Nirbhoy · Privacy

What we hold. What we don't.

Last updated · 2026-05-21 · short version of pilot/consent_form_bn.md

Scope update — 2026-05-21

The project no longer operates a public responder network or recruits pilot families. We continue active development for the maintainers' own family + a small handful of trusted personal connections. This page describes what we hold for those deployments. The privacy guarantees are the same regardless of scale.

The short version

We hold the absolute minimum we need to deliver an alert to a parent. We do not hold alert content — only that an alert happened, when, and at what severity. The content is encrypted to your phone + only your phone can open it. We cannot. Cloudflare cannot. Google cannot. Your cellular operator cannot.

The short version (translated from Bengali)

We keep only the minimum needed to deliver an alert to a parent. We do not see the content of alerts, only when an alert happened and at what tier. The content is encrypted to your phone, and only your phone can open it. We cannot. Cloudflare cannot. Google cannot. The mobile operator cannot.

What we collect

| Item | Why |
|---|---|
| family_id (random opaque string) | Routing alerts to the right family |
| Device public Ed25519 key + form factor | Verifying alerts come from the registered device |
| Trusted-contact phone numbers (the few you choose) | SMS fallback when push fails |
| Audit log: time + tier of each alert (no content) | For tampering detection + your own family's history |
| FCM/APNs push token | Waking your app for content-less push delivery |

What we do NOT collect

  • Your child's location (it lives on your phone, encrypted)
  • The contents of alerts (encrypted to your phone)
  • Anything the microphone heard (processed on-device, then discarded)
  • Photos, contacts, messages from your phone
  • Your child's school, schedule, behaviour patterns
  • Your name, address, or any personal identifier beyond the trusted-contact phone numbers you choose to provide

What we do not do with what we collect

  • No sale, ever — to anyone
  • No advertising — none
  • No third-party analytics SDKs (no Google Analytics, no Sentry that phones home with PII)
  • No sharing with NGOs, foundations, employers, schools, journalists, or commercial companies
  • Police access only with a properly-issued court order naming your family — and we have very little to hand over even with one (see what we collect, above)

How you exercise your rights

  • Right to delete — email ethics@nirbhoy.org; we delete your records within 24 hours. Audit log entries about your family auto-delete once they pass their 90-day retention period. R2-archived copies are deleted within 30 days after that.
  • Right to read what we have — request a copy in writing; we send it within 7 days.
  • Right to a signed receipt — every time we create a family or pair a device, we issue a signed consent receipt. You can verify it any time + use it as evidence of what we promised.

The legal framing — short

Nirbhoy operates as an open, nonprofit, individually-funded project from Bangladesh. We are not a registered company; we are not an NGO; we are not a government program. We do not have a privacy-shield certification + we do not pretend to. The above is the actual operational practice, derivable from the open-source code at github.com/raihan-js/nirbhoy.

Contact

ethics@nirbhoy.org — read by a person not in the chain of whatever made you uncomfortable.