Controller: CyberHeroez CIC, United Kingdom — dipesh@cyberheroez.co.uk
This policy covers the OroQ Android app (uk.co.cyberheroez.oroq), a parental-control and web-filtering app with a parent role and a child role. OroQ is transparent and on-device first: the child phone is never monitored covertly, filtering runs locally, and the activity a parent sees is end-to-end encrypted.
Who the app is for
- Parent device: an adult sets up filtering, screen-time limits and app blocking, and views a child's activity summary.
- Child device: runs on-device filtering and reports a summary to the linked parent. OroQ is always visibly installed and shows its protection status; it does not hide itself.
What the app processes, and where it goes
On the child device (processed locally)
- Web requests (DNS): evaluated on-device by a local-only VPN to block harmful domains and apply Safe Search / YouTube Restricted Mode. Traffic is never routed to OroQ or any third party. Full URLs and page content are never read or stored — only the domain of a blocked request is recorded.
- Foreground app + screen time: read via Android Usage Access to enforce app blocks and screen-time limits.
- Installed-apps list: read so the parent can choose which apps to block.
- Recent block events: a rolling local log of up to 50 entries (domain or app name, category, timestamp).
Sent to the linked parent (end-to-end encrypted)
On a periodic sync, the child device uploads an activity summary encrypted for the parent device only (Tink hybrid encryption, HPKE over X25519): protection on/off, today's screen-time total and limit, top apps by time, blocked-today counts, recent block events, enabled block categories, the installed-apps list, blocked-app selection, and Safe Search / YouTube Restricted state. OroQ's server stores only the encrypted blob and cannot decrypt it. The encrypted summary auto-expires after 7 days; remote commands from the parent (also encrypted) expire after 24 hours.
Account data (parent only)
- Email address — used to sign in and identify the parent account.
- Google sign-in (optional): Google returns a verified email used as above. OroQ receives no other Google profile data and stores no Google tokens. A one-time email code remains available as an alternative.
- Device pairing keys: public encryption keys for paired devices. Private keys never leave the device that generated them.
Not collected
No browsing history or full URLs. No message, photo, video, or microphone content. No contacts. No location. No advertising identifiers. No third-party analytics or ad SDKs. No hardware identifiers — device identity is a random app-generated UUID.
Legal basis (UK GDPR)
- Performance of the service the parent requests (filtering, screen-time, the activity summary).
- Legitimate interests / safeguarding for organisational (school) deployments, supported by a DPIA and KCSIE compliance materials.
- Child-facing screens collect no data beyond what the linked parent's settings require, in line with the UK Age Appropriate Design Code.
Retention
- Encrypted activity summary (server): 7 days, then auto-deleted.
- Pending remote command (server): 24 hours.
- Sign-in email code, hashed (server): 10 minutes.
- Parent session token (device): 30 days.
- Parent account email (server): until account deletion is requested.
- Local block-event log (child device): rolling, last 50 events only.
- On-device settings, PIN hash, keys: until the app is uninstalled.
Sharing
OroQ does not sell data and shares it with no advertisers or data brokers. Processors used to run the service: Cloudflare (hosting and the pairing relay) and, for sign-in only, Resend (sends the one-time email code) and Google (verifies Sign in with Google and delivers push notifications). Each receives only the minimum needed. The activity summary is encrypted such that no processor — including Cloudflare — can read it; push notifications carry only IDs, never threat content.
Your rights and controls
- Access / deletion: email dipesh@cyberheroez.co.uk to access or delete your account and data. Uninstalling the child app stops all collection and deletes local data; the encrypted summary expires from the server within 7 days regardless.
- Withdraw: a parent can disable any protection or unpair a device at any time. Children can see protection status on the device at all times.
- Security disclosures: see SECURITY.md.
Children's data
OroQ is a tool operated by a parent or a school for a child's safety. It is not directed at children as consumers and shows no ads. Child-side data is minimised to what the supervising adult's settings produce, is encrypted in transit and at rest on the server, and is never used for profiling or advertising.
Changes
Material changes will update the date below and, where required, be surfaced in-app.