Privacy Policy

How TymedIn handles your data. Enforcement runs on the device; nothing leaves it without your consent.

Last updated: June 14, 2026 · Effective date: June 14, 2026

This Privacy Policy (the "Policy") explains how TymedIn ("TymedIn", "we", "us", or "our") collects, uses, shares, and protects information when you ("you" or "your") install, access, or use the TymedIn Android application (the "App") or visit the website at tymedin.com (the "Site", and together with the App, the "Service"). By using the Service, you confirm that you have read, understood, and agree to this Policy.

1. The short version

TymedIn is designed so that almost everything stays on your device. The App does not require an account. Your parent password, the apps you choose to manage, the limits you set, and your daily usage counters never leave the phone. The Site collects nothing about you unless you contact us or opt in to a feature that uses the network. We do not sell your information. We do not run advertising trackers. We do not use your data to train artificial-intelligence models.

2. Definitions

Personal information means information that identifies or can reasonably be linked to you, your household, or your device. Process means any operation performed on personal information, including collection, storage, use, disclosure, and deletion. Service provider (also called a "processor") means a third party we engage to perform a service on our behalf under written terms that bind it to our instructions. You includes any adult user who installs, configures, or operates the App for a household or device.

3. Who is responsible (data controller)

TymedIn is the data controller for personal information processed through the Service, except where we act as a processor on your behalf (for example, when feedback you submit references a third party). You can reach our privacy contact at tymedin@gmail.com.

4. Information we handle

4.1 Information stored on your device only

The App stores the following on your device in private application storage, and not on any server we operate:

  • Profiles you create (name and avatar choice).
  • The list of apps you have placed under management and the per-launch, per-day, and cooldown limits you set for each.
  • Daily usage counters used to enforce per-day caps.
  • Your parent password as a BCrypt hash, and your recovery question with a BCrypt hash of the recovery answer.
  • App preferences such as theme, language, biometric setting, and onboarding state.

This information is not readable by other apps on the device, is not transmitted to us, and is not subject to system-level cloud backup because we have opted out of Android Auto Backup for these data sets.

4.2 Information collected through the Site

The Site is hosted on Google Firebase Hosting. As is standard for hosted websites, Firebase logs limited request metadata (IP address, user agent, requested path, timestamps, and HTTP response code) for security, abuse prevention, and operational purposes. Firebase retains this access-log data for a short, rolling period and we do not export it for marketing analytics. We do not place advertising cookies, web beacons, fingerprinting scripts, or social-network trackers on the Site.

4.3 "Notify me" email

If you email us through the "Notify me" link, we receive the email address you choose to share and any message you send. We use this email solely to notify you of the TymedIn launch and to respond to your inquiry. We do not add this address to a marketing list or share it with any third party. You can ask us to delete it at any time by emailing tymedin@gmail.com.

4.4 In-app feedback (opt-in, per submission)

If you choose to send feedback from inside the App, the App displays the exact payload it intends to send before you submit. That payload may include a free-text description you write, an optional contact field you fill in, an anonymous Firebase Authentication user identifier created on your device, and a small set of bucketed diagnostics (such as the type of feedback, your app version, the route in the app where you were when you opened the form, and the last fifty lines of an in-memory log buffer the App keeps for this purpose). The App scrubs personally identifying material before send: package names are hashed to a short, irreversible token before they enter the payload, and durations and counts are bucketed into ranges (such as "5–15 minutes" or "1–3 items") rather than exact values. Submissions are written to a Firestore collection at the Firebase project we operate. Submissions you make while offline are queued locally and drained when the device is online. No feedback is sent unless you tap submit.

4.5 Analytics (off by default, region-gated)

The App may report a limited set of analytics events to Google Analytics for Firebase ("GA4") only after you grant consent. Analytics collection is disabled by default. In the European Economic Area, the United Kingdom, Switzerland, and California, the App presents a Google User Messaging Platform consent form before any analytics data is recorded. Elsewhere, the App presents a clear one-time notice with an opt-out. If you opt out (or decline consent), the App disables analytics collection and instructs Firebase to reset the analytics identifier on the device. The analytics events we use are bucketed and never include personally identifying material; for example, screen-view events use template route names, not concrete profile or package identifiers.

4.6 Crash reports

The App uses Firebase Crashlytics to record information about a crash if and when one occurs, including stack traces, device model, OS version, and the small set of bucketed analytics breadcrumbs described above. No personal information is added to Crashlytics custom keys. Crash reports help us diagnose and fix bugs.

5. Android permissions and why we request them

  • Usage Stats and Accessibility: to detect which app is in the foreground and tick the timer. We do not read or record the content of any app.
  • Draw over other apps (overlay): to show soft warnings, hard-limit blocks, and cooldown screens on top of managed apps.
  • Notifications: to keep the foreground enforcement service alive and to surface limit notices.
  • Ignore battery optimizations (optional): to keep enforcement running reliably when the device is in deep sleep modes.
  • Device administrator (optional): to require the parent password before TymedIn can be uninstalled.
  • Write system settings (optional): to fade media volume while a soft limit is active.
  • Biometric (optional): to allow fingerprint, face, or device-credential unlock in place of the parent password.
  • Query all packages: to list installed apps so you can choose which ones to manage.

6. What we do not collect

TymedIn does not collect, store on our servers, or share:

  • The content of any app you or your child use.
  • Your location, contacts, messages, photos, files, or browsing history.
  • Personally identifying material about anyone in your household, beyond what you choose to type into a feedback message.
  • Advertising identifiers or device fingerprints for advertising purposes.
  • Biometric templates of any kind (biometric checks are performed by Android and never reach the App).

We do not sell or share personal information for cross-context behavioral advertising. We do not use your data to train artificial-intelligence or machine-learning models.

7. Legal bases for processing (EEA, UK, Switzerland)

Where data protection law in your jurisdiction requires us to identify a legal basis, we rely on:

  • Consent for in-app feedback, analytics, and any other optional feature you actively enable. You may withdraw consent at any time as described in Section 12.
  • Legitimate interests for keeping the Service secure, preventing abuse, debugging crashes, and operating the Site, where those interests are not overridden by your rights and freedoms.
  • Performance of a contract for delivering the Service you have asked us to provide.
  • Legal obligation where we must process information to comply with a law that applies to us.

8. How we share information

We share personal information only as follows.

Service providers. We rely on Google Firebase (operated by Google LLC) for Site hosting (Firebase Hosting), the feedback database (Cloud Firestore), anonymous identifiers used by the feedback flow (Firebase Authentication), analytics (Google Analytics for Firebase), and crash reporting (Firebase Crashlytics). Google processes this information under its own terms and security program, on our instructions, for the purposes described in this Policy.

Legal requirements. We may disclose information if we are required to do so by law, court order, or other valid legal process, or if disclosure is necessary to protect our rights, your safety, or the safety of others. We will resist overbroad requests and, where lawful, give you advance notice.

Corporate transactions. If TymedIn is involved in a merger, acquisition, financing, bankruptcy, or sale of assets, your information may be transferred to the successor entity, subject to this Policy or another policy that provides equivalent protection.

With your direction. We share information you ask us to share, such as a feedback submission you choose to send.

We do not rent, sell, trade, or otherwise transfer personal information to third parties for their own marketing or advertising purposes.

9. International data transfers

The service providers we rely on operate globally and may process information in the United States and other countries. Where we transfer personal information out of the European Economic Area, the United Kingdom, or Switzerland, we rely on the Standard Contractual Clauses (or, for the UK, the International Data Transfer Addendum) adopted by the relevant authority, together with the supplementary measures required by applicable case law, to provide an adequate level of protection.

10. Data retention

On-device data is retained for as long as the App is installed and is deleted when you uninstall the App or clear its storage. Site access logs are retained by Firebase for a short, rolling period in line with Google’s defaults. The "Notify me" email address is retained until you ask us to delete it or until the launch announcement is sent. Feedback submissions are retained for as long as we reasonably need them to diagnose issues, after which they are deleted or de-identified. Analytics events, if you have consented, are retained according to the retention setting we configure in GA4 (currently fourteen months). Crash reports are retained for ninety days.

11. How we protect information

We use technical and organizational measures designed to protect personal information against loss, misuse, and unauthorized access, disclosure, alteration, or destruction. These measures include encryption in transit (HTTPS / TLS) for everything that crosses the network, server-side encryption at rest applied by our service providers, BCrypt password hashing on the device, role-based access controls for the small number of administrators who can reach our service-provider consoles, multi-factor authentication for those accounts, automated abuse monitoring, and security reviews. No security program is perfect; you use the Service at your own risk.

12. Your privacy rights

12.1 If you are in the European Economic Area, the United Kingdom, or Switzerland

Subject to the conditions and exemptions in applicable law, you have the right to access your personal information, to ask us to correct or update inaccurate information, to ask us to delete information, to restrict or object to processing, to receive a portable copy of information you provided to us, and to withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal. You also have the right to lodge a complaint with your local data protection authority.

12.2 If you are a California resident (CCPA / CPRA)

Subject to the conditions and exemptions in California law, you have the right to know what categories and specific pieces of personal information we have collected about you, the right to delete personal information we have collected, the right to correct inaccurate personal information, the right to opt out of any "sale" or "sharing" of personal information for cross-context behavioral advertising, the right to limit the use and disclosure of sensitive personal information, and the right not to be discriminated against for exercising these rights. We do not sell or share personal information as those terms are defined under the CCPA / CPRA, and we do not use or disclose sensitive personal information for purposes that would trigger a limit-use right under California law.

12.3 If you are in another jurisdiction

Other data protection laws (for example, the Brazilian LGPD, the Canadian PIPEDA, and various U.S. state laws including Virginia, Colorado, Connecticut, Utah, and Texas) grant similar rights to access, correct, delete, and opt out. We will respond to verified requests under those laws to the extent they apply to us.

12.4 How to exercise your rights

To exercise any of the rights above, email tymedin@gmail.com with enough detail to identify the request. We will respond within the time frame required by applicable law (typically thirty days, extendable once for complex requests). We may need to verify your identity before fulfilling the request and may decline requests that are manifestly unfounded, excessive, or that would compromise the privacy of others. You may use an authorized agent to act on your behalf where applicable law allows.

13. Children’s privacy

TymedIn is designed to be installed, set up, and operated by a parent or guardian, not by a child. The App does not knowingly collect personal information from children under the age of thirteen (or the equivalent minimum age in your jurisdiction) in a manner that requires verifiable parental consent under laws such as the U.S. Children’s Online Privacy Protection Act ("COPPA") or Article 8 of the General Data Protection Regulation. Profiles created in the App for a child store only what the parent enters (a name and limit configuration) and remain on the device. Because almost nothing leaves the device, the App does not transmit personal information about children to us. If you believe a child has provided us with personal information without verifiable parental consent (for example, by emailing us directly), please contact tymedin@gmail.com and we will delete it.

14. Cookies, similar technologies, and Do Not Track

The Site does not set advertising cookies and does not use cross-site fingerprinting, web beacons, or social-network trackers. Strictly necessary cookies may be used by our hosting provider for security and abuse prevention. The App does not use cookies in the browser sense. Because there is no industry consensus on how to respond to Do Not Track and Global Privacy Control signals, the Site does not currently change its behavior in response to those signals; we will revisit this as standards develop.

15. Data breach notification

If we become aware of a security incident that has resulted in unauthorized access to your personal information, we will notify affected users and the relevant supervisory authorities as required by applicable law and without undue delay.

16. Changes to this Policy

We may update this Policy from time to time. Material changes will be highlighted on this page, reflected in the "Last updated" and "Effective date" entries above, and, where required by applicable law, notified to you separately (for example, by email or in-app notice). Your continued use of the Service after an updated Policy takes effect constitutes acceptance of the updated Policy.

17. Contact

Questions or requests about this Policy, your privacy choices, or your rights? Email tymedin@gmail.com.