Privacy Policy

Effective Date: April 4, 2026 · Last Updated: April 28, 2026

Our guiding principle: GuardianAI is designed so that your family's private data never leaves your family's devices. We built a family safety app that does not require us to see your children's messages, browsing history, or personal information.

1. Introduction

GuardianAI ("we," "our," or "us") provides a family safety application designed to help parents protect their children in the digital world. This Privacy Policy explains what information we collect, what we do not collect, how we store and protect data, and your rights as a parent or guardian.

This policy applies to the GuardianAI mobile application (for both parent and child devices), our website at guardianaiapp.com, and any related services (collectively, the "Service").

By using our Service, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.

2. Information We Collect

We collect the minimum amount of information necessary to provide our Service. Here is a complete list:

| Data Type | Purpose | Stored Where |
| --- | --- | --- |
| Parent email address | Account creation, login, notifications | Our servers (encrypted) |
| Parent-chosen display names | Family member identification within the app | Our servers (encrypted) |
| Family structure (parent/child roles) | Permissions and alert routing | Our servers (encrypted) |
| Device identifiers (anonymized) | Device pairing, preventing unauthorized access | Our servers (hashed) |
| Encrypted safety alerts | Delivering safety notifications to parents | Our servers (E2EE, unreadable by us) |
| Encrypted weekly digest data | Generating parent-facing activity summaries | Our servers (E2EE, unreadable by us) |
| Screen time configuration | Enforcing limits set by parents | Our servers (encrypted) |
| Web filter settings | Content filtering preferences | Our servers (encrypted) |
| App crash reports (anonymized) | Bug fixing and stability improvements | Our servers (no personal data) |
| Subscription and payment status | Plan management (payment processing handled by Google Play / Apple) | Our servers (encrypted) |

3. Information We Do NOT Collect

This is equally important. GuardianAI is architecturally designed so that the following data never leaves your child's device and is never transmitted to our servers:

Technical guarantee: Our on-device AI model processes content locally. Only encrypted, summarized safety signals (e.g., "potential cyberbullying detected" with a severity level) are transmitted. The underlying content that triggered the alert is never sent to our servers.

4. How We Use Your Information

We use the limited information we collect solely for the following purposes:

We do not use your information for advertising, profiling, marketing to children, or any purpose unrelated to providing family safety.

5. Data Storage and Security

End-to-End Encryption (E2EE)

All safety alerts and digest data transmitted between family devices are protected with end-to-end encryption. This means:

Server Security

For the non-E2EE data we do store (account information, settings, device identifiers):

6. On-Device Processing

The core of GuardianAI's safety technology is a lightweight machine learning model that runs entirely on your child's device. This model:

When the on-device model detects a potential concern, it generates a summarized, encrypted alert (category and severity only) that is sent to parent devices. The underlying content remains on the child's device and is not transmitted.

7. Apple Platform Integrations and Family Controls

On Apple devices (iOS, iPadOS, macOS, watchOS), GuardianAI uses Apple's Family Controls framework and related platform APIs to provide safety features. Each of these APIs is configured so that the sensitive underlying data stays on the child's device.

Family Controls (FamilyControls.framework)

We request the Family Controls authorization to enable parental supervision on a child's device. Authorization is granted by an adult guardian during enrollment via Apple's system-level prompt. The opaque token Apple returns is scoped to this app and device and is never transmitted off the device.

Device Activity (DeviceActivity.framework)

We use DeviceActivity to track aggregate app usage and screen time on a child's device for the purpose of generating guardian-facing summaries and enforcing time-based limits set by the guardian. App identifiers and category counts stay on the device. Only aggregated, encrypted summaries (e.g., "2h 14min screen time today, 1 alert") flow to the guardian's device through our end-to-end encrypted channel.

Managed Settings (ManagedSettings.framework) and Shield Extensions

We use Managed Settings to apply guardian-configured restrictions on a child's device -- blocking specific apps, blocking specific web domains, and enforcing safe-content settings. The list of restricted apps and domains is set by the guardian and stored on the child's device. Our Shield Action and Shield Configuration extensions present supportive ("nudge") UI when a child opens a restricted app, encouraging healthy alternatives without shaming. These extensions run on the child's device and have no network access -- they cannot transmit child data anywhere.

Network Extensions (Content Filter, VPN)

On the child's device, we use Apple's Network Extension framework to apply guardian-configured web filtering. Domain matching happens entirely on-device against the guardian's allow/block lists. Domain names visited or attempted are not transmitted to our servers -- only aggregate, anonymized counts of "blocked attempts" flow to the guardian's device through our E2EE channel.

Location (CoreLocation)

For specific safety features that require location -- Ride-Share Monitor (verifying a child's ride completes safely) and optional Safe-Zone awareness -- we read location on the child's device only. Precise location coordinates are never transmitted to our servers. Only safety-relevant signals (e.g., "trip ended at expected destination", "child entered an area outside the family's declared safe zone") are sent to the guardian's device through our E2EE channel.

Contacts (Cross-Guardian Shield)

For Cross-Guardian Shield -- a feature that lets families anonymously alert each other to high-risk contacts -- we read the child's contact list on the device. Phone numbers are HMAC-hashed locally with a per-family secret. Only the resulting opaque hashes are uploaded into a privacy-preserving Bloom filter. Actual phone numbers, names, and contact details never leave the device.

Push Notifications (APNs)

We use Apple Push Notification Service to deliver guardian alerts. Push payloads carry only opaque alert identifiers; alert content is fetched from our E2EE-encrypted alert store using the family's private key after the push wakes the device.

App Group and Cross-Process Storage

App extensions on the child's device (content filter, VPN, broadcast capture, shield action) communicate with the main app through a shared App Group container. This storage is local to the child's device and is encrypted by iOS at rest. No App Group data is transmitted to our servers.

Apple platform-API summary: Every Apple safety API we use is configured so that sensitive underlying data (app names, URLs, contact details, location coordinates) stays on the child's device. Our servers see only the aggregate, encrypted, guardian-actionable signals required to make the family's safety dashboard work.

8. COPPA Compliance

GuardianAI is fully compliant with the Children's Online Privacy Protection Act (COPPA). Our practices include:

Verifiable Parental Consent

Minimal Collection from Children

No Behavioral Advertising

9. Parental Rights

As a parent or guardian, you have the following rights regarding your family's data:

Right to Access

You may request a complete copy of all data we store about your family at any time. We will provide this within 30 days of your request.

Right to Delete

You may request deletion of all data associated with your family account at any time. Upon receiving your request, we will:

Right to Revoke Consent

You may revoke consent for data collection at any time by deleting your account through the app settings or contacting us directly. Revoking consent will deactivate the Service on all family devices.

Right to Modify

You may update your account information, display names, protection settings, and family structure at any time through the app.

Right to Data Portability

You may export your family's configuration data (settings, screen time rules, filter preferences) in a standard machine-readable format.

10. Data Retention

| Data Type | Retention Period |
| --- | --- |
| Account information | Duration of active account + 30 days after deletion |
| Encrypted safety alerts | 90 days (Family Plus) or 30 days (Family / Free), then automatically deleted |
| Encrypted weekly digests | 90 days (Family Plus) or 30 days (Family / Free), then automatically deleted |
| Device identifiers | Duration of device pairing + 7 days after unpairing |
| Screen time and filter settings | Duration of active account |
| Anonymized crash reports | 12 months |
| Payment/subscription records | As required by law (typically 7 years for financial records) |

After the retention period expires, data is permanently and irrecoverably deleted from all systems, including backups, within 30 days.

11. Third-Party Services

We use the following third-party services in a limited capacity:

We do not use third-party advertising networks, data brokers, social media tracking pixels, or any service that would expose your family's data to external parties.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. When we do:

13. Contact Information

If you have questions about this Privacy Policy, wish to exercise your parental rights, or need to report a concern, please contact us:

For urgent matters related to child safety or data breaches, please email security@guardianaiapp.com with "URGENT" in the subject line.