing of your personal data, you have the right to:
- Access the personal data we hold about you — tap Settings → Download my data in the app. For a specific child, use Data & Privacy → Download on that child's profile. Both return a machine-readable JSON bundle.
- Rectify inaccurate personal data — edit the profile in the app.
- Erase your personal data — tap Settings → Delete Account. For a specific child, use Data & Privacy → Delete.
- Restrict or object to certain processing — email us and we will honor the request where the law allows.
- Portability — the Download action above produces a portable JSON file.
- Withdraw consent where we rely on consent (primarily COPPA) — delete the child account.
- Lodge a complaint with your local supervisory authority. In the UK it is the Information Commissioner's Office (ico.org.uk).
We do not charge a fee for exercising these rights. We respond to requests within 30 days (extendable by up to two additional months for complex requests, with notice to you).
9. California residents (CCPA / CPRA)
This section applies if you are a California resident.
Categories of personal information collected in the last 12 months
- Identifiers — name, email, account ID, device ID, IP address
- Customer records (Cal. Civ. Code §1798.80(e)) — phone number (optional)
- Commercial information — subscription plan, purchase history (via RevenueCat)
- Internet or other electronic network activity — app request logs, rate-limit counters, consent-audit IP and user agent
- Audio, electronic, visual information — child-submitted chore photos (only if uploaded)
- Information about minors under 16 — the age and activity information a parent provides about a child
Sources
Directly from you when you sign up or use the app, and from the service providers listed in Section 5 when they act on our behalf (e.g., RevenueCat when you complete a subscription).
Business purposes
See Section 3 above. In CCPA terms: performing services, fraud prevention, security, and legal compliance.
Sale or sharing
We do not sell personal information and we do not share personal information for cross-context behavioral advertising. We have not done so in the last 12 months. We do not sell or share the personal information of anyone under 16.
Your California rights
- Right to know what personal information we collect, use, disclose, and retain
- Right to delete personal information we have collected
- Right to correct inaccurate personal information
- Right to limit the use of sensitive personal information (we do not use sensitive PI beyond the purposes allowed without a right-to-limit)
- Right to non-discrimination for exercising these rights
You can exercise the Right to Know and the Right to Delete directly in the app (see Section 8), or by emailing support@screentimehero.com. We verify requests by confirming you have access to the account email on file. Authorized agents may submit requests on your behalf with written authorization.
10. Security
We protect personal information with industry-standard measures, including TLS 1.2+ encryption in transit, encryption at rest for Supabase data and storage, salted password hashing, JWT-based session tokens, signed-URL access to stored files, server-side rate limiting, and least-privilege row-level security policies. No system is perfectly secure. If we experience a data breach that affects your personal information, we will notify you and the relevant regulators as required by applicable law.
11. Tracking and advertising
Screen Time Hero does not use third-party analytics SDKs, crash-reporting SDKs, or behavioral advertising tools. We do not request Apple's App Tracking Transparency permission because we do not track you across other apps or websites. We do not respond to any particular browser Do Not Track signal because none are applicable — there is no tracking to disable.
12. Changes to this policy
When we make a material change we will update the "Effective Date" at the top of this page and, where practicable, notify you in-app or by email before the change takes effect. We keep prior versions and provide them on request.
13. Contact us
For any question about this Privacy Policy, or to exercise any of the rights above:
Email: support@screentimehero.com
14. Where the Service is offered
Screen Time Hero is currently offered only in the United States, Canada, and Australia. The app is distributed through the Apple App Store in those territories only. We do not offer the Service, market the Service, or knowingly collect personal information from residents of the European Economic Area, the United Kingdom, or Switzerland at this time.
The GDPR and UK GDPR references in this policy (Sections 1, 3, 6, and 8) are retained as a defensive measure in case a resident of those regions accesses the Service despite the territory restriction. When we expand into the EEA, the UK, or Switzerland we will update this policy, designate a representative under Article 27 of the GDPR and UK GDPR, and publish the representative's contact information here before making the Service available in those regions.