Privacy Policy
Last updated: 14 May 2026
This Privacy Policy explains how CanGuru ("CanGuru", "we", "us") collects, uses, shares and protects personal data when you use the CanGuru parental-controls product. CanGuru is delivered as two separate apps that work together, plus our website:
- CanGuru Parent — the app that the parent or legal guardian installs on their own iOS or Android phone or tablet to manage their family;
- CanGuru Kids — the app that the parent installs on the child's Android device, which the child then uses directly on that device;
- the CanGuru website at canguru.family.
Together we call these the "Service".
We have written this policy to be honest and specific rather than generic. If something is unclear, write to us at support@canguru.family.
1. Who is the data controller
The controller of your personal data is [CanGuru Operator OÜ / Ltd — legal entity to be confirmed], a company registered in the European Union at [registered address TBD] (the "Controller").
- General contact: support@canguru.family
- Privacy / data-protection contact: support@canguru.family
For matters specific to the EU General Data Protection Regulation, see also our GDPR Compliance page.
2. Who the Service is for
CanGuru is a parental-controls product for families.
- CanGuru Parent is for the adult parent or legal guardian. Only an adult (18 years or older) may create a CanGuru account, accept these terms, configure rules and approve their child's tasks. The account holder is the family administrator.
- CanGuru Kids is for the child, on their own device. The child does not create an account, does not sign up and does not give us any data themselves; the device is paired with the parent's account using a short numeric code that the parent generates. Once paired, the child sees a personalised view of their tasks, points balance, goals and blocked apps. We do not set a hard minimum age for the child — the parent decides whether CanGuru is appropriate for their child.
The parent or legal guardian is responsible for obtaining any consent required under local law before adding a child to the Service or installing CanGuru Kids on the child's device, and for explaining to the child, in a way appropriate to their age, that the device is monitored.
3. What we collect and why
The categories of personal data we process, what we use them for, and our legal basis under the GDPR, are listed below.
3.1 Parent account data
| Data | Purpose | Legal basis |
|---|---|---|
| Your name, email address and (if you upload one) profile photo | Identify your account and address you correctly | Contract |
| The interface language you chose | Show the apps and our emails in your language | Contract |
| Your password (stored only as a one-way hash) or a sign-in token from Google or Apple, if you signed in with one of them | Authenticate you securely on each sign-in | Contract |
| One-time codes and short-lived magic-links we send to your email | Verify a new email address, reset a forgotten password, sign you in without a password | Contract |
| The platform from which you signed up (iOS, Android, web) | Understand on which platforms parents come to CanGuru | Legitimate interest |
| A subscription customer reference assigned by Apple, Google, RevenueCat or Stripe (we never store card numbers) | Link your account to your paid subscription, if you have one | Contract |
3.2 Family and child data
This is information you enter when you set up your family.
| Data | Purpose | Legal basis |
|---|---|---|
| The name of your family and the role of each adult guardian in it | Let several adults manage the same household | Contract |
| For each child: name, and optionally birth date and avatar; the time zone of the child | Show the child in your dashboard, apply schedules in local time | Contract |
| The parental-control rules you set up for each child (daily limit, schedules, allowed apps, calm mode, etc.) | Apply the rules you configured | Contract |
| Tasks you assigned, whether the child completed them, and any photo proof if you required one | Run the task / reward feature | Contract |
| Points balance, points history, savings goals and "borrowed time" entries | Run the points wallet and the goals feature | Contract |
| Family invite codes and device-pairing codes you generated | Let you invite another guardian or pair a new child device | Contract |
3.3 Child-device data
When you install the CanGuru kids app on a child's Android device and pair it with your family, the device exchanges the following information with our backend:
| Data | Purpose | Legal basis |
|---|---|---|
| A random identifier we generate for the device (not the hardware IMEI or serial number), plus the device name, model, operating-system version and app version | Tell paired devices apart, deliver the right rules to each, help with support | Contract |
| The push-notification token issued to the device by Apple or Google | Send timely notifications to the parent and to the child's device | Contract / OS-level consent |
| Periodic "heartbeats": battery level, network type (Wi-Fi or mobile or none), and whether monitoring is currently active | Show the parent whether the child's device is online; alert you when it has been offline for a long time | Contract |
| Which apps are currently running on the child's device and how many seconds each one was used during the day | Apply screen-time budgets and produce the daily and weekly stats shown to the parent | Contract |
| The list of apps installed on the child's device and a coarse category for each (game, social, video, productivity, etc.) | Let the parent pick which apps are controlled, which are whitelisted and which count against screen time | Contract |
| The child's current screen-time balance, the history of additions and deductions, and any "block now" instruction from the parent | Enforce the time budget and the parent's manual decisions | Contract |
| The active schedules (school time, bedtime, homework, etc.) and any one-off exceptions | Apply the schedule windows you defined | Contract |
| Daily aggregated statistics and a log of actions taken in the family | Show the parent the stats screen and provide an audit trail for support requests | Contract / legitimate interest |
Importantly, the CanGuru kids app does NOT collect any of the following:
- precise or coarse location (we do not request the location permission at all);
- contents of messages, SMS, calls, emails, browser history, or push notifications received by other apps;
- camera images, microphone audio, contacts, calendar, photos or media files;
- hardware identifiers such as IMEI, serial number or advertising ID;
- the web pages the child visited.
The kids app uses Android's app-usage-stats permission, the package-query permission, an accessibility service and a foreground service for the sole purpose of detecting which app is currently in the foreground and, where required, blocking it. It does not read content inside any other app.
3.4 Notifications
| Data | Purpose | Legal basis |
|---|---|---|
| The notifications we have shown you (title, body, the moment you read them) | Show the in-app notification feed and deliver push notifications | Contract |
| Your notification preferences (which categories you want to receive) | Respect your choice on what we send | Consent / contract |
3.5 Technical and diagnostic data
| Data | Purpose | Legal basis |
|---|---|---|
| Server logs — basic information about each request to our backend (timestamp, path, IP address, user identifier) and any error stack trace | Operate and secure the Service, investigate incidents and abuse | Legitimate interest |
| Crash reports from the child's Android app via Firebase Crashlytics (stack trace, operating-system version, device model, an anonymous install identifier) | Find and fix crashes | Legitimate interest |
| The fact that a given user or device is currently connected to our realtime channel (kept briefly in memory) | Power realtime updates between the parent app and the child's device | Contract |
We do not use third-party product-analytics tools (Mixpanel, Amplitude, PostHog, Google Analytics, Segment, etc.). Firebase Analytics, Firebase Performance Monitoring and the Firebase Ads SDK are disabled in our mobile apps. We do not embed advertising SDKs, attribution SDKs (AppsFlyer, Branch, Adjust) or customer-support chat SDKs in the apps.
3.6 Website data
When you visit canguru.family we use cookies and similar technologies only after you agree via our cookie banner. Strictly-necessary cookies (such as your language and your consent state) are always set. For full detail and to change your choice at any time, see the cookie-preferences link in the website footer.
4. How long we keep your data
| Data | Retention |
|---|---|
| Your account, your family, your children and everything they contain (tasks, goals, schedules, settings, paired devices, statistics, activity) | For as long as your account is active. When you delete your account, this data is removed by cascade from our primary database and overwritten in backups within 30 days |
| Authentication sessions and sign-in tokens | Until session expiry (default 30 days) or sign-out |
| Email-verification and one-time codes | A few minutes; deleted automatically after expiry |
| Server access and error logs | Up to 90 days, then deleted or aggregated |
| Crash reports (Firebase Crashlytics) | Up to 90 days under Google's standard retention |
| Encrypted backups | Up to 30 days on a rolling basis, then overwritten |
| Customer-support emails | Up to 3 years from the last contact, or longer if needed to defend a legal claim |
| Invoicing and accounting records (once paid subscriptions launch) | As required by applicable tax law in our country of registration — typically 7 years |
If you ask us to delete your data sooner, we will (subject to the legal-retention exceptions above and to genuine legal-claim defence).
5. Who we share data with (sub-processors)
We do not sell personal data. We share personal data only with the providers we strictly need to run the Service, listed here. Each sub-processor is bound by a data-processing agreement; transfers outside the EEA rely on Standard Contractual Clauses where applicable.
| Sub-processor | Role | Data shared |
|---|---|---|
| Google Firebase Cloud Messaging (Google Ireland Ltd. / Google LLC) | Deliver push notifications to Android devices | Device push token and the notification payload (title, body, action keys, child or task identifier) |
| Apple Push Notification service (Apple Distribution International Ltd. / Apple Inc.) | Deliver push notifications to iOS devices | Device push token and the notification payload |
| Google Firebase Crashlytics (Google Ireland Ltd. / Google LLC) | Collect crash reports from the kids Android app | Crash stack trace, device model, OS version, anonymous install identifier |
| Google Sign-in / OAuth (Google Ireland Ltd.) | Let parents sign in with their Google account, if they choose to | Email, name, profile photo |
| Apple Sign-in (Apple Distribution International Ltd.) | Let parents sign in with their Apple ID, if they choose to | Apple-issued user identifier, email (relay or real, your choice), name |
| Email-delivery provider (a configurable SMTP provider, e.g. Amazon SES, Postmark or similar) | Send transactional emails (verification, password reset, magic link, notifications) | Recipient email and the message content |
| Hosting / cloud provider (to be confirmed; primarily an EU-based cloud provider for application servers and the database) | Run our backend and store the primary database | All data described in Section 3 |
| Apple App Store and Google Play | Distribute the apps and process in-app purchases | Account identifier, purchase status (we do not see your card data) |
| RevenueCat (planned) | Validate in-app subscription receipts | Pseudonymous user identifier, purchase status, country of the store account |
| Stripe (planned, web-based subscriptions only) | Process credit-card payments for web subscriptions | Email and billing details; the card data itself is handled exclusively by Stripe |
We will publish the final hosting region and any new sub-processor on this page at least 30 days before it takes effect, where reasonably possible.
We may also disclose data when legally required to do so (court order, lawful request from a competent authority) or when strictly necessary to defend our legal rights.
6. International transfers
We host CanGuru primarily in the European Union. Some sub-processors (notably Google and Apple, for push notifications and crash reports) may process data in the United States or other countries outside the EEA. For these transfers we rely on:
- the EU–US Data Privacy Framework where the recipient is certified, and/or
- the Standard Contractual Clauses approved by the European Commission, plus appropriate supplementary measures.
You can request a copy of the safeguards in place by writing to support@canguru.family.
7. Your rights
Under the GDPR and equivalent laws (UK GDPR, Swiss FADP) you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Erase your data ("right to be forgotten");
- Restrict processing in certain cases;
- Object to processing based on our legitimate interest;
- Portability — receive a copy of your data in a structured, machine-readable format;
- Withdraw consent at any time, without affecting prior lawful processing;
- Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects (we do not perform such automated decision-making);
- Lodge a complaint with your local data-protection supervisory authority.
You can exercise most of these rights directly inside the parent app:
- Access / rectify: edit your account and your children's profiles in the app.
- Erase: tap "Delete account" in account settings. We cascade-delete the family and all linked child profiles, devices, tasks, goals, wallet entries, schedules and activity. (If you are the primary guardian of a family that has other adult members, transfer ownership first.)
For everything else, or if a button does not work for you, email support@canguru.family. We respond within 30 days (extendable by up to 60 additional days for complex requests, in which case we will tell you).
8. Children's privacy
Children do use CanGuru Kids directly on their own device — they see the in-app screens, their points balance, their tasks and the "blocked" overlay when a controlled app is restricted. We are honest about this: a child is a real user of CanGuru Kids software, even though they do not have an account.
What this means in practice:
- A child cannot sign up, cannot give us their data themselves and cannot accept any agreement with us. The parent or legal guardian does that on the child's behalf, in their capacity as parent or guardian.
- The parent enters the child's name (and optionally birth date and avatar) into their own account.
- The parent installs CanGuru Kids on the child's device and pairs it with the parent's account using a numeric code generated in CanGuru Parent.
- The parent configures which apps are controlled, what schedules apply, and what tasks earn points.
We collect only the minimum information needed for parental controls to function: which apps run on the child's device and for how long, plus device health (battery, network) and identifiers needed to pair and notify the device. We do not:
- show ads to children;
- use behavioural or location-based advertising of any kind;
- profile children for marketing;
- include third-party product-analytics SDKs in CanGuru Kids;
- transfer child data to any party not listed in Section 5.
If you believe a child's data has been added to CanGuru without proper parental authority, email support@canguru.family and we will investigate and, where appropriate, delete the data.
9. Security
We apply industry-standard technical and organisational measures, including:
- TLS in transit, encryption at rest for the production database and for backups;
- Hashed passwords — we never see or store your plaintext password;
- Secure storage of sign-in tokens on devices (iOS Keychain and Android Keystore on the parent app, encrypted shared preferences on the kids app);
- Rate-limiting and abuse protection on authentication endpoints;
- Principle of least privilege for engineering access; audit logging of administrative actions.
No system is perfectly secure. If you believe you have found a vulnerability, please email support@canguru.family — we appreciate responsible disclosure.
10. Automated decision-making
We do not make decisions about you that are based solely on automated processing and that have legal or similarly significant effects. The only "automatic" actions taken by CanGuru are the ones the parent has explicitly configured (e.g., block an app when the daily balance reaches zero, send a notification at the start of school time).
11. Changes to this policy
When we change this Privacy Policy in a material way, we will update the "Last updated" date at the top and, where appropriate, notify you in-app or by email at least 30 days before the change takes effect. The current version is always available at canguru.family/en/privacy.
12. Contact
- General privacy contact: support@canguru.family
- Postal address: [CanGuru Operator OÜ / Ltd, registered address TBD]
- Supervisory authority: you can lodge a complaint with the data-protection authority of your country of residence in the EU/EEA, or in our country of registration.