Tiny Beacon

Privacy

Privacy policy.

Operated by Amir Ariff bin Abdul Hadi · Shah Alam, Selangor, Malaysia · [email protected]

Effective date: 25 June 2026  ·  Last updated: 25 June 2026

Amir Ariff bin Abdul Hadi

Operator and data controller of the Tiny Beacon app

7, Jalan Cassia U17/82, Elmina West, 40160 Shah Alam, Selangor, Malaysia

Telephone: 013-9844412 · Email: [email protected]

Tiny Beacon is a child-safety app for parents and legal guardians, operated by Amir Ariff bin Abdul Hadi (Shah Alam, Selangor, Malaysia). This policy explains what the app on the App Store and Google Play collects, how we use it, and how you can control or delete it. It is built to comply with the United States’ Children’s Online Privacy Protection Act (COPPA) — Tiny Beacon is a parental-control service operated by adults that collects children’s personal information only with verifiable parental consent — and with Malaysia’s Personal Data Protection Act 2010 (PDPA), our primary market.

Tiny Beacon accounts are created and operated by an adult parent or guardian. We do not knowingly collect personal information directly from a child: any information about a child is entered and managed by the parent, with their consent, as described in section 5.

1. What we collect

The public App Store / Google Play build of Tiny Beacon collects only the following, all encrypted in transit (TLS 1.2+) and at rest (AES-256):

1.1 Parent account & identity

  • Parent name and email address (account creation and sign-in)
  • Account and user identifiers
  • Parent date of birth (used once as an adult age-gate, to confirm the account holder is an adult)
  • Sign-in identity from Apple or Google (OAuth), only when you choose that sign-in method
  • Optional profile photo (parent and child), only if you add one
  • Your device’s encryption public key and an optional device label, so paired devices can exchange data securely
  • Push / notification tokens (to deliver alerts to your own devices)

1.2 Child profile (parent-provided)

Entered and managed by the parent in the parent dashboard — never collected from the child directly:

  • Child’s first and last name
  • Child’s date of birth

1.3 Screen Time limits

If you set screen-time limits, the app uses the device’s built-in Screen Time / Family Controls to enforce them. The limit and shield events needed to do this are processed, but raw, per-app usage data stays on the device and is not uploaded by the public app. Detailed per-app usage collection ships only in supervised editions (see section 9).

1.4 Pairing & consent records

  • A hash of the device-pairing code (we store the hash, not the code itself)
  • Parental-consent records (what you consented to, and when) — required to demonstrate compliance
  • Your retention settings

1.5 Diagnostics & analytics

  • Product analytics via PostHog, tagged with account, parent, and child identifiers (no child-entered content; never used for advertising or cross-app tracking)
  • Crash and performance diagnostics via Sentry — with personal identifiers minimised and parent context truncated before transmission

2. What we do not collect

The public build does not collect any of the following:

  • Screenshots or any screen content (supervised editions only — see section 9)
  • Any location data, foreground or background — the public app does not access or collect location; location-based safety features ship only in supervised editions (section 9)
  • Raw, per-app usage harvested off the device (supervised editions only)
  • SMS, chat, or message content
  • Call logs
  • Web browsing or search history
  • Advertising identifiers (IDFA / AAID), and no cross-app tracking
  • Contact lists
  • Biometric data
  • Audio or video recordings

3. How we use it

  • Authentication: to create accounts, sign in, and pair devices
  • Core service: to let a parent set up and manage a child’s profile and the family’s paired devices
  • Safety features: to send emergency and amber alerts (which do not include location) and enforce any screen-time limits you set
  • Alerts: to deliver notifications to the parent’s own devices
  • App improvement: account-scoped analytics and crash diagnostics to keep the app working and improve it

We do not sell or rent personal information, we do not share it with advertisers or data brokers, and we do not use children’s personal information for behavioural advertising or to build advertising profiles.

4. Encryption & security

  • All data is encrypted in transit using TLS 1.2 or higher
  • Personal data is encrypted at rest with AES-256
  • Device encryption keys are generated on the device and held in the device secure enclave (e.g. iOS Keychain); the private key never leaves the device, and keys are wiped on sign-out
  • Row Level Security (RLS) on every database table — a parent can access only their own family’s data
  • Role-based access separates parent and child accounts

5. Children’s privacy & parental consent (COPPA)

Tiny Beacon is operated for parents and guardians, and we treat children’s information with the protections COPPA requires:

  • Parental consent before collection. Information about a child is only ever added by the account holder — an adult who confirms they are over 18 through our date-of-birth age-gate and who controls the account. Consent is captured in the app before any child information is collected, and we keep a record of what was consented to and when.
  • Parental review and deletion (COPPA §312.6). A parent can review the information held about their child, delete it, and refuse to permit its further collection or use — at any time, from the app’s settings.
  • Data minimisation (COPPA §312.7). We collect only what is reasonably necessary for the service, and we do not condition a child’s participation on disclosing more than is reasonably necessary.
  • No targeted advertising to children. We do not use children’s personal information for behavioural advertising.
  • Limited retention (COPPA §312.10). Children’s information is kept only as long as needed for the service and is then deleted (see section 7).

If you believe a child has provided us personal information without parental consent, contact us at [email protected] and we will delete it.

6. Your rights under Malaysia’s PDPA 2010

Under Malaysia’s Personal Data Protection Act 2010 you have the right to access, correct, and withdraw consent for the processing of personal data. In practice you can:

  • Review the data held in your account via the parent dashboard
  • Correct account and child profile details at any time
  • Withdraw consent and stop further processing
  • Delete your data or your entire account, which permanently removes all associated data
  • Request a data export by emailing [email protected]

7. Data retention & deletion

You can delete your data at any time, with or without the app:

  • In the app: open Settings → Account and choose “Delete account”. This permanently removes all parent and child data associated with the account from our systems.
  • Without the app (web): email [email protected] from your account email address and ask us to delete your account. We verify the request and delete the data within 30 days.
  • Withdrawal of consent: withdrawing consent stops further collection and triggers deletion of the associated child data.
  • Minimal retention: we keep personal data only as long as needed to provide the service or to meet a legal obligation.

8. Third-party services

  • Supabase — backend, database & authentication: Stores account and profile data and auth tokens. RLS policies, data isolation, encrypted at rest.
  • Apple & Google — sign in with Apple / Google (optional): If you choose social sign-in, we receive a basic identity token. Only when you select that sign-in method.
  • PostHog — product analytics: Tagged with account, parent, and child identifiers. No child-entered content; never used for advertising or cross-app tracking.
  • Sentry — crash & error diagnostics: Crash reports with personal identifiers minimised. Parent context truncated before transmission.
  • Expo — push notifications & app delivery: Push tokens and device identifiers. Parent-facing notifications only.
  • Plausible — website analytics (tiny-beacon.com): Aggregate page views — no cookies, no personal data. Privacy-first; nothing that identifies a visitor.
  • Cloudflare — website DNS, CDN & security: Processes IP address and request metadata for tiny-beacon.com. Website traffic only; no app data.

9. Supervised & enterprise editions

Everything above describes the public Tiny Beacon app on the App Store and Google Play. Separate supervised and enterprise editions — provided only under a distinct written agreement, not through the public app stores — may additionally collect location, on-device screen content, detailed app-usage, and web-filtering data for managed-device scenarios. The public app collects only the data described in sections 1–8.

10. Data storage location

Data is stored on Supabase-managed infrastructure, encrypted at rest (AES-256) and in transit (TLS 1.2+). Backups are encrypted and access-controlled.

11. Changes to this policy

Material changes will be communicated through:

  • In-app notification to all parent accounts
  • An updated “Last updated” date at the top of this page
  • Re-consent for any change that materially affects how children’s data is handled

12. Contact

Questions about this policy, or to exercise your rights:

Amir Ariff bin Abdul Hadi

Operator and data controller of the Tiny Beacon app

7, Jalan Cassia U17/82, Elmina West, 40160 Shah Alam, Selangor, Malaysia

Telephone: 013-9844412

Email: [email protected]

© 2026 Amir Ariff bin Abdul Hadi. Tiny Beacon is committed to protecting children’s privacy. Built in Kuala Lumpur, Malaysia.