Privacy policy.

KidTag is a parent-facing coordination tool. This policy covers what we collect, how it's stored, who can see it, and what we refuse to do with it, all in plain English. Questions: [email protected].

What we collect.

To sign you in and make the app work, we collect:

• Phone number. Required. Used for one-time-password sign-in. We do not send marketing SMS.
• Display name. Required. Shown to other members of your household and to parents in households you're connected to.
• Home address. Required for the neighborhood map and for context on tag events. Stored encrypted (see How data is stored).
• Profile photo. Optional, for adults. Uploaded to Firebase Storage and only visible to members of your household and connected households.

For each child you add to your household, parents may provide:

• First name (required).
• Birth month and year (optional).
• Photo (optional).
• Allergy or medication notes (optional). These are treated as sensitive and are end-to-end encrypted.

As you use the app, we also store:

• Tag-in and tag-out events. Which kid, which household, who tagged them, the timestamp, and any optional note.
• Trusted household relationships. Who's in your circle and who invited whom.
• Notification preferences. What you want to be pinged about and how.
• Basic app telemetry. Crash reports, sign-in success/failure, and similar operational logs from Firebase. No third-party analytics SDKs.

How data is stored.

KidTag runs on Firebase. Auth handles phone verification, Firestore stores household and event data, and Storage holds photos. Data is scoped per household. Cross-household visibility only exists once both sides accept an explicit trust connection.

Sensitive fields are end-to-end encrypted. Each household generates a 256-bit encryption key on-device when it's created and stores it in the iOS Secure Enclave. Children's names and notes, tag notes, allergies, and home address are encrypted on your phone with that key before they leave the device. Our servers see only ciphertext. When a second adult joins your household, the existing member's phone re-wraps the key for them. We never hold a master copy.

What's not end-to-end encrypted, by design: fields the system structurally needs to read (phone number for Auth, relationship graph for routing, event timestamps). These are stored in Firestore under access rules that scope them to you and your connected households. Photos in Firebase Storage are additionally encrypted at rest with Google-managed keys.

Where data is processed.

KidTag is operated from the United States. Firebase, our hosting platform, may process data in multiple regions around the world. By using the service, you consent to your data being transferred to and processed in the United States and other jurisdictions where Firebase operates. The end-to-end encryption described above travels with the data: ciphertext stored in another region is still ciphertext, and our guarantees don't change based on where a particular server sits.

What we do not do.

• We do not run personalized or behavioral advertising. The free tier shows contextual-only ads (see below); the paid tier has no ads.
• We do not use third-party analytics beyond Firebase's built-in operational telemetry (crash reports, auth events).
• We do not sell data. To anyone. Ever.
• We do not share user or household information with carriers, insurers, data brokers, or ad networks.
• We do not train machine-learning models on user data.
• We do not allow any cross-household visibility that isn't gated by an explicit, accepted trust invite.

Advertising on the free tier.

The free tier of KidTag shows ads provided by Google AdMob. The paid tier has no ads.

We run contextual ads only (also called non-personalized ads). Google chooses which ad to show based on the app's category, your device's language, and a rough country-level location derived from your IP address. Nothing else.

What we do not send to the ad network:

• Your name, phone number, email, or home address.
• Anything about your household, your trusted connections, or any child.
• Your advertising ID (IDFA on iOS, AAID on Android). Google does not build a behavioral profile of you for KidTag ads.
• Anything from the end-to-end encrypted fields. Those never leave your phone unencrypted, let alone reach an ad network.

Ads appear only to adult account-holders, and no ad surfaces are placed near child content. If you'd rather have no ads at all, upgrade to the paid tier.

Who can see what.

• You see everything in your household, plus the specific kids and events that connected households have shared with you.
• Other adults in your household see the same as you.
• Parents in a connected household see only the kids and events that have been shared with them via the trust connection. Typically that means the child who's currently at their house, and the tag events for that child.
• KidTag, the company can see phone numbers (Firebase Auth), relationship structure, and operational logs. We cannot read the end-to-end-encrypted fields. We have no customer-support backdoor.
• Nobody outside your trusted circle sees anything. There is no public directory, no neighborhood feed, no "discover" tab.

Children's privacy.

KidTag is a tool for parents. Children do not have accounts and do not sign in. All information about children (first name, optional birth month/year, optional photo, optional allergy or medication notes) is provided by a parent and is visible only to the child's own household and to parents in households that have an accepted trust connection with them.

We do not collect any data directly from children. We do not sell, transfer, or otherwise share children's information outside the parent's trusted circle. We do not build advertising or behavioral profiles on children. The product is designed to be COPPA-aligned even though it isn't used directly by children.

Your rights.

You can delete your account, your household, and all associated data at any time from Settings → Account → Leave & Delete. Deletion cascades across Firestore and Firebase Storage. Any remaining artifacts are cleaned up by a scheduled job, and all user data is removed within 30 days of account deletion.

Data export is planned post-launch. Until then, if you need a copy of your data before deleting, email [email protected] and we'll get you one.

Retention: data lives as long as your account does. Everything is removed within 30 days of account deletion, subject to the same encryption guarantees until it's gone.

California residents.

If you live in California, the CCPA and CalOPPA give you the right to:

• Know and access what personal information we've collected about you, where it came from, and how it's used.
• Request a copy of that data in a portable form.
• Request deletion of your data, subject to the same 30-day cleanup described above.
• Equal service. We won't treat you differently for exercising any of these rights.
• Opt out of the sale of personal information. Easy one: we don't sell personal information, to anyone, ever.

To exercise any of these rights, email [email protected]. We'll respond within 30 days.

If KidTag is acquired or shuts down.

If the service is sold, merged, or wound down, we'll notify active users in-app and give you a reasonable window to export or delete your data before anything transfers. Any acquirer will be bound by this Privacy Policy, or one at least as protective, for data collected before the transfer. If we're shutting down entirely, we'll delete everything.

Changes to this policy.

If we change this policy in a way that affects what we collect or who can see it, we will update the "last updated" date above and notify active users in-app. Minor editorial changes (typos, clarifications) may be made without notice.

Contact.

Questions, corrections, or a data request: [email protected].