Security & Data Practices

FocalNest handles data for families with children. We take that seriously. This page covers what we do technically and operationally to protect your family's information.

Encryption

In transit

All communication between your device and our servers uses TLS 1.2+. We enforce HTTPS everywhere — there is no HTTP fallback.

At rest

Your data is stored on encrypted volumes. Passwords are never stored in plaintext: we keep only bcrypt hashes, with a work factor that we raise as hardware improves.
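The operational side of "a work factor we raise as hardware improves" is that an old hash can only be upgraded at the moment its owner logs in, because that is the only time the plaintext is available. The following is an added example, not FocalNest's code: it uses the standard-library PBKDF2-HMAC-SHA256 (hashlib.pbkdf2_hmac) instead of bcrypt so it runs without a third-party package, and the target of 600,000 iterations is the current OWASP recommendation for that algorithm rather than anything the page states. The rehash-on-login logic is the same for bcrypt, where the cost is parsed from the `$2b$NN$` prefix.

```python
"""Password hashing with an upgradable work factor (added example, not FocalNest's code).

Uses PBKDF2-HMAC-SHA256 from the standard library in place of bcrypt; the
rehash-on-login pattern is identical.
"""
import base64
import hashlib
import hmac
import os
from typing import Tuple

# Current target work factor (assumption: OWASP's recommendation for
# PBKDF2-HMAC-SHA256). Raise this over time; older hashes are upgraded
# transparently the next time their owner logs in.
TARGET_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = TARGET_ITERATIONS) -> str:
    """Return a self-describing encoding: algorithm$iterations$salt$digest."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def _parse(encoded: str) -> Tuple[int, bytes, bytes]:
    algo, iters, salt_b64, digest_b64 = encoded.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    return int(iters), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password: str, encoded: str) -> bool:
    """Recompute with the parameters stored alongside the hash; compare in constant time."""
    iterations, salt, expected = _parse(encoded)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(encoded: str) -> bool:
    """True when the stored hash was produced with a lower work factor than we now want."""
    iterations, _, _ = _parse(encoded)
    return iterations < TARGET_ITERATIONS


def login(stored: str, password: str) -> Tuple[bool, str]:
    """Check the password. On success, return the hash that should now be stored,
    which is a fresh one at TARGET_ITERATIONS if the old one was weaker."""
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored):
        return True, hash_password(password)
    return True, stored


if __name__ == "__main__":
    legacy = hash_password("correct horse battery", iterations=100_000)
    ok, current = login(legacy, "correct horse battery")
    print("login ok:", ok, "| upgraded:", current != legacy, "| still weak:", needs_rehash(current))
```

The encoding carries its own parameters, so raising `TARGET_ITERATIONS` never invalidates existing rows; it only makes `needs_rehash` true for them until their next successful login.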

Authentication tokens

Session tokens are short-lived JWTs. Refresh tokens are rotated on each use (the presented token is invalidated and a replacement issued) and are stored as HttpOnly cookies, so they are not readable from JavaScript.
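Rotation on each use has a useful side effect: a refresh token that is presented a second time after it has already been exchanged can only be a copy someone else obtained. The store below is an added example, not FocalNest's code, showing rotation with that reuse detection (the whole chain of tokens descended from one login is revoked, forcing both the thief and the real client to sign in again), server-side storage of token hashes rather than tokens, and the cookie attributes that keep the token away from scripts. The 30-day lifetime and cookie path are assumptions for illustration.

```python
"""Refresh-token rotation with reuse detection (added example, not FocalNest's code)."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

REFRESH_TTL_SECONDS = 30 * 24 * 3600  # assumed lifetime for the example


@dataclass
class RefreshRecord:
    chain_id: str        # one chain per login; every rotation stays in the chain
    user_id: str
    expires_at: float
    consumed: bool = False


class RefreshTokenStore:
    def __init__(self) -> None:
        self._by_hash: Dict[str, RefreshRecord] = {}
        self._revoked_chains: Set[str] = set()

    @staticmethod
    def _digest(token: str) -> str:
        # Only the hash is stored, so a database leak does not yield usable tokens.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id: str, chain_id: Optional[str] = None,
              now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        chain_id = chain_id or secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self._by_hash[self._digest(token)] = RefreshRecord(
            chain_id, user_id, now + REFRESH_TTL_SECONDS)
        return token

    def rotate(self, presented: str,
               now: Optional[float] = None) -> Optional[Tuple[str, str]]:
        """Exchange a refresh token for a new one. Returns (user_id, new_token), or None
        when the token is unknown, expired, already consumed, or in a revoked chain."""
        now = time.time() if now is None else now
        rec = self._by_hash.get(self._digest(presented))
        if rec is None or rec.chain_id in self._revoked_chains or rec.expires_at < now:
            return None
        if rec.consumed:
            # Replay of a token we already rotated: another party holds a copy.
            # Revoke every token in the chain, including the legitimate current one.
            self._revoked_chains.add(rec.chain_id)
            return None
        rec.consumed = True
        return rec.user_id, self.issue(rec.user_id, rec.chain_id, now)


def refresh_cookie(token: str, max_age: int = REFRESH_TTL_SECONDS) -> str:
    """Set-Cookie value: HttpOnly keeps it from scripts, Secure keeps it off plain HTTP,
    and a narrow Path means it is only sent to the refresh endpoint (assumed path)."""
    return ("refresh_token={}; Max-Age={}; Path=/auth/refresh; "
            "HttpOnly; Secure; SameSite=Strict".format(token, max_age))


if __name__ == "__main__":
    store = RefreshTokenStore()
    first = store.issue("parent-1")
    _, second = store.rotate(first)
    print("replay of consumed token accepted:", store.rotate(first) is not None)
    print("current token still valid after replay:", store.rotate(second) is not None)
    print(refresh_cookie(second)[:40] + "...")
```

The trade-off is deliberate: a legitimate client that retries a refresh after a dropped response will also trip the reuse check and be signed out, which is the safe failure for a token that may have leaked.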

Infrastructure

API & database

Hosted on Fly.io in the US. Each family's data is logically isolated: no application or API operation can read another family's records. Database backups run daily and are retained for 7 days.

CDN & edge

Static assets are served through Cloudflare Pages, which provides DDoS protection and global edge caching.

Payments

Billing is handled entirely by Stripe. We never see or store your payment card details.

Email

Transactional email (password resets, parental consent requests) is sent via Resend under a data processing agreement. We do not use email marketing services.

Access & Isolation

Every API request is authenticated and scoped to a family. It is not possible to read another family's data through the API — this is enforced at the database query level, not just the application layer.

Within a family, the system distinguishes between admin and member roles. Admins can manage family members and settings; members can manage their own tasks and see shared content. Children have a restricted view appropriate to their age.
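What "enforced at the database query level" means in practice is that the family id is bound into every statement from the authenticated session, never taken from the request, so a task id belonging to another family matches no rows at all instead of depending on a check the handler might forget. The repository below is an added example, not FocalNest's code; the schema, table names, role names (admin, member, child) and sample families are assumptions for illustration, and SQLite stands in for the production database.

```python
"""Family-scoped data access with role checks (added example, not FocalNest's code)."""
import sqlite3
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Session:
    """Derived from the verified session token, never from request parameters."""
    user_id: str
    family_id: str
    role: str  # "admin", "member" or "child" (assumed role names)


class PermissionDenied(Exception):
    pass


# Assumed schema for the example.
SCHEMA = """
CREATE TABLE members (user_id TEXT PRIMARY KEY, family_id TEXT NOT NULL, role TEXT NOT NULL);
CREATE TABLE tasks (id INTEGER PRIMARY KEY, family_id TEXT NOT NULL, owner_id TEXT NOT NULL,
                    title TEXT NOT NULL, done INTEGER NOT NULL DEFAULT 0);
"""

# Constructed sample data: two families, so cross-family access can be exercised.
SAMPLE_MEMBERS = [("alice", "fam-A", "admin"), ("bob", "fam-A", "member"),
                  ("cara", "fam-A", "child"), ("dan", "fam-B", "admin")]
SAMPLE_TASKS = [(1, "fam-A", "cara", "Feed the cat"),
                (2, "fam-A", "bob", "Pay the gas bill"),
                (3, "fam-B", "dan", "Book the dentist")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", SAMPLE_MEMBERS)
    conn.executemany("INSERT INTO tasks (id, family_id, owner_id, title) VALUES (?, ?, ?, ?)",
                     SAMPLE_TASKS)
    return conn


class FamilyRepo:
    """Data access for one authenticated session. Every statement carries
    `family_id = ?` bound to the session, so ids from another family never match."""

    def __init__(self, conn: sqlite3.Connection, session: Session) -> None:
        self.conn, self.s = conn, session

    def get_task(self, task_id: int) -> Optional[Dict]:
        row = self.conn.execute(
            "SELECT id, owner_id, title, done FROM tasks WHERE id = ? AND family_id = ?",
            (task_id, self.s.family_id)).fetchone()
        return dict(zip(("id", "owner_id", "title", "done"), row)) if row else None

    def list_tasks(self) -> List[int]:
        rows = self.conn.execute(
            "SELECT id FROM tasks WHERE family_id = ? ORDER BY id",
            (self.s.family_id,)).fetchall()
        return [r[0] for r in rows]

    def complete_task(self, task_id: int) -> bool:
        """Admins may complete any task in their family; members and children only their own.
        The restriction is part of the UPDATE's WHERE clause, not a separate lookup."""
        sql = "UPDATE tasks SET done = 1 WHERE id = ? AND family_id = ?"
        params = [task_id, self.s.family_id]
        if self.s.role != "admin":
            sql += " AND owner_id = ?"
            params.append(self.s.user_id)
        return self.conn.execute(sql, params).rowcount == 1

    def remove_member(self, user_id: str) -> bool:
        """Managing members is an admin-only operation, and still family-scoped."""
        if self.s.role != "admin":
            raise PermissionDenied("only family admins can manage members")
        cur = self.conn.execute("DELETE FROM members WHERE user_id = ? AND family_id = ?",
                                (user_id, self.s.family_id))
        return cur.rowcount == 1


if __name__ == "__main__":
    db = make_db()
    alice = FamilyRepo(db, Session("alice", "fam-A", "admin"))
    print("family A sees tasks:", alice.list_tasks())
    print("family A reading B's task 3 by id:", alice.get_task(3))
```

Because the scoping lives in the SQL rather than in a check after the fetch, an endpoint that forgets the check still cannot leak another family's row; the same idea is what Postgres row-level security policies enforce for every statement a session issues.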

Our internal team has access to production systems only through audited, MFA-protected admin tooling. We do not have routine access to your family's content.

What We Don't Do

  • We do not sell your data or your children's data to anyone, ever.
  • We do not run advertising — there are no ad networks, no tracking pixels, no remarketing.
  • We do not use third-party analytics that profile users (no Google Analytics, no Meta Pixel).
  • We do not build profiles of your children's behavior for any purpose other than showing them their own tasks.
  • We do not send marketing email to children.
  • We do not share data with partners, affiliates, or data brokers.

Children's Data (COPPA)

FocalNest complies with the Children's Online Privacy Protection Act (COPPA). Children under 13 cannot create accounts independently — a parent or guardian must verify and approve the account first.

Once a child account is active, the data we collect is minimal: display name, birthday (for age-appropriate features), and in-app activity (tasks completed, points earned). We collect no email, phone number, or location data from children.

Parents can review, export, or permanently delete their child's account and all associated data at any time from the parental controls dashboard.

Read the full COPPA section in our Privacy Policy →

Reporting a Security Issue

If you discover a security vulnerability in FocalNest, please report it responsibly. We ask that you do not publicly disclose the issue until we have had a chance to address it.

  • Email: security@focalnest.app
  • Response time: within 2 business days
  • Scope: focalnest.app, app.focalnest.app, api.focalnest.app

We do not currently offer a formal bug bounty program, but we genuinely appreciate responsible disclosure and will publicly credit researchers with their permission.

Questions about our security practices?

Email us at privacy@focalnest.app or visit our contact page. We're happy to answer specific questions.