Add pillar articles: parental controls guide + layers of protection (EN/DE/FR)

Two more evergreen parent-intent pillars:
- Parental controls 2026 practical guide: layered comparison of Screen
  Time / Family Link / router DNS / VPN DNS with honest trade-offs
- Seven layers of online protection: ISP → router → VPN → OS → OS
  plugins → browser plugins → in-app, framing VPN as the load-bearing
  layer that travels with the device

All three languages share translationKey for hreflang.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

content/en/layers-of-online-protection-why-vpn-matters.md

@@ -0,0 +1,152 @@
+---
+title: "The Seven Layers of Online Protection — and Why a VPN Is the One You Cannot Skip"
+date: 2026-04-14
+description: "From your internet provider down to in-app settings, there are seven layers where a child's online safety can be enforced. Here is what each one does, what it misses, and why a family VPN is the layer that holds the others together."
+tags: ["parental controls", "VPN", "DNS filtering", "router", "browser extensions", "Screen Time", "defence in depth"]
+categories: ["safety"]
+author: "Agiliton"
+slug: "layers-of-online-protection-why-vpn-matters"
+translationKey: "layers-of-protection"
+---
+
+Online safety is not a switch. It is a stack of seven layers, each covering something the others don't. When parents struggle, it is almost always because they have set up one or two layers and assumed that was enough. It never is.
+
+This article walks through all seven — from your internet provider right down to the settings inside individual apps — explains what each actually blocks, and shows why a family VPN is the layer that stops the others from leaking.
+
+## Layer 1 — The Internet Service Provider
+
+Your ISP (Deutsche Telekom, Vodafone, Orange, BT, Comcast) sits between your house and the wider internet. Most major ISPs offer a "family filter" or "safe surf" option that you can enable in your customer portal.
+
+**What it does:** DNS-level category filtering applied to your home internet connection.
+
+**What it misses:**
+- Only the connection from that one subscription — not mobile data, not when your child is at a friend's house.
+- Most ISP filters are coarse, infrequently updated, and easy to bypass by switching DNS to `8.8.8.8`.
+- Nothing is blocked on cellular data, even if the phone is on the same household.
+
+**Verdict:** Turn it on if you have it. Don't rely on it.
+
+## Layer 2 — The Router
+
+Your home router is the first device in your house that every other device goes through. Modern routers (FRITZ!Box, AVM, eero, ASUS, Unifi) let you set custom DNS servers — like Cloudflare `1.1.1.3`, NextDNS, or Quad9 — and some even let you apply different rules per device.
+
+**What it does:** Enforces DNS filtering for every device on the home Wi-Fi, including smart TVs, gaming consoles, and friends' phones when they visit.
+
+**What it misses:**
+- Leaves your house with the device. Mobile data, school Wi-Fi, coffee shops — all unfiltered.
+- A child who installs a VPN app or changes DNS on the device itself bypasses the router entirely.
+- Cannot enforce per-user rules if everyone in the house shares the same Wi-Fi SSID.
+
+**Verdict:** Essential for the home baseline. Cannot protect mobile devices away from home.
+
+## Layer 3 — The VPN with DNS Filtering (The One You Cannot Skip)
+
+A VPN installed on the child's device tunnels all traffic through a filter that travels with the device — at home, on mobile data, on school Wi-Fi, on holiday. This is the layer that makes the others actually hold.
+
+**What it does:**
+- Applies the same curated DNS blocklist on every network the device connects to.
+- Blocks ads, trackers, malware, phishing, and — crucially — full content categories (social media, adult, gambling, dating, gaming).
+- In a locked-down child profile, cannot be disabled by the child.
+- Works regardless of browser, regardless of app, regardless of which account the child signs into.
+
+**What it misses:**
+- Does not limit time spent in apps that are allowed. You still need Screen Time / Family Link for that.
+- Cannot enforce "bedtime" or "downtime" windows — this is a device-OS job.
+
+**Why this layer matters more than the others:** Every layer above this one either stops at the front door (router, ISP) or can be trivially bypassed inside the device (OS filters, browser plugins). The VPN is the only layer that travels, stays on, and cannot be switched off by a determined child. That's why we call it the layer you cannot skip.
+
+Our own product, [Agiliton VPN](https://go.agiliton.eu/vpn-app), is designed around this role — a per-device, always-on filter with **Child (0-12)** and **Teen (13-17)** profiles that block age-appropriate categories by default.
+
+## Layer 4 — The Operating System
+
+iOS, Android, Windows and macOS all provide system-level parental controls: iOS **Screen Time**, Google **Family Link**, Windows **Family Safety**, macOS **Screen Time**.
+
+**What they do:**
+- Approve app installs
+- Limit daily time per app or app category
+- Restrict communication (who can call, message, FaceTime)
+- Enforce downtime windows (e.g. no apps between 22:00 and 07:00)
+- Block in-app purchases
+
+**What they miss:**
+- Web filtering is weak. Safari's "Limit Adult Websites" is a tiny, easily-bypassed list.
+- No control over network-level traffic — if an app makes a request to a tracker or social-media CDN, the OS doesn't see it.
+- A child with the passcode can change everything. Many parents unknowingly share it.
+
+**Verdict:** Mandatory for daily time limits and downtime. Useless for content-category filtering.
+
+## Layer 5 — OS-Level Plugins and DNS Profiles
+
+On iOS you can install a DNS configuration profile (NextDNS, CleanBrowsing, Agiliton VPN acts similarly). On Android you can set Private DNS in the OS settings. These operate at the OS level without a full VPN.
+
+**What they do:** Lightweight DNS filtering without a VPN tunnel. Applies to all apps.
+
+**What they miss:**
+- Often trivially removable by a child who knows where to look.
+- DNS-only profiles don't encrypt traffic, so some networks (especially schools) may override them.
+- No profile selection by role (child vs. teen) — one-size-fits-all.
+
+**Verdict:** Fine for parents who want a light-touch solution and trust their child. Not robust enough for younger children.
+
+## Layer 6 — Browser Extensions and Plugins
+
+Extensions like uBlock Origin, Privacy Badger, or school-issued content filters run inside the browser.
+
+**What they do:** Block ads, trackers, or listed domains within that browser only.
+
+**What they miss:**
+- Only work in the one browser they're installed in. Child switches to another browser → bypassed.
+- Do not work in apps (TikTok, Instagram, Roblox all operate outside the browser).
+- On mobile, extension support is limited (Safari on iOS supports a few, Chrome Android almost none).
+
+**Verdict:** Useful addition for desktop browsing hygiene. Close to useless as a primary child-safety layer.
+
+## Layer 7 — In-App Settings
+
+Every serious app has its own parental or safety settings: TikTok Family Pairing, Instagram Parental Supervision, YouTube Kids, Roblox Account Restrictions, Discord "Safe Messaging" defaults.
+
+**What they do:** App-specific protections — restricted content modes, communication limits, screen-time nudges within that app.
+
+**What they miss:**
+- Require the child to have an account in that app with the correct age — which, as covered in [our TikTok guide](/en/is-tiktok-safe-for-kids/), children routinely falsify.
+- Apply only to that app. A second account, a different app, or the web version bypasses them.
+- Frequently redesigned; settings that were protective last year may have been quietly removed or defaulted off.
+
+**Verdict:** Worth configuring on every app the child uses. Never a primary layer.
+
+## Why the VPN Is the Load-Bearing Layer
+
+Look at what each layer covers:
+
+| Layer | Home Wi-Fi | Mobile data | School Wi-Fi | Friends' Wi-Fi | In-app traffic | Bypassable by child |
+|---|---|---|---|---|---|---|
+| ISP filter | ✅ | ❌ | ❌ | ❌ | ✅ | Trivially |
+| Router DNS | ✅ | ❌ | ❌ | ❌ | ✅ | With effort |
+| **VPN DNS (child mode)** | ✅ | ✅ | ✅ | ✅ | ✅ | **No** |
+| OS parental controls | ✅ | ✅ | ✅ | ✅ | Partial | With passcode |
+| OS DNS profile | ✅ | ✅ | ✅ | ✅ | ✅ | Often |
+| Browser extension | Browser only | Browser only | Browser only | Browser only | ❌ | Easily |
+| In-app settings | In that app | In that app | In that app | In that app | In that app | Via fake age |
+
+The VPN in child mode is the only row with a tick in every column and a "No" on bypassability. Take it away, and suddenly there is no layer covering mobile data, no layer covering school Wi-Fi, and no layer covering content-category filtering inside apps.
+
+This is not marketing. It is what the layer diagram actually shows when you draw it honestly.
+
+## Our Recommended Stack
+
+For a family with children under 16, run layers **2 + 3 + 4 + 7**:
+
+1. **Router DNS** (Layer 2) — home-network baseline
+2. **Family VPN with child profile** (Layer 3) — the always-on filter that travels
+3. **OS parental controls** (Layer 4) — app approval, time limits, downtime
+4. **In-app settings** (Layer 7) — per-app configuration for whatever your child uses
+
+Skip layers 1, 5 and 6 unless you specifically need them. They are either redundant or not load-bearing.
+
+## Further Reading
+
+- [Parental Controls in 2026: A Practical Guide](/en/parental-controls-2026-practical-guide/)
+- [Is TikTok Safe for My Child?](/en/is-tiktok-safe-for-kids/)
+- [Safe Search and Content Filtering: What Actually Works in 2026](/en/safe-search-content-filtering-2026/)
+
+{{< vpn-cta >}}

content/en/parental-controls-2026-practical-guide.md

@@ -0,0 +1,82 @@
+---
+title: "Parental Controls in 2026: A Practical Guide That Actually Works"
+date: 2026-04-14
+description: "An honest comparison of iOS Screen Time, Android Family Link, router filters and DNS-based VPN filtering — what each one is good for, and how to combine them."
+tags: ["parental controls", "iOS Screen Time", "Family Link", "DNS filtering", "router", "VPN", "family"]
+categories: ["safety"]
+author: "Agiliton"
+slug: "parental-controls-2026-practical-guide"
+translationKey: "parental-controls-2026"
+---
+
+There is no single "parental control" that works. Every family eventually learns this the same way — they set up Screen Time on an iPad, watch their ten-year-old bypass it in an afternoon, and start searching for a better answer. The better answer is not a different product. It is a layered setup that plays each tool to its strengths.
+
+This guide compares the four tools most families actually have access to, what each does well, and how to combine them.
+
+## The Four Tools That Matter
+
+**1. iOS Screen Time.** Built into every iPhone and iPad. Strong at app-level time limits, content ratings, communication restrictions, and App Store approvals. Weak at anything web-based — Safari's content filter is a blunt instrument, and any child determined to visit a site can install a second browser, use a VPN, or open the site in the App Store preview.
+
+**2. Google Family Link (Android).** Similar to Screen Time. Strong at app approvals, Play Store controls, daily limits, and location. Weak on web, and weak on iOS where it simply isn't supported.
+
+**3. Router-level filtering.** DNS blocklists or content filters applied at your home Wi-Fi. Good because it covers every device on the home network, including friends' devices and the TV. Useless the moment the device leaves the house, and useless on mobile data.
+
+**4. VPN-based DNS filtering.** A per-device tunnel that applies the same DNS filter everywhere — at home, on mobile data, on school Wi-Fi, on holiday. This is the piece most families miss. It is also the only one that travels with the device.
+
+## Honest Comparison
+
+| Capability | iOS Screen Time | Family Link | Router DNS | VPN DNS (e.g. Agiliton) |
+|---|---|---|---|---|
+| App install approvals | ✅ | ✅ | ❌ | ❌ |
+| Daily app time limits | ✅ | ✅ | ❌ | ❌ |
+| Content category blocking (web + app) | Partial | Partial | ✅ | ✅ |
+| Works off home Wi-Fi | ✅ | ✅ | ❌ | ✅ |
+| Works on school / friends' Wi-Fi | ✅ | ✅ | ❌ | ✅ |
+| Blocks trackers & ads | ❌ | ❌ | Partial | ✅ |
+| Works on smart TVs / Apple TV | ❌ | ❌ | ✅ | ✅ (Apple TV) |
+| Your child can disable it | With the passcode | With the passcode | No | No (in child mode) |
+
+There is no row where a single tool wins everything. The useful question is which combination to run.
+
+## What We Actually Recommend
+
+For a family with children aged 6-15, the layered setup that works in practice:
+
+**Layer 1 — Device accounts (iOS Screen Time or Family Link).** Set a proper child account with the correct date of birth, an age-appropriate content rating, App Store approval required for every install, daily time limits per app category, and downtime hours that cover school and sleep. Do this first. Do not skip it, even if you add the other layers.
+
+**Layer 2 — DNS filtering that travels with the device.** This is where Agiliton VPN fits. Install it on the child's phone, tablet, and laptop; enable the **Child** profile. Now, regardless of which Wi-Fi the device is connected to, categories like adult content, social media, gambling and dating are blocked at the DNS layer — including TikTok's web version, the one iOS Screen Time misses. The child cannot disable the VPN in child mode.
+
+**Layer 3 — Home Wi-Fi settings.** If your router supports it (most modern mesh systems do), configure family-safe DNS on the home network. This covers visiting friends' devices, the smart TV, and gaming consoles when they're on your Wi-Fi. Cloudflare `1.1.1.3` (family filter) or NextDNS with a family profile are both fine.
+
+**Layer 4 — Conversation, every six months.** None of the above replaces talking to your child about what they are seeing online. Controls buy you time; literacy is the long game.
+
+## Why DNS Filtering Is the Missing Piece
+
+Most parents set up iOS Screen Time, feel covered, and don't realise that Screen Time has no web-category filter worth the name. Safari's built-in "Limit Adult Websites" is a tiny list and is trivially bypassed by navigating to a site's IP directly, by using a different browser wrapped in a Web Clip, or by opening the mobile web in the App Store's in-app browser.
+
+DNS filtering closes this. When a child's device tries to load `tiktok.com`, `pornhub.com` or `bet365.com`, the DNS lookup never resolves, so the app or browser has nothing to connect to. It doesn't matter which browser they use, which VPN they install, which account they sign into — the address just does not exist on that device.
+
+The Agiliton VPN **Child** profile does this by default. Our curated blocklist combines:
+
+- **HaGeZi Multi** for ads, trackers, malware and phishing
+- **OISD** as a low-false-positive reputation list
+- **A Cloudflare top-10k allowlist** to guarantee the most-visited sites stay reachable
+- **Category layers** on top: social media, adult, gambling, dating, and gaming — each toggleable per profile
+
+We trim the raw upstream lists to roughly 15-30,000 domains optimised for German and European traffic, because smaller is faster on mobile and produces fewer accidental blocks on regional sites.
+
+## Common Mistakes
+
+- **Giving the child the Screen Time passcode "just for homework".** Once it leaves your hands, treat it as compromised — reset it.
+- **Setting up Family Link on a second-hand Android without a factory reset.** The previous owner's supervision can linger, or — worse — the device may not actually be running Family Link despite appearances.
+- **Router filtering only.** Protects the house, fails the moment they're on mobile data or friends' Wi-Fi.
+- **VPN only.** Doesn't limit time spent in the apps that *are* allowed. You still need device-level limits.
+- **No conversation.** Produces sneaky teenagers, not safe ones.
+
+## Further Reading
+
+- [Is TikTok Safe for My Child?](/en/is-tiktok-safe-for-kids/)
+- [Safe Search and Content Filtering: What Actually Works in 2026](/en/safe-search-content-filtering-2026/)
+- [Roblox, Fortnite, Discord: Age Ratings and Real Risks](/en/roblox-fortnite-discord-age-ratings-risks/)
+
+{{< vpn-cta >}}