FamFeel
Privacy Policy

Your family,
your data.

Version 2.1 · Last updated April 2026

1. The short version

FamFeel was built as the opposite of a data-hungry app. We don't collect emails, we don't show ads, we don't sell anything about you, we don't use behavioural-analytics platforms, and nothing you log ever leaves your family's private workspace. This page explains exactly what we do — and don't — do with your data, in plain English and in enough detail to satisfy EU/UK GDPR, the California CCPA, and any other jurisdiction that cares (which, to be fair, should be all of them).

2. Who we are ("data controller")

"FamFeel" is operated by the team behind famfeel.com. In the language of the GDPR we are the data controller for any personal data you or your family members enter into the service. You can reach us at the address in section 15 (Contact) with any privacy question, request, or complaint.

3. What we store

We store only what's needed to make the app work. Here is the entire list — no hidden collections, no "third category" footnotes:

Family workspace

  • Family name, 6-letter join code, a bcrypt hash of your family PIN (never the PIN itself), timezone, check-in cutoff hour, week-start preference, custom tag/plan presets, and paid plan status.
  • Country (optional, self-reported at signup): a two-letter country code you pick from a drop-down, or left blank. We never IP-geolocate you — this is the only way FamFeel learns where a family is from, and you can leave it at "Prefer not to say".
  • Houses (Grand and Extended Family tiers): a short list of household labels you chose (e.g. "Mum's", "Dad's"), and which member belongs to each.

Members

  • Each member's name, avatar emoji, optional uploaded avatar photo, role (parent / kid / grandparent / pet / other), birthday (required for people, so the calendar can show a birthday card; pets don't need one), optional PIN (bcrypt-hashed), and — for pets — species.
  • Per-member cross-house privacy toggles (mood / sleep / status / note / tags) on Grand and Extended Family tiers.

About uploaded avatar photos: when you upload a photo it is compressed in your browser to a 256×256 JPEG (about 25 KB) before it leaves your device — we never receive the original full-resolution file. The compressed image is stored as a base64 string inside your family's own member record in our database, never on a separate image CDN and never linked to any URL outside FamFeel. Remove it any time by opening the member in Settings and tapping the avatar picker to clear it; the string is overwritten on save. Uploaded avatars are a paid-tier feature; the Free tier uses emoji-only avatars which store nothing beyond one small character.

Check-ins & activity

  • The daily check-in you tap in: sleep, mood, tags, status, optional note, optional private note (end-to-end encrypted, see §8), optional today-plan, reactions, and who has "seen" the check-in.
  • Pet care: dog walks (time + who), feed / water-change / mood stamps for other pets, and — for dogs and cats — the small Care log of vet-exam, tick/flea-treatment, bath, and (opt-in for indoor cats) litter-change dates. These live on the pet's member record, are visible to the whole family, and are purely dates you tap in yourself — we never contact a vet, pharmacy, or any outside service.
  • Calendar events you add (title, start/end times, kind, attendees, optional notes, category chips, optional house scope, recurrence rule if any, arrivals/skip stamps, and whether you opt in a push reminder).
  • Chores (title, assignee, repeat cadence, today's completion records).
  • Messages (lightweight in-app notes between members, scoped to your family) — end-to-end encrypted in your browser, see §8.

Operational data (short-lived)

  • Wrong-PIN attempts: stored for 24 hours so we can rate-limit brute-force attacks, then auto-deleted.
  • Push-notification subscriptions: the push subscription each device registers if you turn on push (the push-service endpoint URL plus the public key and auth secret your browser generated; no name or account identifier), so we can deliver any reminders you've opted into, including morning summaries, walk reminders, birthdays and family nudges. Delete a device from Settings → Notifications and its subscription is purged.
  • Push nudge log: a single-day record of "member A nudged member B" so the same nudge can't spam someone repeatedly within a day. Rolls off daily.
  • Payment transactions: the Stripe checkout session id, amount, tier, currency, and success timestamp. No card data — ever. See §6.
  • Anonymous landing visit counts: one row per page view with timestamp, path, truncated user-agent, and a salted one-way hash of the source IP (enough to tell repeat visits apart, but the address itself cannot be recovered from it). No cookies, no persistent ad profile, no IP geolocation. Bot and crawler user-agents are filtered out at insert time, so the count approximates real humans visiting the landing page. Used only to know whether the site is working.

4. What we don't store

  • No email addresses, phone numbers, or postal addresses.
  • No location tracking. We never ask for device GPS or do IP geolocation. The only "location" in the app is a free-text field you optionally type (e.g. "Grandma's").
  • No advertising or behavioural profiles. No Google Analytics, Facebook Pixel, TikTok Pixel, Hotjar, Amplitude, Mixpanel, Segment, or equivalent.
  • No third-party cookies. We set one first-party token cookie/localStorage item that keeps your family signed in on that browser. That's it.
  • No selling, renting, or sharing of your data. Not now, not ever. If this ever changed the app would stop being FamFeel; we would email you (if we had your email, which we don't) and give you the option to delete your family before any change took effect.
  • No AI training. Your family's check-ins, notes, photos and events are never fed to a language model, ours or anyone else's.

5. Legal basis for processing

If you're in the EU/UK, we rely on the following legal bases under Article 6 of the GDPR:

  • Contract (Art. 6(1)(b)): most of what we store is necessary to provide the service you signed up for — the family workspace, check-ins, houses, chores, calendar, payments.
  • Legitimate interest (Art. 6(1)(f)): 24-hour wrong-PIN rate-limiting, anonymous landing-page counts, and server error logs, all balanced against your interest in a secure, working app.
  • Consent (Art. 6(1)(a)): push notifications (only sent if you enable them per device) and optional uploaded photo avatars. Withdraw consent any time from Settings → Notifications or by removing the avatar.

Under the GDPR, mood can count as "special-category" health data (Article 9). FamFeel stores only the mood you log yourself, shows it only to your own family, and never shares it outside the workspace or uses it for any other purpose. The basis we rely on is Article 9(2)(a): your explicit consent, given when you choose to log it.

6. Payments

If you upgrade to a paid plan (Plus, Grand, or Extended Family), payment is handled entirely by Stripe, Inc. (San Francisco, CA) under their own privacy policy at stripe.com/privacy. We never see or store your card number, expiry, CVC, or billing address. Our server only receives — and only retains — the Stripe checkout session ID, amount, currency, tier, and paid-until date, so we know which plan your family is on and when it expires. Stripe webhooks are verified by a signing secret before we accept any subscription update. Cancel any time from Settings → Family → Manage billing, or from your Stripe-hosted customer portal.

7. Sub-processors

We use only the following third-party services to operate FamFeel. Each processes the minimum data needed to do its job:

  • Stripe (payments) — card details, billing country, subscription lifecycle.
  • MongoDB Atlas (database) — all stored family data listed in §3.
  • Apple / Google / Microsoft / Mozilla push services — if you opt in to push notifications, the notification payload transits their push servers (Web Push standard). The payload is encrypted end-to-end for your browser (RFC 8291 "aes128gcm" content encoding, using the key pair your browser generated when it subscribed), so the push service only ever sees ciphertext. VAPID is used separately to prove to the push service that the message came from our server; it does not encrypt anything.
  • Our hosting provider — runs the FamFeel server and serves the web app. Standard GDPR Data Processing Addendum in place.

We do not use Google Analytics, Facebook Pixel, advertising networks, session replay tools, AI/ML training APIs, or any other third-party telemetry in FamFeel.

8. Security

  • Encryption in transit: HTTPS / TLS on every connection. HSTS header set so browsers refuse to downgrade to HTTP.
  • Encryption at rest: the database provider encrypts storage volumes by default.
  • End-to-end encrypted private notes & messages: when you tick "Private · encrypted" on a check-in note, and for every message posted to the family board, the text is encrypted in your browser (AES-256-GCM, with a key derived from your family PIN) before it leaves your device. The server only ever sees ciphertext and cannot decrypt it. Caveat: this protects against a server breach, not against someone picking up your unlocked phone, and the key can only be as strong as the PIN it is derived from. If a device is lost or no longer trusted, open Settings → Family → Signed-in devices on any other device to revoke it.
  • PINs are hashed with bcrypt — never stored or logged in plaintext. We can't tell you your own PIN; if you forget it a parent has to reset the family.
  • Family-scoped access: every API call requires a JWT bound to one specific family_id. The server explicitly filters every query by family_id — cross-family data access is not possible by design.
  • Rate limiting: per-IP request limits and per-family wrong-PIN lockout after repeated failures.
  • Stripe webhook signatures verified on every inbound billing event; unsigned events are rejected with HTTP 400.
  • CORS restricted to our own origins, so a third-party site cannot read responses from our API in your browser.
  • No source maps in production; security headers (CSP, X-Content-Type-Options, Referrer-Policy) set conservatively.

9. How long we keep things

  • Your family workspace — kept until you delete it (Settings → Family → Danger zone → Delete everything). That action is immediate and irreversible.
  • Check-ins, events, chores, messages — kept for as long as the family workspace exists, which lets any family member open a member's History page and scroll back to re-read past days (Free tier sees the last 14 days; Plus and up see the full range). No automatic deletion. You can delete any individual record from the UI.
  • Wrong-PIN attempts — 24 hours.
  • Push nudge log — same-day only (automatic roll-off).
  • Payment transactions — kept for up to 7 years where legally required for tax/accounting; otherwise purged with the family workspace.
  • Anonymous landing visit rows — retained in aggregate for up to 90 days.
  • Backups — daily database snapshots held for up to 14 days, then overwritten. Deleted families may persist in a backup for that window; after 14 days they are fully gone.

10. Children & under-13 data

FamFeel is a household tool set up and operated by an adult — a parent, guardian, or other responsible caretaker. A child never creates the account, never sets the PIN, and never enters personal information themselves; a parent does that on their behalf. The app does not ask a child for their email, phone number, address, school, device ID, or any direct contact information — none of those fields exist.

For a child under 13 the only personally identifying data FamFeel ever stores is what the parent chose to type in:

  • The country the family picked at signup (a two-letter code, optional, family-level — not per-child).
  • The child's birthday (required when the parent adds the child, so the calendar can show a birthday card).
  • A first name or nickname the parent chose, and the emoji or compressed 256×256 photo the parent picked as the avatar.
  • The check-ins, moods, sleep, tags and notes the child (or the parent on their behalf) chose to tap into the app. Nothing else, ever.

We do not track a child's location, we do not collect their device fingerprint, we do not profile them, we do not share their data with anyone outside the family workspace, and we never feed it to an advertising network or an AI training model. Section 4 ("What we don't store") applies to children exactly as strictly as it applies to adults.

Parental responsibility. The parent or caretaker who set up the family is responsible for (a) deciding whether a child is mature enough to tap in their own check-ins, (b) the content they choose to type in about a child, (c) who they grant access to the family PIN, and (d) deleting the data when they no longer want it stored. FamFeel provides the tools to do this; the adult makes the calls. This is particularly important in any jurisdiction (EU / UK under GDPR Article 8, US under COPPA, etc.) where processing a child's data requires documented parental consent — by creating a family that includes a child, you (the parent) confirm that consent.

Deleting a child's data. At any time, any parent in the family can:

  • Delete an individual child member from Settings → Family. Their check-ins, chores, and any events referencing them are removed with them.
  • Delete an individual check-in, event, chore, message, or uploaded avatar from within the UI.
  • Delete the entire family workspace from Settings → Family → Danger zone → Delete everything. Immediate and irreversible — every child's data goes with it.
  • Request a full JSON export of all their child's data before deletion by emailing us (see §15) — provided at no cost within 30 days.

If a child under 13 has been added to a family without your knowledge or consent, email us at the address in §15 with enough detail to identify the record and we will remove it promptly — typically within one business day.

11. Your rights

Under the GDPR, UK-GDPR and CCPA, you have the following rights. Most are self-service in the app:

  • Access: every piece of stored data is visible to parents in the app — check-ins, events, members, houses, chores, payment history.
  • Rectification: edit any member, check-in, event, or setting directly in the UI.
  • Erasure ("right to be forgotten"): remove individual members (their check-ins and chores go with them), or delete the entire family workspace from Settings → Family → Danger zone. Immediate, irreversible, cascades to every related record.
  • Portability: on request (contact us in §15) we'll export your family's data as JSON within 30 days, at no cost.
  • Restriction / Objection: pause push notifications per-device at any time; contact us to restrict other processing.
  • Withdraw consent: turn off push in Settings → Notifications; remove an uploaded avatar photo in the member edit screen.

You also have the right to lodge a complaint with your local data-protection authority.

12. International transfers

The database and application servers run in EU / US data centres. Where personal data is transferred from the EU/UK to a country without an adequacy decision (currently Stripe in the US), we rely on Standard Contractual Clauses (SCCs) signed with that sub-processor. We do not transfer personal data to China, Russia, or any other jurisdiction with a disclosed government mass-surveillance programme at the time of writing.

13. If something goes wrong

Despite every reasonable measure, no system is uncrackable. If we become aware of a data breach that affects you, we will:

  • Notify the relevant data-protection authority within 72 hours, as required by GDPR Article 33.
  • Publish a plain-English incident note on famfeel.com describing what happened, what data was involved, what we did to contain it, and what you should do in response.
  • Trigger an in-app banner at the top of the dashboard so every device that opens FamFeel sees the notice on next login.

14. Changes to this policy

We'll update this page when we add new features that affect data, or when laws change. Material changes trigger a banner at the top of the app for 30 days and a version bump visible at the top of this page. We don't "silently" change the rules — if something meaningful shifts you will see it the next time you open FamFeel.

15. Contact

Questions, requests, or just curious? Email famfeel.com@gmail.com. We aim to respond within 7 calendar days.

This policy is written to satisfy the EU GDPR, UK-GDPR, California CCPA and general good-faith privacy practice. Nothing in it is intended to create a lesser standard than the law requires — if a law in your jurisdiction grants you stronger rights, those stronger rights apply.