Privacy Policy
Last updated: February 1, 2026
Cylux is a child safety platform. We take the privacy of both parents and children extremely seriously. This policy explains what data we collect, why we collect it, and how we protect it. We never sell your data. We are COPPA and GDPR compliant.
1. Who We Are
Guardian Systems Inc. ("Cylux", "we", "us", or "our") operates the Cylux parental monitoring platform, including the Cylux Parent mobile app, Cylux Child mobile app, and the web dashboard at cylux.co.
For privacy inquiries, contact us at: privacy@cylux.co
Postal address: Guardian Systems Inc., 535 Mission Street, San Francisco, CA 94105
2. Information We Collect
2.1 Parent Account Data
When you create a parent account, we collect: your name, email address, and encrypted password. We also collect subscription and billing information (processed securely by Stripe — we never store raw payment card data).
2.2 Device and Child Monitoring Data
When a child's device is enrolled, we collect the following from that device on behalf of the parent:
• GPS coordinates (updated every 30 seconds while the device is active)
• App usage events (app name, package name, open/close timestamps, time spent)
• Web activity (domain names visited and blocked — not full page content or URLs)
• Device status (battery level, connectivity, compliance state)
2.3 Usage and Analytics Data
We collect anonymized usage metrics to improve our service, including feature usage patterns and performance telemetry. This data cannot be used to identify individual users.
3. How We Use Your Data
We use the data we collect exclusively to:
• Provide the Cylux monitoring and child safety service
• Process subscription payments and manage your account
• Send security alerts, activity reports, and service notifications
• Improve and debug our platform
• Comply with legal obligations
We do NOT use your data for advertising, profiling, or resale to any third party.
4. Data Relating to Children (COPPA)
Cylux is used by parents to monitor their children's devices. We comply fully with the Children's Online Privacy Protection Act (COPPA).
Children do not create accounts with Cylux and do not provide personal information to us directly. All monitoring data is collected on behalf of, and accessible only to, the verified parent or guardian who owns the account.
We do not knowingly collect any information directly from children under 13 beyond what is captured automatically by the monitoring service for parent review.
If you believe we have inadvertently collected personal information from a child without parental consent, please contact privacy@cylux.co immediately.
5. Data Sharing and Third Parties
We share data with trusted third parties only as necessary to operate our service:
• Stripe: Payment processing. Stripe is PCI-DSS certified. We share only what is necessary to process your subscription.
• Firebase (Google): Push notification delivery. Alert payloads are encrypted.
• Amazon Web Services: Cloud hosting and data storage. All data is encrypted at rest (AES-256) and in transit (TLS 1.3).
• SendGrid: Transactional email delivery (account notifications, alerts).
We do not share your data with advertisers, data brokers, or any other third parties beyond the above service providers.
Law Enforcement: We may disclose data if required by valid legal process (court order, subpoena). We will notify you unless prohibited by law.
6. Data Retention
• GPS location history: 90 days (Premium), 30 days (Basic)
• App usage and web activity logs: 90 days (Premium), 30 days (Basic)
• Account data: Retained for the duration of your subscription plus 30 days after cancellation
You can delete your account and all associated data at any time from the Settings page. Data deletion is processed within 72 hours.
7. Your Rights (GDPR / CCPA)
Depending on your jurisdiction, you have the following rights regarding your personal data:
• Right to Access: Request a copy of all personal data we hold about you
• Right to Correction: Request correction of inaccurate data
• Right to Deletion: Request deletion of your account and all associated data
• Right to Portability: Export your data in a machine-readable format
• Right to Object: Object to certain types of data processing
• Right to Restrict Processing: Request that we limit how we use your data
To exercise any of these rights, email privacy@cylux.co. We respond to all requests within 30 days.
California residents: Under CCPA, you have the additional right to opt out of the sale of personal information. We do not sell personal information.
8. Security
We implement industry-standard security measures to protect your data:
• All data transmitted between devices and our servers is encrypted using TLS 1.3
• Data stored in our databases is encrypted at rest using AES-256
• Access to production systems is restricted to authorized personnel and requires multi-factor authentication
• We conduct regular security audits and penetration testing
• We maintain SOC 2 Type II compliance
Despite these measures, no system is 100% secure. If you discover a security vulnerability, please report it to security@cylux.co.
9. Cookies
The Cylux website uses minimal cookies:
• Authentication cookies: Required to keep you logged into the dashboard (session-only)
• Preference cookies: Store your UI preferences (dark mode, language)
• Analytics cookies: Anonymized usage data (can be disabled via your browser settings)
We do not use third-party advertising or tracking cookies.
10. Changes to This Policy
We may update this Privacy Policy periodically. When we make significant changes, we will notify you by email and display a notice in the Cylux dashboard. Your continued use of the service after notification constitutes acceptance of the updated policy.
11. Contact Us
For privacy-related questions, requests, or complaints:
Email: privacy@cylux.co
Post: Guardian Systems Inc., Attn: Privacy Team, 535 Mission Street, San Francisco, CA 94105
EU residents: Our EU Data Protection Representative can be reached at eu-privacy@cylux.co