Back home

MVP boilerplate — not legal advice.

This document is provisional text generated for a pre-launch product. It is not legal advice and it has not been reviewed by an attorney. A qualified lawyer must review and finalize this text before the product is made available to the public.

Privacy Policy

Last updated: 2026-04-09

1. Introduction

mx-family-tree (“we”, “us”, “our”) is a web application that helps individuals digitize, structure, and preserve paper-based family records. This Privacy Policy explains what information we collect when you use the service, how we use it, where we store it, and the choices you have about your information.

By creating an account you agree to the practices described here. If you do not agree, please do not create an account.

2. What we collect

We collect only the information you provide or generate while using the service:

  • Account information: your email address and a password hash. We use your email to authenticate you and to send essential service messages (password resets, email confirmation, billing receipts if you subscribe to a paid plan).
  • Family tree data: the people, relationships, dates, places, notes, and other details you enter about your family. This data is yours — you choose what to enter, and we store it on your behalf so you can access it across devices.
  • Photos and documents: any images, scanned records, or PDF documents you upload and attach to people in your tree.
  • Audit log: a record of changes you or your collaborators make to entries in a shared tree (who changed what, and when), so you can see the history of the tree.
  • Session cookies: cookies we set to keep you signed in. We do not use cookies for analytics or advertising.
  • Server logs: standard web server logs that include IP address, user agent, and request timestamps, kept for security and debugging purposes.

We do not collect payment card information directly. If and when paid plans are introduced, payments will be processed by a third-party provider (such as Stripe) and we will receive only the information necessary to reconcile the transaction with your account.

3. What we do not collect

We do not collect: geolocation beyond coarse IP-derived region; contact lists; browsing history outside of our own site; or any data from third-party services that you have not explicitly connected. We do not run any third-party analytics, advertising, or tracking scripts on the site.

4. How we use your information

We use the information we collect to:

  • Provide, maintain, and improve the service
  • Authenticate you and protect your account
  • Send essential service messages (confirmation, password reset, security alerts)
  • Respond to support requests
  • Enforce our Terms of Service and prevent abuse
  • Comply with legal obligations

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

5. Where your data lives

Your data is stored with our infrastructure provider, Supabase, in data centers located in the United States. Uploaded photos and documents are stored in a private, access-controlled storage bucket that is only readable by members of the tree the file belongs to.

Email delivery (confirmation, password reset, notifications) is handled by Resend. Resend receives only the minimum information needed to deliver a message (your email address and the message body).

If you access the service from outside the United States, your information will be transferred to and processed in the United States, which may have data protection laws different from those in your country.

6. How long we keep your data

We keep your account and the data you entered for as long as your account is active. When you delete your account, we delete your personal data within 30 days, except where we are required to retain it by law (for example, to comply with tax or financial reporting obligations if you purchased a paid plan). Audit logs referencing a deleted account are anonymized rather than deleted so collaborators' shared tree history remains readable.

7. Your rights

Depending on where you live, you may have the right to:

  • Access the personal information we hold about you
  • Correct information that is inaccurate or incomplete
  • Delete your account and associated personal data
  • Export your family tree data in a portable format (for example, GEDCOM)
  • Withdraw consent to our processing of your data
  • Object to certain processing, or restrict it
  • Lodge a complaint with a data protection authority if you believe we have mishandled your information

To exercise any of these rights, email us at privacy@mx-family-tree.app. We will respond within 30 days.

8. Cookies

We use cookies for two purposes:

  • Authentication cookies: set when you sign in, used to keep you logged in across pages. These are strictly necessary for the service to function and cannot be turned off while still using the service.
  • User preference cookies: small cookies that remember interface preferences (such as your dark/light theme choice).

We do not set analytics cookies, advertising cookies, or any tracking cookies from third parties that are not essential to the service. Because our cookies are strictly necessary, we do not display a cookie banner — this is consistent with the ePrivacy exemption for essential cookies.

9. Security

We take reasonable precautions to protect your data:

  • All traffic between your browser and the service is encrypted with HTTPS
  • Passwords are stored as salted hashes; we cannot read your password
  • Uploaded photos and documents are stored in a private bucket with row-level access control
  • Only members of a tree can view or edit that tree's data
  • We follow standard security practices for our infrastructure provider

No online service can guarantee perfect security. If we become aware of a breach affecting your personal information, we will notify you and the appropriate authorities as required by law.

10. Children's privacy

The service is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and update the “last updated” date at the top of this page. Your continued use of the service after the changes take effect constitutes acceptance of the updated policy.

12. Contact

For privacy-related questions or to exercise any of your rights, email us at privacy@mx-family-tree.app.