This page explains what data CubTime collects, why we collect it, and what you can do about it. We’ve tried to write it in plain English. If anything is unclear, email hello@cubtime.com and we’ll fix the wording.
The Short Version
- CubTime is a parental-control app. Parents sign up, add children as family members, and install agents on their children’s devices.
- The agent records which apps and windows the child uses, and for how long. The parent sees that. Nobody else does.
- We never sell your data and never share it with advertisers. We do not use it to train AI models.
- We use a small set of trusted services (Stripe for payments, Hetzner for hosting, Google for Android push notifications). They process data on our behalf, under contract.
- You can export or delete everything from your account settings, or by emailing us.
Who we are
CubTime is operated under the trading name LevelUp B3 (“CubTime”, “we”, “us”). We are the data controller for personal data processed through the CubTime apps and website. A formal company registration is in progress; this page will be updated with the registered entity name and address once that is complete.
Contact: hello@cubtime.com
Who’s in the picture
Three roles to keep clear:
- The parent or guardian — creates the CubTime account, sets up the family, and consents to processing on behalf of their child. They are the account holder.
- The child — added by the parent as a “family member”. Children do not sign up themselves and do not enter any data into CubTime directly. We collect data about the child’s device use, on the parent’s instruction.
- The managed device — a Windows PC, Android phone, or tablet that the parent has placed under management. The CubTime agent runs on the device and reports activity.
What we collect
Only what’s needed for the app to do its job.
About the parent / account holder
- Email address, password (stored as a one-way hash, never in plain text)
- Account language and locale preference
- If you turn on multi-factor authentication, an encrypted TOTP secret
- Login activity (timestamps, failed-login counts) for security
- Subscription state and billing identifiers if you subscribe — we never store card numbers; Stripe handles that
- Device push token, if you’ve installed the parent app and enabled notifications
About the family
- The names you give to your family group and family members
- Optional: a birthday for each child member, used to give age-appropriate defaults
- Optional: an email address, if you invite a family member as a separate user
About managed devices
- Device name and identifier (e.g. computer hostname or Android model)
- Agent version, last-seen timestamp
- The settings you choose for that device (e.g. whether to pause tracking when idle)
About activity on the managed device
- The names of applications used in the foreground (e.g. chrome.exe, RobloxPlayerBeta.exe)
- The titles of the windows or pages that appear in the foreground — this can include document names or website page titles, so please be aware of that when setting up the agent
- How long each app was in the foreground
- Whether an attempt to use the device was blocked by a schedule or time limit
- Daily totals: minutes used per child per day, plus a per-app breakdown
Server-side logs (security only)
- IP addresses, request timestamps, and basic request metadata, kept for a short period to investigate abuse and security incidents.
What we do not collect
- The contents of documents, messages, or websites — only what the operating system already shows in the title bar of the active window
- Microphone, camera, or screen recordings
- Browsing history beyond the active page title
- Location, unless you have explicitly enabled location sharing on a device
- Anything from devices that are not registered to your CubTime family
Why we collect it (lawful basis)
Under UK GDPR Article 6, we rely on:
- Performance of a contract — account, family, device, schedule, and limit data are processed to deliver the service you’ve signed up for. (Art. 6(1)(b))
- Legitimate interests — activity monitoring is performed in pursuit of the parent’s legitimate interest in safeguarding their child online, balanced against the child’s right to privacy. We pause tracking when the device is idle, collect only what’s needed for the parent to make decisions, and never share with third parties for their own purposes.
- Legal obligation — for example, retaining billing records for tax purposes.
- Consent — for optional features such as marketing emails. You can withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
Children’s data
CubTime is, by design, a service that collects data about children, on a parent’s instruction. We’ve aligned our handling with the UK Information Commissioner’s Age Appropriate Design Code (Children’s Code) and US COPPA:
- We do not market to children. The app the child interacts with is the agent — it shows time remaining and lock screens, and nothing else.
- A verified parent or guardian creates the account, adds the child as a family member, and decides what to monitor. Children do not sign up.
- We collect only what’s necessary to give the parent the information they need to set healthy boundaries. We do not enrich child profiles, build behavioural models for advertising, or share child data with anyone outside our processing chain.
- We will delete a child’s data on the parent’s request, or on the child’s own request when they are legally able to make one.
If we ever change anything material about how we handle children’s data, we’ll update this policy and notify account holders.
Who we share data with
We use a small set of trusted “sub-processors” that handle data on our behalf under contract. None of them are permitted to use your data for their own purposes.
| Service | What they do | Where |
|---|---|---|
| Hetzner Online GmbH | Hosts the CubTime backend and database | Germany (EU) |
| Stripe | Processes subscription payments | Ireland (EU) / United States, with Standard Contractual Clauses |
| Google (Firebase Cloud Messaging) | Delivers push notifications to the parent app on Android | United States, with Standard Contractual Clauses |
| [Email provider — e.g. Postmark / Amazon SES] | Sends transactional email (verification, password reset, alerts) | [Region], with appropriate transfer safeguards |
| Google Play | Distributes our Android apps | United States, governed by Google’s terms |
We do not share data with advertisers, data brokers, or analytics companies. We do not sell your data. We do not use your data to train AI models.
We may disclose data if compelled by a valid legal request (e.g. a court order), but only what is strictly required, and we will inform you unless legally prohibited from doing so.
Where your data is stored
Primary storage is in Germany (Hetzner). Backups are encrypted and held in the same region. Some sub-processors operate from outside the UK and EU; in those cases we rely on the UK Government’s adequacy regulations or Standard Contractual Clauses to ensure your data remains protected to UK / EU standards.
How long we keep it
| Data | Retention |
|---|---|
| Account, family, device, schedule, and limit configuration | While your account is active. Deleted within 30 days of account closure. |
| Activity events (app names, window titles, durations) | 90 days, then deleted. Daily aggregates are kept while the account is active. |
| Daily usage aggregates | While your account is active. Deleted within 30 days of account closure. |
| Server access logs | 90 days. |
| Backups | Encrypted, retained for 30 days, then overwritten. |
| Billing records | 7 years, as required by HMRC for UK tax purposes. |
You can request earlier deletion at any time — see Your rights below.
Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you (and your children).
- Rectify anything that’s wrong.
- Delete (“right to be forgotten”) your account and the data associated with it.
- Port your data to another service in a structured, machine-readable form.
- Restrict or object to certain types of processing.
- Withdraw consent for any processing that is based on consent (such as marketing emails), without affecting the lawfulness of processing before withdrawal.
- Complain to the UK Information Commissioner’s Office at ico.org.uk, or to your local supervisory authority if you’re outside the UK.
The fastest way to exercise these rights is from your account settings — there are direct controls for export and deletion. Or email hello@cubtime.com and we’ll respond within 30 days.
Security
We take security seriously and try to be honest about where we are:
- In transit: all connections to our servers use HTTPS (TLS 1.2+).
- Authentication: passwords are stored using bcrypt one-way hashing. Multi-factor authentication is available and recommended.
- At rest: as of the effective date of this policy, application data on our database is protected by underlying disk and operating-system controls. Encryption-at-rest at the database or column level is on our roadmap; this section will be updated when implemented. Backups are encrypted.
- Access controls: database access is restricted to a small number of named individuals on least-privilege principles.
- Monitoring: server access is logged; suspicious patterns trigger alerts.
- Independent review: we have an independent security review planned before broad public release.
If you discover a security issue, please email security@cubtime.com before disclosing publicly. We’ll acknowledge within 48 hours.
Cookies and similar technologies
The CubTime website uses a small number of essential cookies for the sign-in flow and to remember your preferences. We do not use third-party analytics cookies, advertising cookies, or tracking pixels on our website. The CubTime apps (parent and child) do not use cookies as such, but they store data locally on the device to function (account session, cached settings, queued usage data when offline).
Changes to this policy
If we change anything material about how we handle data, we’ll:
- Update the “Effective” and “Last updated” dates at the top.
- Notify account holders by email at least 30 days before the change takes effect.
- Keep older versions available on request.
Minor wording changes (typo fixes, layout updates) won’t trigger a notification.
How to contact us
| General privacy questions | hello@cubtime.com |
| Security issues | security@cubtime.com |
| UK supervisory authority | Information Commissioner’s Office (ICO) |