Privacy Policy
Last updated · DRAFT
DRAFT — this policy has not yet been reviewed by counsel. Do not treat as legally binding until reviewed and signed off.
Backstop is a parental audit product. A parent installs Backstop on their child’s laptop. The endpoint agent takes screenshots on a schedule, asks a large language model (“LLM”) what is on screen, and dispatches alerts to the parent when the description matches rules the parent wrote. This policy explains what we handle, what we don’t, and what your rights are.
Data we collect
We are a small backend by design. On the control plane we store:
- Account fields: your email, an Argon2id password hash, TOTP secret (envelope-encrypted), billing identifiers from Stripe.
- Endpoint metadata: a per-endpoint identifier, its public key, its heartbeat timestamps, its software version, an opaque device label the parent picked.
- Ciphertext of alerts: opaque bytes we cannot read (see below). We store an alert ID, timestamp, a coarse severity bucket, and the encrypted content.
- Delivery routing hints: for each alert, the channel and destination the parent chose (e.g. “web push to this browser,” “SMS to +1‑555…”). Where possible, alert previews sent by SMS/email are content-free (“You have a new Backstop alert. Open the app to see.”).
- Ciphertext of configuration: your harms taxonomy, blocklists, and cadence choices, again as opaque bytes.
- Operational logs: request timings, error rates, and integrity signals for security and reliability. Logs never contain alert content or screenshots.
Data we do NOT collect
- Screenshots. They are captured on your child’s laptop, sent directly to your bring-your-own-key (BYOK) LLM provider under the parent’s own API key, and deleted from the endpoint after evaluation. They never touch Backstop servers.
- Your LLM provider API key. It lives on the endpoint’s OS keychain. We never see it.
- Full LLM responses. Only the fields required to render an alert (a one-sentence summary, triggered categories, a severity bucket) leave the endpoint, and even those are encrypted end-to-end before we see them.
- Plaintext alerts. All alert content is encrypted with your family key on the endpoint. We store ciphertext.
- Plaintext harms taxonomy or blocklists. Same.
- Your child’s keystrokes, DMs, or browsing history.
Because we never hold the family key, a subpoena or breach against our infrastructure yields ciphertext and metadata — not content.
How we use what we do collect
- Account fields are used to authenticate you.
- Endpoint metadata is used to know which of your devices are online, when to auto-update, and whether a device is tampered with.
- Alert ciphertext is used to relay alerts from endpoint to your PWA and to your chosen notification channels.
- Configuration ciphertext is used to distribute your rules to enrolled endpoints.
- Delivery hints are used to route the “you have a new alert” ping to the right SMS number, email address, or push subscription.
Retention
- Alerts: 30 days by default; you may reduce this in settings.
- Endpoint heartbeats: 90 days.
- Configuration ciphertext: retained until you change or delete it, plus a short recovery window.
- Screenshots: N/A — we never receive them. On the endpoint, they are deleted immediately after the LLM call completes.
- Deleted accounts: purged within 30 days.
Your rights
You may at any time:
- Delete your account and all associated ciphertext. One click in the parent app.
- Export everything we hold about you as a JSON archive.
- Revoke parental consent (see below). Revocation deletes your child’s records within 30 days.
- Restrict processing to essential operations (billing, security).
If we ever cannot fulfil a request within statutory windows, we will tell you why and when.
Children under 13 — COPPA specifics
Backstop only collects data about your child through a parent-installed agent, at the parent’s direction. Under COPPA (the Children’s Online Privacy Protection Act, 15 U.S.C. §6501 et seq.) we treat the parent as the data controller and require verified parental consent before any endpoint reports to us:
- Verification is by a credit card charge on the parent’s account, one of the methods the FTC recognizes as sufficient for verifiable parental consent.
- Scope is set per data category (screenshots [never], URL history [not in v1], alerts [yes]). Each category has its own consent checkbox at signup.
- Revocation is available in the parent app at any time. Revocation is honored within 30 days and confirmed by email.
We do not knowingly collect data about children under 13 outside of this parent-directed flow. If you believe we have, email privacy@backstop.family.
International transfers
Backstop is operated from the United States. Our control plane runs on Google Cloud Platform in US regions and our database is hosted by Neon in a US region. If you use Backstop from outside the US, your account fields and the opaque ciphertext described above will be transferred to and stored in the US.
We do not currently offer service in the EU or UK. If we do in future, we will publish an updated policy addressing GDPR and UK GDPR data-transfer safeguards.
Security
See our Security page for the full architecture. Highlights:
- End-to-end encryption using the age protocol (X25519 + ChaCha20-Poly1305).
- Family key lives only on your devices; we never see it.
- Our own service secrets live in Google Cloud KMS with non-exportable keys.
- Vulnerability disclosure: security@backstop.family and /.well-known/security.txt.
Contact
- Privacy: privacy@backstop.family
- Security: security@backstop.family
- Postal address will appear here after entity formation.
Changes to this policy
We will post material changes at this URL and, where we have your email, notify you at least 30 days before the change takes effect.