Last updated · May 22, 2026
Privacy policy.
KidTag is a parent-facing coordination tool. This policy covers what we collect, how it's stored, who can see it, and what we refuse to do with it, all in plain English. Questions: [email protected].
What we collect.
To sign you in and make the app work, we collect:
- Phone number. Required. Used for one-time-password sign-in. We do not send marketing SMS.
- Display name. Required. Shown to other members of your household and to parents in households you're connected to.
- Home address. Required for the neighborhood map and for context on tag events. Stored on Firebase, encrypted at rest with Google-managed keys; access restricted by Firestore rules to your household and the households you've trusted.
- Profile photo. Optional, for adults. Uploaded to Firebase Storage and only visible to members of your household and connected households.
For each child you add to your household, parents may provide:
- First name (required).
- Birth month and year (optional).
- Photo (optional).
- Allergy or medication notes (optional). Stored on Firebase, encrypted at rest with Google-managed keys; visible only to your household and the households you've trusted, with access enforced at the database layer by Firestore security rules.
As you use the app, we also store:
- Tag-in and tag-out events. Which kid, which household, who tagged them, the timestamp, and any optional note.
- Trusted household relationships. Who's in your circle and who invited whom.
- Notification preferences. What you want to be pinged about and how.
- Push notification token. When you sign in, we register your device's Firebase Cloud Messaging token so we can deliver notifications to your phone. It's removed when you sign out, and FCM refreshes it periodically (the old value is replaced).
- Your device's precise location at geofence crossings, for adults who've opted in. If you've enabled geofence notification routing, your device tells our servers "at home" or "away" when it crosses your own household's geofence — a configurable 100–1000 m radius around your address. We use this to suppress non-urgent notifications when you're away from home; high-urgency safety notifications (tag-in, recall, visitor arrival) are always delivered regardless. We store only the boolean state and the household it relates to — never a coordinate stream. iOS asks for permission the first time and you can revoke it any time in Settings. (Note: this routes caretaker and parent presence; the kid's whereabouts are always set by an adult's explicit Tag-In or Tag-Out action.)
- Basic app telemetry. Firebase first-party only — Firebase Analytics for screen-view counts and aggregate engagement (which screens are reached, country derived from IP, and an anonymized vendor-scoped device identifier called IDFV that resets when you uninstall), plus a small number of subscription-funnel events (paywall shown, trial started, cap reached) that carry no personal information — they only record which feature triggered the event and which subscription plan, if any. Firebase auth logs (sign-in success or failure) are also recorded for security. We do not use third-party analytics SDKs.
- Diagnostics and crash reports. Firebase Crashlytics, on by default. When the app hits an unexpected error, we record the technical context — stack trace, screen name, OS version, device model, anonymized Firebase installation identifier — to help us fix it. We do not attach your account ID, and a context-scrub pass redacts names, phone numbers, email addresses, home addresses, photo URLs, and any field that smells like personal information before the report leaves your phone. You can turn this off any time in Settings → Privacy → Send diagnostic data.
- App attestation tokens. To stop forged traffic from non-genuine builds of KidTag, the app uses Firebase App Check with Apple's App Attest framework. iOS produces a short-lived attestation token that proves the request came from a real, unmodified copy of KidTag on a real Apple device. The token contains no personal information and no advertising identifier; it is not a form of tracking and does not require the App Tracking Transparency prompt.
How data is stored.
KidTag runs on Firebase. Auth handles phone verification, Firestore stores household and event data, and Storage holds photos. Data is scoped per household. Cross-household visibility only exists once both sides accept an explicit trust connection.
What we do. All traffic between your phone and our servers uses TLS 1.2+. Data at rest in Firebase is encrypted with Google-managed keys (Firebase default). Photos in Firebase Storage have an additional Google-managed encryption layer. Access to your data is restricted at the database layer — Firestore security rules enforce that only your household, and any household you've explicitly trusted via a connection invite, can read your records. We do not run advertising on the paid tier, we do not sell data to brokers, and we do not include third-party behavioral-tracking SDKs other than Google AdMob on the free tier. (Whether KidTag accesses your iOS advertising identifier is governed by your App Tracking Transparency choice — see the Advertising section below.)
A note on what changed in v1.0.4. Earlier versions of KidTag encrypted a handful of child fields (allergies, medications, notes, adult phone, address) on the device with a per-household key before upload. We removed that layer in version 1.0.4 because it blocked two things parents need: signing into KidTag on a new phone, and inviting a second parent into the same household to see the same data. With device-bound keys, "new phone" meant "the data is gone," and "second parent" meant "they can't read it." That trade-off didn't earn its keep. Today the same fields are protected by Firestore security rules (only your household and trusted households can read them), Google's at-rest encryption (AES-256, server-side), and TLS in transit. Older records still saved in the previous format are decrypted seamlessly the next time you open them, and flip to the new format on the next save.
On your phone, sign-in credentials live in the iOS Keychain (the same vault iOS uses for app secrets), and the on-device cache is encrypted by iOS Data Protection — unreadable from boot until you first unlock the phone after a restart.
Where data is processed.
KidTag is operated from the United States. Firebase, our hosting platform, may process data in multiple regions around the world. By using the service, you consent to your data being transferred to and processed in the United States and other jurisdictions where Firebase operates. We acknowledge that data residency matters: regardless of which region a particular Firebase server sits in, your data is encrypted at rest with Google-managed keys, and access is restricted at the database layer by Firestore security rules to your household and the households you've explicitly trusted.
What we do not do.
- We do not run personalized advertising by default. If you decline App Tracking Transparency (the default in our UX), all ads on the free tier are non-personalized; if you grant it, ads may be personalized — see the Advertising section for the full breakdown. The paid tier has no ads at all.
- We do not use third-party analytics SDKs (Mixpanel, Segment, Amplitude, etc.). Our telemetry is Firebase first-party only — see "Basic app telemetry" above for what that includes.
- We do not sell data. To anyone. Ever.
- We do not share user or household information with carriers, insurers, data brokers, or ad networks.
- We do not train machine-learning models on user data.
- We do not allow any cross-household visibility that isn't gated by an explicit, accepted trust invite.
Advertising on the free tier.
The free tier of KidTag shows ads provided by Google AdMob. The paid tier has no ads.
The first time you would see an ad, iOS asks whether to allow KidTag to track your activity across other companies' apps and websites. This is the standard App Tracking Transparency (ATT) prompt. Your answer determines what AdMob receives:
- If you decline, dismiss, or never answer the prompt — the default in our UX — ads are non-personalized. Google chooses which ad to show based only on the app's category, your device's language, and a rough country-level location derived from your IP address. We do not send your advertising identifier (IDFA) to AdMob.
- If you allow tracking, AdMob may receive your IDFA so Google can serve more relevant ads. We disclose this to Apple in our App Privacy questionnaire as "Identifiers — Device ID, used for Third-Party Advertising, linked to user." You can change this answer at any time in iOS Settings → Privacy & Security → Tracking or in iOS Settings → KidTag → Allow Tracking.
Either way, what we never send to AdMob:
- Your name, phone number, email, or home address.
- Anything about your household, your trusted connections, or any child.
- Anything from your trusted-circle data — child names, tag notes, allergies, addresses, or photos.
Ads appear only to adult account-holders, and no ad surfaces are placed near child content. If you'd rather have no ads at all (regardless of your ATT choice), upgrade to the paid tier.
Subscription billing.
KidTag Plus is an optional auto-renewable subscription. Plans: $1.99/month or $14.99/year, both with a 7-day free trial. Plus is per-household — one subscription covers every parent and caretaker in the same KidTag household.
Payment is processed by Apple through StoreKit; we never see your card or full Apple ID. What we receive from Apple, and store under your household record:
- Subscription state. Active, in trial, in billing retry, expired, or refunded.
- Plan and renewal date. Which tier, when the next renewal is, and whether auto-renew is on or off.
- Apple transaction identifiers. An anonymized transaction id and original-transaction id used to validate the subscription with Apple's servers and to detect duplicate purchases. These are not your Apple ID.
What we do not receive: your name on file at Apple, your email, your billing address, your card number, or your purchase history outside KidTag. Apple's privacy practices govern that data; ours apply only to what we store on our side.
If you cancel, downgrade, or get a refund: Apple notifies our servers, your household reverts to the free tier at the end of the billing period, and we keep the most recent transaction id for fraud-detection and accounting reasons. The transaction id is removed when you delete your account.
Who can see what.
- You see everything in your household, plus the specific kids and events that connected households have shared with you.
- Other adults in your household see the same as you.
- Parents in a connected household see only the kids and events that have been shared with them via the trust connection. Typically that means the child who's currently at their house, and the tag events for that child.
- KidTag, the company, can see phone numbers (Firebase Auth), relationship structure, and operational logs. KidTag staff and Firebase administrators with production access technically can read your household's Firestore data — child names, tag notes, allergies, addresses. We constrain operator access (minimum staff, minimum frequency, audit logging) and use it only for support and reliability.
- Nobody outside your trusted circle sees anything. There is no public directory, no neighborhood feed, no "discover" tab.
What we honestly cannot promise. "End-to-end encrypted" is a loaded term we deliberately avoid. KidTag's servers can read your household's data — that's how we route push notifications, render the neighborhood map, sync a second parent into the same household, and answer support questions. KidTag staff and Firebase administrators with production access technically can read child names, tag notes, allergies, addresses, and other non-photo data. We treat operator access as we treat any sensitive privilege: minimum staff, minimum frequency, audit logging, and a strict policy against using your data for anything other than fixing your reported issue. If full end-to-end encryption across everything is a hard requirement for your family, KidTag is not the right product today.
Children's privacy.
KidTag is a tool for parents. In this version of KidTag, children do not have accounts and do not sign in. All information about children (first name, optional birth month/year, optional photo, optional allergy or medication notes) is provided by a parent and is visible only to the child's own household and to parents in households that have an accepted trust connection with them.
Where children's information appears in KidTag, it has been provided by the child's parent or legal guardian, who is the user contracting with us under this policy and our Terms. The parent or guardian is responsible for the accuracy and lawfulness of any child information they upload.
In this version of KidTag, we do not collect any data directly from children. We do not sell, transfer, or otherwise share children's information outside the parent's trusted circle. We do not build advertising or behavioral profiles on children. The product is designed to be COPPA-aligned even though it isn't used directly by children.
If a future version of KidTag adds a child-paired-device feature (for example, a way to associate a child's iPhone or Apple Watch with the parent's household so the parent can see the child's location), we will update this policy in advance, refresh our App Privacy disclosures with Apple, and notify active users in-app before that feature ships.
Your rights.
You can delete your account, your household, and all associated data at any time from Settings → Account → Leave & Delete. Deletion cascades across Firestore and Firebase Storage, and any remaining artifacts are cleaned up by a scheduled job.
Data export is planned post-launch. Until then, if you need a copy of your data before deleting, email [email protected] and we'll get you one.
What deletion actually removes, and what it doesn't. Most of your personal data — your account, profile photo, push tokens, accessibility and notification preferences, and your household-membership entry — is removed within 30 days. Two things behave differently, and we want to be honest about both:
- Tag-in and tag-out events you participated in stay on the affected household's record. They're part of that household's own coordination history — the way a friend's house remembers "Sam came over Tuesday at 3pm" — so your display name and profile photo at the time of the event remain attached to that event on their record. We don't delete other people's history of their own kids.
- Encrypted backup snapshots may keep a copy of everything for up to 365 days. We run weekly Firestore backups into a separate, encrypted Cloud Storage bucket so we can recover from accidental data loss; that backup bucket has a 365-day rolling lifecycle policy, after which snapshots roll off automatically. Live data is gone in 30 days; backed-up copies age out within a year.
If your household has an active subscription when you delete your account, the subscription itself continues on the household until Apple's billing period ends (we null out the link to your user record, but we don't cancel Apple's subscription — that's between the household and Apple).
Single-device sign-in.
For security, you can be signed in to KidTag on only one mobile device at a time. Signing in on a new device will sign you out of any other device where you were previously signed in, and push notifications will stop going to the prior device. This protects your household if a phone is lost, given away, or sold without a wipe. If you want to move KidTag to a new phone, just sign in there with the same phone number — the old device will quietly disconnect on its own the next time it talks to our servers.
California residents.
If you live in California, the CCPA and CalOPPA give you the right to:
- Know and access what personal information we've collected about you, where it came from, and how it's used.
- Request a copy of that data in a portable form.
- Request deletion of your data, subject to the same retention behavior described under "Your rights" above (most data within 30 days; backup snapshots age out within 365 days; tag events on other households' records are preserved as part of those households' coordination history).
- Equal service. We won't treat you differently for exercising any of these rights.
- Opt out of the sale of personal information. Easy one: we don't sell personal information, to anyone, ever.
To exercise any of these rights, email [email protected]. We'll respond within 30 days.
If KidTag is acquired or shuts down.
If the service is sold, merged, or wound down, we'll notify active users in-app and give you a reasonable window to export or delete your data before anything transfers. Any acquirer will be bound by this Privacy Policy, or one at least as protective, for data collected before the transfer. If we're shutting down entirely, we'll delete everything.
Changes to this policy.
If we change this policy in a way that affects what we collect or who can see it, we will update the "last updated" date above and notify active users in-app. Minor editorial changes (typos, clarifications) may be made without notice.
Contact.
Questions, corrections, or a data request: [email protected].