Tortoise Time — Privacy Policy (English Version)

Translation Notice: This is the English translation of the authoritative Simplified Chinese version. In case of any conflict between this English version and the Simplified Chinese version, the Simplified Chinese version prevails.

Applicable Version: Tortoise Time V1.0.0 and above
Effective Date: 2026-06-01
Last Updated: 2026-06-01


1. Who We Are

“Tortoise Time” (Chinese name: 小龟时光) is an Android application that helps children aged 6 to 14 manage their screen time. It is developed and maintained by independent developer wuyang.

Contact Information:


2. Our Privacy Commitments

We built Tortoise Time on the following principles:

  1. Local-First: Almost all data generated by you and your child using Tortoise Time (daily limits, app configurations, parental PIN, Explorer Coins, Codex unlocks, etc.) is stored entirely on your device and is never uploaded to any server.
  2. We Never Sell Data: We will never sell, rent, or share your or your child’s information with advertising networks or data brokers.
  3. No Behavioral Profiling: We do not build behavioral profiles of children, and we do not engage in targeted advertising.
  4. Data Minimization: We collect only the minimum information necessary to operate the app. We do not collect data unrelated to the app’s core functions.
  5. Special Protection for Children: We comply with the U.S. Children’s Online Privacy Protection Act (COPPA), the EU General Data Protection Regulation for children (GDPR-K / Article 8), the UK GDPR (post-Brexit), the California Consumer Privacy Act (CCPA) for minors, and China’s Personal Information Protection Law Article 31 (PIPL §31).

3. Information We Collect and Process

3.1 Stored Locally Only — Never Uploaded

The following data is stored 100% on your device. Neither we nor any third party can access it:

  • Daily screen time limit configuration (e.g., 60 minutes per day)
  • List of app package names you choose to monitor (e.g., TikTok, YouTube)
  • Daily actual usage duration records for each monitored app
  • Parental PIN verification code (stored as a SHA-256 hash with a 16-byte random salt — we cannot reverse-engineer the original PIN)
  • Progress data for the Tortoise Time gamification system (Explorer Coins, chapter unlocks, Codex items, Ocean Heart building, etc.)
  • Device language preference

Important: If you uninstall Tortoise Time, Android will automatically delete all of this data. We have no cloud backup, no account system, and no cross-device sync.

3.2 Information Uploaded to Firebase (Anonymized)

We use the following Google Firebase services. These services are operated by Google, and Google’s Privacy Policy also applies (https://firebase.google.com/support/privacy):

Service | What Is Collected | Purpose | Contains PII?
Firebase Crashlytics | Stack traces, device model, Android version, and the last few operation logs before a crash | Helps us identify crash bugs and improve app stability | ❌ No PII. Crash logs contain only program execution traces — never the content you or your child input, your PIN, or your app list.
Firebase Remote Config | Only delivers configuration to the app. Collects nothing. | Remotely disable new features (e.g., Kill Switch during abnormal staged rollout) | ❌ One-way delivery, no upload
Firebase Analytics | (See §7.1 — we apply Google’s Child-Directed Treatment mode for all users) | See §7 | ⚠ See §7

3.3 Information We Do Not Collect

We list this explicitly for your peace of mind:

  • ❌ We do not collect your or your child’s name, age, gender, or date of birth.
  • ❌ We do not collect email addresses, phone numbers, or social account identifiers (Tortoise Time has no account system).
  • ❌ We do not collect GPS location or IP addresses (Firebase auto-collects IP only for delivering responses; we do not store it).
  • ❌ We do not collect contacts, photo library, microphone, or camera data (we do not request these permissions).
  • ❌ We do not collect the specific content, browsing history, or video titles within monitored apps (e.g., what your child watches on TikTok).
  • ❌ We do not collect hardware unique identifiers (IMEI, MAC address, or Advertising ID).
  • ❌ We do not track your behavior across other apps.
  • ❌ We do not share data with advertising networks or data brokers.

4. Device Permissions We Use

To provide the core function of “managing screen time,” Tortoise Time requests the following Android permissions:

Permission | Purpose | Data Uploaded?
Usage Stats (PACKAGE_USAGE_STATS) | Detects when a monitored app is opened and how long it is used. Does not read content inside the app. | ❌ Local only
Display Over Other Apps (SYSTEM_ALERT_WINDOW) | Displays a full-screen overlay when 100% of the daily limit is reached, guiding the child to finish their session. | ❌ Local only
Notifications (POST_NOTIFICATIONS) | Sends gentle progressive reminders to the child at 60% / 75% / 90% / 100% of the daily limit. | ❌ Local only
Device Administrator (Device Admin) | Prevents the child from uninstalling Tortoise Time without parental consent. The only permission granted is USES_POLICY_WATCH_LOGIN. We do not call any remote-wipe, screen-lock, or password-change APIs. | ❌ Local only
Foreground Service (FOREGROUND_SERVICE) | Keeps the monitoring service running in the background for continuous screen-time tracking. | ❌ Local only
Boot Completed (RECEIVE_BOOT_COMPLETED) | Automatically restores the monitoring service after a device restart. | ❌ Local only
Install Packages (REQUEST_INSTALL_PACKAGES) | Used by users on the direct-download (sideload) channel to install new APK updates from within the app. Only APKs verified by signature and SHA-256 checksum are installed. | ❌ Local only

We do not request the following permissions: contacts, SMS, phone calls, location, photo library, camera, microphone, sensors, or Bluetooth.


5. Data Storage and Security

  • Local data location: Android system sandbox, accessible only by Tortoise Time (/data/data/com.serpilo.tortoise/).
  • PIN hashing: SHA-256 + 16-byte SecureRandom salt + constant-time verification. Even with a rooted device, a 4-digit PIN cannot be brute-forced via this storage format.
  • Database encryption: The local database is not additionally encrypted, but is protected by Android’s system sandbox isolation.
  • Crash log transmission: Firebase Crashlytics transmits logs to Google servers over HTTPS (TLS 1.2+).
  • Remote Config delivery: Firebase Remote Config uses HTTPS encryption.
  • Network requests: Tortoise Time only connects to the tortoise-web server during update checks, using HTTPS.
  • Written information security program: We maintain a written information security program proportionate to the sensitivity of the data — data minimization (no PII collected), local-first storage, salted-hash credential protection, HTTPS-only transmission, and lint-enforced PII guards in our analytics pipeline.

6. Third-Party SDK Disclosure (Google Play SDK Disclosure Compliance)

Tortoise Time integrates the following Google and open-source SDKs:

SDK | Purpose | Data Collected | Privacy Policy
Google Firebase (Crashlytics) | Crash reporting | Stack traces, device model, Android version | Google Firebase Privacy Policy
Google Firebase (Remote Config) | Configuration delivery | None uploaded | Same as above
Google Firebase (Analytics) | Usage metrics (Child-Directed Treatment mode enabled for all users; see §7) | See §7 | Same as above
Google Play Core (App Update) | In-app update (Play Store channel) | Only update metadata | Google Play Privacy Policy
OkHttp | HTTPS client library (for update checks) | None collected | OkHttp Open Source License
Jetpack WorkManager | Background task scheduling | None uploaded | Android Developer Terms

To view the full open-source license list, go to: Tortoise Time App → Settings → About Tortoise Time → Open Source Licenses.


7. Children’s Privacy — Special Provisions

Tortoise Time is designed for children aged 6 to 14. We take the protection of children’s Personal Information extremely seriously. This section addresses our compliance with the four major legal frameworks applicable to our users, presented in order of primary relevance.

7.1 Firebase Analytics — Child-Directed Treatment Mode

From V1.0.0 onwards, Tortoise Time enables Google’s official “Child-Directed Treatment” compliance mode for all users. This is Google’s compliance mode designed for children’s apps and simultaneously satisfies COPPA, GDPR-K, UK GDPR, and PIPL §31 requirements.

This means:

  • Disabled: Ad cookies, ad profiling, cross-app tracking, and personalized advertising — we never serve ads to children.
  • Retained: 4 aggregate events (Onboarding completed / Lock triggered / Service recovered / Chapter unlocked) — used to measure product quality.
  • Strictly bounded: The fields in these 4 events are strictly limited to: a pseudonymous random UUID (not linked to your or your child’s real-world identity, but treated by us as personal data under GDPR for your protection) + app version + business enumerations. We never collect user ID, device ID, IMEI, MAC, IP, or advertising ID.

Parents can view this status at: Settings → About Tortoise Time → Privacy Options. This is a permanent setting — we do not provide an option to turn it off. This is our commitment to children’s privacy.

Why we do not fully disable Firebase Analytics: After V1 launches, we need to measure whether Tortoise Time is genuinely helping families (North Star Metric G1: “Percentage of families with ≥5 stable days of monitored usage within 7 days”). Fully disabling analytics means we are building the product blindly, which reduces our ability to find and fix real problems. Child-Directed Treatment is Google’s official compliant middle-ground for children’s apps — it preserves product quality measurement while disabling all ad-related data collection.

7.2 U.S. COPPA Compliance (Primary Framework — Children Under 13)

Tortoise Time’s target users include children under 13. We comply with the Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506 and the FTC’s implementing Rule (16 C.F.R. Part 312):

  • No PII collected from children: We do not knowingly collect Personal Information from children under 13. Because Tortoise Time has no account system and collects no PII of any kind (name, email, phone, location, device ID — see §3.3), COPPA’s verifiable parental consent requirement is not triggered.
  • No targeted advertising to children: We do not engage in behavioral advertising, interest-based advertising, or retargeting to any user, including children under 13.
  • Parental access and control: Parents can view, modify, and delete all data via the app (see §7.5 below).
  • Accidental collection: If a parent believes we have inadvertently collected Personal Information from their child, please contact us at wu956826374@gmail.com. We will delete it promptly.
  • Families Policy & Teacher Approved program: Tortoise Time complies with Google Play’s Families Policy and has opted in to its Teacher Approved program for rating (the current program for children’s apps, formerly branded “Designed for Families”).

7.3 UK GDPR Compliance (Children Under 13 in the United Kingdom)

For users located in the United Kingdom, we comply with the UK General Data Protection Regulation (UK GDPR) as incorporated into UK law by the Data Protection Act 2018, and the Age Appropriate Design Code (Children’s Code) issued by the Information Commissioner’s Office (ICO):

  • Age of digital consent in the UK: Under UK GDPR Article 8 (as implemented by DPA 2018 §9), the age of consent for information society services is 13. Children under 13 require parental or guardian consent for consent-based processing.
  • We do not rely on consent: Tortoise Time does not process identifiable personal data of any user (children or adults) based on consent as a legal basis, because we do not collect identifiable personal data to begin with (see §3.3).
  • Data Protection by Design: Tortoise Time is built with privacy by default — the most privacy-protective settings are the only settings available. There is no option to enable advertising or behavioral tracking.
  • No profiling, no automated decision-making: Tortoise Time’s daily limits are fixed rules set by parents, not AI-generated automated decisions.

7.4 EU GDPR-K Compliance (Children Under 16 in EU Member States)

For users located in EU member states, we comply with the EU General Data Protection Regulation (GDPR), Article 8 (Conditions Applicable to Child’s Consent in Relation to Information Society Services):

  • Age of digital consent in the EU: GDPR Article 8(1) sets the age of consent at 16. Member states may lower this to a minimum of 13 by national law.
  • We do not rely on consent as a legal basis: We do not process identifiable personal data of children (or adults), so GDPR Article 8’s consent requirement is not triggered for Tortoise Time’s core functions.
  • Our lawful basis for the anonymized aggregate analytics (§7.1): We rely on Legitimate Interests (GDPR Article 6(1)(f)) — improving product quality for families — with the Child-Directed Treatment mode strictly limiting the scope of data to anonymized aggregate metrics that do not identify any individual.
  • Data subject rights: See §8 for the full table of GDPR data subject rights and how Tortoise Time implements them.

7.5 Parental Access and Control (All Jurisdictions)

Regardless of jurisdiction, parents have the following rights over their child’s data in Tortoise Time:

  • Access: View all data via Settings → Today’s Data (requires PIN verification).
  • Correction: Modify daily limits and monitored app list (requires PIN verification).
  • Deletion: Fully erase all local data via Settings → About Tortoise Time → Clear All Data (30-second long-press confirmation). Alternatively, uninstalling Tortoise Time will cause Android to automatically delete all local data.
  • Opt-out of analytics: Contact us at wu956826374@gmail.com to request that we exclude your device’s anonymous identifier from our aggregated analytics events. We will process your request within 30 days.

7.6 No Solicitation of Children’s Information

Tortoise Time’s UI contains no fields asking children (or parents on behalf of children) to enter a name, email address, phone number, or any other Personal Information. The only entry required is a 4-digit parental PIN, which is set by the parent — it is not the child’s personal information.

7.7 CCPA — California Minors’ Privacy (Users Under 16 in California)

For users located in California, we comply with the California Consumer Privacy Act (CCPA), Cal. Civ. Code §1798.100 et seq., as amended by the California Privacy Rights Act (CPRA), and the Children’s Online Privacy Protection Act as it applies to California:

  • Do Not Sell or Share: We do not sell or share Personal Information of any California consumer, including minors. (CCPA §1798.120 “right to opt-out of sale” is satisfied because we never sell.)
  • Minors under 16 (SB 568 / CalOPPA): We do not sell the Personal Information of consumers we know to be under 16 without affirmative opt-in authorization. We never sell data at all.
  • No sensitive Personal Information for inferencing: We do not use sensitive Personal Information to infer characteristics about any consumer (CPRA §1798.121).
  • California consumer rights: See §8 for the full CCPA rights table.

7.8 China PIPL — Article 31 Compliance (Users in Mainland China)

For users located in mainland China, we comply with Article 31 of the Personal Information Protection Law of the People’s Republic of China (PIPL), which provides special protection for Personal Information of children under 14:

  • Processing the Personal Information of children under 14 requires consent from their parents or other guardians.
  • We do not proactively process the Personal Information of children under 14. The app’s functions operate entirely on locally stored data that is not transmitted to us.
  • We have established dedicated children’s information processing rules (this §7 constitutes those rules).
  • We have designated this Privacy Policy as our “Children’s Personal Information Processing Policy” (儿童个人信息处理规则), as required by PIPL §31 and the Provisions on the Cyberspace Protection of Children’s Personal Information (网络保护儿童个人信息规定).

8. Your Rights

The following tables set out your rights under the major applicable legal frameworks and how Tortoise Time implements them.

GDPR Rights (EU and UK Users)

GDPR Right | Legal Basis | How Tortoise Time Implements It
Right of Access (Art. 15) | All processed data | Settings → Today’s Data (PIN required). All data is local — you can inspect it directly on your device.
Right to Rectification (Art. 16) | Inaccurate data | Settings → Adjust Daily Limit / Adjust Monitored Apps (PIN required).
Right to Erasure (“Right to be Forgotten”) (Art. 17) | All local data | Settings → About Tortoise Time → Clear All Data (30-second hold), or uninstall the app.
Right to Restriction of Processing (Art. 18) | All processing | Uninstall the app to stop all processing. For Firebase analytics exclusion, contact wu956826374@gmail.com.
Right to Data Portability (Art. 20) | Locally stored data | All data resides on your device. You are free to export via standard Android backup tools. We do not hold a cloud copy.
Right to Object (Art. 21) | Legitimate Interests processing | Contact wu956826374@gmail.com to object to anonymized analytics processing. We will process within 30 days.
Right Not to Be Subject to Automated Decision-Making (Art. 22) | All automated decisions | Tortoise Time’s daily limits are fixed rules set manually by parents, not AI-generated automated decisions. This right is N/A — no automated profiling occurs.
Right to Lodge a Complaint | Supervisory authority | EU users may lodge a complaint with their national Data Protection Authority. UK users may contact the ICO: https://ico.org.uk/make-a-complaint/

CCPA Rights (California Users)

CCPA Right | CCPA Section | How Tortoise Time Implements It
Right to Know | §1798.100 | We disclose all categories of Personal Information collected in this Privacy Policy. You may also request a specific disclosure by contacting wu956826374@gmail.com.
Right to Delete | §1798.105 | Settings → About Tortoise Time → Clear All Data (30-second hold), or uninstall the app. For Firebase analytics anonymous identifier deletion, contact wu956826374@gmail.com.
Right to Correct | §1798.106 (CPRA) | Settings → Adjust Daily Limit / Adjust Monitored Apps (PIN required).
Right to Opt-Out of Sale or Sharing | §1798.120 | We never sell or share Personal Information. No opt-out mechanism is needed.
Right to Non-Discrimination | §1798.125 | We do not discriminate against any consumer for exercising their CCPA rights.

COPPA Parental Rights (U.S. — Children Under 13)

Parental Right | How Tortoise Time Implements It
Right to Review | Parents may view all data the app holds via Settings → Today’s Data (PIN required).
Right to Delete | Parents may delete all data via Settings → About Tortoise Time → Clear All Data, or by uninstalling the app.
Right to Refuse Further Collection | Uninstalling the app stops all data collection. The app has no ongoing server-side collection to refuse.
Right to Contact | Contact wu956826374@gmail.com. We will respond within 30 days.

General Rights (All Users, All Jurisdictions)

Right | How Implemented
Access | Settings → Today’s Data (PIN required)
Correction | Settings → Adjust Daily Limit / Adjust Monitored Apps (PIN required)
Deletion | Settings → About Tortoise Time → Clear All Data, or uninstall
Withdraw Consent | Uninstalling the app constitutes withdrawal of all consent
Data Portability | All data is on your device — you are the data custodian
Object to Automated Decision-Making | N/A — Tortoise Time uses only fixed parent-set rules, not AI decisions
Lodge a Complaint | wu956826374@gmail.com; China users: local Cyberspace Administration of China (CAC) office; EU users: national DPA; UK users: ICO

9. Data Retention Policy

  • Local data: Retained until you uninstall Tortoise Time or manually clear data via Settings.
  • Firebase Crashlytics crash logs: Retained by Google for 90 days, then automatically deleted. See Google Firebase Privacy Policy.
  • Firebase Analytics anonymized aggregate events: Retained by Google per their standard data retention schedule. Because the events are anonymized and not linked to an individual identity, deletion of an individual’s data is not applicable.

10. Policy Changes

If we modify this Privacy Policy, we will:

  1. Update the “Last Updated” date at the top of this page.
  2. Notify you within the app via a launch announcement or in-app notification.
  3. For material changes (e.g., we begin collecting a new type of data), we will provide at least 30 days’ advance notice before the change takes effect.

If you are an EU, UK, or CCPA-protected user and the material change involves processing new categories of Personal Information, we will seek fresh consent or provide a clear opt-out mechanism before the change takes effect, as required by applicable law.


11. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your rights, or wish to make a complaint:

For users in the European Union, you also have the right to lodge a complaint with your local Data Protection Authority. For users in the United Kingdom, you may contact the Information Commissioner’s Office (ICO) at https://ico.org.uk/make-a-complaint/.


12. Governing Law and Dispute Resolution

12.1 Applicable Law

This Privacy Policy is governed by the laws of the People’s Republic of China (the jurisdiction where the developer, wuyang, resides and operates).

However, where mandatory applicable local law in your jurisdiction provides stronger protections or confers rights that conflict with this policy, your local mandatory law prevails over this policy. Specifically:

Your Jurisdiction | Mandatory Law That Prevails Over This Policy
European Union member states | EU GDPR (Regulation (EU) 2016/679) — including all data subject rights in §8
United Kingdom | UK GDPR and the Data Protection Act 2018 — including ICO enforcement
United States (Federal) | COPPA (15 U.S.C. §§ 6501–6506) and FTC Rule 16 C.F.R. Part 312
California, USA | CCPA/CPRA (Cal. Civ. Code §1798.100 et seq.)
Mainland China | PIPL, the Cybersecurity Law, and the Data Security Law of the PRC

The above list is illustrative, not exhaustive. Where any applicable mandatory law in your jurisdiction grants you rights or protections beyond those described in this Privacy Policy, we honor those rights.

12.2 Dispute Resolution

In the event of a dispute arising from this Privacy Policy or our privacy practices:

  1. Mediation first: We encourage you to contact us at wu956826374@gmail.com. We commit to engaging in good-faith mediation within 30 days of receiving your written complaint.
  2. If mediation fails: Disputes shall be resolved by a court of competent jurisdiction in the developer’s place of residence (PRC), unless mandatory applicable law in your jurisdiction requires otherwise (e.g., EU GDPR grants EU supervisory authorities and courts jurisdiction over EU data subjects’ GDPR claims regardless of the controller’s location).
  3. EU and UK users: Nothing in this Governing Law clause prevents EU or UK data subjects from exercising their rights before their national Data Protection Authority or courts under GDPR or UK GDPR. EU supervisory authority jurisdiction is mandatory and cannot be contractually displaced.

Chinese version (authoritative): https://www.serpilo.com/privacy
