GDPR Compliance
Last updated: 14 May 2026
This page explains how CanGuru complies with Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and equivalent laws (UK GDPR, Swiss FADP). It is a companion to our Privacy Policy and our Terms of Service. Where this page and the Privacy Policy use different language for the same topic, both documents are intended to say the same thing — the Privacy Policy is the more detailed reference.
1. Data controller and contact
The controller of personal data within the meaning of GDPR Art. 4(7) is:
[CanGuru Operator OÜ / Ltd — legal entity to be confirmed] [Registered address, city, postal code, country — EU Member State, TBD] Email: support@canguru.family
We have not appointed a statutory Data Protection Officer because our processing does not meet the thresholds of GDPR Art. 37(1). You can still address any data-protection question to support@canguru.family; we will route it to the right person internally.
Because the controller is established in the EU, no separate EU representative under GDPR Art. 27 is needed.
2. Purposes of processing and legal bases
For every purpose we process personal data, we identify the legal basis required by GDPR Art. 6. For each purpose we also indicate the data categories used.
| Purpose | Data categories | Legal basis |
|---|---|---|
| Create and operate your account (sign-up, sign-in, profile, family creation) | Email, name, hashed password or sign-in token from Google or Apple, language, profile image | Contract — Art. 6(1)(b) |
| Deliver the parental-controls features (child profiles, paired devices, screen time, schedules, tasks, goals, wallet, notifications) | Child profile, device identifier, app-usage information, balance and points history, schedules, push tokens | Contract — Art. 6(1)(b) |
| Process subscriptions and payments (free vs Premium, in-app purchase validation) | Subscription customer reference, plan, status | Contract — Art. 6(1)(b) |
| Send transactional emails (verification, password reset, billing notices) | Email address, message content | Contract — Art. 6(1)(b) |
| Send service push notifications (task approved, low balance, schedule starting, etc.) | Push tokens, notification content, your notification preferences | Contract — Art. 6(1)(b) and, for OS-level notification permission, consent — Art. 6(1)(a) |
| Provide customer support | Email correspondence, basic account context | Contract / legitimate interest — Art. 6(1)(f) (running a responsive support service) |
| Secure the Service and prevent abuse (rate-limiting, abuse detection, server logs, dispute investigation) | IP address, request metadata, error stack traces, activity log | Legitimate interest — Art. 6(1)(f) |
| Diagnose crashes and fix bugs (Firebase Crashlytics on the kids Android app) | Stack trace, OS version, device model, anonymous install identifier | Legitimate interest — Art. 6(1)(f) |
| Comply with legal obligations (tax law, response to lawful authority requests) | Invoicing data, identifiers needed to respond to a request | Legal obligation — Art. 6(1)(c) |
| Defend our legal rights (retain limited records during a dispute) | Whatever is strictly necessary | Legitimate interest — Art. 6(1)(f) |
| Marketing emails (if and when we send them) | Email address, language | Consent — Art. 6(1)(a), withdrawable at any time |
| Cookies on the website (non-essential) | Cookie identifiers as listed in the cookie banner | Consent — Art. 6(1)(a), via the consent banner |
We do not rely on consent as a legal basis for the core parental-control features; those are processed on the basis of contract (you sign up to get them) and we cannot deliver the Service without them. You always remain free to delete your account, which deletes the data.
3. Categories of data subjects
We process personal data of:
- Parents and legal guardians who hold a CanGuru account;
- Children whose profile a parent has created and, where applicable, whose device has been paired with the parent's account;
- Other adult guardians that the primary guardian invited to a family;
- Website visitors at canguru.family;
- People who contact our support team.
4. Where data comes from
Personal data is obtained:
- From you, when you sign up, configure your family, install one of our apps and use the Service;
- From your device or the child's device, where the kids app collects screen-time and device-health signals it needs to enforce your rules;
- From identity providers (Google, Apple) if you choose to sign in with one of them — we receive only the basic profile (identifier, email, name).
We do not buy personal data from data brokers, and we do not enrich profiles from external sources.
5. Children's data (GDPR Art. 8)
CanGuru is delivered as two separate apps: CanGuru Parent, which the adult installs on their own device, and CanGuru Kids, which the parent installs on the child's Android device. The child uses CanGuru Kids directly — they see the in-app screens, their points balance, their tasks and the block overlay when a controlled app is restricted. We do not offer CanGuru Parent to children, do not allow children to create an account, and do not market to children.
Personal data about a child is processed only because:
- an adult parent or legal guardian has created the child profile inside their own CanGuru Parent account; and
- that adult has accepted these Terms and this GDPR document on the child's behalf, in their capacity as parent or guardian, and installed CanGuru Kids on the child's device.
We treat the parent's act of accepting these documents and pairing CanGuru Kids as the authorisation of the holder of parental responsibility required under GDPR Art. 8(1) for the processing of the child's personal data. We do not set a hard minimum age for the child; the parent decides whether CanGuru Kids is appropriate for their child.
We collect the minimum information needed to provide parental controls. We do not perform behavioural advertising, do not profile children for marketing, do not include third-party product-analytics SDKs in CanGuru Kids, and do not share child data with anyone outside the sub-processors listed in Section 7 below.
If you believe a child's data has been added to CanGuru without proper parental authority, please email support@canguru.family; we will investigate and, where appropriate, delete the data without undue delay.
6. Your rights under the GDPR
Articles 15–22 give every data subject the following rights. We honour them for every user of the Service (not only EU residents). For requests concerning a child, the request must come from the parent or legal guardian who owns the family account.
6.1 Right of access (Art. 15)
You have the right to be told whether we process personal data about you and, if so, to get a copy of it. The parent app already shows you most of the data live (your family, children, tasks, devices, statistics, activity log). For data that is not visible in the UI, you can ask us in writing and we will provide a copy.
6.2 Right to rectification (Art. 16)
You have the right to correct inaccurate or incomplete data. Most fields are editable directly in the app (your name, email, child name, child birth date, etc.). For anything you cannot edit yourself, write to us.
6.3 Right to erasure (Art. 17)
You can delete your account in the parent app. This cascade-deletes the family, all child profiles, paired devices, tasks, goals, wallet entries, schedules, settings and activity log from our primary database. Encrypted backups are overwritten on a rolling basis (typically within 30 days). The limited categories we may keep for longer — invoicing records to comply with tax law, evidence needed to defend a legal claim, support emails for a limited period — are listed in Section 4 of the Privacy Policy.
6.4 Right to restriction (Art. 18)
You may ask us to pause processing while a question (for example, the accuracy of your data) is being resolved. While restricted, we keep the data but do not actively process it.
6.5 Right to object (Art. 21)
You may object to processing based on our legitimate interest (mainly security logging, crash reporting, support, abuse prevention). We will weigh your specific situation against our interest and, unless compelling legitimate grounds override, stop the processing.
You may always object to direct marketing, in which case we stop it immediately, no questions asked. (As of today we do not send marketing.)
6.6 Right to data portability (Art. 20)
For data you provided to us (account, family, child profile, tasks, goals, schedules) we will give you, on request, a machine-readable export in JSON format. Write to support@canguru.family.
6.7 Right to withdraw consent (Art. 7)
Where processing is based on consent (currently: non-essential cookies on the website, OS-level notifications, future marketing emails), you can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing done before withdrawal.
6.8 Right not to be subject to solely automated decisions (Art. 22)
We do not take decisions about you that are based solely on automated processing and that produce legal or similarly significant effects. The "automatic" actions CanGuru takes (blocking an app, sending a notification) are direct executions of rules the parent has configured, not automated decisions about the parent themselves.
6.9 Right to lodge a complaint (Art. 77)
You may lodge a complaint with your local supervisory authority (typically the data-protection authority of your country of residence in the EEA). A list of authorities is available on the European Data Protection Board website.
6.10 How to exercise your rights
Email support@canguru.family. To protect you from impersonation, we may ask you to confirm the request from the email address registered to the account. We respond within one month (Art. 12(3)); the deadline can be extended by two further months for complex requests, in which case we will tell you within the first month and explain why. Exercising your rights is free of charge, except for manifestly unfounded or excessive requests, where we may charge a reasonable fee or refuse to act (Art. 12(5)).
7. Sub-processors and data sharing
The full, up-to-date list of sub-processors is in Section 5 of the Privacy Policy. In summary, we use:
- Hosting — an EU-based cloud provider for application servers and the database (final region to be confirmed; we will publish it on this page).
- Push notifications — Google Firebase Cloud Messaging (Android, web) and Apple Push Notification service (iOS).
- Identity providers — Google Sign-in and Apple Sign-in, if you choose to use them.
- Email delivery — a configurable SMTP provider.
- Crash reporting on the kids Android app — Google Firebase Crashlytics.
- Subscriptions — Apple App Store and Google Play in-app purchases, with planned RevenueCat receipt validation; Stripe for any future web-based subscriptions.
Each sub-processor is bound by a Data Processing Agreement under GDPR Art. 28. We carry out reasonable due diligence on each processor before engaging them.
We do not use product-analytics tools (Google Analytics, Mixpanel, Amplitude, PostHog, Segment), do not embed advertising or attribution SDKs (AppsFlyer, Branch, Adjust, AdMob), and do not use customer-chat SDKs in the apps.
8. International transfers (GDPR Chapter V)
We host CanGuru primarily in the European Union. Some sub-processors — most notably Google (Firebase Cloud Messaging, Firebase Crashlytics, Google Sign-in) and Apple (Apple Push Notification service, Sign in with Apple) — may process data in the United States or other countries outside the EEA.
For such transfers we rely on:
- the EU–US Data Privacy Framework where the recipient is certified under it; and/or
- the Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914); and
- supplementary technical and organisational measures where required by a transfer-impact assessment.
A copy of the safeguards in place for a specific transfer is available on request from support@canguru.family.
9. Retention
Specific retention periods are listed in Section 4 of the Privacy Policy. In short:
- Account, family, children, devices and the controls data: while the account is active; deleted on account deletion.
- Server logs: up to 90 days.
- Crash reports: up to 90 days (Google's standard).
- Backups: rolling, up to 30 days.
- Support emails: up to 3 years from the last contact.
- Invoicing records (when paid subscriptions launch): as required by tax law in our country of registration, typically 7 years.
10. Security (GDPR Art. 32)
We protect personal data with measures appropriate to the risk, including:
- Encryption in transit (TLS) and at rest for the production database and backups;
- Hashed passwords; we never see your plaintext password;
- Secure storage on devices — iOS Keychain and Android Keystore for sign-in tokens on the parent app, encrypted shared preferences on the kids Android app;
- Rate-limiting on authentication and other sensitive endpoints;
- Least-privilege access for engineering, with audit logging of administrative actions;
- Regular dependency updates and review of third-party SDKs.
In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware (GDPR Art. 33), and we will notify you without undue delay where the risk is high (Art. 34).
11. Profiling and automated decisions
We do not carry out automated decision-making that produces legal or similarly significant effects on you within the meaning of GDPR Art. 22. The "automatic" behaviour of the Service (blocking an app at zero balance, sending a notification at the start of school time) is a direct execution of rules you have configured.
We do not build behavioural profiles for advertising and we do not sell any personal data.
12. Records of processing and impact assessment
We maintain a Record of Processing Activities as required by GDPR Art. 30 and have carried out a Data Protection Impact Assessment for the kids-app monitoring features (app-usage tracking on a child's device) as required by GDPR Art. 35, in view of the systematic monitoring of a vulnerable category of data subjects. The impact assessment is available to supervisory authorities on request; a summary can be shared with users at our discretion.
13. Changes to this page
We will update this page when our processing or our sub-processors change in a material way. We will update the "Last updated" date at the top and, for material changes, give you at least 30 days' notice in-app or by email, where reasonably possible.
14. Contact
- Email: support@canguru.family
- Postal address: [CanGuru Operator OÜ / Ltd, registered address TBD]
- Supervisory authority: the data-protection authority of your country of residence in the EU/EEA, or of our country of registration.