Privacy

What is zero-knowledge parental monitoring (and why it matters)

SentinelMDM Team · Updated June 2026 · ~6 min read

Here's an uncomfortable truth about most parental control apps: the company behind them can read everything they collect about your child. Their location. Their messages. Their photos. Their screen. It all sits on a server the vendor controls, in a form the vendor can open. "Zero-knowledge" monitoring is the design that closes that hole — and once you understand it, it's hard to accept anything less.

The problem with "trust us" monitoring

When a typical monitoring app captures data, it uploads it to the vendor's cloud where it's stored in readable form (or with keys the vendor holds). That means your child's most sensitive data is exposed to three risks you can't control: a data breach at the vendor, an insider who looks at what they shouldn't, and secondary use — analytics, ad profiling, or "anonymized" data sales. The monitoring tool meant to protect your child becomes a new place your child's life can leak from. This isn't hypothetical; the stalkerware and "family tracker" category has a long, documented history of breaches.

What "zero-knowledge" actually means

Zero-knowledge means the service provider has zero knowledge of your data — it stores only ciphertext it cannot decrypt. The data is encrypted on the device before it's uploaded, with a key that only you hold. The server becomes a dumb, blind locker: it can hold the sealed boxes and hand them back to you, but it can never open them.

How SentinelMDM does it, step by step

  1. 1The data (a photo, location, on-screen text) is generated on the device.
  2. 2It's encrypted on the device with strong symmetric encryption (AES-256-GCM), using a one-time data key.
  3. 3That data key is sealed to your public key (elliptic-curve ECDH key agreement), so only your private key can unseal it.
  4. 4Only the ciphertext leaves the device. Our server stores it as an opaque blob.
  5. 5When you open your dashboard, decryption happens in your browser with a key derived from your password — which never leaves your device.

The result: at no point does readable data — or the key to it — touch our servers or logs. We physically cannot hand your child's data to anyone, sell it, or expose it in a breach, because we never have it in readable form.

The honest trade-off: no password recovery

True zero-knowledge has one real cost, and any vendor that hides it isn't being straight with you: we can't reset your password. Because the encryption key is derived from your password and never reaches us, there's no "email me a reset link" that could recover your encrypted data — if such a link existed, it would prove we held the keys all along. Losing your password means starting fresh with a new key. That's not a bug; it's the proof the system works as claimed.

Why this is the right bar for a child's data

A child can't consent to having their life mined by a company. The most respectful way to supervise a minor is to make sure the sensitive data exists in exactly one readable place: the parent's own screen. Pair that with a short 30-day retention window (data minimization, aligned with COPPA's spirit) and disclosed installation, and you have monitoring that protects your child from the monitoring tool itself.

Questions to ask any monitoring vendor

  • Can you (the vendor) read my child's data? If the answer isn't a flat "no," it's a yes.
  • Where is the encryption key, and could a "forgot password" link recover my data? (If yes, it isn't zero-knowledge.)
  • How long is data kept, and is it ever used for analytics or sold?

Keep reading

Is parental phone monitoring legal?

Ownership, age, disclosure, and the line between supervision and spying.

Read

Disclosed vs. stealth monitoring

Why open supervision is safer for your family and your liability.

Read

See zero-knowledge monitoring in action

A full FamilySafe dashboard, encrypted so only you can read it. See a tour of the real dashboard.

See the dashboard Security architecture