Last updated 2026-05-16 · Operator: KyrosWorks LLC, Texas, USA · [email protected]
The short version
ChoreKey is a parental-controls app for families with children ages 8–17. We do not sell data. We do not run ads. We do not use analytics SDKs. We do not let third parties track your family.
What we do with your data depends on your tier:
v1 — ChoreKey alone ($2.99 one-time): everything stays on your child's iPhone. No cloud.
v2 — Plus tier ($29.99 one-time, requires Parent app): chore data and photos sync to a cloud backend so you can approve chores remotely. For all-Apple families, that cloud is your own iCloud account via Apple CloudKit — we cannot see it. For families with any Android device, the cloud is our own Supabase backend on AWS US-East.
v3 — Pro tier ($7.99/month or $79.99/year): in addition to v2, chore photos are sent to Anthropic's Claude vision API for AI evaluation. Anthropic does not retain photos beyond a short abuse-screening window and does not use them to train models.
Cloud sync is off by default — it only turns on when a parent pairs the Parent app. AI is also off by default and only turns on if a parent subscribes to Pro.
Things that are always true, at every tier
Phone calls, Messages, and Maps are never blocked. If your child's phone is locked because chores aren't done, they can still call you, text you, and use Maps to get home. This cannot be turned off.
No analytics SDKs. No Google Analytics, Firebase, Mixpanel, Segment, Amplitude, or anything equivalent. There are no third-party SDKs in either app that report usage back to us or anyone else.
No advertising IDs. We do not read your Advertising Identifier (IDFA / AAID). We do not show ads.
No selling data. We do not, and will not, sell, rent, or trade any data to anyone — including anonymized or aggregated data.
No profiling for marketing. We do not build profiles of children or parents for advertising or behavioral targeting.
No accounts on your child's device. The ChoreKey app never asks for an email, phone number, or password. Pairing uses a one-shot token, not a user account.
You can delete everything. A parent can request full deletion at any tier. We act within 30 days, including from backups. Email [email protected] from the email tied to your Parent app sign-in.
v1 — ChoreKey alone (default, no-cloud mode)
Everything stays on your child's iPhone. Nothing leaves the device. This is what you get when you buy ChoreKey for $2.99 and use it without the Parent app.
What's stored, and where (all local on your child's iPhone)
Chore photos: stored in the app's private file storage. Auto-deleted seven days after parent approval.
Home geofence coordinate: the latitude/longitude of "home" you set during setup. Never transmitted.
PIN code: the 4-digit parent-approval PIN, stored as a hash. We never see it.
App settings and notification preferences.
What we don't do at this tier
We do not collect, transmit, or store anything on our servers. There are no servers.
We do not log a location history. The app only asks the OS, "Are you inside the geofence right now?" We never see coordinates.
The camera is used only for chore photos. Photos stay in the app's private storage.
No analytics, no crash reports, no telemetry. The app does not phone home.
The ChoreKey app uses Apple's Family Controls framework to lock and unlock apps. The framework runs entirely on-device; selections of which apps are blocked never leave the device.
v2 — Plus tier (cloud sync turns on)
When a parent installs the Parent app and pairs it to the child's device, chore data and photos sync to a cloud backend so the parent can approve chores remotely. For all-Apple families, that backend is your own iCloud account via Apple CloudKit. For families with any Android device, the backend is our Supabase database on AWS US-East.
Cloud sync is off by default. It enables only after the parent completes the pairing flow, which requires Sign in with Apple (iOS) or Google (Android) plus a confirmation tap on the child's device.
Which backend hosts your data
Your family
Backend
Who controls the data
All Apple devices
Apple CloudKit
The data sits in your iCloud account. Apple is the data processor. We have no read access.
Any Android device in the family
Supabase on AWS US-East
Hosted by Supabase Inc. on AWS in the United States. We are the data controller; Supabase is our sub-processor.
If you start on CloudKit and later add an Android device, the Parent app prompts you to migrate to Supabase, explains the privacy change, and requires explicit confirmation.
What syncs to the cloud at this tier
Chore records: title, description, schedule, due time, completion and approval status, the rubric text you write per chore.
Chore photos: stored encrypted, accessed via short-lived signed URLs, automatically deleted seven days after parent approval by an automated cron. You can also delete a photo manually any time.
Pairing metadata: which children's devices are paired to which parent accounts, an opaque per-device token (not the device's serial number or advertising ID), and the child's first name (your choice what to enter).
Audit trail: every approval, redo, override, and tamper event, with timestamp.
Geofence enter/exit events: when the child's device crosses the home boundary, an event is logged. The home coordinate itself stays on the child's device — it is never sent to the cloud. No other location point is stored.
Tamper events: if Family Controls is revoked or the heartbeat drops, an event is logged so the parent is notified.
What we do NOT store in the cloud at this tier
Real-time location of the child. We never poll or log coordinates.
Location history beyond the enter/exit events at your home boundary.
The home geofence coordinate — it stays on the child's device.
Photos older than seven days post-approval — the cron deletes them.
Phone call logs, message contents, contacts, browsing history, app-usage minute counts — none of this is collected.
Biometric data. Face ID / Touch ID / fingerprint data never leaves the device.
Security
All cloud traffic uses TLS 1.2+ in transit.
Data is encrypted at rest by the backend (Apple for CloudKit; Supabase / AWS for the Supabase backend).
Row-Level Security on the Supabase backend isolates each family's data at the database level — one family cannot read another's rows.
Photo access requires short-lived signed URLs (typically 15 minutes). The URLs cannot be valid forever or shared usefully.
The Approve action in the Parent app is gated behind Face ID / fingerprint.
The child's device verifies a server-signed unlock event before lifting the lock. A child editing local storage cannot self-unlock.
Third parties at this tier
Apple Inc. (all-Apple families on CloudKit). Apple stores the data inside your iCloud account. Apple's privacy policy applies.
Supabase, Inc. (cross-platform families). Provides our managed Postgres database, file storage, realtime channels, and authentication. Sub-processor. Privacy policy: supabase.com/privacy.
Amazon Web Services (indirectly, for cross-platform families). Supabase hosts our database in AWS US-East. AWS has no application-level access to your data.
Apple Push Notification service / Firebase Cloud Messaging. Deliver push notifications. Payloads contain only short messages (e.g. "Mia submitted a chore"); no photos.
No other third party receives data at this tier.
Multi-parent and multi-child
When two parents are paired to the same family, both can see and approve chores for any paired child. Up to five children per family on Plus; each child sees only their own chores. Audit entries identify which parent approved which chore.
v3 — Pro tier (AI evaluation turns on)
When a parent subscribes to Pro, chore photos are sent to Anthropic's Claude vision API for AI evaluation against the rubric the parent wrote. Anthropic returns a verdict (approve/redo), a confidence score, and one-line reasoning. The AI's decision is logged so you can review it weekly and override it.
Pro is a subscription ($7.99/month or $79.99/year, 14-day free trial). It is off by default. AI only turns on once a parent explicitly subscribes.
Pro is required for families with any Android device (the AI infrastructure cannot run on CloudKit). It is optional for all-Apple families.
What's sent to Anthropic, per chore submission
The photo lands in our Supabase Storage as it would on Plus.
An Edge Function on our backend fetches the photo via a signed URL.
The Edge Function calls Anthropic's API with: the photo, the rubric text the parent wrote (e.g. "Trash bag tied and inside the green can"), and up to three past override examples from the same chore type for that family.
Anthropic's model (Claude Haiku 4.5 first, escalating to Claude Opus 4.7 for ambiguous cases) returns {verdict, confidence, reasoning}.
The verdict drives the auto-approve / parent-queue routing.
Anthropic's handling of the photo
Per Anthropic's API terms as of 2026-05-16:
No training. Inputs and outputs from API calls are not used to train Anthropic's models. This is a stronger commitment than Anthropic's consumer products offer.
Short retention for abuse screening. Anthropic retains API inputs and outputs for up to seven days for abuse and safety screening, then automatically deletes them.
No human review of inputs or outputs unless a safety classifier flags the request for a trust-and-safety review.
Anthropic is a sub-processor for ChoreKey's Pro tier. Anthropic's privacy policy: anthropic.com/legal/privacy.
What we store in our own database for Pro
In addition to everything stored at Plus:
Rubrics: the plain-English description per chore that defines "what does done look like."
AI decision history: verdict, confidence, reasoning, and parent override (if any). Powers your weekly Decision Report.
Override examples: when you override the AI, we store the photo and override so the AI does better next time on that chore type for your family only. Row-Level Security isolates these per family.
Per-chore parent controls
Full auto: AI decides, you review weekly.
Confirm each: AI suggests, you tap to confirm before unlock.
Always manual: the AI never sees the photo. Use this for medication, safety-critical, or sensitive chores.
New chore types default to Confirm each for the first two weeks. They auto-promote to Full auto only after the AI hits 95%+ agreement with the parent.
Pro features that don't involve AI
Per-app time budgets: stored as rules in our database, enforced on-device by Apple's Family Controls.
Scheduled routines: cron-like rules in our database, evaluated on-device.
Trusted-adult delegation: a short-lived signed token bound to the invited person's device gives them approve-only access during a window you set, then auto-expires.
Weekly digest email: a Sunday cron emails you a per-family summary. Contains chore counts and trend prose — no photos.
Children's data — special handling
ChoreKey is designed for children ages 8–17. We apply additional protections specifically for our youngest users:
We do not sell, rent, trade, or share children's data with advertisers.
We do not build advertising or behavioral profiles of children.
We do not enable third-party tracking on the ChoreKey app. There are no third-party SDKs in the ChoreKey app.
We do not use children's photos to train AI models. Anthropic's API terms prohibit training on API inputs; we have not opted into any program that would change this.
Photos are short-lived. Chore photos auto-delete seven days after parent approval, at every tier.
The home geofence coordinate is never sent to the cloud. It stays on the child's device.
Parent consent gates every upgrade. Pairing requires the parent to authenticate (Sign in with Apple or Google). Subscribing to Pro and turning on AI requires the parent to confirm a paywall that names the privacy change.
For US families with children under 13, we collect only what is necessary to operate the service the parent purchased, with verifiable parent consent via Apple's or Google's account systems and the in-app pairing flow.
If you believe we have collected information from a child without parent consent, or you want to review or delete information about your child, email [email protected] — we'll act within 30 days.
Your rights
At any tier you can:
See what we have. Email [email protected] from your Parent-app sign-in email; we will send a copy of your family's data within 30 days.
Correct it. Most data is editable in the Parent app. For anything you can't edit, email us.
Delete it. Ask for full deletion. We remove from primary storage immediately and from backups within 30 days. Audit-trail entries also get deleted — note that trade-off.
Export it. JSON export of chore and audit data on request.
Opt out of AI. Cancel Pro to stop AI on the next billing cycle. You can also flip every chore to "Always manual" while keeping Pro for the non-AI features.
Residents of California (CCPA/CPRA), the EU/UK (GDPR), and other jurisdictions with similar rights laws have the rights named in those laws. Email us from your sign-in email and we will honor them. We do not sell data, so the "right to opt out of sale" is already the default.
Changes to this policy
If we change this policy in a way that materially expands what we do with data, we will:
Update the Last updated date at the top.
Show the change in-app the next time you open the Parent app, in plain English.
Require an explicit tap to acknowledge.
We will not roll out a material change quietly via a buried link.