← Back to home

Privacy Policy

1. Introduction

WhatsOn ("we", "our", "us") is committed to protecting your personal data. This privacy policy explains how we collect, use, and protect the information we receive when you use our mobile application and website.

WhatsOn is a caring parental control tool designed to help parents monitor the online presence of their minor children on WhatsApp.

2. Data Controller

Data controller: WhatsOn
Email: support@whatsonfamily.com
Website: https://whatsonfamily.com

3. Data We Collect

3.1 Account information

• Email address (via Firebase Authentication)
• Device unique identifier (FCM token for push notifications)

3.2 Family data

• Phone numbers of watched family members (WhatsApp contacts)
• Display names chosen by you
• Online/offline status (timestamps)

3.3 Technical data

• Android device model and OS version (diagnostic only)
• Anonymous crash logs (Firebase Crashlytics)

We never collect: message content, photos, call logs, precise location, or WhatsApp message history.

4. Legal Basis (GDPR)

• Contractual performance: to provide the service you subscribe to
• Legitimate interest: to improve and secure the service
• Consent: for optional notifications and analytics

5. Data Usage

Your data is used exclusively to:

• Provide the online presence tracking service
• Send you notifications you have subscribed to
• Technical support via our email address
• Prevent fraud and abuse

We never sell your data to third parties. We do not use your data for targeted advertising.

6. Data Retention

• Account data: as long as your account is active
• Status history: 30 days maximum, then automatic deletion
• Anonymous logs: 90 days

Upon account deletion, all your personal data is removed within 30 days.

7. Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR), you have the following rights:

• Right of access — obtain a copy of your personal data (art. 15)
• Right to rectification — correct inaccurate data (art. 16)
• Right to erasure — "right to be forgotten" (art. 17)
• Right to data portability — receive your data in JSON format directly from the app, Settings → Export my data (art. 20)
• Right to object to processing (art. 21)
• Right to restriction of processing (art. 18)
• Right to withdraw consent at any time, without affecting the lawfulness of prior processing

To exercise these rights, contact us at support@whatsonfamily.com. We respond within 30 days (art. 12 GDPR).

You also have the right to lodge a complaint with your national supervisory authority:

• France: CNIL — cnil.fr/en/plaintes
• Other EU countries: edpb.europa.eu
• UK: ICO — ico.org.uk

8. Data Controller & DPO

Data controller: [LEGAL ENTITY NAME — TO BE COMPLETED], [POSTAL ADDRESS], France.

Privacy contact / DPO: dpo@whatsonfamily.com

9. International Data Transfers

Your data is stored on servers located in the European Union (Frankfurt, Germany). However, some sub-processors may access your data from third countries:

• Google LLC (Firebase, AdMob, Play Billing): United States — transfer covered by the European Commission's Standard Contractual Clauses and the EU-US Data Privacy Framework (adequacy decision EU 2023/1795).
• DigitalOcean: VPS infrastructure in the EU (Frankfurt) — no transfer outside the EU.

10. Automated Decision-Making

WhatsOn does not make any fully automated decisions producing legal effects concerning you or significantly affecting you (art. 22 GDPR).

11. Security — Technical & Organizational Measures

• TLS 1.2+ mandatory for all communications (Let's Encrypt certificates)
• Certificate pinning in the mobile app
• JWT authentication via Firebase + Firebase App Check (Play Integrity / App Attest)
• Local storage encrypted (AES-256-GCM via AndroidKeyStore / iOS Keychain)
• Server secrets isolated (environment variables + 0600 permissions)
• Rate-limiting + fail2ban on the backend
• Automatic security patches (unattended-upgrades)
• Daily encrypted backups with 30-day retention

12. Data Breach Notification

In the event of a data breach likely to result in a risk to your rights and freedoms, we commit to notifying the supervisory authority within 72 hours (art. 33 GDPR) and to informing you directly as soon as possible (art. 34 GDPR).

13. Detailed Retention Periods

• User account (email, Firebase UID): as long as the account is active; deleted within 30 days of an erasure request.
• Watched phone numbers: as long as you keep them in the app.
• Presence timestamps: maximum 30 days, then automatically deleted by scheduled task.
• API access logs: 12 months (legal basis: security, legitimate interest).
• Billing data: 10 years (French accounting law).

14. Third-Party Services

We use the following services:

• Firebase (Google): authentication, push notifications, App Check
• Google Play Billing / App Store StoreKit: subscription payment
• AdMob (Google): ads (free version only, with a consent banner — Consent Mode v2)

Each service has its own privacy policy.

15. Minors & Parental Context

WhatsOn is intended for adult parents and legal guardians (18+). The app must be used exclusively for the monitoring of your own minor children, with prior information given to the child commensurate with their age and maturity.

Using WhatsOn to monitor an adult without their consent, a spouse, a colleague, or anyone other than your minor children is strictly prohibited and may constitute a criminal offense (France: art. 226-1 of the Penal Code — invasion of privacy; up to 1 year imprisonment and €45,000 fine).

16. Policy Changes

We reserve the right to update this policy. Major changes will be notified via the app and by email at least 30 days before they take effect.

17. Contact

Any questions about this policy or to exercise your rights?

General: support@whatsonfamily.com
Privacy / DPO: dpo@whatsonfamily.com