Data Retention Policy

Why this policy exists

The U.S. Children's Online Privacy Protection Act (COPPA), as amended in 2025, requires us to keep a child's personal information only for as long as is reasonably necessary for the purpose we collected it, and to write down — for each kind of information — why we collect it, why we need to keep it, and when we delete it. This policy is that written record. It is also reproduced inside our Privacy Policy, which is the notice we present to you.

Our retention principle

We collect the minimum needed to run the chore-and-rewards feature, keep each item only while it serves that purpose, and then delete it. We do not retain children's information to build profiles, train models, or for advertising. When information is no longer reasonably necessary, we delete it and take reasonable measures to protect it during deletion.

What we keep, why, and for how long

• Child chore photo (review copy) — Purpose: let you review and dispute a graded chore. Why we keep it briefly: you need to see the work to confirm or overrule the grade. Deletion: automatically deleted after roughly 72 hours by a launch-time sweep plus a read-time filter that treats an expired photo as already gone. Photo location metadata (EXIF/GPS) is stripped on the device before the photo ever leaves the phone.
• Transient grading image — Purpose: produce one AI grade. Why we need it: the grade cannot be computed without the image. Deletion: held only in our grading service's request memory and discarded the moment the grade is produced — never written to a file, record, or log, and not retained by the AI provider (zero-data-retention).
• Gem ledger and balance — Purpose: track gems earned and redeemed. Why we keep it: the running balance is the heart of the app. Contents: identifiers, integers, and cryptographic signatures only — no names or photos. Deletion: retained in your family's iCloud while the account is active; removed when you delete the child or the account.
• Chore submissions and reward redemptions — Purpose: give you an audit trail of what was submitted and redeemed. Why we keep it: you need history to manage the household. Deletion: retained while the account is active; cascade-deleted when the child or account is removed.
• Device pairing code — Purpose: let a child's device join your household once, during setup. Contents: a child identifier and a short code. Deletion: expires 24 hours after creation and is swept on the next app launch; also deleted when the child is removed.
• Parental consent record — Purpose: evidence that verifiable parental consent was obtained, which the law requires us to be able to show. Contents: a version stamp and timestamp — no contact details beyond your own account. Deletion: retained while the account is active as a compliance record.
• Age-verification signal — Purpose: a one-time check that the person setting up the app is an adult. Deletion: never stored — it is reduced to a yes/no result and immediately discarded, and is never reused for the child's age.
• Child nickname, age group, and personality — Purpose: run and personalize the chore feature. Note: this is a nickname you choose, not the child's real name. Deletion: retained while the account is active; deleted when the child or account is removed.

How deletion actually happens

Your family's data lives in your own iCloud (Apple CloudKit), not on our servers. Review photos carry an expiry and are removed by an automatic sweep when the app launches; reads ignore anything already past its window. Deleting a child removes that child's entire data zone — chores, submissions, redemptions, photos — and the associated ledger, balance, and mirror records. Deleting your account cascades the same deletion across every child. The transient copy of a photo sent for grading is discarded as soon as the grade is returned.

Your rights as a parent

You can review your child's photos and grades, overrule any result, and request deletion of a child's information or your entire account at any time using the in-app controls or by contacting us at [privacy@your-domain]. Withdrawing consent disables further photo collection.

Changes & contact

If we materially change what we keep or for how long, we will update this policy and the Privacy Policy and ask you to review the change. Questions: [Operator legal name], [privacy@your-domain].