Privacy Policy — ChildLink

Effective date: 5 June 2026 · Last updated: 5 June 2026

This Privacy Policy explains how personal data is collected, used and shared when you use ChildLink, a mobile application that helps separated or divorced parents coordinate a shared schedule for their children. It is published here on the ChildLink marketing website (childlinkapp.com); a note about the website itself is at the end.

This policy is written in plain language. Where it uses legal terms, those terms have the meaning given to them in the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”).

1. Data controller

The data controller responsible for personal data processed in ChildLink is:

Kocsis Norbert e.v. Tax ID: 69146277-1-43 Country: Hungary Email: [email protected]

We are a small operator and have not appointed a Data Protection Officer; the email address above is the point of contact for all privacy-related questions and requests.

2. Who this policy applies to

ChildLink is intended to be used by adults (parents, legal guardians or other family members exercising parental responsibility). The app is about children — it stores names, birth dates and schedule information for the children of the household — but it is not used by children.

If you are a parent or guardian creating a record about a minor, you are responsible for ensuring you have the appropriate legal authority to do so, and for telling the other parent or guardian that data about the child is being recorded in the app.

A family group is normally shared by up to two parents. A parent may also invite a spectator — for example a grandparent or a new partner — who is given read-only access to the family’s calendar and children’s data. See sections 3.2 and 8.

3. What personal data we process

3.1 Account and identity data

When you create an account or sign in, Firebase Authentication (operated by Google) processes the following on our behalf:

A unique user ID (UID).
Your email address (always).
If you sign in with Google: your Google account identifier and the OAuth tokens needed to verify your identity. We do not receive or store your Google password.

3.2 Family profile

For each family group you create or join, we store in our database:

The IDs of the parents linked to the family (one or two Firebase UIDs).
An 8-character invite code used to let the second parent join.
Optional display names for each parent.
Optional colour preferences used to style the calendar.
The currently active week-pattern configuration (see 3.5).
The subscription state of the family (see 3.8).
For each spectator a parent invites: a spectator invite code, the spectator’s Firebase UID once they join, and an optional display name. Spectators have read-only access to the family.

3.3 Children’s data

For each child you add to the family, we store:

The child’s name.
The child’s date of birth (optional).
The child’s name day, where applicable (optional).

We do not collect photographs, identification documents, medical information or location data about children. Please do not enter such data into free-text fields.

The legal basis for processing children’s data is the performance of a contract (Art. 6(1)(b) GDPR) between you and us — we cannot deliver the calendar service without it — combined with your exercise of parental responsibility. Where two parents share the same family group, each parent acts as a joint controller for the data of the children they both have authority over.

3.4 Schedule entries

Each entry on the shared calendar contains:

A start and end date/time.
An entry type: overnight stay, pickup, drop-off or activity.
The IDs of the children the entry relates to (or “all children”).
Which parent the entry is assigned to (parent1, parent2 or both).
A free-text notes field — anything you type here is stored. Please avoid putting medical, legal or other especially sensitive information in this field.
Audit metadata: who created the entry, who last modified it, and when reminders should fire.

3.5 Custody patterns

When you save a recurring custody pattern (for example, “Mum / Dad / Mum / Dad / Mum / weekend together”), we store the day-by-day assignment for one or two reference weeks and the date used to align alternating-week schedules.

3.6 AI assistant conversations

ChildLink offers a chat assistant powered by OpenAI GPT-4o that can read and modify your calendar on your behalf. See section 5 below for full details on how this works. In short:

Conversations are kept only in the memory of your device for the duration of a chat session and are cleared when you clear the chat or close the screen.
We do not store conversation transcripts on our servers.
Each request you send is forwarded to OpenAI together with the context the assistant needs to answer it.

3.7 Push-notification tokens

When you allow ChildLink to send you notifications, your device receives a Firebase Cloud Messaging (FCM) token. We store, against your user account:

The FCM token.
Whether the token came from Android, iOS, web or another platform.
The display language selected on that device, so notifications reach you in the right language.
The timestamp at which we last saw the token.

Tokens that the FCM service tells us are no longer valid are automatically deleted.

3.8 Subscription and billing data

ChildLink is free to start with. Two optional paid plans unlock extra features, and the AI assistant has a small free quota with optional paid top-ups. Stripe handles all payments — see section 6.

Subscription plans (per family). A family can subscribe to a Premium (currently €2.99/month) or Family (currently €4.99/month) plan. The subscription belongs to the whole family group. Against the family record we store:

The current plan (free, premium or family).
The subscription status (active, past due, canceled or incomplete).
The date the current billing period ends.
The Stripe customer ID and the Stripe subscription ID linked to the family.
When the subscription record was last updated.

These fields are written only by our server when Stripe notifies us of a change; the app itself cannot edit them.

AI assistant quota and credits (per user). The number of free AI conversations per month depends on the family’s plan (currently 1 on Free, 10 on Premium, 30 on Family). Beyond that, conversations consume paid AI credits. Against your user account we store:

The number of free conversations used this month and the date the monthly allowance resets.
Your remaining paid AI-credit balance.

Payment-event log. When Stripe confirms a payment we keep an audit record in a separate stripeEvents log so the same event is never processed twice. For a subscription change this record contains the Stripe event type, the family ID, the Stripe subscription ID and a timestamp. For an AI-credit purchase it contains the Stripe event type, your user ID, the number of credits granted, the Stripe paymentIntent identifier and a timestamp. We do not store card numbers, CVV codes or bank details (see section 6).

3.9 Google Calendar synchronisation

If you choose to connect Google Calendar, ChildLink can mirror your schedule entries into a dedicated “ChildLink” calendar in your own Google account. This feature is off by default and only runs after you sign in with Google and grant calendar access.

What is accessed: with your permission we request the Google calendar access scope and your email address. We use this only to create the dedicated ChildLink calendar and to add, update or delete the events that correspond to your ChildLink schedule entries. The synchronisation runs on your device and talks to Google directly.
What is written to Google: for each synced entry, an event with its title, description (which may include the children’s names and the entry notes), start/end time and reminder. Once an event is in your Google Calendar it is governed by Google’s terms and by your Google account’s sharing settings, which are outside our control.
What we store on our side: a small mapping for each synced entry — the Google calendar ID, the Google event ID and the time it was last synced — plus the calendar ID cached locally on your device. We do not store your Google Calendar contents on our servers.
You can disconnect Google Calendar at any time from within the app; doing so revokes our access and removes the locally cached calendar ID.

The legal basis for this processing is your consent (Art. 6(1)(a) GDPR), given when you connect Google Calendar; you can withdraw it by disconnecting.

3.10 Activity log (audit log)

Every meaningful change to a family’s data is recorded in a structured activity log so that co-parents can see who changed what and when. The log is written automatically by our server whenever a schedule entry, child, custody pattern, family setting, spectator or subscription is created, changed or removed. For each event we store, under the family record:

The time of the change.
A category and a structured action code (for example entry.created, child.renamed, pattern.updated, family.spectator_joined, subscription.tier_changed).
The user ID of the person who made the change (or none, for changes made by the system such as a Stripe billing update).
A snapshot of that person’s display name at the time, so older log lines stay readable.
A small payload describing what changed (for example the entry type, dates and the children involved).

Viewing the full activity log in the app, and exporting it as a PDF, is part of the Family plan; the log itself is always recorded regardless of plan.

3.11 Local device storage

Your selected display language is stored on the device using your operating system’s standard preferences storage, together with the cached Google Calendar ID if you use calendar sync (see 3.9). This data never leaves your device except as described above.

3.12 What we do not collect

We do not use product analytics, crash reporting, advertising SDKs or third-party trackers. We do not request permission to access your location, contacts, camera, microphone, photo library or any other personal device data. The only Android permission requested by the app is POST_NOTIFICATIONS. Access to your Google Calendar is requested only if you choose to turn on calendar sync (section 3.9).

4. Why we process your data, and on what legal basis

Purpose	Categories used	Legal basis (GDPR Art. 6)
Operate the shared calendar (creating, editing, syncing schedule entries between co-parents and spectators)	Account, family, children, schedule, custody patterns	(b) Performance of the contract you have with us
Send push notifications, reminders and the optional weekly digest	Push tokens, schedule entries	(b) Performance of the contract; (a) Your consent for receiving notifications, given when your operating system asks you to allow them
Run the AI assistant on your request	Conversation contents, family ID, children’s names/IDs, schedule entries	(b) Performance of the contract you trigger by sending a chat request
Manage subscriptions and process AI-credit purchases	Account ID, family ID, subscription and billing data, Stripe event log	(b) Performance of the contract; (c) Compliance with tax and accounting obligations under Hungarian law
Mirror entries to your Google Calendar	Schedule entries, Google account email, calendar/event IDs	(a) Your consent, given when you connect Google Calendar
Keep an activity log of changes for co-parents	Account ID, actor name snapshot, change payload	(b) Performance of the contract; (f) Our and your co-parent’s legitimate interest in an accountable shared record
Prevent fraud and abuse, keep the service secure	Account, billing data, server logs	(f) Our legitimate interest in operating a secure service

You have the right to object to processing based on legitimate interests; see section 11.

5. The AI assistant (OpenAI)

When you send a message to the in-app AI assistant, the following happens:

Your request is sent to a Cloud Function we operate in the EU (europe-west1).
The Cloud Function forwards your message — together with the recent messages in the same chat session, your role in the family (parent1 / parent2), your family ID, the names and IDs of your children, and the current date — to OpenAI (OpenAI Ireland Limited / OpenAI, L.L.C., USA), which runs the GPT-4o model.
If the assistant decides it needs to read or change your calendar, it asks our Cloud Function for the relevant data (e.g. “schedule entries between these two dates”) and we return only that slice. That data is then included in the next message we send to OpenAI.
OpenAI’s response is returned to your device and rendered in the chat.
Your conversation is held only in your device’s memory. Closing the chat or clearing it erases the history. We do not write conversations to our database.

Things to be aware of:

OpenAI processes your data outside the EU (in the United States). We rely on the EU–US Data Privacy Framework and/or Standard Contractual Clauses for these transfers.
We have a paid OpenAI account configured to not allow OpenAI to train its models on data sent through our API. OpenAI may still retain inputs and outputs for a limited period for abuse-monitoring purposes, in line with their published API data policy.
Please do not enter especially sensitive personal data into the chat (for example, medical conditions, criminal proceedings, religious beliefs). The assistant cannot do anything useful with such data and you would be sending it to a third party for no benefit.

The free monthly allowance depends on your family’s plan (currently one conversation per user per month on Free, ten on Premium and thirty on Family). Beyond that, conversations consume paid AI credits (sold in €1, €3 and €5 packages — see section 6).

6. Payments (Stripe)

All payments are processed by Stripe (Stripe Payments Europe, Limited and its US affiliates). We never see, transmit or store your card number, expiry date, CVV or bank account information.

Subscriptions. When you start a Premium or Family subscription, we ask Stripe to create a secure hosted checkout page and send you to it. To do this we create a Stripe customer record for your family using your email address and metadata identifying your family and user ID, and we tell Stripe which plan you chose. Card details are entered directly on Stripe’s hosted pages. You can review, change or cancel your subscription through Stripe’s hosted Customer Portal, which we open for you from the app. When Stripe notifies us of a subscription change via webhook, we update the family’s plan and store an audit record of the event (see 3.8).

AI-credit top-ups. When you buy AI credits, card details are entered into Stripe’s secure in-app payment sheet. We send Stripe your user ID, the package you chose and the amount in euro cents so that Stripe can create a payment intent. When Stripe confirms the payment via webhook, we add the credits to your account and store an audit record of the event.

Stripe is an independent data controller for the personal data it processes for fraud prevention and regulatory purposes. Stripe’s own privacy practices are described in Stripe’s Privacy Policy.

Tax invoicing is the responsibility of the operator (Kocsis Norbert e.v.) as required by Hungarian law.

7. Push notifications and the weekly digest

We send push notifications when:

A co-parent in your family creates, modifies or deletes a schedule entry that involves you or your children.
A reminder you configured for an entry is due.

Notification text may include the name of the co-parent who made the change, the affected child’s name, the entry type, the date/time range and (for activities) any notes attached to the entry. If your phone is locked when a notification arrives, this information may be visible on the lock screen depending on your device settings.

If you enable the weekly digest, we additionally send you, once a week, a summary of the upcoming custody arrangement and planned activities for your family. This is built from the same family data and is sent only to family members who have switched the digest on.

You can turn off notifications for ChildLink at any time in your operating system’s settings, and turn the weekly digest off in the app’s notification settings. Doing so does not affect the rest of the app.

8. Who we share your data with

We share data only with the processors and partners we genuinely need to run the service, and — within the app — with the other members of your own family group.

Within your family group. Your co-parent sees the shared family, children and schedule data. If a parent invites a spectator, that spectator gets read-only access to the same calendar and children’s data. Anyone with access can be removed in the app.

Processors and partners:

Recipient	Role	What they receive	More information
Google (Firebase: Authentication, Firestore, Cloud Functions, Cloud Messaging)	Processor — provides the backend infrastructure of the app	All personal data described in section 3 except the AI conversation contents (which are in-memory only). Data is hosted in the `europe-west1` region (EU).	Firebase Privacy & Security
Google Calendar	At your direction — only if you turn on calendar sync	The schedule events (title, description, time, reminder) written into the dedicated ChildLink calendar in your own Google account.	Google Privacy Policy
OpenAI	Sub-processor — runs the AI model that powers the in-app chat assistant	The chat messages you send, your family ID, your role, your children’s names/IDs and the schedule slice the assistant requests for each turn. Processed in the United States.	OpenAI Privacy Policy
Stripe	Independent controller for payment processing	Your email, user ID and family ID, the plan or package you chose, the payment amount, and the card details you enter directly into Stripe’s UI.	Stripe Privacy Policy

We do not sell personal data and we do not share it with advertisers.

We may also disclose data when we are required to do so by law (for example, in response to a valid court order or a request from a competent authority), or where it is necessary to protect the rights, property or safety of users or the public.

9. International transfers

Our backend is hosted in the European Union (Belgium, europe-west1).

Transfers that may leave the EU:

OpenAI, in the United States, processes the data described in section 5.
Stripe, when processing payments, may transfer billing data to its US affiliates.
Google Calendar, if you enable sync, processes the events you write to your own Google account on Google’s global infrastructure.

These transfers rely on the European Commission’s adequacy decision under the EU–US Data Privacy Framework and/or on the Standard Contractual Clauses approved by the Commission. Copies of the relevant safeguards can be requested at the contact address in section 1.

10. How long we keep your data

Data	Retention
Account, family, children, schedule entries, custody patterns	Kept while your account is active. Deleted on request (see section 11).
Activity log	Kept with the rest of the family’s data while the family group exists.
AI conversation history	Kept only in the memory of your device during a chat session. Cleared when you clear the chat or leave the screen.
Google Calendar sync mappings	Kept while sync is enabled; removed when you disconnect Google Calendar (events already written to your Google account are managed by you in Google Calendar).
Push-notification tokens	Kept until your device unregisters the token or FCM tells us the token is no longer valid, at which point we delete it automatically.
Subscription state, Stripe payment-event records and AI-credit balance	Kept for as long as required by Hungarian tax and accounting law (currently up to 8 years for accounting documents).
Local language preference and cached calendar ID	Kept on your device until you change it, disconnect sync or uninstall the app.

11. Your rights

Under the GDPR you have the following rights in relation to your personal data:

Right of access — to ask whether we hold data about you and to receive a copy.
Right to rectification — to correct data that is inaccurate or incomplete.
Right to erasure (“right to be forgotten”) — to ask us to delete your data.
Right to restriction — to ask us to stop using your data while a question about it is resolved.
Right to data portability — to receive your data in a structured, commonly used, machine-readable format.
Right to object — to object to processing based on our legitimate interests.
Right to withdraw consent — where processing is based on consent, you can withdraw it at any time. Disabling notifications in your operating system withdraws your consent for push notifications; disconnecting Google Calendar withdraws your consent for calendar sync.
Right to lodge a complaint — with the data protection supervisory authority competent for your country of residence. In Hungary this is the Hungarian National Authority for Data Protection and Freedom of Information (NAIH).

To exercise any of these rights, email [email protected] from the address linked to your account. We aim to respond within one month.

A note on account deletion. The app does not yet have a built-in “delete my account” button. If you want your account, your family record and all associated data to be deleted, please send an email to the address above and we will carry out the deletion manually. We are working on adding an in-app deletion flow.

When two parents share the same family group, deleting your own account does not automatically delete the children’s records or the schedule entries — these are also being processed by your co-parent on the basis of their own parental responsibility. We will discuss the appropriate scope of deletion with you when you make the request.

12. Security

We protect your data with the following measures:

All connections between your device, Firebase and our Cloud Functions are encrypted with HTTPS/TLS.
Authentication is handled by Firebase Authentication; passwords are never visible to us.
Access to the database is restricted by Firebase security rules so that, for example, the subscription fields on a family can only be modified by our server-side functions.
Sensitive credentials such as the OpenAI API key and the Stripe secret key are stored as Firebase secrets and are never shipped to your device.
Data at rest in Firestore is encrypted by Google.

We do not offer end-to-end encryption: it is technically possible for the operator to read schedule notes and similar free-text fields in the database. Please bear this in mind before recording especially sensitive information.

13. Cookies and tracking technologies

ChildLink is a mobile application and does not use browser cookies. We do not run any analytics, advertising or third-party tracking SDKs. The only persistent storage on your device is a small preferences file containing your selected display language and, if you use calendar sync, the cached ChildLink calendar ID. For the marketing website, see “The ChildLink website” at the end of this policy.

14. Changes to this policy

We may update this Privacy Policy from time to time, for example to reflect new features or new processors. The “Last updated” date at the top of the document tells you when it last changed. For material changes we will tell you in-app or by email before the change takes effect. If you continue to use the app after a change, you are accepting the updated policy; if you do not agree, you can stop using the app and request deletion of your data under section 11.

15. Contact

For any question, request or complaint about this policy or about how your personal data is handled in ChildLink, please write to:

Kocsis Norbert e.v. — [email protected]

The ChildLink website

The page you are reading is published on childlinkapp.com, the marketing website for the ChildLink mobile app. The website itself is a static information site:

It has no user accounts, no database and no login — you cannot sign in on the website.
It sets no cookies and uses no analytics, advertising or tracking of any kind.
It loads the Plus Jakarta Sans web font from Google Fonts. When your browser fetches the font, Google receives your IP address and standard request data, as with any site that embeds Google Fonts.
The subscription result pages (shown after a Stripe checkout that you started from the app) may read a Stripe session_id from the page address only to display a confirmation message. Nothing from those pages is stored.

All personal data described in the sections above is processed by the mobile app, not by this website. The data controller and contact details in sections 1 and 15 apply to both.