Architecture

Your child's data is not in the cloud: what that really means

"No cloud" is a phrase that wears thin fast. Here is the breakdown: what kinds of data a parental-control launcher produces, where they live in Quiles, and where they would end up with other tools.

Published: 16 May 2026 · Note: This article is not legal advice.

Categories

Four kinds of data. Four possible places.

A parental-control launcher like Quiles produces or manages four groups of information:

  • App activity: which app was opened, for how long, when. Source is Android's UsageStatsManager, a system API the launcher queries with permission.
  • Audit log: attempts to open blocked apps, more-time requests, rule changes. Useful so the parent can review.
  • Rules: allowed apps, schedules, daily limits, SOS contacts, pause modes.
  • License: a token tied to a subscription. Quiles Familia is free, so it needs none; the token only exists for the optional paid Quiles Mayor plan (€59/year).

In Quiles

Where each piece lives.

01

App activity

Computed on the child's device from UsageStatsManager. Quiles queries the value; it does not store it on a server. The parent device receives it as an encrypted envelope through a blind relay on Cloudflare, or directly over Bluetooth if both phones are nearby and there's no network.

02

Audit log

Persisted in Isar, encrypted at rest, on the child's phone. The parent can request it on demand; envelopes are encrypted at the source and only decrypted on the other phone, never in transit.

03

Rules

The parent edits them on their device and they are published to the child's phone over a persistent encrypted WSS connection to a Cloudflare relay, with Bluetooth as the offline fallback. The relay sees a random familyId, the packet size and a timestamp; never the content, because it's end-to-end encrypted. And it discards each envelope about 30 seconds after delivery. That's how they never pass through a Quiles server that could read them.

For the free Quiles Familia launcher, nothing traverses our infrastructure at all: there is no payment, so no token. The only paid piece, the optional Quiles Mayor plan, is purchased inside the app on the App Store or Google Play, not on our server. When someone subscribes, the Cloudflare Worker receives a webhook from RevenueCat carrying an anonymous subscription identifier (app user id, with no real name), and signs an ed25519 JWT with the subscription state used only to recognise your entitlement. It never stores your card or tax data: Apple or Google handles those.

The Worker

What the Cloudflare Worker can and cannot see.

The Worker is the only server-side component Quiles operates. Its mandate is deliberately narrow:

  • It receives a signed webhook from RevenueCat with the subscription event.
  • It verifies the webhook's authenticity before processing it.
  • It takes a few fields: an anonymous app user id, the plan, and the subscription state. It never receives your card or tax data; the store handles those.
  • It signs an ed25519 JWT with those fields to recognise your entitlement inside the app.

The Worker cannot see app activity. It cannot see which apps are allowed. It cannot see the audit log. It cannot see SOS contacts. It keeps no buyer database: once the token is issued, no persistent record stays in our infrastructure.

Comparison

Where the same data sits in Family Link or Qustodio.

In Google Family Link, app activity, search history, block logs and rules live in Google's infrastructure. The parent console is a web view over data Google already processes; the child's phone is essentially a client.

In Qustodio, the data travels to the company's own servers. URL history, calls, filtered messages and daily reports are processed in their backend. It is a legitimate and very capable model, but the consequence is that the minor's data does leave the home and becomes subject to the vendor's retention policy, jurisdiction and economics.

Quiles chose not to do that. The consequence is that certain features (remote historic reports, off-home web supervision) are different or do not exist. In exchange, the threat model shrinks back to your own household.

Implications

Things that stop being possible.

If the data is not on our servers, we cannot suffer a breach that exposes it. We cannot sell it to a broker. We cannot receive a subpoena from a foreign authority asking us to hand it over. We cannot change the privacy policy tomorrow and start training models on it. This is not a promise; it is the consequence of not having the infrastructure.

Quiles also cannot help you recover a lost password. There is no remote backup to fall back to. The trade-off of the model is exactly that: the control plane is the family, and only the family.

Quiles

If this resonates, install once and forget the server.