UNDER THE HOOD
Most "private" software uploads your data. It just promises not to look at it.
Zero-cloud doesn't mean "nothing on the wire". It means no server ever sees the content. Below: the distinction, the two transports Quiles uses, and the one server that exists.
THE DISTINCTION
"Private" vs "no server can read it".
"End-to-end encrypted" is sometimes honest (Signal, iMessage) and sometimes marketing (WhatsApp, where the metadata is the product). Even when the content is encrypted, the metadata (who, when, how often) usually isn't. A parental-control app that uploads activity metadata to its servers, even encrypted, still gives the vendor and any future legal request a fairly complete picture of what your kid does on their phone.
Zero-cloud, as we use it, means the bytes that describe your child's activity never exist in readable form anywhere except on the two paired phones. A relay may carry envelopes between them, but it can't open them and forgets them seconds after delivery. Nothing to subpoena that says anything useful.
THE ARCHITECTURE
How parent and child sync without anyone in the middle reading along.
Two transport layers, used in complement:
- Persistent WSS to a Cloudflare relay: whenever there's network, both phones hold an authenticated WebSocket to a Cloudflare Durable Object. The parent posts an envelope, the relay forwards it to the child, and vice versa. The relay sees only a random familyId, the byte size, a timestamp, and the direction. Never the content. Each envelope is discarded about 30 seconds after delivery; no log of what travelled.
- BLE (Bluetooth Low Energy): the offline fallback. When there's no network but the two phones are nearby, BLE carries the same encrypted envelopes directly, phone to phone, no relay involved.
Every envelope is encrypted with AES-GCM under a key derived from an X25519 (Curve25519 ECDH) handshake performed the first time you scan the QR code. Neither half of that key ever leaves the two devices. The envelopes carry pause, grant, allowlist and schedule changes, the audit log, and more-time requests. They are opaque to the relay and to anyone observing the wire.
So "zero-cloud" here is not a claim that no bit ever traverses a server. It is a claim that the only thing a server can ever learn is "family X sent a 412-byte packet at 14:03". Not what was inside, not what changed, not what your child is doing.
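The envelope scheme described above, as an added Node.js sketch that is not taken from the Quiles code base. The page names only X25519 and AES-GCM; the HKDF-SHA256 step, the info label, the 12-byte nonce, the envelope field names, and binding familyId and direction as associated data are assumptions.

```javascript
// Added illustration, not Quiles source. HKDF-SHA256, the info label, the
// 12-byte nonce and the envelope field names are assumptions.
const { generateKeyPairSync, diffieHellman, hkdfSync, randomBytes,
  createCipheriv, createDecipheriv } = require('node:crypto');

// Each phone combines its own private key with the peer's public key
// (exchanged at pairing) and gets the same 256-bit key.
function deriveKey(myPrivate, peerPublic, familyId) {
  const shared = diffieHellman({ privateKey: myPrivate, publicKey: peerPublic });
  const okm = hkdfSync('sha256', shared, Buffer.from(familyId), 'example-envelope-v1', 32);
  return Buffer.from(okm);
}

// Routing fields stay in the clear but are bound into the GCM tag as
// associated data, so the relay cannot alter them undetected.
function seal(key, familyId, direction, message) {
  const nonce = randomBytes(12); // must never repeat under the same key
  const cipher = createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(`${familyId}|${direction}`));
  const body = Buffer.concat([cipher.update(JSON.stringify(message)), cipher.final()]);
  return { familyId, direction, nonce, body, tag: cipher.getAuthTag() };
}

// Throws if the body, tag, nonce or routing fields were modified in transit.
function unseal(key, env) {
  const decipher = createDecipheriv('aes-256-gcm', key, env.nonce);
  decipher.setAAD(Buffer.from(`${env.familyId}|${env.direction}`));
  decipher.setAuthTag(env.tag);
  const plain = Buffer.concat([decipher.update(env.body), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// Everything a relay without the key can record about one envelope.
function relayView(env, now = Date.now()) {
  const bytes = env.nonce.length + env.body.length + env.tag.length;
  return { familyId: env.familyId, direction: env.direction, bytes, timestamp: now };
}

// Constructed sample: two fresh key pairs and one "pause" message.
function demo() {
  const parent = generateKeyPairSync('x25519');
  const child = generateKeyPairSync('x25519');
  const familyId = randomBytes(16).toString('hex');
  const kParent = deriveKey(parent.privateKey, child.publicKey, familyId);
  const kChild = deriveKey(child.privateKey, parent.publicKey, familyId);
  const env = seal(kParent, familyId, 'parent->child', { type: 'pause', minutes: 30 });
  return { kParent, kChild, env, opened: unseal(kChild, env), seen: relayView(env) };
}
console.log(demo().seen);
```

The relay-side record holds the identifier, direction, size and time, while a changed routing field or a wrong key makes `unseal` throw instead of returning data.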
THE ONE EXCEPTION
What about the Cloudflare Worker?
Quiles has one server-side component: a Cloudflare Worker that mints entitlement JWTs after the store confirms a subscription. The Worker:
- Receives RevenueCat webhooks (authenticity-verified) when a subscription starts, renews, or ends.
- Mints an Ed25519-signed JWT containing an anonymous app user id, tier, and device pub key.
- Maintains a revocation lookup (so cancellations revoke).
It never receives family activity, schedules, audit logs, or any pairing key. The source is open at cloudflare/worker/ in our repo. Read it, audit it, copy it.
THE UNCOMFORTABLE TRUTH
The trade, stated honestly.
Zero-cloud has a cost we acknowledge:
- Live features (location-in-real-time, SOS intercom) only work when both phones are online at the same time. The relay can't usefully "save" a live video stream for later. If your kid's phone is dead or out of coverage, those features wait. Rule changes and audit logs queue up fine and apply when they come back.
- No web dashboard. Your phone is the dashboard. The relay has no readable copy of your family's state to render in a browser.
- No vendor-side history. We can't show you "what your kid did six months ago" because we don't have it. The two phones do.
If those are deal-breakers, Qustodio or Bark may suit you better. Most parents we hear from accept them in exchange for never having their kid's data on someone else's server in readable form.