Privacy Policy

Last updated: March 27, 2026

Introduction

Defilan Technologies LLC ("we," "our," or "us") operates Shelta, a parental control service that helps parents protect their children's devices. This Privacy Policy explains how we collect, use, and protect information when you use our service.

We are committed to protecting your privacy and the privacy of your children. Shelta is designed with privacy in mind. Our service uses two approaches to protect children's devices:

  • Companion App (FamilyControls): Our iOS companion app uses Apple's FamilyControls framework, where Apple handles all restriction enforcement on-device. Shelta sends configuration settings to the app but does not directly access or monitor your child's activity, messages, photos, or browsing content.
  • MDM (Mobile Device Management): For existing supervised devices, we use enterprise-grade MDM technology that focuses on device management rather than invasive monitoring.

Information We Collect

Account Information

When you create an account, we collect:

  • Email address
  • Name (optional)
  • Authentication data through our provider, Clerk (see Third-Party Services below)

Device Information

When you enroll a child's device, we collect information depending on the enrollment type:

Companion App enrollment:

  • Device name and model
  • iOS version
  • APNs push token (used to notify the device when a parent changes settings)
  • Device enrollment status
  • Settings acknowledgment (which settings version the device has applied)

MDM enrollment (existing supervised devices):

  • Device name and model
  • Operating system version
  • Device identifiers (UDID) necessary for MDM management
  • Device enrollment status

Location Data

When a parent enables location sharing for their child's companion device, we collect:

  • Latitude, longitude, accuracy, and altitude of the device
  • Timestamp of each location update

Location data is collected using battery-efficient significant-change monitoring (approximately 500-meter granularity). This means we do not continuously track movement; the device reports its location only when it moves a significant distance.

Important: Location tracking is off by default and only activates when a parent explicitly enables it in the Shelta dashboard. Location data is automatically deleted after 7 days and is never shared with third parties.

Activity Event Data

The companion app reports certain enforcement events to the Shelta dashboard so parents can see when restrictions were applied. These events include:

  • Bedtime restrictions starting and ending
  • Daily screen time limits being reached
  • App or website shield being shown (when your child attempts to open a blocked app or visit a blocked website, we record that the shield was displayed — not which specific app or website was blocked)
  • FamilyControls authorization status changes (for example, if authorization is revoked on the device)

Activity events do not include the content of your child's activity, browsing history, messages, or app usage details. They record only that a restriction was enforced or that an authorization change occurred. Activity events are retained for 90 days, then automatically deleted.

URL Filtering (iOS 26+)

On devices running iOS 26 or later, Shelta can provide system-level URL filtering using Apple's NEURLFilter framework. This feature is designed to be privacy-preserving:

  • A Bloom filter (a compact data structure) is downloaded to the child's device. URL checks happen locally on the device — our server never sees which websites your child visits
  • When a URL matches the Bloom filter, Private Information Retrieval (PIR) is used to confirm the match. PIR uses cryptographic techniques so the server cannot determine which URL was queried
  • Parents configure blocked domains through the Shelta dashboard. Only the domain list (not browsing history) is stored on our servers
  • The Bloom filter is regenerated when parents update their rules and pushed to the device via a silent notification

Usage Data

For MDM-enrolled devices, we may collect basic app usage statistics (which apps are installed) to help parents understand device usage. For companion app devices, Apple's FamilyControls framework handles restriction enforcement directly on the device, and Shelta does not receive information about which specific apps your child uses. Parents have full control over the restrictions applied to their child's device through the Shelta dashboard.

How We Use Your Information

We use the information we collect to:

  • Provide and maintain the Shelta service
  • Enable parents to manage and protect their children's devices
  • Deliver settings updates to companion devices via push notifications
  • Show parents when restrictions were enforced (bedtime, daily limits) and alert them to authorization changes
  • Display device location to parents when location sharing is enabled
  • Communicate with you about your account and service
  • Improve and develop our service
  • Ensure the security and integrity of our platform

Children's Privacy (COPPA Compliance)

Shelta is a parental control service designed to be used by parents and guardians, not by children. We comply with the Children's Online Privacy Protection Act (COPPA).

  • Only parents/guardians (18 years or older) may create Shelta accounts
  • We verify parental status through credit card verification during account creation (a nominal authorization confirms access to a valid payment method as evidence of adult status)
  • Device information is collected from children's devices only after verifiable parental consent is obtained. For companion app devices, enrollment requires a setup code generated by the parent
  • Parents have full access to view and delete their children's device data at any time
  • We do not knowingly collect personal information directly from children
  • We collect only the minimum data necessary to provide the Service (data minimization)
  • We do not use children's data for advertising purposes
  • We do not share, sell, or disclose children's personal information to third parties for marketing or advertising

Parental Rights Under COPPA

As a parent or guardian, you have the right to:

  • Review the personal information we have collected from your child's device
  • Request deletion of your child's information at any time
  • Refuse further collection of your child's information by unenrolling their device
  • Access and export your child's data through your Shelta dashboard

How to Exercise Your Rights

  • Review or delete device data: Log into your Shelta dashboard and navigate to Device Settings
  • Unenroll a device: Use the "Remove Device" option in your dashboard, which stops data collection and deletes stored data within 30 days
  • Delete your entire account: Email privacy@shelta.app with your request
  • Questions about your child's data: Contact privacy@shelta.app

We will respond to all COPPA-related requests within 30 days.

California Privacy Rights (CCPA)

If you are a California resident, you have the following rights:

  • Right to Know: You can request information about the personal information we collect, use, and disclose
  • Right to Delete: You can request deletion of your personal information
  • Right to Opt-Out: We do not sell personal information, so this right does not apply
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise these rights, contact us at contact@defilan.com.

Third-Party Services

Clerk (Authentication)

We use Clerk for user authentication. Clerk processes your login credentials and authentication data. See Clerk's Privacy Policy for more information.

Plausible Analytics

We use Plausible Analytics to understand how visitors use our website. Plausible is a privacy-focused analytics service that:

  • Does not use cookies
  • Does not collect personal data
  • Does not track users across websites
  • Is fully compliant with GDPR, CCPA, and PECR

See Plausible's Privacy Policy for more information.

Resend (Email)

We use Resend to send transactional emails such as account notifications, alerts, and weekly reports. Resend processes your email address to deliver these communications. See Resend's Privacy Policy for more information.

Apple Push Notification service (APNs)

We use Apple's Push Notification service to send silent notifications to companion devices when a parent updates settings. These notifications contain no personal data; they simply signal the device to fetch updated configuration from our servers. See Apple's Privacy Policy for more information.

Google Cloud Platform (Infrastructure)

Our service is hosted on Google Cloud Platform (GCP). Account and device data is stored in GCP databases located in the United States. Google acts as a data processor on our behalf and is contractually bound to protect your data. See Google's Privacy Policy for more information.

Data Security

We implement industry-standard security measures to protect your information:

  • All data transmission is encrypted using TLS/HTTPS
  • Companion app settings sync uses authenticated API endpoints with per-device bearer tokens
  • MDM-enrolled devices use enterprise-grade MDM security protocols
  • FamilyControls enforcement runs entirely on-device via Apple's secure framework, with no child data transmitted to our servers
  • Access to personal data is restricted to authorized personnel only
  • We regularly review and update our security practices

We maintain a written information security program specifically addressing the protection of children's personal information, as required by COPPA. This program includes safeguards appropriate to the sensitivity of the data we collect and is reviewed and updated at least annually.

Internal Administrative Access

Shelta's internal administrative dashboard provides aggregate platform statistics for operational monitoring. This includes:

  • Total counts of users, devices, and child profiles
  • Aggregated device model and iOS version distributions
  • Platform health metrics (alert counts by type)
  • Growth trends (new signups per month)

Important: Administrative access is strictly limited to platform owners and does not include access to:

  • Individual user identities, emails, or names
  • Specific device details or locations
  • Child profile information
  • Any personally identifiable information (PII)

The administrative dashboard is view-only and cannot be used to modify user data, manage devices, or take any actions on behalf of users.

Data Retention

We retain data only as long as necessary to provide the Service:

  • Account information: Retained while your account is active
  • Device enrollment data: Retained while the device is enrolled, plus 30 days after unenrollment
  • Location data: Automatically deleted after 7 days
  • Activity events: Retained for 90 days, then automatically deleted
  • Alert history: Retained for 90 days, then automatically deleted
  • Audit logs: Retained for 1 year for security purposes

When you delete your account, we will delete your personal information and all associated child and device data within 30 days, except where we are required to retain it for legal or regulatory purposes.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically.

Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact us at:

Defilan Technologies LLC

Email: contact@defilan.com

Website: shelta.app