
Privacy Policy

Last updated: April 17, 2026


At snugapp.ai, operated by SnugApp AI ("we", "our", or "us"), we prioritize the privacy and security of your family's data above all else. snugapp.ai provides an AI-powered child safety monitoring service designed to help parents protect their children while maintaining their privacy. This policy explains precisely what data we collect, why, and — critically — what we never collect. It is designed to comply with the GDPR, CCPA, COPPA (Children's Online Privacy Protection Act), and all applicable data protection frameworks.

1. Our Core Privacy Commitment — Zero-Content Architecture

The single most important fact about snugapp.ai's privacy model:

We never store, log, transmit, or retain any raw message content. No text, audio, images, or video from the Monitored Device is ever written to our database, cloud storage, or server logs. All AI analysis occurs exclusively in volatile server memory and is permanently purged immediately after an analysis result is produced.

This is not merely a policy preference — it is a core architectural constraint enforced at every layer of our system. We do not act as an archive or backup for your child's communications.

Lawful Parental Safety Tool: snugapp.ai is a parental safety tool that operates exclusively under the legal authority of a parent or court-appointed guardian. It does not constitute surveillance software, spyware, or any tool for unauthorized access to data belonging to another party. Monitoring is initiated only through an affirmative multi-step process: account creation, payment verification, and physical scanning of a QR code on the child's device — ensuring informed, deliberate parental consent.

2. Data We Collect
2.1 Account Data (Account Holder)
  • Name & email address — Account creation and authentication.

  • Phone number — Two-factor authentication and WhatsApp alert delivery.

  • Password (hashed) — Account security. We never store plaintext passwords.

  • Subscription & billing records — Payment processing is handled by Paddle (our Merchant of Record). SnugApp AI does not store your full credit card numbers; all payment data is collected and processed directly by Paddle. For details on how Paddle handles your payment data, see Paddle's Privacy Policy.

  • Preferred language & timezone — Localized Alert delivery.

2.2 Device & Monitoring Configuration Data
  • Monitored Device's linked WhatsApp identifier — Establishing the monitoring session.

  • Monitored User's name/alias (as set by you) — Displaying within your dashboard ("Snuggie").

  • Monitored User's disclosed age group — Calibrating age-appropriate AI sensitivity thresholds.

  • Active monitoring session metadata — Connection health and status monitoring.

  • Contact registry — Chat display names, chat identifiers, and known-contact status for individuals who communicate with the Monitored User. This is used to provide context to the AI analysis (e.g., distinguishing known contacts from strangers). We do not store phone numbers of these contacts.

2.3 Analysis Metadata (Not Content)
  • Message batch count & timestamp range — Confirming analysis was performed.

  • AI-generated threat category & severity — Powering the Alerts dashboard.

  • AI-generated high-level summary (no quotes) — Explaining Alert context to the Account Holder without using raw message text.

  • Alert delivery status — Confirming notifications were sent.

2.4 Technical & Service Data
  • IP address & browser/device type — Security, fraud prevention, and diagnostics.

  • Service usage logs — Product improvement and reliability.

  • Error logs — Debugging and system stability (never containing message content).

3. Data We Expressly Do NOT Collect

We explicitly do not collect, store, or process:

  • ❌ Raw message text, audio messages, images, or video from any conversation.

  • ❌ Phone numbers of the Monitored User's contacts.

  • ❌ The Monitored User's browsing history, app usage, or location.

  • ❌ Biometric data.

  • ❌ Excerpts, snippets, or transcripts from any conversation.

4. How We Use Your Data

Your data is used exclusively for:

  • Delivering the Service — Processing monitoring sessions, generating Alerts, and sending notifications.

  • Improving AI Accuracy — Using aggregated, anonymized metadata (never content) to improve detection models and reduce false positives.

  • Account & Security Management — Authenticating users, preventing fraud, and protecting the platform.

  • Legal Compliance — Meeting obligations under applicable law, including responses to lawful data requests.

  • Customer Support — Resolving technical issues reported by Account Holders.

We do not use your data for behavioral advertising, third-party marketing, or sale to data brokers.

5. AI Processing & Google Cloud Platform

We utilize Google Cloud's Vertex AI (Gemini models) as our core intelligence engine under a strict Enterprise Data agreement ensuring that:

  • No Model Training: Your family's data is never used to train, tune, or improve Google's foundation models or snugapp.ai's base algorithms.

  • Secure Enclaves: Data is analyzed in secure, isolated regions and is encrypted both in transit (TLS 1.3) and during the brief moment it exists at rest.

  • Transient Processing: Message content sent to the AI model for analysis is not retained by the provider beyond the API call.

6. Third-Party Sharing

SnugApp AI does not sell, rent, trade, share, or commercially transfer your personal data or the Monitored User's data to any third party. This includes advertisers, data brokers, and analytics companies. Paddle, as our Merchant of Record, similarly does not sell your personal information (as defined under the CCPA).

We share data only in the following limited circumstances:

  • Google Cloud Platform (Vertex AI, Firebase, Firestore) — Cloud hosting and AI processing, under a Data Processing Agreement (DPA).

  • Paddle (paddle.com) — Merchant of Record for all subscription transactions. Paddle processes your payment information (name, email, billing address, payment method), handles tax collection, and manages invoicing. As the Merchant of Record, Paddle acts as an independent data controller for transaction-related personal data. See Paddle's Privacy Policy for details on how they handle your data.

  • WhatsApp (Meta) — The underlying messaging platform we connect to via their multi-device architecture. snugapp.ai is not affiliated with, endorsed by, or officially connected to Meta or WhatsApp.

  • Law Enforcement / Regulators — Only in response to a lawful subpoena or court order, and only the minimum data required.

7. Children's Privacy — COPPA & GDPR

snugapp.ai's users (Account Holders) are adults. However, because the Service involves monitoring minors, SnugApp AI applies the strictest possible data minimization principles to all data associated with a Monitored User. We comply with the Children's Online Privacy Protection Act (COPPA) for children under 13, and with GDPR Article 8 and related child-specific provisions for children under 16 in the European Economic Area.

  • We do not create profiles of Monitored Users for any commercial purpose.

  • We do not share Monitored User data with any third party for marketing.

  • We do not retain any Monitored User data beyond what is necessary to deliver Alerts to their Account Holder.

Verifiable Parental Consent: Under COPPA and GDPR, verifiable parental consent is required before collecting or processing personal information relating to a child. SnugApp AI implements a multi-step verification process to ensure genuine parental consent: (1) account creation by the parent/guardian, (2) payment verification through Paddle (confirming adult financial authority), and (3) physical scanning of a QR code on the child's device (confirming physical access and custody). No data from the child's device is collected until all three steps are completed. Parents may review, delete, or halt collection of their child's data at any time by disconnecting the device via the dashboard.

If you believe a minor has independently created an account, contact us immediately at privacy@snugapp.ai and we will delete the account.

8. Your Rights

Depending on your jurisdiction (e.g., GDPR, CCPA), you may exercise the following rights by contacting us at privacy@snugapp.ai:

  • Access — Request a copy of all personal data held about your account.

  • Rectification — Correct inaccurate data (e.g., update your name or email).

  • Export (Portability) — Receive your account data in a structured, machine-readable format.

  • Deletion ("Right to Forget") — Request deletion of your account and all associated data. This action is irreversible. Because of our Zero-Content Architecture, there is no message content to delete, as none was ever stored.

  • Objection / Restriction — Object to or restrict certain processing activities.

  • Withdraw Consent — Withdraw consent at any time where processing is consent-based.

You can also instantly disconnect your WhatsApp session at any time through the dashboard, which immediately stops all data synchronization for that device. You can delete your account and all associated Alert data directly from "Account Settings."

We will acknowledge all rights requests within 72 hours and fulfill them within 30 days.

9. How We Protect Your Data
  • Encryption at Rest: All data in Firestore (Google Cloud) is encrypted at rest using AES-256.

  • Encryption in Transit: All data transmitted between your devices and our servers is encrypted using TLS 1.2+.

  • Access Controls: Access to production data is restricted to authorized engineers through role-based access control (RBAC) with audit logging.

  • Principle of Least Privilege: Engineers are granted access only to the minimum data required for their role.

  • No Persistent Content: The Zero-Content Architecture itself eliminates the most sensitive data class from our attack surface entirely.

9.1 Data Breach Notification

In the unlikely event of a data breach affecting your personal data, SnugApp AI commits to the following:

  • Regulatory Notification: We will notify the relevant supervisory authority (e.g., the ICO, CNIL, or applicable Data Protection Authority) within 72 hours of becoming aware of a breach, as required by GDPR Article 33.

  • User Notification: If the breach is likely to result in a high risk to your rights and freedoms, we will notify affected Account Holders without undue delay via email and in-app notification, as required by GDPR Article 34.

  • Scope Limitation: Due to our Zero-Content Architecture, a breach of our systems cannot expose raw message content, as no such data is ever stored. Any breach would be limited to account metadata (name, email, subscription status) and alert summaries.

10. Data Retention
  • Account data — Duration of subscription + 30 days post-deletion.

  • Alert history — Duration of subscription, or until manually deleted or the account is deleted. Note that for certain tiers (e.g., Basic), your dashboard view may be limited to the last 24 hours of activity history, even if data is retained for a longer period in the database.

  • Analysis metadata (batch counts) — Duration of subscription.

  • Server & error logs — 30–90 days, then automatically purged.

  • Billing records — Retained by Paddle (Merchant of Record) as required by applicable tax law. snugapp.ai retains subscription status records for the duration of the account.

11. Changes to This Policy

SnugApp AI reserves the right to update this Privacy Policy. Material changes will be communicated via email to registered Account Holders at least 14 days prior to taking effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

12. Contact

For questions regarding this Privacy Policy or how your family's data is handled, visit our Help Center or contact our Data Protection Officer at privacy@snugapp.ai.