Privacy Policy
Last updated: 2026-06-01
This Privacy Policy describes what data Family Heirloom collects, why, who we share it with, and how you can control it.
The short version: we store the data you upload so we can show it to your family. We don't sell it. We don't use it for ads or for training AI. We don't share it with anyone except the infrastructure providers we use to run the service. You can delete it any time.
1. Who's running this
Family Heirloom is operated by a single independent developer. There's no marketing department, no analytics team, no third-party data brokers in the loop. You can reach the operator at [email protected].
2. What we collect
From you, directly
- Account info: your email, display name, optional birth date, and a hashed password (we don't store the plain text — even we can't read it).
- Family content: photos and their metadata (filename, mime type, EXIF capture date if present, image dimensions), recipes, tree node data, relationship labels, folder names, and any descriptions you add.
- Avatar: if you upload one.
- Billing details: handled entirely by Stripe. We never see your card number. What we keep is a Stripe customer ID linked to your family.
Automatically
- Server logs: standard web access logs (IP address, user agent, timestamps, URL requested) kept for a short period (see section 9, Data retention) for debugging and abuse prevention.
- Authentication cookies / tokens: a JWT stored in your browser's localStorage so you stay signed in. That's it — no tracking cookies, no analytics cookies, no advertising cookies.
3. How we use it
We use the data only for:
- Providing the service — showing your family their photos, sending password reset emails, processing payments.
- Keeping the service secure — investigating abuse, rate limiting, fraud detection.
- Sending you operational emails (verification, password reset, billing notices). We don't send marketing.
We do not sell your data, share it with advertisers, or use it to train machine learning models.
4. Infrastructure providers ("subprocessors")
To run the service we use a small number of well-known providers. Each receives only the data they need:
- Cloudflare (R2 + CDN, USA) — stores and serves your photos. Cloudflare privacy policy.
- Stripe (USA) — processes payments and stores billing details. They never share your card with us. Stripe privacy policy.
- Backblaze (USA) — stores off-site backups of photo content for families who opt into the backup add-on. Backblaze privacy policy.
- Resend (USA) — delivers the operational emails described above. Resend privacy policy.
- Hetzner (Germany / Finland) — hosts the application server. Hetzner privacy policy.
5. Cross-border transfers
Our infrastructure providers are headquartered in the US and EU. If you're using the service from elsewhere, your data will be transferred to those countries. We rely on each provider's standard data-protection commitments (Standard Contractual Clauses where applicable).
6. Children
The service is not intended for users under 13. Children may appear in photos uploaded by their family members — that's the nature of a family photo app. If you're a parent and want a photo containing your child removed, email us at [email protected].
7. Security
We do what's reasonable for a small SaaS:
- Passwords are hashed with Argon2id (modern, slow, memory-hard — designed to resist brute-force attacks).
- All traffic is served over HTTPS.
- Database connections are restricted to the application server's local network.
- Stripe handles all card data, so a compromise of our systems wouldn't expose card numbers.
- We sign authentication tokens and verify them on every request.
- The Cloudflare and Backblaze accounts holding your content are protected by separate credentials and MFA.
That said, no online service is invulnerable. You use the service at your own risk. If we ever experience a breach affecting your data, we'll notify you in a reasonable timeframe.
8. Your rights
You have the right to:
- Access the data we hold about you — most of it is visible to you in the app already. For anything else, email us.
- Correct inaccurate data — most fields are user-editable in the app.
- Delete your account and content. Cancel the family's subscription via Manage Billing and at the end of the paid period the family and all its content are permanently deleted (see the Terms of Service for details).
- Export your photos — drop a request at [email protected] and we'll provide a download bundle within a reasonable time.
- Object or restrict processing — email us and we'll work with you on whatever you need.
Depending on where you live (EU/UK GDPR, California CCPA, etc.) you may have additional statutory rights. We honor those rights regardless of where you are.
9. Data retention
Active accounts: data is kept as long as you have an account and an active subscription (for hosted families).
Cancelled subscriptions: the family and all its content are deleted at the end of the paid period — that's part of the lifecycle, not a punishment.
Server logs: kept for up to 30 days for debugging and abuse investigation, then rotated out.
Stripe billing records: kept by Stripe per their own retention policies and applicable financial regulations, independently of what we keep.
10. Changes to this policy
We may update this policy from time to time. For material changes we'll prompt you to re-accept inside the app. Continued use after a change means you accept the new policy.
11. Contact
Any privacy question, request, or complaint — [email protected]. We aim to respond within a few business days.
See also: Terms of Service