Privacy Policy
Last Updated: March 27, 2026
Legal Disclaimer: KidShield is designed to assist parents in monitoring children's digital activity. It is NOT a substitute for active parental supervision and is not guaranteed to detect all digital threats. Use at your own risk.
1. Introduction & COPPA Compliance
KidShield ("we," "us," or "our") provides a parental control system for Android devices (iOS coming soon). We are committed to the privacy of children and fully comply with the Children's Online Privacy Protection Act (COPPA) and applicable Australian privacy laws.
This policy describes exactly what data we collect, what we can monitor, and — equally important — what we cannot monitor.
2. What KidShield Can and Cannot Monitor
We believe in complete transparency. Many parental control apps mislead users about their capabilities. We do not.
What KidShield CAN do on the child's Android device:
| Feature | How it works |
| --- | --- |
| ✔ Track real-time GPS location | Android background location service |
| ✔ See which apps are currently open | Android Accessibility Service |
| ✔ Block specific apps | Accessibility Service redirects to home screen |
| ✔ Set daily screen time limits per app | Usage tracking via Accessibility Service |
| ✔ Filter websites by DNS | On-device VPN using Cloudflare Family DNS |
| ✔ SOS emergency alerts with location | Child presses SOS; parent gets push notification |
| ✔ On-device AI content detection | Pattern matching analyses visible screen text locally |
| ✔ Geofencing alerts | GPS coordinates checked against defined zones |
| ✔ Receive alerts for permission requests | Child requests extra time; parent approves/denies |
| ✔ Message Monitor — flag harmful text visible in messaging apps (opt-in, Android only) | Reads text currently displayed on screen via Android Accessibility Service. Analysis is on-device. A short excerpt (max 120 characters) is sent to the parent only if a harmful pattern is detected. Parent must explicitly enable this feature per child. |
About Message Monitor — what it reads and what it does not:
The Message Monitor uses Android's Accessibility Service to read text that is currently visible on screen when the child has a messaging app open. This is the same mechanism used by screen readers, password managers, and other accessibility tools.
It reads: Text displayed on the child's screen inside WhatsApp, Instagram DMs, Facebook Messenger, SMS (Messages), Discord, Telegram (standard chats), TikTok DMs, and Snapchat where accessible.
It does NOT:
- Decrypt or intercept messages in transit between sender and recipient.
- Access messages the child has not yet opened or that are in notification previews.
- Read messages in apps that enable FLAG_SECURE screen protection (e.g. Signal, Telegram Secret Chats).
- Access photos, videos, audio messages, or any non-text content.
- Store or transmit the full conversation. Only a short excerpt (max 120 chars) is stored in Firebase if a harmful pattern is detected.
- Run or transmit data when the feature is toggled OFF by the parent.
This feature is off by default and must be explicitly enabled by the parent in the Parent Dashboard.
What KidShield CANNOT do (Technical Limitations):
- ✘ Decrypt messages in transit. End-to-end encrypted apps (WhatsApp, iMessage, Signal, Telegram Secret Chats) protect message content during transmission. KidShield cannot intercept or decrypt this data. The Message Monitor can only read what is already displayed on screen after the device has decrypted it for display.
- ✘ Read messages the child has not opened. Only content currently visible on screen is accessible.
- ✘ View photos or videos sent or received inside third-party apps. App content is sandboxed by Android and inaccessible to other apps.
- ✘ Read emails in Gmail, Outlook, or other email apps.
- ✘ Decrypt or inspect HTTPS web traffic content. DNS-level filtering blocks domains but cannot read the content of encrypted web pages.
- ✘ Monitor iPhone/iOS child devices with the same feature set. Apple's iOS platform does not permit third-party apps to use Accessibility Services. The Message Monitor is Android-only. Location tracking will be available on iOS; app blocking, screen monitoring, and Message Monitor are not available on iOS.
- ✘ Guarantee detection of all harmful content. The on-device pattern matching targets known categories (grooming language, self-harm, sexting, bullying) but may not detect all forms of harmful communication, coded language, or emerging slang.
Why we tell you this: You have the right to know exactly what you are paying for and what is happening on your child's device. The Message Monitor is a powerful safety tool, but it is not a full conversation logger. It is designed to surface specific red-flag language — grooming attempts, self-harm signals, bullying — not to give parents a transcript of their child's private communications.
3. Information We Collect
We distinguish between Parent Account Data and Child Device Data.
Parent Account Data:
- Email address — used for authentication and account recovery.
- Subscription / billing data — processed securely via RevenueCat and Google Play. We do not store credit card numbers.
Child Device Data:
- Precise GPS coordinates — collected in real-time and in the background to enable location tracking, geofencing, and SOS alerts. Stored in Firebase Firestore, accessible only to the registered parent.
- App usage records — which apps are open and for how long. Used to enforce screen time limits and provide usage reports. Stored in Firestore.
- Installed app list — the names and package IDs of apps installed on the child's device. Reported once on startup and used to populate the app blocking list in the Parent Dashboard. Stored in Firestore.
- Alert records — SOS events, content safety alerts, and access requests. Retained for 30 days.
- Anonymous device identifier — a randomly generated Firebase anonymous UID assigned to the child device at pairing time. Used to identify the device in security rules. Not linked to the child's personal identity.
- FCM push token — stored to enable push notifications to the parent device. Rotated automatically.
- Message content excerpts (Message Monitor — conditional) — if the parent has enabled Message Monitor and the on-device scanner detects a harmful pattern, a short excerpt of the flagged text (maximum 120 characters) is stored in Firebase Firestore as part of an alert record. This excerpt is:
  - Only created when a harmful pattern is actually matched — not for every message.
  - Visible only to the registered parent in the Alerts tab.
  - Automatically deleted after 30 days.
  - Never transmitted to KidShield servers, staff, or any third party.
  - Not collected at all if the parent has not enabled Message Monitor.
What we do NOT collect:
- Full message conversations or chat history from any app
- Photos or videos from the child's gallery or any app
- The child's real name, school, or any identity information beyond the nickname the parent enters
- Full browsing history (only blocked domain attempts are logged)
- Screen recordings or screenshots
- Message content excerpts when Message Monitor is disabled (the default)
- Audio content of any kind
4. On-Device AI Content Safety
KidShield's content safety system operates entirely on the child's device using a rule-based pattern matching engine (no third-party AI API calls are made for this purpose). The engine scans visible text for four harm categories:
- Grooming / predatory language (e.g. "keep our secret", "where do you live", "come alone")
- Self-harm / suicide language (e.g. "want to die", "cut myself", "end my life")
- Sexting / explicit content requests (e.g. "send nudes", "nude photo")
- Bullying / threats (e.g. "I will kill you", "nobody likes you", "kys")
The full text is never transmitted. Only a short excerpt (max 120 characters) of the flagged portion is stored as part of the alert. All scanning occurs locally on the child's device before any data is sent anywhere.
This feature requires the Android Accessibility Service to be enabled on the child's device. Parents are informed of this requirement during setup.
5. Parental Consent & Child Privacy
KidShield is installed and configured exclusively by parents and legal guardians. The child does not create an account and no data is collected directly from the child. All monitoring features are controlled by the parent through the Parent Dashboard.
We strongly recommend that parents inform their child that the device is monitored, including the use of the Message Monitor feature where enabled. Many jurisdictions legally require this disclosure. See Section 5 of our Terms of Service for your responsibilities as a parent user.
6. Third-Party Service Providers
- Google Firebase (Firestore, Authentication, Cloud Messaging): Secure cloud database, login, and push notifications. Data is stored on Google's servers. See Firebase Privacy Policy.
- RevenueCat: Subscription and in-app purchase management. See RevenueCat Privacy Policy.
- Cloudflare for Families (DNS): DNS-level web filtering. Cloudflare does not log individual DNS queries under their privacy-first commitment. See Cloudflare Privacy Policy.
- Google Maps Platform: Used to display child location on the parent dashboard. Location is rendered locally; coordinates are not shared with Google beyond what is required to display map tiles.
- Firebase Crashlytics: Crash reporting to help us fix bugs. No personal data, location, or message content is included in crash reports.
We do not sell, rent, or share any personal data with advertisers or data brokers.
7. Data Retention & Deletion
We minimise what we store and how long we keep it:
- Location history: rolling 7-day window (older records overwritten)
- Alert records (including any Message Monitor excerpts): 30 days
- App usage records: 30 days
- Account data: retained until account deletion
When a parent deletes their account through the Parent Dashboard, all associated child data — including location history, alerts, message excerpts, usage records, and child profiles — is permanently purged from our systems within 48 hours.
8. Your Rights & Account Deletion
Under COPPA and applicable Australian privacy law, you have the right to:
- Review all data collected about your child
- Request correction of inaccurate data
- Request deletion of all data
- Withdraw consent at any time by deleting the app and your account
- Disable specific features (such as Message Monitor) at any time without deleting the account
You can exercise these rights instantly via the Parent Dashboard → Settings → Delete Account, or by emailing info@kidshield.family from your registered address.
9. Security
All data in transit is protected by TLS 1.3 encryption. Firestore data is secured by Firebase security rules that cryptographically verify that only the registered parent UID can access their child's data. Child device identity is verified using anonymous Firebase Auth tokens — the child device cannot access another child's data. Message Monitor excerpts are stored under the same parent-only access rules as all other alert data.
10. Changes to This Policy
If we make material changes to this policy — especially to what data we collect or how we use it — we will notify you via the app and update the "Last Updated" date above. Continued use of the app after changes constitutes acceptance of the updated policy.
11. Contact & Support