Our guiding principle: GuardianAI is designed so that your family's private data never leaves your family's devices. We built a family safety app that does not require us to see your children's messages, browsing history, or personal information.
GuardianAI ("we," "our," or "us") provides a family safety application designed to help parents protect their children in the digital world. This Privacy Policy explains what information we collect, what we do not collect, how we store and protect data, and your rights as a parent or guardian.
This policy applies to the GuardianAI mobile application (for both parent and child devices), our website at guardianaiapp.com, and any related services (collectively, the "Service").
By using our Service, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.
We collect the minimum amount of information necessary to provide our Service. Here is a complete list:
| Data Type | Purpose | Stored Where |
|---|---|---|
| Parent email address | Account creation, login, notifications | Our servers (encrypted) |
| Parent-chosen display names | Family member identification within the app | Our servers (encrypted) |
| Family structure (parent/child roles) | Permissions and alert routing | Our servers (encrypted) |
| Device identifiers (anonymized) | Device pairing, preventing unauthorized access | Our servers (hashed) |
| Encrypted safety alerts | Delivering safety notifications to parents | Our servers (E2EE, unreadable by us) |
| Encrypted weekly digest data | Generating parent-facing activity summaries | Our servers (E2EE, unreadable by us) |
| Screen time configuration | Enforcing limits set by parents | Our servers (encrypted) |
| Web filter settings | Content filtering preferences | Our servers (encrypted) |
| App crash reports (anonymized) | Bug fixing and stability improvements | Our servers (no personal data) |
| Subscription and payment status | Plan management (payment processing handled by Google Play / Apple) | Our servers (encrypted) |
This is equally important. GuardianAI is architecturally designed so that the following data never leaves your child's device and is never transmitted to our servers:
Technical guarantee: Our on-device AI model processes content locally. Only encrypted, summarized safety signals (e.g., "potential cyberbullying detected" with a severity level) are transmitted. The underlying content that triggered the alert is never sent to our servers.
We use the limited information we collect solely for the following purposes:
We do not use your information for advertising, profiling, marketing to children, or any purpose unrelated to providing family safety.
All safety alerts and digest data transmitted between family devices are protected with end-to-end encryption. This means:
For the non-E2EE data we do store (account information, settings, device identifiers):
The core of GuardianAI's safety technology is a lightweight machine learning model that runs entirely on your child's device. This model:
When the on-device model detects a potential concern, it generates a summarized, encrypted alert (category and severity only) that is sent to parent devices. The underlying content remains on the child's device and is not transmitted.
On Apple devices (iOS, iPadOS, macOS, watchOS), GuardianAI uses Apple's Family Controls framework and related platform APIs to provide safety features. Each of these APIs is configured so that the sensitive underlying data stays on the child's device.
We request the Family Controls authorization to enable parental supervision on a child's device. Authorization is granted by an adult guardian during enrollment via Apple's system-level prompt. The opaque token Apple returns is scoped to this app and device and is never transmitted off the device.
We use DeviceActivity to track aggregate app usage and screen time on a child's device for the purpose of generating guardian-facing summaries and enforcing time-based limits set by the guardian. App identifiers and category counts stay on the device. Only aggregated, encrypted summaries (e.g., "2h 14min screen time today, 1 alert") flow to the guardian's device through our end-to-end encrypted channel.
We use Managed Settings to apply guardian-configured restrictions on a child's device -- blocking specific apps, blocking specific web domains, and enforcing safe-content settings. The list of restricted apps and domains is set by the guardian and stored on the child's device. Our Shield Action and Shield Configuration extensions present supportive ("nudge") UI when a child opens a restricted app, encouraging healthy alternatives without shaming. These extensions run on the child's device and have no network access -- they cannot transmit child data anywhere.
On the child's device, we use Apple's Network Extension framework to apply guardian-configured web filtering. Domain matching happens entirely on-device against the guardian's allow/block lists. Domain names visited or attempted are not transmitted to our servers -- only aggregate, anonymized counts of "blocked attempts" flow to the guardian's device through our E2EE channel.
For specific safety features that require location -- Ride-Share Monitor (verifying a child's ride completes safely) and optional Safe-Zone awareness -- we read location on the child's device only. Precise location coordinates are never transmitted to our servers. Only safety-relevant signals (e.g., "trip ended at expected destination", "child entered an area outside the family's declared safe zone") are sent to the guardian's device through our E2EE channel.
For Cross-Guardian Shield -- a feature that lets families anonymously alert each other to high-risk contacts -- we read the child's contact list on the device. Phone numbers are HMAC-hashed locally with a per-family secret. Only the resulting opaque hashes are uploaded into a privacy-preserving Bloom filter. Actual phone numbers, names, and contact details never leave the device.
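A sketch of the hashing step described above, added here as an illustration and not taken from GuardianAI's code. The page specifies only an HMAC with a per-family secret and a Bloom filter; the phone normalization rule, filter size, probe count, and sample secret below are assumptions.

```python
import hashlib
import hmac
import re

# Assumed Bloom filter size (bits) and probes per item; the page gives neither.
BLOOM_BITS = 1 << 16
BLOOM_HASHES = 4
# Constructed sample data: a fixed demo secret and fictional 555-01xx numbers.
FAMILY_SECRET = bytes(range(32))
CONTACTS = ["+1 (555) 010-0199", "555-010-0123"]

def normalize_phone(raw: str, default_cc: str = "1") -> str:
    """Reduce a contact entry to digits so formatting variants hash identically."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return digits
    digits = digits.lstrip("0")  # drop a national trunk prefix (assumed rule)
    return digits if len(digits) > 10 else default_cc + digits

def contact_token(family_secret: bytes, raw_phone: str) -> bytes:
    """HMAC-SHA256 of the normalized number under the per-family secret."""
    msg = normalize_phone(raw_phone).encode("ascii")
    return hmac.new(family_secret, msg, hashlib.sha256).digest()

class BloomFilter:
    def __init__(self, bits: int = BLOOM_BITS, hashes: int = BLOOM_HASHES):
        self.bits, self.hashes = bits, hashes
        self.array = bytearray(bits // 8)

    def _positions(self, token: bytes):
        # The HMAC output is already uniform, so slice it into probe indices.
        for i in range(self.hashes):
            yield int.from_bytes(token[4 * i:4 * i + 4], "big") % self.bits

    def add(self, token: bytes) -> None:
        for p in self._positions(token):
            self.array[p // 8] |= 1 << (p % 8)

    def __contains__(self, token: bytes) -> bool:
        return all(self.array[p // 8] & (1 << (p % 8)) for p in self._positions(token))

def build_upload(family_secret: bytes, contacts: list[str]) -> BloomFilter:
    """What leaves the device in this sketch: a bit array, no numbers or names."""
    bf = BloomFilter()
    for number in contacts:
        bf.add(contact_token(family_secret, number))
    return bf
```

Keying the hash matters because phone numbers come from a small, enumerable space: an unkeyed digest could be matched against every possible number, while an HMAC token is only comparable by a party holding the same secret.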
We use Apple Push Notification Service to deliver guardian alerts. Push payloads carry only opaque alert identifiers; alert content is fetched from our E2EE-encrypted alert store using the family's private key after the push wakes the device.
App extensions on the child's device (content filter, VPN, broadcast capture, shield action) communicate with the main app through a shared App Group container. This storage is local to the child's device and is encrypted by iOS at rest. No App Group data is transmitted to our servers.
Apple platform-API summary: Every Apple safety API we use is configured so that sensitive underlying data (app names, URLs, contact details, location coordinates) stays on the child's device. Our servers see only the aggregate, encrypted, guardian-actionable signals required to make the family's safety dashboard work.
GuardianAI is fully compliant with the Children's Online Privacy Protection Act (COPPA). Our practices include:
As a parent or guardian, you have the following rights regarding your family's data:
You may request a complete copy of all data we store about your family at any time. We will provide this within 30 days of your request.
You may request deletion of all data associated with your family account at any time. Upon receiving your request, we will:
You may revoke consent for data collection at any time by deleting your account through the app settings or contacting us directly. Revoking consent will deactivate the Service on all family devices.
You may update your account information, display names, protection settings, and family structure at any time through the app.
You may export your family's configuration data (settings, screen time rules, filter preferences) in a standard machine-readable format.
| Data Type | Retention Period |
|---|---|
| Account information | Duration of active account + 30 days after deletion |
| Encrypted safety alerts | 90 days (Family Plus) or 30 days (Family / Free), then automatically deleted |
| Encrypted weekly digests | 90 days (Family Plus) or 30 days (Family / Free), then automatically deleted |
| Device identifiers | Duration of device pairing + 7 days after unpairing |
| Screen time and filter settings | Duration of active account |
| Anonymized crash reports | 12 months |
| Payment/subscription records | As required by law (typically 7 years for financial records) |
After the retention period expires, data is permanently and irrecoverably deleted from all systems, including backups, within 30 days.
We use the following third-party services in a limited capacity:
We do not use third-party advertising networks, data brokers, social media tracking pixels, or any service that would expose your family's data to external parties.
We may update this Privacy Policy to reflect changes in our practices or legal requirements. When we do:
If you have questions about this Privacy Policy, wish to exercise your parental rights, or need to report a concern, please contact us:
For urgent matters related to child safety or data breaches, please email security@guardianaiapp.com with "URGENT" in the subject line.