Privacy Policy
Effective Date: April 14, 2026 · Last Updated: April 14, 2026
Chasten (“Company,” “we,” “us,” or “our”) operates the Chasten application and website at chasten.ai (the “Service”). This Privacy Policy explains how we collect, use, store, protect, and disclose your information when you use the Service.
We take the privacy of your family seriously. Chasten handles sensitive information about parenting responses and children's behavioral patterns. This policy is written to be transparent about exactly what we do with that data.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- First name and last name
- Email address
- Password (stored as a one-way bcrypt hash — we cannot read your password)
- Household name
If you sign in with Google OAuth, we receive your name, email, and profile image from Google. We do not receive or store your Google password.
1.2 Children's Information
You may enter information about your children, including:
- First name (encrypted before storage)
- Birth month and year (encrypted before storage — we do not collect exact birthdates)
- An avatar color for display purposes
Important: Children do not create accounts or directly use the Service. All children's information is entered and managed exclusively by their parent or legal guardian.
1.3 Parenting Moments and Behavioral Data
When you log a parenting moment, we collect:
- Which child the moment relates to
- The behavior observed (selected from your configured list)
- Your response(s) and their details (duration, items involved, notes)
- Date and time of the moment
- Which parent logged the moment
- Whether the entry was made via voice or manual input
Notes and response details are encrypted at the application layer before being stored in our database.
1.4 Milestones
You may log positive milestones for your children (e.g., “first unprompted apology”). Milestone titles and descriptions are encrypted before storage. The Service may also automatically detect milestones based on behavioral streak data.
1.5 Technical and Usage Data
We automatically collect:
- Browser type and version
- Device type (desktop, mobile, tablet)
- Pages visited and features used
- IP address (for security and rate limiting only — not stored long-term)
- Cookies necessary for authentication (session tokens, trusted device tokens, 2FA verification)
1.6 Analytics Data
We use Google Analytics to collect anonymized usage data including page views, session duration, and general traffic patterns. Google Analytics does not have access to your encrypted personal data or children's information. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.
2. How We Use Your Information
We use your information exclusively to:
- Provide, maintain, and improve the Service
- Authenticate your identity and secure your account (including 2FA)
- Generate analytics, trend charts, effectiveness scores, and behavioral insights for your household
- Detect behavioral milestones and streaks
- Perform fairness analysis across siblings within your household
- Send transactional emails (verification codes, login codes, household invitations, notifications)
- Display relevant scripture-based encouragement after logging moments
- Send push notifications when timed responses end (if enabled)
- Respond to your feedback and support requests
We do not use your data for advertising, marketing profiling, data mining, or any purpose other than providing the Service to you.
3. Data Encryption and Security
We implement multiple layers of security to protect your data:
3.1 Application-Layer Encryption
The following data is encrypted using industry-standard encryption at the application layer before being written to the database:
- Children's names
- Children's birth months
- Parenting moment notes
- Response action form data (items removed, privileges lost, etc.)
- User first and last names
- Milestone titles and descriptions
This means that even if our database were compromised, the sensitive data would appear as unreadable ciphertext. The encryption key is stored separately from the database and is never exposed in client-side code.
3.2 Password Security
Passwords are securely hashed using a one-way cryptographic algorithm before storage. We cannot read, recover, or reverse your password. If you forget your password, you must reset it.
3.3 Authentication Security
- Email verification is required before account access
- Two-factor authentication (2FA) via email is required for credential-based logins from untrusted devices
- Trusted device tokens are HMAC-signed and expire after 30 days
- Rate limiting is enforced on login attempts, verification codes, and invitations
- All data is transmitted over HTTPS (TLS encryption in transit)
3.4 Infrastructure Security
- Application hosted on enterprise-grade cloud infrastructure with automatic HTTPS and DDoS protection
- Database hosted on managed infrastructure in US-based data centers with encryption at rest
- Industry-standard security headers enforced to prevent common web vulnerabilities
4. Data Sharing and Third Parties
We do not sell, rent, trade, or share your personal data or your children's data with any third party for marketing, advertising, analytics profiling, or data brokerage purposes.
We share limited data with the following service providers solely to operate the Service:
| Category | Purpose | Data Shared |
|---|---|---|
| Cloud hosting provider | Application and database hosting | Server logs, IP addresses; database contains only encrypted data for sensitive fields |
| Email delivery provider | Transactional emails | Email addresses and email content (verification codes, notifications, invitations) |
| Authentication provider | Google sign-in (optional) | Email and name when you choose to sign in with Google |
| Analytics provider | Anonymized usage analytics | Anonymized page views and session data (no personal or children's data) |
These providers process data under their own privacy policies and terms. We have selected providers with strong security and privacy practices.
We may disclose your information if required by law, subpoena, court order, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
5. Voice Input Data
The Service offers optional voice input using the Web Speech API built into your browser. When you use voice input:
- Audio is processed by your browser's speech recognition engine (Google for Chrome, Apple for Safari)
- Audio may be sent to Google or Apple servers for processing — this is handled by your browser, not by Chasten
- We receive only the transcribed text, not the audio itself
- We do not store, record, or transmit audio data
Voice input is entirely optional. The manual form input works identically without voice. Voice input is not available on iOS devices.
6. Cookies and Local Storage
We use the following cookies, all of which are essential for the Service to function:
| Cookie | Purpose | Duration |
|---|---|---|
| authjs.session-token | Authentication session | 30 days |
| chasten_trusted_device | Trusted device for 2FA skip | 30 days |
| chasten_2fa_verified | 2FA verified this session | 24 hours |
We do not use advertising cookies, tracking cookies, or third-party cookies for marketing purposes. Google Analytics uses its own cookies as described in Google's Privacy Policy.
The Service includes a service worker for Progressive Web App (PWA) functionality that may cache page assets locally on your device for offline access and performance. No sensitive personal data is intentionally cached by the service worker.
7. Data Retention
- Active accounts: Data is retained as long as your account is active.
- Deleted accounts: Upon account deletion, personal data is removed from active systems within 30 days. Encrypted data in database backups is purged within 90 days through standard backup rotation.
- Household invites: Pending invites expire after 7 days and are marked as expired.
- Email verification codes: Expire after 15 minutes.
- 2FA codes: Expire after 10 minutes.
- Feedback submissions: Retained for product improvement purposes. Contact us to request deletion.
8. Your Rights
You have the right to:
- Access your data — all your data is visible within the Service
- Correct your data — you can edit children, moments, milestones, and account information
- Delete your data — you can delete individual records or request full account deletion
- Export your data — contact us to request a data export
- Withdraw consent — you can stop using the Service and delete your account at any time
- Object to processing — contact us if you have concerns about how your data is processed
To exercise these rights, contact us at support@mail.chasten.ai.
9. Children's Privacy
The Service is designed for adult parents and guardians. Children do not create accounts, provide personal information directly, or interact with the Service. All information about children is provided by and controlled by their parent or legal guardian.
We collect only the minimum information about children necessary to provide the Service: a first name (encrypted), birth month and year (encrypted, not exact date), and an avatar color. We do not collect children's email addresses, phone numbers, photos, location data, or any other direct identifiers beyond what parents voluntarily enter.
If you believe a child has provided information to us directly without parental consent, contact us immediately at support@mail.chasten.ai and we will delete the information.
10. International Data Transfers
The Service is hosted in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We protect international data transfers through the encryption measures described in Section 3.
11. Data Breach Notification
In the event of a data breach that compromises your personal information, we will notify affected users by email within 72 hours of discovering the breach, consistent with applicable law. Due to our application-layer encryption, a breach of the database alone would not expose readable personal data.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice within the Service at least 30 days before the changes take effect. We encourage you to review this policy periodically.
13. Contact
If you have questions, concerns, or requests regarding this Privacy Policy or your data, contact us at:
Email: support@mail.chasten.ai