The cloud sees
ciphertext, not kids.

What stays on the family's devices.

Everything. Chore details, allowance balances, goal progress, calendar events, photo proof, role assignments — all stored locally on each family member's installed Pawprint client. Cleartext never leaves the device.

What gets sent to the cloud.

For families on the paid Family tier (encrypted-blob sync between devices), serialized state changes are encrypted with the family's symmetric key and pushed to a blob-storage backend. The backend sees:

• An opaque family-instance ID (random UUID; not derivable from anything personal).
• A timestamp.
• A blob of ciphertext.

It does not see: child names, ages, addresses, photo content, chore titles, allowance amounts, calendar entries, or any other family data. None of those exist in cleartext on any server we operate.

What we do see, on purpose.

Aggregate, anonymized usage telemetry — how many families have installed, how many sync events per day in aggregate, latency percentiles. None of it linkable to a specific family. This is opt-in and visible in Settings.

No advertising-data sale.

The Solo tier shows banner ads (third-party ad network; we'll publish the specific network and its data-handling terms before launch). The Family tier has no ads. We do not, and architecturally cannot, sell behavioral data — there's no readable behavioral data to sell.

No covert parental surveillance.

Pawprint isn't a monitoring tool. The kid sees what's logged about them. The parent sees what's logged about the kid. There is no hidden dashboard a parent gets that the kid is shielded from. Same audit trail, same surface — what differs is who can edit (parent) vs who can interact (kid).

Children's privacy.

We will comply with COPPA and equivalent regional regulations. The minimum data required to make Pawprint useful for a child is: a first name (or chosen handle), an age, and an avatar pick. No email address, no phone number, no real-name verification, no photo of the child uploaded anywhere. Photos attached to chores as proof are stored on the family's devices, encrypted in any sync blob, and never extracted for any other purpose.

Data export + deletion.

Any guardian-admin can, at any time:

• Export the family's whole local store as a single signed JSON file.
• Trigger a full wipe — local store cleared, family key rotated, the encrypted blob in the storage backend made unreadable forever.
• Remove a single device (e.g. a babysitter who's no longer welcome) by rotating the family key on remaining devices.

Contact form data.

Submissions to the notify-me form on this site go to Netlify Forms. We pull entries by hand. No email-marketing platform, no third-party data broker. If you ever want your entry removed, email kdeibel@cleanmoneycorporation.com (or whatever the Pawprint-specific contact becomes — we'll update this when launch is closer).

This page is design-phase.

Pawprint is currently in founding-families preview. The privacy posture above is the product posture we are building toward; the formal policy will be finalized before paid launch and reviewed by counsel. If anything in that eventual policy contradicts the principles on this page, the policy gets fixed.