The short version: We collect only what the app needs to work. We never sell your data, show ads, or share information with third parties for marketing purposes. Your family's data is yours.
1. Who we are
First Things Done ("we", "us", or "our") is a parental-control and task-management service that helps families build daily responsibility habits. The service is operated by First Things Done and can be reached at support@firstthingsdone.com.
2. Who this policy applies to
This policy covers all users of www.firstthingsdone.com and the associated API, including:
- Parents / guardians — adults who create and manage a family account.
- Children — minors whose task screens are managed by a parent or guardian. Children do not create accounts and do not provide personal information directly to us.
3. Information we collect
Account information (parent)
- Email address — provided via Google Sign-In or during account creation.
- Family name — chosen by you during setup (e.g. "The Smith Family").
Child profile information
- Child's first name — entered by the parent. We recommend using a first name only.
- Task lists, schedules, and completion records — created and managed by the parent.
Device information
- A randomly generated device token is stored on each registered device (kid's phone or tablet). This token is used to authenticate the device — it contains no personal information.
- Browser name and rough device type (e.g. "Chrome on Windows") are recorded when a device is registered, to help parents identify their devices.
Activity logs
- Task completions and resets.
- Internet lock / unlock events and override modes.
- Break session start and end times.
- "I need help" requests from children.
These logs are visible only to the parent in the Activity tab. We do not analyse them for advertising or profiling purposes.
Service usage analytics (aggregate, founder-only)
To understand how the service is used and to improve it, we collect and analyse aggregate, anonymised usage metrics internally. These metrics are never shared with third parties and are not used for advertising. They include:
- Last login timestamp — the date and time a parent account last accessed the service. Used to identify inactive accounts and understand retention. Not shared with any third party.
- Task postponement count — how many times a task instance was unchecked after being marked complete in a single day. Used in aggregate to understand task completion patterns. Stored per task instance; no personal data is attached.
- Task list size — the number of tasks per child per day, in aggregate. Used to understand how families configure the app.
- Session frequency — how often families log in over time. Used to calculate overall activity and identify churn trends.
All analytics are derived from data you have already provided (task records and login events). No additional tracking scripts, cookies, or third-party SDKs are used. Metrics are only accessible to the First Things Done founder via a password-protected admin dashboard.
Push notification subscriptions
If you enable push notifications, your browser generates a push subscription (an endpoint URL and encryption keys managed by your browser vendor). We store this on our servers to deliver notifications to you. You can revoke this at any time by disabling notifications in your browser.
DNS query data
When internet controls are active on a child's device, DNS queries are processed by NextDNS (nextdns.io), a third-party service. NextDNS has its own privacy policy. We do not receive or store individual DNS queries unless you explicitly opt in to the "Blocked site attempt log" feature in your account settings.
4. How we use your information
- To provide and operate the service — task management, internet controls, break tracking, and notifications.
- To authenticate parents and registered child devices.
- To send push notifications you have opted into (task completions, help requests).
- To respond to support requests.
We do not use your information for advertising, behavioural profiling, or any purpose unrelated to operating the service.
5. Information we do not collect
- We do not track which websites children visit (unless the opt-in blocked site log is enabled).
- We do not collect payment information (the service is currently free).
- We do not use cookies for tracking or analytics.
- We do not use third-party analytics services (e.g. Google Analytics).
6. How we share your information
We do not sell, rent, or trade your personal information. We share data only with:
- Supabase — our authentication and database provider. Your account data is stored in a Supabase-managed PostgreSQL database. See Supabase's privacy policy.
- NextDNS — processes DNS queries for registered kid devices when internet controls are active. See NextDNS's privacy policy.
- Railway — our hosting provider. Application logs may pass through their infrastructure. See Railway's privacy policy.
- Browser push services — (e.g. Google FCM for Chrome, Mozilla Push for Firefox) when you subscribe to notifications. These services relay the notification payload but cannot read the content.
We may also disclose information if required by law or to protect the rights and safety of our users.
7. Children's privacy (COPPA)
First Things Done is a tool for parents, not children. Children do not create accounts and do not directly submit personal information to us. All child data (name, tasks, activity) is entered and controlled by the parent or guardian who holds the account.
We require account holders to confirm they are 18 years of age or older. If you believe a child has created an account without parental consent, please contact us at support@firstthingsdone.com and we will delete it promptly.
8. Data retention and deletion
- Your data is retained for as long as your account is active.
- Activity logs are retained for 90 days by default.
- You can delete a child profile at any time from the parent dashboard — this permanently removes all associated tasks, activity, and device records.
- To delete your entire account and all associated data, go to Settings → Danger zone → Delete account in the parent dashboard. Deletion is immediate and permanent. You may also email support@firstthingsdone.com if you need assistance.
9. Data security
- All data is transmitted over HTTPS (TLS).
- Passwords (for email/password accounts) are hashed with bcrypt.
- Authentication tokens expire after one hour.
- Child device tokens are randomly generated UUIDs with no personally identifiable information.
No method of transmission or storage is 100% secure. We take reasonable measures to protect your information but cannot guarantee absolute security.
10. Your rights
Depending on your location, you may have the right to:
- Access the personal information we hold about you.
- Correct inaccurate information.
- Request deletion of your data.
- Object to or restrict certain processing.
- Data portability (receive your data in a structured format).
To exercise any of these rights, email support@firstthingsdone.com.
11. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. Continued use of the service after changes constitutes acceptance of the updated policy.
12. Contact
Questions about this policy? Email us at support@firstthingsdone.com.