Privacy Policy for Bee Kid (Bee Kid)

Effective Date: May 15, 2026

1. Introduction and Data Controller

Welcome to Bee Kid ("we," "our," or "us"). The data controller for the purposes of GDPR Art. 4(7), UK GDPR, KVKK Md. 3, and similar laws is Göktuğ Başaran (sole developer/operator), located in Istanbul, Turkey, reachable at dev.goktugbasaran@gmail.com. We have not appointed a Data Protection Officer, as the scale and nature of processing do not require one under GDPR Art. 37(1).

This Privacy Policy explains how Bee Kid collects, uses, and safeguards information when you use our mobile application (the "App") on iOS and Android.

Legal Bases for Processing

We process personal data on the following legal bases under GDPR, UK GDPR, KVKK, and similar regimes:

• Explicit consent — for the processing of children's location, device, and app-usage data, and for cross-border transfer where required. Consent is obtained from the parent or legal guardian during onboarding and per-child pairing.
• Performance of contract — for delivering the parental-control service you have requested (rule sync, push notifications, account management).
• Legitimate interests — for pseudonymous analytics, crash reporting, abuse prevention, and security. We balance these interests against your rights and freedoms and offer mechanisms to object.
• Legal obligation — to comply with applicable law, court orders, and regulator requests.

2. Our Core Privacy Commitment

Bee Kid is designed to be privacy-first.

• Family Data is Synced via Firebase: Your family data (child names, rules, location, PIN codes) is stored and synchronized using Google Firebase/Firestore. All data is encrypted in transit (TLS) and at rest. We do not maintain a separate proprietary backend server to mine your data.
• Pseudonymous Analytics: We use Google Firebase Analytics to collect pseudonymous product usage statistics (events tied to a generated install ID, never to your name or your child's specific identity). This helps us improve the app and is never used for advertising.

3. Information We Collect

Bee Kid collects data to provide parental control and safety features. This data is categorized as follows:

A. Family & Device Data (Stored in Firebase Firestore)

To facilitate communication between Parent and Child devices, the following data is stored in Firebase Firestore:

• Device Information: Unique identifiers, device names, device model, battery level, charging state, and permission statuses to manage connections and monitor device health.
• Child Profiles: Names/nicknames you assign to children.
• Blocking Rules & Schedules: The configuration of your downtime and restrictions. On iOS, we utilize Apple's privacy-preserving 'opaque tokens' for app selection, meaning we never know specifically which apps you have chosen to restrict. On Android, app identifiers (package names) are stored to enforce blocking rules.
• Installed Apps (Android only): On Android child devices, we collect the list of installed applications (package names and categories) to enable app blocking features.
• Screen Time Data: Daily screen time usage and per-app usage duration on child devices.
• Website Blocking Rules: Domain names configured by the parent for website blocking.
• Activity Logs: History of blocked attempts on child devices.
• PIN Codes: Secure hashes (SHA-256 with salt) stored for parent authentication.

B. Location Data

Bee Kid collects location data to enable the "Family Map" and safety features.

• Data Collected: Precise location (latitude/longitude), speed, course, altitude, and battery level of the Child Device, along with a human-readable place name and street address that are reverse-geocoded from these coordinates on the device and stored together with the location entry.
• Purpose: To allow parents to view the current location and location history of their children.
• Collection Method: Location is collected in the background (via significant change monitoring) and on-demand (when requested by the parent).
• Storage: Location data is uploaded to Firebase Firestore to be shared with the authorized Parent device.

C. Camera Access

The App uses the device camera solely for scanning QR codes during the device pairing process. No images or video are captured, stored, or transmitted.

D. Push Notifications

We use Firebase Cloud Messaging (FCM) to deliver push notifications between parent and child devices. This includes rule update notifications, blocked app attempt alerts, and on-demand location requests. FCM tokens are stored in Firebase to route notifications to the correct devices.

E. App Usage & Subscription Data (Processed by Third Parties)

To maintain and improve the App, we use the following third-party services. These services collect data that is not linked to your private family content.

• Firebase Analytics: Used for pseudonymous event collection to understand how users interact with the app.
  • Data Collected: Pseudonymous usage events (e.g., "Screen Viewed", "Button Tapped"), device type information, and aggregate user properties (such as number of children configured, subscription status, rule count). Events are tied to a generated install identifier, not to your account or your child's identity, and are never used for advertising.
• Firebase Crashlytics: Used to collect crash reports and diagnostics to improve app stability.
  • Data Collected: Crash logs, device model, OS version, and stack traces. No personal or family data is included.
• App Store / Google Play: Subscriptions are managed through the respective platform's billing system (Apple App Store or Google Play Store).
  • Data Collected: Purchase history and subscription status. Payment details are handled entirely by Apple/Google and are never shared with us.

4. How We Use Your Information

We use the collected information for the following purposes:

1. To Provide Services: Enforcing screen time rules, tracking device location for safety, and delivering notifications between family devices.
2. To Synchronize Data: Ensuring rules, status, and location are consistent across family devices via Firebase Firestore.
3. To Improve the App: Analyzing pseudonymous usage patterns via Firebase Analytics to identify bugs and popular features.

5. Data Sharing and Disclosure

We do not sell your personal information. We share data only with the following service providers to operate the App:

• Google (Firebase/Firestore): For data synchronization, push notifications, pseudonymous usage analytics, and crash reporting.
• Google Maps: For displaying child location on an interactive map.
• Apple Inc. (iOS only): For Location Services and Screen Time API infrastructure on iOS devices.
• RevenueCat: For processing and managing in-app subscriptions. Receives the App Store / Google Play purchase receipt and a generated app user identifier; does not receive your child's data or precise location.

Legal Compliance: We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or a government agency).

Internal Access: Authorized personnel of Bee Kid (currently the sole developer/operator) may access stored data for the limited purposes of technical support, debugging, abuse prevention, security incident investigation, and operational maintenance. Such access is restricted on a need-to-know basis, is logged via Google Cloud audit logs, and is never used for advertising, profiling, or marketing. Personnel are bound by confidentiality obligations.

International Data Transfers: Your data is processed and stored on Google Cloud servers located in the United States (Firestore multi-region nam5). Transfers from the European Economic Area, the United Kingdom, Turkey, and other jurisdictions outside the United States are made under Google's Data Processing and Security Terms, which incorporate the European Commission's Standard Contractual Clauses (SCCs) as the legal mechanism for cross-border transfer, together with supplementary technical safeguards (TLS encryption in transit and AES-256 encryption at rest). Under Turkish KVKK, this transfer relies on the adequate safeguards mechanism (Md. 9) provided by these Standard Contractual Clauses. By using the App you acknowledge that your data will be transferred to and processed in the United States under this framework.

6. Children's Privacy

Bee Kid is explicitly designed to assist parents in managing their children's device usage.

• Parental Authorization: In compliance with the Children's Online Privacy Protection Act (COPPA), the App is intended to be configured by a parent or legal guardian. By using the App to monitor a child under 13, you represent that you are the child's legal guardian and you authorize the collection of data from their device solely for the purpose of providing parental control features.
• Strict Usage Limits: We do not use any data collected from a child's device for advertising, profiling, or marketing purposes. Access to this data is strictly limited to the operation of the App's safety features.
• Parental Control: Data collection (including location) on a child's device only occurs after a parent has installed the App, paired the device, and explicitly authorized permissions.

7. California Residents (CCPA/CPRA Notice)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information.

A. Categories of personal information collected

In the past 12 months we have collected the categories listed in Section 3 above: identifiers (Firebase Auth UID, device IDs), commercial information (subscription status), internet/network activity information (app usage events, blocked-attempt logs), geolocation data (precise location of child devices), and inferences from app interaction. We do not collect categories of "sensitive personal information" as defined in §1798.140(ae) beyond precise geolocation, which is already disclosed and processed for the parental-control service.

B. Purposes

We use this information solely to provide the parental-control service, deliver notifications between paired devices, maintain account security, and improve the App via aggregated diagnostics. We do not sell or share personal information for cross-context behavioral advertising, and we do not use it to profile California residents.

C. Your rights under CCPA/CPRA

• Right to know: request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to delete: request deletion of your personal information. You can exercise this directly through Settings → "Reset App" or by emailing us.
• Right to correct: request correction of inaccurate personal information.
• Right to opt out of sale/sharing: we do not sell or share personal information, so there is nothing to opt out of, but you may submit a verifiable request to confirm this.
• Right to limit use of sensitive personal information: precise geolocation is processed only to provide the parental-control service you have authorized.
• Right to non-discrimination: we will not deny service, charge different prices, or provide a different level of quality if you exercise these rights.

D. Children under 16 (CCPA §1798.120(c))

We do not knowingly sell or share the personal information of California residents under 16 without affirmative authorization (opt-in). For children under 13, COPPA verifiable parental consent applies and overrides; for children 13 to 15, the minor's own affirmative consent is required in addition to parental authorization.

E. How to exercise your rights

Submit a verifiable consumer request by emailing dev.goktugbasaran@gmail.com with subject line "CCPA Request" and a description of your request. We will verify your identity using information already on file (Firebase Auth UID, email associated with the App Store purchase) and respond within 45 days as required by §1798.130(a)(2).

8. Data Retention and Deletion

• Retention: Your data remains in Firebase Firestore as long as you use the App. To minimize data exposure, location history is automatically deleted after 14 days.
• In-App Data Deletion: You have full control over your data. You can delete all your data directly from the App:
  • Parent device (iOS & Android): Go to Settings > "Reset App". This permanently deletes all family data from our servers, including all children profiles, rules, locations, activity logs, and your account.
  • Child device (iOS & Android): Go to Settings > "Reset Device" (requires parent PIN). This removes all parental controls, deletes child data from our servers, and returns the app to its initial setup state.
• Upon reset, your data is immediately archived and made inaccessible from the App. All archived family data is then permanently deleted from our Firebase servers within 14 days by an automated daily background cleanup process.
• Alternative: You can also request data deletion by emailing us at dev.goktugbasaran@gmail.com.

9. Your Rights (GDPR / UK GDPR)

If you are located in the European Economic Area, the United Kingdom, or a jurisdiction with similar data-protection law, you have the following rights with respect to your personal data:

• Right of access (Art. 15) — to obtain confirmation of whether we process your personal data and a copy of that data.
• Right to rectification (Art. 16) — to have inaccurate or incomplete data corrected.
• Right to erasure ("right to be forgotten") (Art. 17) — to have your personal data deleted, subject to certain exceptions. You can exercise this directly via Settings → "Reset App" in the parent device, which permanently archives and deletes all family data within 14 days.
• Right to restriction of processing (Art. 18) — to have processing limited in certain circumstances.
• Right to data portability (Art. 20) — to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
• Right to object (Art. 21) — to object to processing based on legitimate interests, including profiling. We do not perform profiling for marketing.
• Right to withdraw consent (Art. 7(3)) — at any time, with effect from the moment of withdrawal. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal. You can withdraw consent by removing the child (per-child consent) or resetting the app (family-level consent).
• Right not to be subject to automated decision-making (Art. 22) — we do not engage in solely automated decision-making with legal or similarly significant effects on you.
• Right to lodge a complaint with a supervisory authority (Art. 77) — you may lodge a complaint with your local data-protection authority (for EEA residents) or the Information Commissioner's Office in the UK (ico.org.uk). You can find the list of EU supervisory authorities at edpb.europa.eu.

How to exercise your rights: email dev.goktugbasaran@gmail.com with the subject "GDPR Request" (or "UK GDPR Request") and a description of the right you wish to exercise. We will verify your identity using information already on file and respond within one month as required by Art. 12(3).

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by updating the "Effective Date" at the top of this policy and, if the changes are significant, by providing a prominent notice within the App.

11. Contact Us

If you have any questions or suggestions about our Privacy Policy, do not hesitate to contact us at:

Email: dev.goktugbasaran@gmail.com