HouseHeld

Privacy Policy

Version 1.0.0 · Effective [EFFECTIVE_DATE]

DRAFT — NOT FOR PUBLIC USE. This document is pending legal review. Placeholders in [brackets] will be finalized by counsel before launch.

1. Who we are

HouseHeld is operated by HouseHeld LLC ([COMPANY_ADDRESS]). This Privacy Policy explains what information we collect, how we use it, and the rights you have. For privacy questions, email privacy@househeld.app.

2. Information we collect

From parents and account holders

  • Email address and password (password hashed at rest)
  • Household name
  • Master PIN (hashed at rest)
  • Payment information for the Verifiable Parental Consent charge (processed by Stripe; we do not store card details)
  • Subscription payment information, if applicable (processed by Stripe)

From children under 13 — COPPA-governed

  • Name and avatar (color or uploaded image)
  • Date of birth (used only to determine under-13 status and badge eligibility)
  • Optional profile PIN (hashed at rest)
  • Chore completions and optional photo proof
  • XP, level, badges earned, points balance, streaks
  • Reward redemptions and allowance payments within the household
  • Expo push notification token (only if notifications are enabled by the parent)

We do not collect biometric identifiers, government-issued identifiers, precise geolocation, contacts, or voice recordings from children.

3. How we use this information

  • To operate the HouseHeld service: authenticate household accounts, display chores, track progress, and deliver notifications
  • To enforce parental controls and approval workflows
  • To process subscription payments and Verifiable Parental Consent charges
  • To communicate service-related updates to parents
  • To diagnose errors and improve reliability (error telemetry)

We never use a child's information for behavioral advertising. We never sell personal information. We do not combine a child's data with data from other services.

4. Verifiable Parental Consent

Before we collect any personal information from a child under 13, we obtain verifiable parental consent as required by COPPA. Our current method is a refundable $0.50 payment-card authorization processed by Stripe. This is an FTC-approved method that confirms the account holder is an adult with a valid payment card. The charge is refunded immediately.

You may withdraw consent at any time. Withdrawing consent disables the child's profile and stops further collection. You may also request full deletion of the child's data — see Section 7.

5. Third parties that process this information

Per the FTC's 2025 COPPA amendments, we disclose every third party that processes personal information:

  • DigitalOcean Spaces — stores chore-proof photos. Integral to the photo-proof feature.
  • Expo Push Notifications — delivers notifications when the parent enables them.
  • Sentry — error telemetry for service reliability. No child identifiers are transmitted.
  • Stripe — processes the VPC authorization and, if applicable, subscription payments. Stripe does not receive children's personal data.
  • Resend — transactional email to parents (password reset, account notices). Does not receive children's data.
  • DigitalOcean — application and database hosting.

A parent may consent to data collection without consenting to disclosure to these third parties beyond what is integral to the service. Separate consent controls appear during sign-up.

6. How long we keep data

Data category                 Retention window
Completed chore instances     365 days after completion
Read notifications            90 days
Point and XP transactions     3 years (audit)
Consent audit records         Life of the account plus 7 years after deletion
All other data                Until the parent deletes the profile or account

7. Your rights as a parent

You have the right, at any time, to:

  • Review all information we have about your child (data export)
  • Delete your child's profile and all associated data
  • Withdraw consent
  • Refuse further collection — the profile is suspended
  • Request corrections to any inaccurate data

Parents can exercise these rights directly in the HouseHeld app (Settings → Child Profiles), or by emailing privacy@househeld.app. We respond within [RESPONSE_WINDOW_DAYS] days. See Parent Data Rights for step-by-step instructions.

8. Security

HouseHeld maintains a written Information Security Program covering designated security personnel, annual risk assessments, safeguards tailored to the sensitivity of child data, regular monitoring, and written security commitments from every third-party processor. We use HTTPS for all data in transit, Argon2 password hashing, short-lived JWT tokens with refresh rotation, and database encryption at rest (DigitalOcean Managed Postgres).

No system is perfectly secure. If we experience a data breach affecting children's personal information, we will notify affected parents within [BREACH_NOTIFICATION_DAYS] days.

9. COPPA

HouseHeld complies with the Children's Online Privacy Protection Act and the 2025 amendments to the COPPA Rule. This means:

  • We obtain verifiable parental consent before collecting personal information from children under 13
  • We provide this Privacy Policy and a direct notice to parents before any collection
  • We offer parents the right to review, correct, or delete their child's data
  • We never condition a child's participation in an activity on disclosing more information than is reasonably necessary
  • We maintain reasonable procedures to protect the confidentiality, security, and integrity of children's information

10. California residents (CCPA and CPRA)

To be drafted by counsel. Must cover: categories of information collected, right to know, right to delete, right to correct, right to opt out of sale or sharing (none occurs), right to limit use of sensitive information, right to non-discrimination, and contact method for exercising rights.

11. EU and UK residents (GDPR)

To be drafted by counsel. Must cover: legal basis for processing, data-subject rights (access, erasure, rectification, restriction, portability, objection), DPO contact, and cross-border transfer mechanism.

12. Changes to this policy

If we materially change how we handle children's information, we will notify parents and request renewed consent. Non-material changes (typographical corrections, clarifications) will be published here with an updated version number.

13. Contact

For any privacy question, concern, or request, email privacy@househeld.app. For general support, email support@househeld.app.

HouseHeld LLC · [COMPANY_ADDRESS] · [PHONE_NUMBER]