We take your family's privacy seriously. This policy explains what we collect, how we use it, and how we protect it.
This Privacy Policy applies to the GrowTide mobile application and the growtide.app website (together, the "Services"), owned and operated by Manus Labs LLC ("we," "us," or "our"), a limited liability company registered in Utah, USA. By using the Services, you agree to the practices described in this policy.
Questions? Contact us at [email protected].
GrowTide is a family chore and rewards application designed for parents and children aged 9–17. The Services are operated by:
For purposes of the EU and UK General Data Protection Regulation (GDPR / UK GDPR), Manus Labs LLC is the "data controller" of the personal information processed through the Services. This means we determine the purposes and means of processing your data and are responsible for handling your privacy rights requests. Where we use third parties to process data on our behalf — such as Google Firebase and RevenueCat — those parties act as our "data processors" and are bound by written data processing agreements (see Section 6).
Data minimization principle: We only collect personal information that is reasonably necessary to provide the Services. We do not condition a child's participation in the Services on the disclosure of more personal information than is reasonably necessary. This principle is required under 16 CFR § 312.7 (the COPPA Rule) and applies to all data we collect from or about children.
What we do NOT collect: GrowTide does not collect biometric identifiers of any kind — including facial recognition data, voiceprints, fingerprints (beyond local device biometric unlock, which never leaves the device), retinal scans, gait patterns, or any other biometric data. We do not collect geolocation data from child accounts. We do not collect audio or video recordings. These categories of Personal Information, as defined under the 2026 amendments to the Children's Online Privacy Protection Act, are outside the scope of our data collection entirely.
All child profiles are created and managed exclusively by a parent or guardian. We collect the following data for each child profile:
When you visit growtide.app, we may collect:
Marketing emails are consent-based. We send marketing emails only where you have provided consent, and you may withdraw that consent at any time by using the unsubscribe link in any email or by emailing [email protected]. Where required by applicable law, we obtain your consent through a clear affirmative action (such as checking an unchecked box) before sending marketing communications. We do not pre-tick consent boxes. Signing up for the launch waitlist or subscribing to the GrowTide blog is itself the affirmative action that grants consent to receive the corresponding emails (launch and product updates, or new blog posts).
Website tracking does not extend into the GrowTide app. The app and the website are separate environments with separate data practices.
The growtide.app website is directed at parents, not children. The website is a marketing and informational site intended for parents considering the app. Child profiles exist only inside the app itself, which has no advertising pixels, no website tracking, and no external analytics for child-linked devices.
The table below sets out which data elements are required to use the Services, why we need them, and what happens if you choose not to provide them. This disclosure is provided under GDPR Article 13(2)(e):
| Data type | Required? | Why we collect it | If not provided |
|---|---|---|---|
| Parent email address | Required | Account login, password reset, family invitations | Cannot create or access an account |
| Parent password | Required | Account authentication via Firebase Authentication | Cannot create or access an account |
| Family name or label | Optional | Display label inside the app | A default label is used |
| Child first name or display name | Required for each child profile | Identifies the child profile inside the app | Cannot create a child profile |
| Child date of birth | Optional | Age-appropriate features and birthday display | Profile still works; no age-based defaults applied |
| Child avatar | Optional (default provided) | Visual identification of the child profile | A default avatar is used |
| Job completion photos | Optional | Proof of completion if the parent requires it for a given job | Job can still be submitted without a photo when not required |
| Push notification token | Optional (granted at the OS level) | Reminders, approvals, screen time alerts | No push notifications; in-app features still work |
| Child PIN (shared-device profile switching) | Optional | Profile separation on a shared family device | Profile switching is immediate without a PIN |
| Subscription / payment data | Required only for paid features | Process subscription via the App Store / Google Play and RevenueCat | Free-tier features remain available; paid features are gated |
| Waitlist or blog email (growtide.app website) | Optional | Send launch and product updates, or new blog posts, if you sign up | No marketing emails; you can still browse the site |
GrowTide is designed for shared family use. Adults in the same family — parents, legal guardians, or other adult family members granted access by the account owner — have equal visibility into that family's activity. This section describes what information is shared between those adults, and what is shared with children.
Visible to every adult in the same family:
Visible to children in the family:
The Owner role, described in our Terms of Service, determines which adult manages the family's subscription and roster. It does not change what any adult or child can see within the family.
We may run paid ads on platforms such as Meta (Facebook/Instagram) and Google to reach parents who may benefit from GrowTide. We do not load any third-party advertising or analytics tracking script on growtide.app. For app install attribution we rely only on the platforms' own privacy-preserving mechanisms and first-party reporting; no personal data is shared with these platforms for attribution.
Separate consent for any future targeted advertising: If we ever introduce any form of targeted advertising that would involve a child's personal information, we would be required under the 2026 amendments to the Children's Online Privacy Protection Act to obtain separate, specific, verifiable parental consent — distinct from general consent to the Services. We have no present or planned use case that would require this, but we disclose the safeguard for transparency.
We use the third parties listed below to operate the Services. Each acts as our data processor (processing data only on our written instructions and only for the purposes set out below) except where noted as an independent controller. None of these parties is permitted to use your data for their own marketing or to sell it. Each is bound by a written data processing agreement that obligates them to maintain appropriate technical and organizational safeguards for the personal information they handle on our behalf.
We remain responsible for the processing of your personal data by our service providers acting on our behalf.
assets.mailerlite.com domain in connection with that submission; we do not set MailerLite cookies on the growtide.app domain — MailerLite Privacy PolicyThe growtide.app website does not currently load Meta Pixel, Google Ads tags, Google Analytics, Google Tag Manager, or any other third-party advertising or analytics SDK. If we ever add such tools, we will update this Section, update Section 13, and (where required by law) introduce a cookie consent mechanism before they go live.
We do not sell your data to any third party. We do not use any advertising SDK inside the GrowTide app. We rely on the written assurances of each processor named above as part of our compliance with COPPA, the GDPR, and other applicable data protection law.
GrowTide is designed for children aged 9 and older. We do not knowingly create profiles for or collect personal information about children under the age of 9.
We collect personal information about children only after obtaining verifiable parental consent. Children cannot create GrowTide accounts on their own. All data about a child is provided and managed by an authenticated parent or legal guardian who has set up the family account.
The consent mechanism we use is: a parent first creates an account using a verified email address and password through Firebase Authentication, and is then shown a non-dismissible direct notice describing what we collect from children, how we use it, and the parent's rights. The parent must affirmatively proceed past that notice before any child profile can be created. This combination of parent-only authentication plus an affirmative direct-notice acknowledgment is the verifiable parental consent on which we rely.
We use reasonable methods designed to ensure that consent is provided by a parent or legal guardian. No identity-verification method is infallible; we have selected a method that, in light of available technology and the limited categories of data we collect, is reasonably calculated to ensure consent comes from a parent or legal guardian.
Depending on the circumstances and risk of the processing, we may require additional verification steps to confirm that consent is provided by a parent or legal guardian.
We do not use children's personal information for behavioral advertising or profiling.
If at any point we discover that a child has provided personal data to us without verifiable parental consent, we will delete that data promptly.
GrowTide collects limited personal information from children as part of parent-managed family accounts. We comply with the Children's Online Privacy Protection Act (COPPA).
If you believe a child profile was created without proper parental consent, contact us immediately at [email protected] and we will delete it promptly.
We use industry-standard safeguards to protect your data, including:
GrowTide maintains a written children's personal information security program — covering periodic risk review, designation of a responsible person, and documented technical and organizational safeguards — as required by 16 CFR § 312.8.
No method of transmission over the internet is 100% secure. While we implement industry-standard protections, we cannot guarantee absolute security.
Breach notification: In the event of a personal data breach that is likely to result in a risk to your or your child's rights and freedoms, we will notify affected users without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Notifications will include a description of the breach, the categories of data affected, the likely consequences, the measures we have taken in response, and steps you can take to protect yourself. We will also notify supervisory authorities as required by applicable law, including under GDPR Article 33 for EU/UK users.
If you are a parent or legal guardian of a child whose personal information is held in GrowTide, you have the following rights under the Children's Online Privacy Protection Act (COPPA). These rights apply regardless of your location, and are in addition to any rights you may have under GDPR, CCPA, or other applicable law.
To exercise any of these rights, use the in-app controls in Settings or contact us at [email protected]. We will take reasonable steps designed to verify your identity as the account-owning parent before processing requests (typically by confirming control of the registered account email). We will respond within 30 days.
Filing a complaint with the FTC: If you believe GrowTide has violated COPPA or mishandled your child's personal information, you may file a complaint with the Federal Trade Commission at reportfraud.ftc.gov or by calling 1-877-FTC-HELP. We would appreciate the opportunity to address your concerns directly first — please email [email protected].
If you are located in the EU or UK, the following table sets out, for each processing activity, the lawful basis on which we rely under Article 6 of the GDPR (and, for children, Article 8). This disclosure is provided under Articles 13 and 14 of the GDPR / UK GDPR.
| Processing activity | Lawful basis |
|---|---|
| Creating and operating a parent account; running the chore, reward, and approval features | Contract — Art. 6(1)(b) |
| Collecting and processing child profile data within a family account | Consent — Art. 6(1)(a), with parental authorization under Article 8. For U.S. users, COPPA verifiable parental consent applies separately. |
| Subscription billing and entitlement management (RevenueCat, App Store, Google Play) | Contract — Art. 6(1)(b) |
| Sending push notifications about jobs, approvals, reminders, and screen time | Consent — Art. 6(1)(a). Granted at the OS level when you enable notifications; can be revoked in device settings at any time |
| Crash reporting (Firebase Crashlytics) and abuse / security monitoring (Firebase App Check, rate limiting) | Legitimate interests — Art. 6(1)(f) — keeping the Services stable and protecting users from abuse. Disabled or anonymized on child-linked devices. |
| Anonymized parent-side analytics for app improvement | Legitimate interests — Art. 6(1)(f). Disabled entirely on child-linked devices. |
| Retaining billing and tax records | Legal obligation — Art. 6(1)(c) |
| Responding to a legal request or enforcing our Terms | Legal obligation — Art. 6(1)(c) and/or legitimate interests — Art. 6(1)(f) |
| Website cookies, ad measurement, and waitlist or blog email marketing on growtide.app | Consent — Art. 6(1)(a). You may withdraw consent at any time using browser controls or by unsubscribing. |
You have the right to withdraw consent at any time where consent is the lawful basis. Withdrawal does not affect the lawfulness of processing already carried out before withdrawal. Where we rely on legitimate interests, you have the right to object — see Section 12.
No automated decision-making: Under Article 22 of the GDPR, you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. GrowTide does not engage in any such automated decision-making or profiling. All parental controls — approvals, rewards, and account decisions — are made by the parent, not by automated systems.
For children under 16 in the EU, parental consent is required before account creation. GrowTide enforces this by design — only parents can create accounts and child profiles.
Right to lodge a complaint: If you are located in the EU or UK and believe we have not handled your personal data in accordance with applicable data protection law, you have the right to lodge a complaint with your local data protection supervisory authority. For example, the UK Information Commissioner's Office (ICO) at ico.org.uk, France's CNIL at cnil.fr, Germany's Federal Commissioner for Data Protection (BfDI) at bfdi.bund.de, or the equivalent authority in your country. We would appreciate the chance to address your concerns first — please contact us at [email protected] before filing a complaint, and we will respond within 30 days.
We do not sell or share personal information as defined under the California Consumer Privacy Act (CCPA), including for purposes of cross-context behavioral advertising.
We do not use or disclose sensitive personal information, including children's data, for purposes other than providing the Service. Under CPRA § 1798.121, this means we do not use sensitive personal information to infer characteristics about a consumer or for any secondary purpose beyond what is necessary to deliver the Services you have requested.
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you the following rights regarding personal information we collect about you or your children:
To exercise these rights, contact us at [email protected]. We will take reasonable steps designed to verify your identity before processing the request and respond within 45 days, as required by California law. Verification may include confirming ownership of the registered account email.
You may designate an authorized agent to submit requests on your behalf. The agent must provide written authorization signed by you.
Nevada residents: Under Nevada Revised Statutes § 603A.340, Nevada consumers have the right to submit a verified request directing a covered operator not to sell certain categories of covered personal information. GrowTide does not sell your personal information as the term "sale" is defined under Nevada law, and we have no plans to do so. If this changes in the future, we will update this policy and provide Nevada residents with a clear opt-out mechanism. To submit a Nevada opt-out request or ask questions about this right, contact us at [email protected].
Depending on your location, you may have the following rights:
To exercise these rights, use the in-app controls or contact us at [email protected]. We will respond within 30 days.
A note on cached and backup data: When you delete data, we remove it from our active systems immediately. However, copies may remain briefly in encrypted backups, server logs, and caches for operational and security purposes before being overwritten in the ordinary course. We never restore deleted data from backups except in a disaster-recovery scenario; in such a scenario, any personal information you previously deleted would be re-deleted as soon as the restore is verified.
The GrowTide app does not use cookies. The growtide.app website uses only strictly essential cookies:
We do not use non-essential analytics or advertising cookies on the website, and no third-party tracking script runs on page load. Specifically, growtide.app does not load Meta Pixel, Google Ads tags, Google Analytics, Google Tag Manager, MailerLite Universal, Hotjar, FullStory, Segment, Mixpanel, or any other behavioral-advertising or third-party-analytics SDK.
MailerLite is contacted only at the moment you submit a waitlist or blog subscription form. When you submit one of those forms, your browser sends your email (and first name, if provided) directly to MailerLite to add you to the relevant list. MailerLite may set its own cookies on the assets.mailerlite.com domain in connection with that submission; we do not set MailerLite cookies on the growtide.app domain.
Because we do not place non-essential cookies on growtide.app, the website does not display a cookie consent banner. We do not use cross-site tracking and do not allow third parties to collect personally identifiable information about your activity on growtide.app for their own purposes.
This section constitutes GrowTide's Written Data Retention Policy as required under 16 CFR § 312.10 (Children's Online Privacy Protection Rule, 2026 amendments). It sets forth, for each category of data we collect, the purpose for which the data is retained and the timeframe after which the data is deleted.
We do not retain personal information — including personal information collected from or about children — for any period longer than is reasonably necessary to fulfill the purposes for which it was collected, or as required by law. Indefinite retention of children's personal information is prohibited and we do not engage in it.
The specific retention period for each data category is as follows:
| Data type | Retained until |
|---|---|
| Family and parent account data | Account deleted |
| Child profiles | 14-day grace period after deletion, then permanent purge |
| Job history | Account deleted |
| Job completion photos | 90 days after job approval, or immediately on child/account deletion |
| FCM push tokens | Device unlinked or account deleted |
| Security and rate-limit logs | 90 days |
| Billing records | 7 years (US tax law requirement) |
| Website server logs | Up to 90 days (rotated by hosting provider). The growtide.app website does not run Google Analytics or other third-party web analytics; no separate analytics dataset is retained. |
| Linked device records | Retained for audit integrity; deleted when the associated child profile is purged (14 days after a parent deletes the child) or when the parent account is deleted |
| Waitlist and blog subscriber email addresses | Until you unsubscribe |
If you believe we are retaining your or your child's personal information longer than reasonably necessary, contact us at [email protected]. We review this policy at least annually and update retention periods to reflect the minimum necessary for each purpose.
GrowTide is operated by Manus Labs LLC, based in Utah, United States. The Services run on Google Cloud / Firebase infrastructure hosted in the United States. Google acts as our processor on our written instructions.
If you use the Services from outside the United States, your personal data — including any personal data about your children — is transferred to, processed in, and stored in the United States in the Google Cloud regions listed above. We rely on the safeguards described in Section 16 (International Data Transfers), which include the European Commission's 2021 Standard Contractual Clauses (and, for UK transfers, the UK International Data Transfer Addendum). Where applicable, our providers may additionally be certified under the EU–U.S. Data Privacy Framework; we treat that certification as a supplementary safeguard, not a sole legal basis for the transfer.
Retention. We retain personal data only as long as necessary to provide the Services and fulfill the purposes set out in this policy. In particular: child profiles are deleted within 14 days of a parent's deletion request, after a short grace window during which the parent can restore the profile; after that, the data is permanently and irreversibly purged. Full account deletion is immediate and irreversible — the entire family account is removed when the account-owning parent confirms deletion in the app. For category-by-category retention periods (including photos, security logs, and billing records), see Section 14 (Written Data Retention Policy).
Your rights regarding stored data. You may request access to, correction of, deletion of, or withdrawal of consent for your personal data. Requests can be sent to [email protected]. We respond within 30 days, or such longer period as is permitted by applicable law (for example, up to 45 days under the CCPA, or up to a further two months under the GDPR for unusually complex requests, with notice given within the first month). For full details of your rights, see Section 9 (Parental Rights under COPPA), Section 10 (GDPR), Section 11 (California Privacy Rights), and Section 12 (Your Rights).
Manus Labs LLC is established in the United States. As a result, your personal data — including, where applicable, personal data about children — will be transferred to and processed in the United States, where our principal processors are located:
If you are located in the EU, the UK, or another jurisdiction with cross-border data transfer restrictions, we rely on the following safeguards under Articles 44–49 of the GDPR (and the corresponding UK GDPR provisions):
Transfer impact assessment (Schrems II): We assess the legal frameworks of recipient countries and implement supplementary technical and organizational measures where necessary to ensure an equivalent level of data protection. This assessment considers, among other factors, the law and practices of the destination country, the categories of data being transferred, and the safeguards already implemented by our processors.
You may request a copy of the SCCs in place by emailing [email protected].
We may update this Privacy Policy from time to time. When we make significant changes, we will notify you through the app or by email at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.
For privacy questions, data requests, or concerns: