For parents: how Bubbs handles your child's data

Plain English. No lawyers. (But there is a real privacy policy underneath this, if you want it.)

The one-paragraph version.

Your child's device never sends anything to our servers until you, the caregiver, pair your phone and agree to the privacy policy on your phone. The "account" Bubbs uses is yours, not your child's. Nothing about your child — not their name, not their age, not their photo — ever leaves the device on its own.

The question parents ask

"Isn't this an app for my kid? Shouldn't I be filling out a parental consent form on their iPad?"

It's a reasonable question — most kids' apps do exactly that. COPPA (the US law covering kids under 13 online) usually requires what's called "verifiable parental consent": a credit-card check, a notarized form, a video call, something that proves a real adult signed off. It exists for good reason: too many apps hoover up data from kids and sell it.

Bubbs takes a different route. Instead of collecting data from your child and then asking you to consent to it, we designed the app so we never collect data from your child in the first place. No data, no consent problem.

What the child's device does

The child-side of Bubbs is an AAC board that lives entirely on the device. Here's what stays local:

Your child's name (if you entered one — many families skip this).
Your child's photo (if you added one).
The tiles you customized — photos of Grandma, a favorite snack, a specific medication, whatever helps your child say what they mean.
Their history of recent sentences.
App preferences — voice, rate, theme.

All of this sits in local storage on the tablet or phone. It does not leave. There is no "sign in." There is no backup to a cloud without your explicit action. If the tablet breaks, that data is gone unless you ran an export. (That's a tradeoff we made on purpose: the cost of "lose the tablet, lose the data" is lower than the cost of routinely shipping a child's private vocabulary list to our servers.)

What your (caregiver) device does

When you install Bubbs on your own phone and pair it to your child's device, your phone becomes the bridge. From that point forward, every sentence your child builds and speaks is also sent to your phone as a push notification — so you know they wanted juice, even if you're in the next room.

On your device, during onboarding, we ask you to agree to the privacy policy and the terms. We ask if you want to turn on crash reports. We ask if you want to turn on usage analytics. Both default to OFF. You are the adult data subject; you are the one consenting to everything we do.

What actually crosses the network

Three kinds of things travel from your child's device, through our servers, to your paired phone:

The sentence itself. Short text, like "I want juice please." No audio recording — the speech is synthesized on the device, not captured.
An optional photo of a tile (e.g., the juice box picture). Only if the tile was set up with a photo attachment.
Enough metadata to deliver it. Your paired device's push token (so Apple and Google know where to send it), a timestamp, and a message ID.

What doesn't cross over: the child's name, the child's photo, the child's device identifier, the child's age, their location, any diagnostic information about their device, their usage patterns, what tiles they looked at but didn't tap, what time they opened the app.

No ads, no tracking SDKs, no data brokers

We don't ship any advertising SDK in Bubbs. Not AdMob, not Meta Audience Network, not Unity Ads, not AppLovin, not ironSource. We don't ship attribution SDKs (AppsFlyer, Adjust, Branch, Singular). We don't ship social pixels (Facebook, TikTok, Snap, X, Pinterest). We don't ship third-party analytics on the child device at all — PostHog is caregiver-side only, opt-in, with an event allow-list that scrubs content.

This is both a marketing decision and a legal one. An AAC app for non-verbal children is not the place for ad networks. Ever.

Who else touches your data

Three vendors handle the caregiver side of Bubbs:

Firebase (Google) runs the authentication, database, storage, and push notifications. Your messages go through them on the way to your paired phones.
RevenueCat handles the subscription receipt when you upgrade. They see your Apple or Google purchase record. That's it.
Apple and Google handle push delivery to your caregiver phones (APNs / FCM) and the billing. They already have you as a customer for everything else on your phone.

If you opt in on your own phone, two more run on caregiver-only:

Sentry for crash reports (default OFF).
PostHog for anonymized usage analytics (default OFF).

None of these run on the child device. Not even if you opt in on yours.

The legal framework, in a sentence

Under COPPA, you (the caregiver) are both the "operator-facing user" and the person who owns the data. That's called caregiver-as-operator. Because we never collect data from your child, the verifiable-consent requirement doesn't apply — it's the collecting from the child that triggers it, and we don't.

If you'd like to read the full analysis (we wrote it mostly for Apple and Google's app reviewers, but you're welcome to it), it's in the Bubbs repo as docs/legal/coppa-analysis.md. If you'd like us to email it to you, just ask.

Your rights

You can do all of the following from inside the app, at any time, with no subscription required:

Download everything we have — Settings → Your data & privacy → "Download my data." A JSON file, yours to keep or share.
Delete everything we have — same screen, two taps. We confirm step-by-step what got removed.
Turn off crash reports — same screen, a single toggle.
Turn off analytics — same screen, a single toggle.
Remove a paired caregiver — Settings → Devices → Remove. The target device stops receiving messages immediately.

Things we can't do

Undo a deletion. If you tap "Delete everything," we actually do. We will not restore your account from a backup if you later change your mind.
Cancel your subscription for you. Apple and Google hold those contracts, not us. We have step-by-step instructions on the support page.
See what your child is doing. We don't get analytics from the child device. When you ask "what did my kid do in the app today," the honest answer is that the only data we have is whatever sentences they sent to you.

If you have questions

Email bubbs@abilenewebsitedesign.com. A human reads every one of these. Usually within a day.

If you'd prefer a phone call for a privacy question, say so in your email — we'll set one up.

One more thing

We built Bubbs because a kid who can't talk deserves to be able to ask for the juice without hitting a paywall or surrendering their data to an ad network on the way. That's the whole project. If anything about how Bubbs handles your family's data doesn't feel right, tell us — we care, and we'll fix it.