Privacy Policy
1. The short version
- Your baby's data is end-to-end encrypted. It is encrypted on your device before upload, so our servers hold only ciphertext and we cannot read your logged events, photos or notes.
- We never sell your data. It's a design constraint, not a promise — we can't read it.
- We never run analytics on your baby's data. Usage analytics (Google Firebase Analytics) and our own first-party lifecycle telemetry are strictly category-level (e.g. "an onboarding completed"), never your child's data, and you can turn them off in Settings → Privacy. No Crashlytics, Mixpanel or Amplitude.
- On the free tier we serve ads via Google AdMob (in the EEA/UK we gather consent through Google's certified consent platform first; decline and you see no ads). Premium removes ads entirely.
- You can permanently delete everything — on your device and our servers — at any time via Settings → Privacy → "Delete account & all data" (or our web deletion page).
2. Information we collect
2.1 What you give us
- Email and display name from Google Sign-In — used as your caregiver identifier. Stored in the encrypted vault; reaches our servers only as ciphertext.
- Family and child profile, and logged events (feeds, naps, diapers, etc.) — encrypted on your device before upload; ciphertext on our servers.
2.2 What we collect automatically
- Usage analytics (Firebase Analytics): category-level events plus a per-install app-instance ID. Advertising-ID and Android-ID collection are disabled and we never set a user ID. Opt out in Settings → Privacy.
- First-party lifecycle telemetry: a few acquisition events (install, onboarding, paywall view, subscription, invite) to our own servers — never baby data. Same opt-out.
- Push token: if notifications are on, your Firebase Cloud Messaging token is stored so we can wake your device to sync. Notification content is built on-device from decrypted data; our servers never see it.
- Sync + purchase metadata: timestamps, sizes, family/device/event IDs, and — for subscriptions — your Google Play purchase token + product ID (to verify the purchase with Google). None of it contains baby data; it tells our servers only when your devices synced and how large the ciphertext was.
- We do not use a crash-reporting SDK.
2.3 Advertising partners (free tier only)
Google AdMob is our advertising partner. In the EEA/UK we gather consent through Google's certified User Messaging Platform before serving ads, and a user who declines sees no ads. AdMob's SDK collects an advertising ID, IP address, device model and session duration. Ad requests are non-personalized by default. Premium subscribers never reach an ad surface.
3. How we use information
Only to: provide the app (sync, recovery, multi-device); process subscriptions through Google Play Billing; comply with legal obligations (e.g. tax records); and measure aggregate, category-level usage to improve the app — never using your baby's data. We do not train AI on your data, build ad profiles, or share with employers/insurers/anyone (except as legally compelled — §7).
4. End-to-end encryption
When you create a family vault, Hush generates a Family Data Encryption Key on your device. That key is wrapped twice: once with a Recovery Key derived from your 24-word phrase (Argon2id at libsodium's MODERATE parameters), and once per device with X25519. Every event is encrypted under the family key with XChaCha20-Poly1305. Our servers store only ciphertext plus minimal routing metadata. If you lose every device and your recovery phrase, your data is gone forever: we never had the keys.
5. Data retention
- Event ciphertext is kept until you tombstone (delete) the event or delete your account. Tombstoning removes the ciphertext; the tombstone marker itself is garbage-collected after 30 days. Account deletion purges everything immediately.
- Account metadata (wrapped keys, recovery blob, device records, push token) is purged immediately on account deletion.
- Subscription receipts are kept for the period required by tax/accounting law (typically 7 years), even after deletion.
6. Your rights & controls
Depending on your region (GDPR, CCPA/CPRA, PIPEDA) you may have rights to access, correct, delete, export, or restrict your data, and to withdraw consent. You can delete all your data yourself any time from Settings → Privacy → "Delete account & all data" (or the web page), and opt out of usage analytics in Settings → Privacy. For anything else email support@hush.app; we respond within 30 days.
7. When we share
Only when required by law (we can share only ciphertext + metadata; we can't decrypt your baby data even if compelled), when you direct us to (e.g. exporting an encrypted backup to your own Drive), or with the service providers that operate the app — Google Play Billing, Cloudflare (encrypted storage), and AdMob (free-tier ads).
8. Children's privacy
Hush is for adults tracking their own children's care. The app is not directed at children and we do not knowingly collect data from anyone under 13 acting on their own behalf. Parents provide consent on their child's behalf. The product is intended for users 18+.
9. Security
Cryptography via libsodium (XChaCha20-Poly1305, X25519, Ed25519, Argon2id); on-device storage in SQLCipher (AES-256) with keys in the Android Keystore (hardware-backed where available); TLS on all connections.
10. International transfers & changes
Our servers run on Cloudflare's global network; because the data is ciphertext, no region can read it. We'll notify you in-app at least 30 days before material changes; the current version always lives at this URL.