Privacy Policy
This Privacy Policy describes how Hush, a product of Maple Elegance Marketing Inc. (a Canadian federally incorporated corporation, hereafter "Hush", "we", "us", "our"), collects, uses, and protects information when you use the Hush mobile application (the "App"). If you have any questions about this policy, email us at support@hush.app.
The short version.
- Your baby data is end-to-end encrypted. We physically cannot read your logged events, photos, notes, or voice memos on our servers.
- We do not sell your data to anyone, ever. This is a design constraint, not a promise.
- We use Firebase Analytics to see app usage in aggregate — "X devices logged at least one feed this week" — but not who. We never send baby data, names, photos, timestamps, ounces, durations, or any identifier that ties an event to a person.
- On the free tier we serve non-personalized ads via Google AdMob. Premium removes ads entirely.
- You can wipe everything at any time via Settings → "Sign out and wipe device", which also revokes the server-side ciphertext.
1. What we encrypt
Everything baby-related: child profiles, every logged event (naps, feeds, diapers, growth, symptoms, medications, milestones), handoff notes between caregivers, and any photos attached to those notes. All of it is encrypted on your device before upload.
The encryption key (Family Data Encryption Key, or "FDEK") is generated on your device, wrapped for each authorized caregiver's device by X25519 key agreement, and wrapped again by a key derived from your 24-word recovery phrase via Argon2id. Content is encrypted with XChaCha20-Poly1305 IETF. None of this key material ever reaches our servers.
2. What our server stores
For each event, our server stores only:
- family_id — the routing key telling us which family's other devices should receive the blob.
- child_id — opaque to us; used so per-child caregiver permissions can be enforced.
- event_id — a client-generated ULID for ordering and tombstone replay.
- created_at and updated_at — timestamps for sync.
- blob_size — the size in bytes of the ciphertext.
- ciphertext — the encrypted event payload itself. We cannot decrypt it.
Account-level data we hold in plaintext: the email and display name you signed in with, an install ID for crash debugging, and your subscription status.
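To make the field list above concrete, here is an added example (illustrative code written for this page, not Hush's server code) of a sync row holding exactly the metadata fields listed in section 2, a ULID generator following the public ULID layout (48-bit millisecond timestamp plus 80 random bits, Crockford base32) so that event_id values sort by creation time, and a replay routine in which a row with an empty ciphertext acts as a tombstone. The function names, the empty-ciphertext tombstone convention and the sample values are assumptions made for the example.

```python
import os
import time
from typing import Dict, List

# Crockford base32 alphabet used by the ULID spec (no I, L, O, U).
CROCKFORD = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"

# Exactly the columns section 2 says the server holds per event.
SERVER_FIELDS = frozenset({
    "family_id", "child_id", "event_id",
    "created_at", "updated_at", "blob_size", "ciphertext",
})


def new_ulid(ts_ms: int = None, rand: int = None) -> str:
    """Build a 26-character ULID: 48-bit ms timestamp, then 80 random bits.
    ts_ms / rand may be fixed for deterministic tests; normally both are fresh."""
    ts = int(time.time() * 1000) if ts_ms is None else ts_ms
    r = int.from_bytes(os.urandom(10), "big") if rand is None else rand
    n = (ts << 80) | r
    # 26 symbols * 5 bits = 130 bits; the top two bits are always zero.
    return "".join(CROCKFORD[(n >> (5 * (25 - i))) & 31] for i in range(26))


def validate_upload(row: Dict) -> Dict:
    """Accept a sync row only if it carries the designed metadata set and
    nothing else, so a client bug that leaks plaintext columns is refused."""
    extra = set(row) - SERVER_FIELDS
    missing = SERVER_FIELDS - set(row)
    if extra or missing:
        raise ValueError(f"unexpected fields {sorted(extra)}, missing {sorted(missing)}")
    if not isinstance(row["ciphertext"], bytes):
        raise ValueError("ciphertext must be an opaque byte string")
    if row["blob_size"] != len(row["ciphertext"]):
        raise ValueError("blob_size does not match ciphertext length")
    return row


def upload_ok(row: Dict) -> bool:
    """True if validate_upload accepts the row, False if it rejects it."""
    try:
        validate_upload(row)
        return True
    except ValueError:
        return False


def make_row(event_id: str, ciphertext: bytes, created_at: int, updated_at: int) -> Dict:
    """Assemble a row with constructed family/child ids (sample values)."""
    return validate_upload({
        "family_id": "fam-example",          # constructed sample routing key
        "child_id": "child-example",         # constructed, opaque to the server
        "event_id": event_id,
        "created_at": created_at,
        "updated_at": updated_at,
        "blob_size": len(ciphertext),
        "ciphertext": ciphertext,
    })


def replay(rows: List[Dict]) -> List[str]:
    """Fold a family's rows into the set of live event ids.
    Later updated_at wins per event_id; an empty ciphertext is a tombstone
    (assumed convention) and removes the event. Result is in ULID order,
    which is creation order because ULIDs sort lexicographically by time."""
    live: Dict[str, Dict] = {}
    for row in sorted(rows, key=lambda r: (r["updated_at"], r["event_id"])):
        if row["ciphertext"] == b"":
            live.pop(row["event_id"], None)
        else:
            live[row["event_id"]] = row
    return sorted(live)


if __name__ == "__main__":
    a = new_ulid(1_700_000_000_000, 1)
    b = new_ulid(1_700_000_000_001, 1)
    rows = [make_row(a, b"\x01\x02", 10, 10), make_row(b, b"\x03", 11, 11), make_row(a, b"", 10, 12)]
    print(replay(rows))  # only b survives; a was tombstoned later
```

Note that nothing in validate_upload inspects the ciphertext beyond its type and length: the server can enforce the shape of what it stores without being able to read the payload.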
3. Google Sign-In
When you sign in with Google, the Google Sign-In SDK returns an ID token containing your email and display name. We use that token only to populate the local Caregiver row on your device — the raw ID token is never transmitted to our server. The server simply receives your email and display name to identify your account across devices.
We do not link your Google ID to any advertising or analytics identifier.
4. AdMob (free tier only)
On the free tier, Google AdMob is the only third-party SDK that participates in serving content. We configure AdMob to serve non-personalized ads, which means:
- AdMob does not use your behavior in other apps to choose ads.
- We do not pass the Android Advertising ID (AD_ID) into any baby-data API, link it to your Hush account, or store it server-side. AdMob itself uses it within Google's ad inventory matching; you can reset it any time in Android Settings → Privacy.
- No event-level baby data is shared with AdMob. The two systems run in entirely separate code paths.
Premium subscribers do not see ads — the SDK is initialized but never queried for content.
5. Aggregate app-usage analytics
We use Firebase Analytics to understand how Hush is used at an aggregate level — not who uses it. The goal is to know which features matter, which screens confuse people, and where the experience can be improved. The goal is not to sell your data, and we do not.
What this means in practice:
- We see categories, never content. When you log a feed, our analytics records the event event_logged with kind=feed. It does not record the ounces, the time, which child, or any note attached. The same is true for every other event — we only know that a feed of some kind happened, not what it was.
- We never set a user identifier. Firebase issues each app install a random "app instance ID" so daily-active-users rollups work, but it is not linked to your Google account, your email, or any other identifier we hold. Clearing app data resets it.
- Advertising ID collection is disabled. The Android Advertising ID (AD_ID) and Android ID (SSAID) are explicitly disabled in our Firebase Analytics configuration. This means Firebase's "audiences" / "interest categories" / "demographic estimates" features receive no signal from Hush and stay empty.
- No baby data, no PII, no free-text. The event-parameter API we built into the app deliberately accepts only category labels (kind, mode, plan, source, result). Trying to send a name, timestamp, photo, or any other content is impossible without changing the app's source code.
You can opt out of usage analytics any time in Settings → Privacy → "Send anonymous usage stats." Turning it off stops all Firebase Analytics traffic from your device immediately and the existing instance ID is wiped on next launch.
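The "category labels only" property and the opt-out switch described in section 5 can be modelled as an added example (illustrative code written for this page, not Hush's app code). The analytics wrapper below accepts only the five parameter names the section lists, and each value must be a member of a closed vocabulary; a free-text string, a number, a timestamp or a child id has no parameter it could travel in. When usage stats are switched off, nothing is forwarded at all. The vocabularies for mode and source, the event-name list and the AnalyticsSink name are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Kind(Enum):           # event categories named in section 1
    FEED = "feed"
    NAP = "nap"
    DIAPER = "diaper"
    GROWTH = "growth"
    SYMPTOM = "symptom"
    MEDICATION = "medication"
    MILESTONE = "milestone"


class Mode(Enum):           # assumed vocabulary
    MANUAL = "manual"
    TIMER = "timer"


class Plan(Enum):
    FREE = "free"
    PREMIUM = "premium"


class Source(Enum):         # assumed vocabulary
    HOME = "home"
    WIDGET = "widget"
    HANDOFF = "handoff"


class Result(Enum):
    OK = "ok"
    ERROR = "error"


# The only parameter names that may cross into analytics, each bound to the
# Enum that must carry it. There is deliberately no str/int/float parameter.
ALLOWED_PARAMS = {"kind": Kind, "mode": Mode, "plan": Plan, "source": Source, "result": Result}
# Assumed event-name list; anything else is refused.
ALLOWED_EVENTS = frozenset({"event_logged", "screen_view", "subscription_changed"})


class AnalyticsSink:
    """Stand-in for the SDK wrapper: records exactly what would be sent."""

    def __init__(self, usage_stats_enabled: bool = True):
        self.usage_stats_enabled = usage_stats_enabled
        self.sent: List[Dict[str, str]] = []

    def log(self, event: str, **params: Enum) -> bool:
        """Forward an event; return False if the user opted out.
        Raise ValueError for any event or parameter outside the allowlist."""
        if not self.usage_stats_enabled:
            return False                      # opt-out: nothing leaves the device
        if event not in ALLOWED_EVENTS:
            raise ValueError(f"event {event!r} is not on the allowlist")
        payload: Dict[str, str] = {}
        for name, value in params.items():
            expected = ALLOWED_PARAMS.get(name)
            if expected is None:
                raise ValueError(f"parameter {name!r} is not on the allowlist")
            if not isinstance(value, expected):
                raise ValueError(f"parameter {name!r} must be a {expected.__name__} label")
            payload[name] = value.value       # only the label string is sent
        self.sent.append({"event": event, **payload})
        return True

    def rejects(self, event: str, **params) -> bool:
        """True if log() refuses this call (used to show what cannot be sent)."""
        try:
            self.log(event, **params)
            return False
        except ValueError:
            return True


@dataclass
class LocalEvent:
    """The on-device record: full of content that must never reach analytics."""
    child_id: str
    kind: Kind
    at_ms: int
    amount_ml: Optional[float] = None
    note: str = ""


def report_event(sink: AnalyticsSink, ev: LocalEvent, plan: Plan, source: Source) -> bool:
    """The only bridge from a logged event to analytics: category labels pass,
    child id, time, amount and note have no parameter to travel in."""
    return sink.log("event_logged", kind=ev.kind, plan=plan, source=source)


if __name__ == "__main__":
    sink = AnalyticsSink()
    ev = LocalEvent("child-example", Kind.FEED, 1_700_000_000_000, 120.0, "spit up")  # constructed sample
    report_event(sink, ev, Plan.FREE, Source.HOME)
    print(sink.sent)  # [{'event': 'event_logged', 'kind': 'feed', 'plan': 'free', 'source': 'home'}]
```

The design point is that the restriction lives in the type of the parameter, not in a filter applied to strings: there is no code path that takes a note or an amount, so leaking one would require adding a new parameter type to the wrapper rather than forgetting a check.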
6. What we do not do
- No third-party crash reporters in the baby-data path. Crashes are surfaced via Play Console's built-in reporting (no payload from us).
- No data sales, no "we may share with partners" clause, no AI / model-training use of your content.
- No advertising profile keyed to your Hush account.
- No Crashlytics, no Mixpanel, no Amplitude, no Segment. The only behavioral telemetry we collect is the aggregate Firebase Analytics described in section 5 above.
7. Data deletion and panic-wipe
In Settings you can:
- Panic-wipe — immediately erases the local database, keys, and signed-in session on the device. The other family devices remain intact.
- Delete family vault — tombstones every server-side blob and metadata row associated with the family. Our worker runs a 30-day server-side purge that physically removes the ciphertext from D1 and R2 after the grace period. After that window we retain only the minimum required by tax law (subscription receipts), with all baby-data linkage removed.
8. Children's privacy
Hush is a tool for parents tracking their own children's care. It is not a service directed at children, does not collect data from children acting on their own behalf, and is not subject to COPPA-style under-13 collection rules in the United States.
The information stored about your child (name, date of birth, logged events) is provided by you, the parent or authorized caregiver, on the child's behalf and is encrypted end-to-end as described above.
If you believe a child under 13 has independently created a Hush account, email support@hush.app and we will delete the account.
9. Your rights
Depending on your jurisdiction (GDPR, CCPA/CPRA, PIPEDA, Quebec Law 25, etc.), you may have rights to access, correct, delete, or export your data, and to withdraw consent at any time. To exercise any of these, email support@hush.app — we respond within 30 days.
For users in California: we do not sell or share your personal information for cross-context behavioral advertising. AdMob's non-personalized mode does not qualify as a "sale" or "share" under CCPA.
10. Security
- Cryptography: libsodium (XChaCha20-Poly1305, X25519, Ed25519, Argon2id). No custom crypto.
- On-device storage: SQLCipher (AES-256) with the database key in Android Keystore (hardware-backed where available).
- In transit: TLS 1.2+ on every connection to our servers.
- Server-side: Cloudflare Workers + D1 + R2. Every signed endpoint validates an Ed25519 request signature, so a stolen blob can't be replayed without the originating device's private key.
Report vulnerabilities to security@hush.app.
11. When we share information
We share data only when:
- Required by law — e.g., a valid court order. Note we can only share what we have, which is ciphertext and routing metadata.
- You explicitly direct us to — e.g., exporting an encrypted backup to your own Drive.
- For service operation — Google Play Billing (subscriptions), Cloudflare (encrypted blob storage), AdMob (free-tier ads only). These providers process data on contractually limited terms.
12. International transfers
Our servers run on Cloudflare's global network. Encrypted blobs may be processed in any Cloudflare region. Because the data is ciphertext, no jurisdiction can read it regardless of where it is stored.
13. Changes to this policy
We will notify you in-app at least 30 days before material changes take effect. The current version is always at hush.app/privacy.
14. Contact
- Operating entity: Maple Elegance Marketing Inc., a Canadian federally incorporated corporation.
- Support & data requests: support@hush.app
- Security: security@hush.app