Children Have Rights — Digital Ones Too
The General Data Protection Regulation (GDPR) gives children's personal data special protection. Article 8 and Recital 38 say, in plain terms, that children are less able to judge risks and consequences. For parents, that means an app in the nursery deserves more scrutiny than a weather widget.
In reality, privacy in baby monitor apps is often handled in small print. Sometimes it even feels like part of the business model.
What Typical Baby Monitor Apps Collect
A look at the Baby Monitor Timmy privacy policy and policies from other baby monitor apps quickly shows which data commonly appears:
- Location data: GPS position of the device. That is hard to justify for a baby monitor.
- Audio and video recordings: Some apps store recordings on their own servers, sometimes without clear deletion periods.
- Device information: Model, operating system, unique device IDs. That can turn into a profile quickly.
- Usage behavior: When you open the app, how long you listen, which features you use.
- Advertising IDs: Some apps include ad networks and share data with third parties.
All of this data comes from the most sensitive place there is: your child's bedroom. In many cases, it lands on servers you do not control.
How Timmy Does It Differently
Baby Monitor Timmy was built from the start around data minimization. In GDPR terms, that means collecting only the data needed for the specific purpose. Not everything that is technically possible.
In practice, this means:
- Anonymous authentication: Timmy uses Firebase Anonymous Auth. No account is created, no email address is requested, no password is stored. The device receives a temporary, anonymous ID. Connection setup does not need more.
- No audio or video storage: Audio and video are transmitted directly between devices (peer-to-peer via WebRTC). No server listens in, no server stores recordings. When the connection ends, there is no recording.
- No tracking, no analytics: Timmy does not include analytics tools. No Google Analytics, no Firebase Analytics, no advertising SDKs. I do not know when you use the app, and I do not want to know.
- No location, no contacts: Timmy asks only for permissions that are technically necessary: microphone and optional camera. Nothing else.
Firebase: Only the Essentials
Timmy uses Firebase for signaling, meaning coordination of connection setup between baby and parent device. Firestore receives technical data such as SDP offers (Session Description Protocol) and ICE candidates for WebRTC. They contain no personal information and become invalid after a short time.
Audio streams, video data, and usage profiles do not belong in Firebase. The actual communication runs directly between the devices and is encrypted by WebRTC.
Data Minimization in Practice
Data minimization is not something you add at the end as a checkbox. It sits in the architecture. For Timmy, it means:
What we don't collect, we can't lose. What we don't store, can't be hacked. What we don't know, can't be misused.
For every feature I ask the same question: can this work without collecting more data? So far in Timmy, the answer has been yes.
Conclusion: Privacy is Respect
Privacy in the nursery is more than a legal duty. It is respect for your child. Your baby cannot decide what data is created about them. That responsibility sits with you and with the apps you let in.
Baby Monitor Timmy takes that responsibility seriously. Nice promises are not enough for me; the architecture should avoid collecting data that is not needed for baby monitor operation in the first place.