App Privacy Policy
Last updated: June 18, 2026
This policy explains what data The Regulated Child collects, where it goes, and what you can do about it. We've tried to write it in plain English — no legalese. If anything here is unclear, email us at hello@regulatedchild.com.
A note on who this is for: The Regulated Child apps are built for parents and caregivers — the adult is the user. The content you enter often describes a child (your observations of their behavior). Section 8 explains how we treat that.
1. What we collect
When you use a Regulated Child app, three kinds of data are involved:
On your device only — never sent to us
- Your behavior tracker entries, state-signature notes, written reflections, regulation-clock notes, the scripts you mark as effective, and anything else you type or select in the apps. This lives only in your browser's local storage on your device. You can inspect or delete it at any time.
Sent to us
- Your email address — used to confirm your purchase and unlock the paid apps, and (only if you opt in through one of our free tools) to send you marketing.
- A short-lived request count tied to your IP address, used only to rate-limit our functions and prevent abuse. It is held briefly in memory, not stored, and not linked to your identity.
Sent only when you click an AI button
- The structured observations and the freeform text you've written, sent for AI analysis. Your email and purchase identity are never included. See section 4 for exactly what this means.
We do not use cookies. We do not run analytics. We do not store your AI prompts or AI responses on our servers.
2. How we use it
- Your email verifies your purchase so the paid apps unlock, and is used for marketing only if you opted in. You can unsubscribe from marketing anytime via the link at the bottom of any email we've sent.
- The rate-limit count prevents abuse of our functions. It is not used for anything else and is not joined to your identity.
We do not profile you, sell your data, or share it with advertisers.
3. Who we share data with
We use a small number of third-party services, each with a specific purpose:
- Anthropic — processes the content you send when you click an AI button. Anthropic does not train its models on API inputs. Inputs may be retained by Anthropic for up to 30 days for abuse monitoring. We are currently pursuing a Zero Data Retention agreement with Anthropic that would eliminate this 30-day window.
- Klaviyo — sends marketing emails only if you opted in via one of our free apps. Klaviyo receives the email address and the name you provide, plus which app you signed up from.
- Shopify — processes purchases on regulatedchild.com. Shopify's own privacy policy governs that step. We receive only the email tied to your order.
- Netlify — hosts the apps and the supporting functions, and stores the email-to-purchase record that unlocks the paid apps. Receives network-level information (IP address, request metadata) inherent to serving any website.
- Google Fonts — the apps load typefaces from Google Fonts. Google receives standard network information (IP address, request metadata) when fonts load. No app content or email is sent.
We do not sell your data. We do not share it with advertisers.
4. AI processing — what gets sent and what doesn't
Several features in the paid apps use AI to analyze what you enter — for example "Decode this behavior," "Analyze my patterns," "Coach my signature," and "Generate AI-enhanced report" in the Behavior Decoder Workbook, and "Find my script" and "Personalize this script" in the In-the-Moment Scripts Pack. Before your first AI request, the app shows you a consent screen describing what follows. Here is what happens:
- Your structured observations and the reflections you've written are sent to Anthropic for pattern analysis. Your email stays on your device.
- If you've written your child's name into your reflections, that text will be included in the request. Consider using a first initial or nickname.
- Anthropic does not train models on this data. They may retain it for up to 30 days for abuse monitoring. We're currently pursuing a Zero Data Retention agreement that would eliminate this 30-day window.
- If our system detects language suggesting abuse, self-harm, or a child in immediate danger, the response will surface crisis-appropriate guidance instead of the usual analysis.
The AI is constrained by a system policy enforced in our code: it is instructed to frame behavior through a nervous-system lens, never to give clinical, diagnostic, medical, IEP, 504, or special-education guidance, and to avoid pathologizing language. Crisis language (such as references to self-harm, abuse, or a child in danger) is intercepted before any request reaches the AI, and we return crisis resources — call or text 988, text HOME to 741741, or call 911 in an emergency — instead of an AI analysis.
If you do not want your data processed by an AI service, do not click the AI buttons. All other app features work without them.
5. Where your data lives
| Data | Location |
|---|---|
| Behavior tracker, state signature, reflections, regulation clock, marked scripts | Your device (browser local storage) |
| Email address tied to purchase | Netlify (our backend) and Shopify |
| Marketing-subscribed email and name | Klaviyo |
| AI request body | Transient at Anthropic (up to 30 days) |
6. Your rights and controls
- Access: Open your browser's DevTools → Application → Local Storage to inspect any data stored by the apps.
- Delete on this device: Each paid app has a "Manage my data" link in the footer that wipes your tracking, notes, and AI-consent record from the device. Your purchase access is preserved, so you don't have to re-enter your email.
- Delete from our backend: Email us at hello@regulatedchild.com and we will remove your email from the purchase record (and request deletion of your Klaviyo profile) within seven days.
- Opt out of marketing: Use the unsubscribe link in any email we've sent.
If you live in the EU, UK, or California, you also have rights under GDPR or CCPA. Email us to exercise them.
7. Security
We take reasonable steps to keep your data safe:
- All traffic to our apps is HTTPS-only, with HTTP Strict Transport Security enabled across subdomains.
- A Content Security Policy restricts what the apps are allowed to connect to, which protects the data stored on your device.
- A Permissions Policy disables camera, microphone, and location access.
- Per-IP rate limits protect the AI and purchase-verification functions from abuse.
- Purchase verification is handled server-side from a record populated by Shopify's order webhook.
- We do not log AI prompts or responses on our servers, and errors from the AI service are sanitized before they reach you.
- Crisis-language interception returns support resources instead of an AI analysis.
8. Children and the child you're describing
The Regulated Child apps are designed for adult parents and caregivers. We do not knowingly let anyone under 18 create an account or make a purchase, and we do not knowingly collect data directly from a child.
Because these apps help you understand a child's behavior, the notes and reflections you write often describe your child. That content stays on your device and is never sent to us. It is sent to our AI provider only when you click an AI button. To protect your child's privacy, we recommend using a first initial or nickname rather than a full name in anything you type. If you believe a child has used the apps directly, email us and we will delete any associated data.
9. Changes to this policy
If we make material changes, we will update the "last updated" date at the top of this page and, where reasonable, notify users by email.
10. Contact
Questions, requests, or concerns: hello@regulatedchild.com.