Privacy Policy
Version 2026-06-13. Effective 13 June 2026. (Previous version: 2026-06-12.)
Contents
- Who we are
- Scope of this policy
- What we collect
- How we use it
- Legal basis (GDPR)
- Who we share it with
- Children's data (COPPA, GDPR-K)
- The AI assistant
- Proof photos
- International transfers
- How long we keep data
- Security
- Your rights
- How to exercise your rights
- Changes to this policy
- Contact
- Regulators
1. Who we are
FamOwl (the "app," "we," "us") is operated by Simon Singh, a sole operator based in New Zealand. Simon Singh is the data controller for the purposes of the NZ Privacy Act 2020 and the UK/EU GDPR.
General contact: hello@famowl.app. Privacy, data-rights and legal contact: compliance@famowl.app.
2. Scope of this policy
This policy covers the FamOwl mobile application on iOS and Android, the account and subscription services that back it, and famowl.app and its subdomains. It does not cover any third-party site or service we link to — those operate under their own policies.
3. What we collect
3.1. From a parent, at sign-up
| Item | Where stored | Purpose |
|---|---|---|
| Email address | Firebase Authentication | Log in, reset password, send transactional email. |
| Password | Firebase Authentication (salted + hashed, never in plaintext) | Log in. |
| Display name you choose | Cloud Firestore | Shown in the app so the family knows who did what. |
| Accepted Terms and Privacy Policy versions, plus timestamps | Cloud Firestore | Audit record of consent. |
3.2. About each kid profile you create
Kids never sign in to FamOwl themselves. When you add a kid profile, you — as the parent or legal guardian — provide the following on the child's behalf:
| Item | Where stored | Purpose |
|---|---|---|
| Display name (first name, nickname, or whatever you pick) | Cloud Firestore | Label the profile in the app. |
| Optional avatar photo | Firebase Storage | Display in the app. |
| Optional avatar colour | Cloud Firestore | Visual theming. |
| Your guardian-consent record (your parent uid, the timestamp, the policy version you accepted) | Cloud Firestore | Our audit that you authorised us to process this child's data. |
| Optional birth year (year only — set only if you enable Kid Hoot) | Cloud Firestore | Picks an age-appropriate strictness band for kid-chat safety moderation. Optional; clearable any time. |
We do not ask for or store a kid's full date of birth, legal name, school, home address, phone number, or any contact detail. The one optional exception is a birth year (the year only — never a full date of birth) that you may set if you turn on Kid Hoot, so the safety moderation can pick an age-appropriate strictness band — see section 8. It is optional, you can clear it at any time, and no year set simply means the strictest band applies. Kid profiles cannot message or be messaged by anyone outside your household.
3.3. Usage data (created by using the app)
- Missions, rewards, wishes, badges, long-term projects, family calendar events, kid-set goals — the content you and your household create.
- Activity log — an append-only ledger of events ("X completed Y," "A verified B," "reward C redeemed"). Used to power the activity feed.
- Points balance and lifetime earned per kid, plus streak counters.
- Mission completion proof photos you or your household upload. See section 9.
- AI assistant conversations if you choose to use the premium AI assistant. See section 8.
- Push notification tokens, if you opt in to notifications.
3.4. Diagnostic and analytics data (optional)
FamOwl can send Firebase Analytics a stream of product-interaction events (for example: paywall shown, mission created, reward redeemed). We use this data in aggregate only — to understand flows like onboarding completion, never to profile individual accounts. It never includes your kids' names, mission titles, reward titles, photo content, or AI prompts — we enforce this with a hard-coded allow-list in the app and a block-list on keys that look like names or URLs. Analytics is also force-disabled whenever a kid profile is active on-device, with no way to override that.
How consent works: at sign-up you'll see an analytics checkbox with this disclosure. In regions with notice-based privacy laws (for example New Zealand, Australia, the United States) the box is pre-ticked; in the EEA, UK, and Switzerland it is presented unticked and analytics only runs if you actively opt in. Either way, one tap in Settings → Privacy & data turns it off at any time.
Firebase Crashlytics collects anonymised crash reports (stack trace, device model, OS version). This is gated on the same analytics opt-in.
3.5. Purchase data
If you buy a FamOwl Premium subscription, Apple (or Google Play) processes the payment. We never see your payment card, bank details, or billing address. RevenueCat, our subscription-management provider, receives your anonymised app user id (your Firebase uid), the subscription SKU, and entitlement status. We use that data to unlock premium features.
3.6. What we don't collect
- No advertising identifiers (IDFA, GAID), no third-party ad networks, and no behavioural or targeted advertising — and never any advertising targeted at a child using their data.
- No microphone, speech recognition, location, contacts, health or financial data.
- No third-party tracking SDKs, no behavioural profiling, no fingerprinting.
- No data about people outside your household.
4. How we use it
- To run the app — sign you in, sync your household's content between devices, compute points balances, send mission-completion push notifications.
- To process your subscription if you buy one.
- To answer your questions when you email us.
- To improve the app — only if you've opted in to analytics. We look at aggregate flows (how many parents complete onboarding, how often users hit the paywall), never individual accounts.
- To comply with legal obligations — respond to lawful data requests, keep records the law requires us to keep.
- To protect FamOwl from abuse — detect obvious misuse of the AI assistant (hard usage caps), prevent households from exceeding subscription limits.
We don't sell your personal data to data brokers, build advertising profiles about you, or train AI on your personal data or any individual child's data. (We may use aggregated, de-identified patterns — never tied to a person — to improve our own systems; see section 8.)
5. Legal basis (GDPR / UK GDPR only)
If you're in the European Economic Area, the United Kingdom, or Switzerland, our legal bases under Article 6 GDPR are:
| Processing | Basis |
|---|---|
| Running the app for you, handling subscriptions, processing account data | Performance of a contract (Art. 6(1)(b)) |
| Processing your kids' data (names, optional photos, mission activity) | Your consent as the parent / legal guardian, given at kid-profile creation (Art. 6(1)(a); Art. 8 for children's data) |
| The AI assistant (sending household context to OpenRouter), including the optional kid-facing chat | Your explicit opt-in consent in the AI consent sheet (Art. 6(1)(a); Art. 8 where you enable the kid-facing chat, given by you as the parent/guardian) |
| Proof photos (upload + 30-day retention) | Your explicit opt-in consent on first photo upload (Art. 6(1)(a)) |
| Analytics and crash diagnostics | Your explicit opt-in in Settings (Art. 6(1)(a)) |
| Security, abuse prevention, keeping legally-required records | Legitimate interests (Art. 6(1)(f)) / legal obligation (Art. 6(1)(c)) |
You can withdraw any consent-based processing at any time in the app (Settings → Legal & privacy → Manage consents, or Delete my account). Withdrawing consent doesn't affect processing we did before you withdrew it.
6. Who we share it with
We work with a small set of service providers ("sub-processors") that process data on our instructions. We do not share your data with anyone else for any other purpose.
| Provider | What they do for us | Where they store your data |
|---|---|---|
| Google (Firebase: Auth, Firestore, Storage, Cloud Functions, Analytics, Crashlytics, Remote Config) | Hosts FamOwl's accounts, data, files, backend logic, and (if you opt in) analytics and crash reports. | United States (with some Google-managed backups in other regions; see Firebase's privacy page). |
| OpenRouter, Inc. (only if you use the AI assistant) | Routes your assistant prompts to an approved model, under our zero-data-retention and no-training account settings. See section 8. | United States. |
| Anthropic, Google AI, or OpenAI (downstream model providers, selected by OpenRouter) | Generate the actual assistant response. | United States. |
| Exa (web search — only when Hoot looks something up) | Runs the web search when Hoot needs current information and returns result snippets to the model. For kids, searches are restricted to a curated kid-safe domain allowlist. | United States. |
| RevenueCat, Inc. | Manages auto-renewing subscriptions across Apple and Google billing. | United States. |
| Apple / Google Play | Processes your subscription payment. We receive only the purchase receipt, never your payment details. | Varies by platform. |
| Firebase Cloud Messaging (Google) | Delivers push notifications when a kid finishes a mission, when a wish is proposed, when kid-chat moderation needs a parent, etc. | United States. |
| Cloudflare | Hosts famowl.app (this site) and handles DNS/TLS. | Global edge network; no user data routed through it. |
Each of these providers is contractually obliged (either directly via a data-processing agreement we've signed, or through their standard DPA we've accepted) to only process your data on our instructions and to keep it secure.
We may disclose information if we're legally compelled to — for example, a court order. We will push back on overbroad requests and notify you unless a gag order forbids it.
We never sell, rent, or trade your personal data. We may publish or share aggregated, de-identified statistics — for example, how many families used a feature, or how many children in a broad age band engaged with a sponsored item — but only where the numbers cannot identify you, your family, or any individual child, and never any personal information.
Business transfers. If FamOwl is ever involved in a merger, acquisition, or sale of assets, your data may transfer to the acquirer, who would be bound by commitments at least as protective as this policy. We will notify parents before any transfer of children's data.
Sponsorships and aggregate insights (not active today)
FamOwl is funded by subscriptions, and that's how we plan to keep it. We are reserving the option to do two things in the future, and we will update this policy and ask for your consent before switching either on:
- Clearly-labelled sponsorships. We may feature sponsored content (for example, in articles) or sponsored rewards. Any sponsored reward is added or approved by a parent before a child ever sees it; sponsorships are always labelled; and they are contextual — never targeted using a profile of you or your child, and never behavioural advertising.
- Aggregated, de-identified insights. We may share with a sponsor or partner aggregate figures — such as how many parents used a sponsored reward, or how many children in a broad age band engaged with an item. These are statistics only, broad enough that no individual family or child can be identified, and they never include personal information.
What we will never do: sell your personal data, run third-party ad networks, show behavioural or targeted ads, target advertising at a child using their data, or share any personal information about a child with a sponsor.
7. Children's data (COPPA and GDPR-K)
FamOwl is intended for use by parents and legal guardians aged 18 or older. Kids do not have their own accounts and cannot sign up independently.
Parent verifiable consent
When you create a kid profile, you are telling us that you are the parent or legal guardian of that child and that you consent to us processing their name, optional avatar, and activity history for the purposes described in this policy. We record this consent (your parent uid + timestamp + the policy version) and store it alongside the kid's profile.
Under the US Children's Online Privacy Protection Act (COPPA), we treat the parent's signup (with a financial instrument tied to the App Store account and a captcha/email-verified login) plus explicit in-app guardian consent as verifiable parental consent for children under 13. If you turn on Kid Hoot, the separate in-app AI consent you give as the parent also covers the disclosure of your child's chat messages to our AI providers for the purpose of generating and moderating replies, as described in section 8.
Under the EU/UK GDPR (GDPR-K), you are the lawful basis for our processing of your child's data until they reach the age where they can provide their own consent (13 to 16 depending on country).
Data minimisation for kids
We deliberately collect as little as possible about kids:
- No real name required — only the display name you pick.
- No date of birth, age, school, address, phone, email.
- No kid-to-kid or kid-to-stranger communication — every kid-visible surface is scoped to the parent's household.
- Kid names are replaced with first initials (for example, "A.") before any data is sent to the AI assistant, unless you explicitly opt in to sharing full names.
- Proof photos auto-delete 30 days after a mission is verified.
Your rights as a parent
You can, at any time, inside the app: (a) review every field stored about your kid, (b) edit or delete a kid profile, (c) download a machine-readable copy of your family's data, (d) delete your whole account. See section 13.
We will not knowingly accept kid sign-ups outside of the parent-mediated flow. If you believe a child has somehow created an account without their parent's consent, email compliance@famowl.app and we'll delete it promptly.
8. The AI assistant
FamOwl includes an AI assistant that helps the parent manage the household (for example: "Create a daily brushing mission for my 8-year-old"). It is a premium feature, disabled by default, and requires explicit opt-in on first use.
What we send to the AI
When you message the assistant, we send a condensed snapshot of your household to OpenRouter (which may route to Anthropic, Google, or OpenAI), all of which process it in the United States: your message, recent missions, rewards, wishes, activity, and — only if you've explicitly opted in — your kids' first names. By default kids appear as first initials only (for example, "A."). If you've turned on Kid Hoot, your child's chat messages and Hoot's replies are also sent for processing, subject to the moderation and safeguards below. We may in future move some or all of this processing on-device or onto our own infrastructure; if we do, we will update this policy.
We never send proof photos, avatars, email addresses, push tokens, subscription data, or data from outside your household.
Model training
We never train AI models on your data — yours or your kids' — and we never will. We configure our OpenRouter account to disable model training and prompt logging and to route only to provider endpoints that operate under a zero-data-retention policy (the provider should not store your prompts or the AI's replies once a request is answered), and we instruct OpenRouter to exclude free or training-eligible endpoints. What we cannot do is independently audit or guarantee the internal practices of every third-party provider — those are settings the providers control, not something we can guarantee the way we can for our own Firebase backend. If a provider's practices, or our routing, change in a way that affects you, we will update this policy and re-prompt you for consent.
Separately, we may use aggregated, de-identified behaviour patterns — never an individual child's records, never personal information — to improve our own systems, including a future FamOwl-operated AI that we may run on our own infrastructure. That is different from training on your personal data, which we do not do.
Limits and kill-switches
Free-tier households can send up to 3 AI messages per month; premium households up to 500 per month, with a hard 50-per-day cap as a safety rail. We can disable the assistant remotely without an app release (a global kill-switch) if OpenRouter, a downstream provider, or our infrastructure needs emergency maintenance.
Accuracy disclaimer
AI-generated responses can be wrong. You should review anything the assistant suggests (especially mission creation, point awards, or advice) before acting on it. The assistant is not a replacement for parenting judgement.
Looking things up on the web
Hoot can search the web for current information when it helps answer a question (for example, a recent fact or result). When it does, the search runs through OpenRouter's web-search tool, powered by Exa (a US search provider): the model sends a short search query — not your whole conversation — and Exa returns result snippets that Hoot uses to answer. For the kid-facing chat, web searches are restricted to a curated allowlist of kid-safe sources, results are kept brief, source links are not shown to the child, and Hoot's answer still passes the kid-safety moderation check before your child sees it. Web search is the one AI step not covered by our zero-data-retention setting (it reaches Exa), so we keep what's sent to a minimal query.
Kid Hoot chat (optional, off by default)
Premium parents can optionally let a kid chat with the assistant ("Hoot"). This is off by default and only a parent can enable it. When enabled:
- Parents can always read kids' chats — every kid conversation is visible in the parent's Hoot tab, and the kid-facing UI says so.
- Each exchange is safety-reviewed. Each kid message and each reply passes an automated moderation check designed to catch unsuitable content before it reaches your child. No automated check is perfect, so this reduces — but cannot completely eliminate — the chance of unsuitable output; please keep an eye on your child's chats. If something is flagged, the kid's chat pauses, all parents are notified with age-appropriate talking points, and only a parent can unlock it. The automatic pause is a safety rail — not a final automated decision about your child; a parent's review and unlock is the human decision. Hoot is software, not a person, and is not a counsellor or emergency service.
- Birth year (optional). You can set a kid's birth year so moderation uses an age-appropriate strictness band. We deliberately collect the year only — never a full date of birth. No year set = the strictest band applies. You can clear it at any time in Manage kids.
- Per-kid daily message caps (default 10, parent-tunable) limit usage, and kids never see prices or upgrade prompts.
Turning it off
You can turn the assistant off at any time in Settings → Legal & privacy → Manage consents (and kid chat separately under Settings → Kid Hoot). Turning it off stops all future AI processing; past conversations remain in your account until you delete them.
9. Proof photos
You or your kid can optionally attach a photo to a completed mission ("look, I did it!"). These photos are:
- Uploaded to Firebase Storage in the United States, scoped to your household only.
- Accessible only to members of your household — no one else has read access, including us except when strictly necessary for debugging, and only on your written authorisation.
- Never sent to the AI assistant.
- Automatically deleted 30 days after the mission is verified, by a scheduled job that runs nightly.
We ask for explicit consent the first time you or a kid tries to attach a photo. You can also wipe every proof photo at once from Settings → Legal & privacy → Manage consents → Delete all proof photos.
We strongly recommend you don't use proof photos for anything you wouldn't be comfortable being in Google Cloud for up to 30 days — even though they're access-scoped to your household, nothing is invulnerable.
10. International transfers
FamOwl is operated from New Zealand. Your data is transferred to, stored in, and processed in the United States by our service providers: Google (Firebase, including Firebase Cloud Messaging) and RevenueCat for the core app, and — only if you use the AI assistant — OpenRouter and the model provider it routes to (Anthropic, Google, or OpenAI), plus Exa when Hoot looks something up on the web. If you turn on the kid-facing chat, your child's messages and the AI's replies form part of that transfer to OpenRouter and the model provider. New Zealand's Privacy Act 2020 Information Privacy Principle 12 requires us to tell you this explicitly, and to take reasonable steps to keep your data protected. We rely on:
- Google's and RevenueCat's standard data-processing agreements and their certifications under the EU–US Data Privacy Framework.
- Our zero-data-retention configuration with OpenRouter — under which neither OpenRouter nor the underlying model providers store your prompts or the AI's replies after a request is served — together with OpenRouter's published data-processing terms (see section 8).
- NZ Privacy Act 2020 assessment of the US as a destination (accepting that protections differ, which you acknowledge by using FamOwl and by enabling its AI features).
If you are in the EEA or UK, we rely on the EU Commission's Standard Contractual Clauses (SCCs) or the UK Addendum as the lawful transfer mechanism for exports to Google and RevenueCat. For the AI providers we rely primarily on the zero-data-retention configuration described above; where a signed Data Processing Addendum with SCCs is available from OpenRouter, we put it in place.
11. How long we keep data
| Data | Retention |
|---|---|
| Your parent account (email + profile) | Until you delete your account. Then: immediate hard delete. |
| Kid profiles + their mission activity + their balances | Until you delete the kid profile or your whole account. Then: immediate hard delete. |
| Proof photos | 30 days after the mission is verified. Or immediately if you use "Delete all proof photos." |
| AI conversations | Until you delete the conversation or your account. |
| Subscription + billing records | Retained by Apple / Google / RevenueCat per their policies; we keep only the derived entitlement state. |
| Analytics events (Firebase) | 14 months, Firebase default. |
| Crashlytics reports | 90 days, Firebase default. |
| Firestore backups | Rolling 30-day window. |
| Your correspondence with us | Up to 2 years for support continuity; purged after that unless you opened a legal dispute. |
When you delete data or your account, the live copies are removed immediately. Any residual copies in our rolling backups are overwritten within 30 days, and AI providers configured for zero data retention do not keep your prompts or replies after a request is served.
12. Security
Security is a moving target. What we do today:
- Every Firebase read and write is gated by server-side security rules that scope data to the owning household. There is no physical path for one household to read or write another household's data.
- Parent passwords are hashed by Firebase Authentication; we never see plaintext passwords.
- All traffic between your device and our backend is encrypted in transit (TLS 1.2+).
- Firebase encrypts data at rest in Google Cloud.
- API keys for third-party providers (OpenRouter, webhook secrets) are stored in Google Secret Manager and only accessed by our backend. They are never shipped in the mobile app.
- The AI assistant has automatic usage caps (3/month free, 500/month + 50/day premium) as a guard against abuse and runaway cost.
- We log and alert on anomalous backend activity.
If we ever experience a breach that affects your data, we will notify you without undue delay and in any case within the legal timelines (72 hours for GDPR; "as soon as practicable" for the NZ Privacy Act). Notification will go to the email address on your account, and where the law requires we will also notify the relevant regulator (for example, the UK ICO or the NZ Office of the Privacy Commissioner).
13. Your rights
Regardless of where you are, you can:
- Access and download your data — in the app: Settings → Legal & privacy → Download my data. You get a JSON file covering your profile, your household's missions, rewards, activity, and every kid in your household. Other household members' private fields (email, push tokens) are stripped.
- Correct your data — edit your profile, household name, kid profiles, missions, rewards directly in the app.
- Delete your data — in the app: Settings → Legal & privacy → Delete my account. If you're the sole parent in the household, your entire household is immediately hard-deleted (missions, rewards, photos, kids, everything). If you share the household with a co-parent, your personal data is deleted and your authored-by fields are scrubbed. Deletion is immediate — no 14-day grace window.
- Withdraw consent — turn off the AI assistant, revoke share-names-with-AI, turn off analytics, delete all proof photos — all from Settings → Legal & privacy.
- Object to processing — email us at compliance@famowl.app and we'll sort it out.
- Data portability (GDPR Art. 20 / NZ IPP 7) — the "Download my data" export is a structured, commonly-used, machine-readable format.
- Lodge a complaint — see section 17.
California and CCPA / CPRA
California residents have additional rights under the California Consumer Privacy Act as amended by the CPRA: the right to know what personal information we have collected about you, the right to request deletion, the right to correct inaccuracies, the right to opt out of "sale" or "sharing" of personal information (we don't sell or share for cross-context behavioural advertising), the right to limit use of sensitive personal information, and the right not to be discriminated against for exercising these rights. Submit any request to compliance@famowl.app; we verify your identity via the email on your account and respond within 45 days. Where your browser or device sends a Global Privacy Control signal, we honour it as an opt-out of sale/sharing — though note we do not sell or share your personal information in the first place.
14. How to exercise your rights
The fastest route is inside the app. Every right above is a one-tap action in Settings → Legal & privacy.
If you prefer email: compliance@famowl.app. Include the email address on your FamOwl account so we can verify you. We respond within:
- 20 working days (NZ Privacy Act 2020),
- 30 days (GDPR; extendable to 60 for complex requests),
- 45 days (CCPA; extendable to 90).
We don't charge for these requests. If a request is clearly excessive or repetitive, we may push back and ask you to narrow it.
15. Changes to this policy
We update this policy as the app changes or as laws change. Each new version has a bumped version string (see the top of this page). When we make a material change — for example, a new third-party processor, or a broader data-collection purpose — the FamOwl app will show you a re-consent modal on next launch so you can review and re-accept before continuing. Minor typographical changes happen silently.
Past versions are available on request.
16. Contact
- General support: hello@famowl.app
- Privacy, data-rights, legal: compliance@famowl.app
- Postal address: available on request by emailing compliance@famowl.app.
17. Regulators
If you're unhappy with how we've handled your data and you don't feel we've resolved it, you can complain to your local data-protection authority. In particular:
- New Zealand: Office of the Privacy Commissioner.
- United Kingdom: Information Commissioner's Office (ICO).
- EEA: your member-state supervisory authority (list on the EDPB website).
- California: the California Privacy Protection Agency.
We'd rather you talk to us first so we can fix things quickly.