Privacy Policy
The Short Version
- Children: Nicknames only. We minimise children's data by design and never require legal names or dates of birth for child profiles.
- The Stack: We use premium tools like Cloudflare, PostHog, and Sentry to stay secure. Some are US-based; transfers are protected by Standard Contractual Clauses.
- Selling Data: Never. We sell software licences. You are the customer, not the product.
- Cookies: Only analytics cookies, and only if you accept them. Decline anytime.
- Erasure: Delete your account and we purge your personal identifiers after 30 days. Pseudonymised ledger records are retained to preserve hash-chain integrity. They remain personal data under UK GDPR; we hold them under legitimate interests with strict access controls and no retained linkage key.
1. Who Is Responsible for Your Data
The data controller is Darren Savery, trading as Morechard (sole trader).
Postal address: 331 Finchampstead Road, Wokingham, Berkshire, RG40 3JT, United Kingdom
Email: support@morechard.com
2. The "Nicknames Only" Policy
Privacy starts with not collecting what isn't needed.
- Parents: We use your Google account name and email for identity and billing.
- Children: We explicitly request that you use nicknames for your children's profiles. Morechard does not require, and asks you not to provide, legal names or dates of birth for child profiles. A nickname combined with household and behavioural records is still personal data about a child — we process it in minimised form, on the parent's authority.
3. Why We Process Your Data
We process your data to provide and improve the Morechard service. For each purpose, the lawful basis under UK GDPR Article 6 is stated below.
-
Core service — creating your family account, syncing chores and rewards, maintaining the family ledger.
Basis: Contract (Art. 6(1)(b)) — necessary to perform the service you signed up for. -
Analytics cookies on the public website
Basis: Consent (Art. 6(1)(a)) — you explicitly accept via our cookie banner. You may withdraw at any time. -
30-day soft-delete window after account deletion — retained to allow co-parents to intervene against unauthorised deletion.
Basis: Legitimate interests (Art. 6(1)(f)) — protecting co-parents from irreversible data loss. A Legitimate Interests Assessment (LIA) is on file. -
Crash and error reporting via Sentry
Basis: Legitimate interests (Art. 6(1)(f)) — keeping the service secure and operational. -
Transactional emails — trial reminders, security alerts.
Basis: Contract (Art. 6(1)(b)) — communications necessary to deliver the service.
4. Our Service Providers & International Transfers
We use a carefully selected set of service providers and share only the minimum data necessary for each to function. Several are based in the US; where that is the case, transfers from the UK are protected by the relevant mechanism noted below.
Infrastructure & Security
- Cloudflare (US): Primary host and database provider. Transfer mechanism: EU Standard Contractual Clauses with UK Addendum (IDTA).
- GitHub (US): Source code and deployment management. Transfer mechanism: EU SCCs with UK Addendum.
Analytics & Reliability
- PostHog (US/EU): Product analytics. On the public website, PostHog only runs after you accept cookies. Transfer mechanism where US processing occurs: EU SCCs with UK Addendum.
- Sentry (US): Crash and error reporting. Receives diagnostic data when the app errors. Transfer mechanism: EU SCCs with UK Addendum.
Communication & Payments
- Google (US): Secure "one-tap" authentication. Transfer mechanism: EU SCCs with UK Addendum.
- Resend (US): Transactional email delivery. Transfer mechanism: EU SCCs with UK Addendum.
- Paddle (UK): Merchant of Record handling all payments. UK-based — no international transfer. We never store full payment card details on our own servers.
5. Children's Privacy (COPPA, GDPR-K & the Children's Code)
Morechard is designed for parents to use alongside their children. Because children's personal data is involved, this service falls within the scope of the ICO's Age Appropriate Design Code (Children's Code). We apply the Code's 15 standards by design — including high-privacy defaults, data minimisation, no behavioural nudging, and no session recording on child profiles.
Lawful basis for processing children's data
Child profiles are created and managed by a parent. The parent acts as the responsible adult and provides consent on the child's behalf, in accordance with UK GDPR, GDPR-K, and COPPA. We process children's data in minimised form (nicknames, no dates of birth or legal names) on the parent's authority.
Age thresholds by jurisdiction
- United Kingdom: The UK age of digital consent for information society services is 13. Children under 13 may only use the service under direct parental account management.
- Poland: The age of digital consent is 16. Children under 16 require verifiable parental consent.
- United States (COPPA): We do not knowingly collect personal information from children under 13 without verified parental consent.
DPIA
Processing children's data under the Children's Code makes a Data Protection Impact Assessment (DPIA) mandatory. A DPIA for Morechard is in progress and will be completed before any material change to how we process children's data.
6. Data Retention
Active accounts
We retain your personal data for as long as your account is active. You may request a copy or deletion at any time — see Section 7.
Deletion and the 30-day soft-delete window
When you delete your account, a 30-day window begins. Your data is hidden immediately but retained for 30 days to prevent accidental loss and to allow co-parents to intervene if a deletion was unauthorised. After 30 days, personal identifiers — name, email, authentication hashes — are permanently purged from our active systems.
The family ledger
Ledger transaction records (amounts, timestamps, chore identifiers, and the hash chain) are pseudonymised after account deletion — direct personal identifiers are removed and replaced with anonymous tokens. These records remain personal data under UK GDPR: the combination of amounts, timestamps, and chore patterns may constitute a unique behavioural fingerprint capable of singling out a household. We retain them under legitimate interests to preserve the cryptographic integrity of the ledger, with strict access controls and no retained linkage key. See Section 8 for how this interacts with your right to erasure.
Backups
Database backups are retained for up to 30 days, encrypted at rest, and then overwritten in rotation. Any personal data purged from active systems is not restored from backups.
7. Your Rights
Under UK GDPR you have the right to:
- Access a copy of your personal data.
- Correct inaccurate data.
- Port your data — available via our CSV Export.
- Erase your data — see Section 6 for how erasure interacts with the family ledger.
- Object to processing based on legitimate interests.
- Withdraw consent at any time where consent is the lawful basis (e.g. analytics cookies) — this does not affect the lawfulness of processing before withdrawal.
To exercise any right, email support@morechard.com. We will respond within one calendar month.
Right to complain to a supervisory authority
If you believe we have not handled your data lawfully, you have the right to lodge a complaint with the relevant data protection authority:
8. Security & the Family Ledger
Morechard uses cryptographic hashing to ensure the integrity of your family ledger. Each transaction is linked to a hash of the previous one, forming a tamper-evident chain — this is the "Sovereign Ledger" design.
How erasure works with an immutable ledger
The hash chain covers transaction records — amounts, timestamps, and chore identifiers. When you delete your account, direct personal identifiers (name, email, authentication hashes) are removed and replaced with pseudonymous tokens. The hash chain remains mathematically valid because its integrity is anchored to transaction data, not to your identity.
However, the combination of amounts, timestamps, and chore patterns may constitute a unique behavioural fingerprint. Under UK GDPR this means the retained records are pseudonymous personal data — not truly anonymous data. We rely on Article 17(3) to decline full erasure of the hash chain, specifically the legitimate interest in maintaining ledger integrity for audit and legal-claims purposes. We minimise re-identification risk through strict access controls, no indexing of behavioural fields, and no secondary dataset that could enable re-linkage.
9. Automated Decision-Making
Morechard uses AI to generate coaching observations and financial literacy content personalised to your child's activity in the app. These AI observations are informational only — they are presented to parents as guidance and carry no binding effect on any account, access right, or entitlement. A parent reviews all chore approvals, reward payments, and account-level decisions. No purely automated decision that produces a legal or similarly significant effect on any user is made by Morechard.
10. Cookies & Similar Technologies
We keep cookies to a minimum. We do not use advertising or cross-site tracking cookies, and we never sell your data. On our public website, analytics cookies are only set after you accept them using our cookie banner — if you decline, none are stored. You can change your choice at any time via Cookie settings in the footer.
Strictly necessary (no consent needed)
A small amount of browser storage is used to remember your cookie choice, keep your light/dark theme, and keep you securely signed in to the app. These are essential for the service to function and do not require consent.
Analytics (consent required)
- PostHog: Helps us understand which features people use so we can improve them. It sets first-party cookies to recognise return visits and, inside the app, to record session activity (every form input is masked). We never record children's sessions — session replay is switched off entirely on child profiles. On the public website you stay anonymous; once you sign in to the app, events are linked to your account ID so we can support you. We never sell this data.
- Sentry: Crash reporting. If something breaks, Sentry sends us a diagnostic report so we can fix it. It does not set advertising cookies.
Because these are non-essential, they only load once you have given consent on our website. Withdrawing consent stops further collection and opts you out.