Privacy Policy
Last updated: 27 April 2026
SudoParent helps parents manage their children's device usage. Your family's privacy is important to us. This policy explains what information we collect, how we use it, and the choices you have.
What we collect
| Data | Purpose | Stored where |
|---|---|---|
| Account info | Parent email and display name, used to authenticate the parent account and label it in the dashboard. | Firebase Authentication + Cloud Firestore |
| Child profiles | Child name, paired status, basic device info, and last-seen timestamp so parents can identify each child's device in the dashboard. | Cloud Firestore |
| Usage data | Per-app daily minutes used, so the agent can enforce time limits and the parent can review usage. | Child device (Room) + Cloud Firestore (synced) |
| Installed app list | Package names of apps on the child device, so parents can set rules against specific apps. | Cloud Firestore |
| Rules & schedules | Time limits, schedules, blocked apps, blocked website categories, and vacation windows configured by the parent. | Cloud Firestore |
| Access requests & overrides | Child-initiated requests for more time, app access, or website access, and the parent's approve / deny decisions. | Cloud Firestore |
| Pairing & invites | Single-use pairing tokens (parent ↔ child) and parent-invite codes (adding a second parent). All expire after use. | Cloud Firestore (Cloud Functions-only writes) |
| Push notification routing | Firebase Cloud Messaging tokens for parent and child devices, used to deliver tamper alerts and access-request notifications. | Cloud Firestore (under each parent / child profile) |
How data flows between devices
Child device: The SudoParent agent collects app usage statistics using Android's UsageStatsManager API. This data is synced to Cloud Firestore so the parent can view it. Rules set by the parent are downloaded from Firestore and enforced locally.
Parent device: The parent dashboard reads usage data and writes rule changes to Cloud Firestore. Push notifications (via Firebase Cloud Messaging) alert parents to access requests and tamper events.
Website blocking: The accessibility service reads the URL of the active browser tab to enforce website blocks. URLs are checked locally on the child device — passive browsing is never stored, transmitted, or logged.
Exception: if your child taps "Request Access" on a blocked website, the bare domain (and category) is sent to the parent device as part of that request, so the parent can see what's being requested. This is the only case in which a URL leaves the device, and only the bare domain — never the full URL with path or query.
All data transmission between devices passes through Firebase infrastructure. No data is sent directly between devices, and no data is sent to third-party services beyond Firebase.
How we store your data
- Cloud storage: All cloud data is stored in Google Cloud Firestore, protected by Firebase Security Rules that ensure each family can only access their own data.
- Local storage: Usage data and cached rules are stored locally on the child device using Room (Android's local SQLite database) and DataStore. The Family PIN is the only secret stored on-device; it is hashed and stored in EncryptedSharedPreferences (AES-256 via the Android Keystore).
- Authentication: Parent accounts use Firebase Authentication with email and password. Passwords are never stored in plain text.
- Child authentication: Child devices authenticate using custom tokens minted by Cloud Functions. Children never need to enter credentials.
Technical detail — every collection we use
For developer-parents and reviewers — the exhaustive enumeration. The categories above are the user-facing summary; this is the schema.
| Path / table / store | Purpose | Surface |
|---|---|---|
| families/{familyId} | Family settings root document (display name, Cringe Mode toggle, active pack). | Cloud Firestore |
| pairingTokens/{token} | Single-use child-pairing tokens (Cloud Functions only — no client read or write). | Cloud Firestore |
| parentInvites/{code} | Single-use parent-invite codes for adding a second parent (Cloud Functions only). | Cloud Firestore |
| families/{familyId}/parents/{parentId} | Parent profile (display name, FCM token). | Cloud Firestore |
| families/{familyId}/children/{childId} | Child profile (name, paired flag, deviceInfo, FCM token, last-seen timestamp). | Cloud Firestore |
| families/{familyId}/children/{childId}/rules/{document} | Per-child rules (per-app limits, schedules, blocked website categories, site overrides, vacation window). | Cloud Firestore |
| families/{familyId}/children/{childId}/usage/{document} | Per-day app usage data, synced from local Room. | Cloud Firestore |
| families/{familyId}/children/{childId}/deviceData/{document} | Installed-apps list, so parents can set rules against specific packages. | Cloud Firestore |
| families/{familyId}/children/{childId}/presence/{docId} | Live agent-status (online / offline, per-browser detection booleans — never URLs). | Cloud Firestore |
| families/{familyId}/children/{childId}/accessRequests/{requestId} | Child-initiated access requests (includes domain for website-access requests). | Cloud Firestore |
| families/{familyId}/children/{childId}/tamperEvents/{eventId} | Append-only tamper-event log (Settings tamper, accessibility-disabled, device-admin deactivated). | Cloud Firestore |
| families/{familyId}/schedules/{scheduleId} | Reusable schedule definitions referenced by per-child rule documents. | Cloud Firestore |
| families/{familyId}/auditLog/{entryId} | Append-only audit log of parent actions (rule changes, vacation toggles, pairings). | Cloud Firestore |
| families/{familyId}/familyPin/{document} | PIN state document (version, configured-at, bypass duration). Never stores the PIN hash itself. | Cloud Firestore |
| families/{familyId}/familyPinAuditLog/{entryId} | Append-only PIN-event audit log (Cloud Functions only). | Cloud Firestore |
| families/{familyId}/pinCommands/{commandId} | Per-dispatch PIN command payloads; child reads via authenticated Firestore (not via FCM data). | Cloud Firestore |
| usage_sessions | Local accumulating per-app usage on the child device; aggregated and synced to Firestore, then pruned. Stored unencrypted at rest by SudoParent — protected by Android filesystem permissions only. | Room (on-device) |
| child_config | Child-mode credentials cache (familyId, childId, childName, cached unlimited apps, PIN-migration completion flag). | DataStore (Preferences) |
| app_mode | App mode selector (PARENT / CHILD / NONE) for the consolidated single-app shell. | DataStore (Preferences) |
| parental_pin_attempts | PIN attempt counter and lockout state (counter only — not the secret). | SharedPreferences |
| parental_bypass_store | Active per-package PIN-bypass windows (e.g., "Settings allowed for 30 minutes"). | SharedPreferences |
| parental_pin_secure | Family PIN hash + salt — the only encrypted local store. AES-256-GCM via the Android Keystore. | EncryptedSharedPreferences |
| deeplinks | One-time deep-link payloads for UI navigation. Not user-secret. | SharedPreferences |
| app_mode_prefs | Synchronous mirror of app_mode for early-bootstrap reads in Application.onCreate(). | SharedPreferences |
Permissions the child agent requires
| Permission | Why it's needed |
|---|---|
| Usage Access (PACKAGE_USAGE_STATS) | Read app usage statistics to track time against limits |
| Accessibility Service | Detect foreground app changes for real-time enforcement; overlay block screens |
| Device Admin | Prevent uninstallation of the agent app |
| Display Over Other Apps | Show block screen when a restricted app is opened |
| Foreground Service (FOREGROUND_SERVICE, FOREGROUND_SERVICE_SPECIAL_USE) | Keep the monitoring agent running continuously. Android 14+ requires the explicit specialUse foreground-service type for parental-control monitoring. |
| Notifications | Show persistent notification for foreground service; receive push messages |
| Camera (CAMERA) | Scan QR codes during initial pairing between parent and child devices. Used only during pairing — not background camera access. |
| Receive Boot Completed (RECEIVE_BOOT_COMPLETED) | Restart the monitoring agent automatically after the child device reboots, so enforcement resumes without parent intervention. |
What we do NOT do
- We do not sell your data to anyone.
- We do not track your child's location.
- We do not read message content, calls, or personal communications.
- We do not record screen content or keystrokes.
- We do not log or store your child's browsing history. URLs are only checked at the moment of navigation; see the website-blocking note above for the one consensual exception.
- We do not share your family's data with advertisers or third parties.
- We do not use your data for profiling, analytics, or any purpose beyond parental control.
Children's privacy
SudoParent is designed to be installed and configured by parents or legal guardians. The child agent is installed on a minor's device under parental consent and supervision. We collect only the minimum data necessary for parental control functionality.
Children cannot create accounts or provide personal information directly. All configuration is controlled by the authenticated parent.
Your rights
- View your data: All collected data is visible in the parent dashboard.
- Delete your data: Unpairing a child device removes their data from Firestore. Deleting your parent account removes all associated data.
- Data export: Request a copy of your data by contacting us.
- Withdraw consent (parent app): Open the child profile and tap Unpair. The child device signs out, monitoring stops, and the uninstall-protection gate clears automatically.
- Withdraw consent (child device): Enter the Family PIN (set by the parent during pairing) on the Settings tamper-block overlay to deactivate device admin, then uninstall the agent normally. Without the Family PIN, the child agent is uninstall-protected by design.
Changes to this policy
We may update this policy from time to time. We will notify you of significant changes through the app. The "Last updated" date at the top of this page reflects the most recent revision.
Questions about your privacy?