Privacy policy

Last Updated: May 2026

Introduction

PhotoHeirloom ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our family photo preservation and sharing service.

Information we collect

We collect the following types of information:

  • Account information: name, email address, and authentication data
  • Photos and videos you upload, including AI-enhanced versions
  • Family tree information: names, relationships, birth dates, and biographical details
  • Usage data: how you interact with our service

How we use your information

  • To provide and maintain our service
  • To improve and personalize your experience
  • To communicate with you about your account
  • To ensure the security of our service

Google Contacts integration

PhotoHeirloom offers an optional integration with Google Contacts to help you easily invite family members to your family tree.

What we access from your Google account:

  • Contact names from your Google Contacts
  • Email addresses associated with your contacts

How we use this information:

  • To provide autocomplete suggestions when adding email addresses to family member profiles
  • To help you quickly send invitations to family members

Important privacy protections:

  • Your Google Contacts data is NOT stored on our servers - it is only fetched temporarily when you use the autocomplete feature
  • We never share your Google Contacts data with third parties
  • You can disconnect your Google account at any time from your account settings

To revoke PhotoHeirloom's access to your Google Contacts, visit your Google Account settings at myaccount.google.com/permissions, or disconnect from your PhotoHeirloom settings page.

Data sharing

We do not sell your personal information. We may share data:

  • With family members you invite to your family tree
  • With service providers who assist in operating our service (hosting, AI processing). For a complete list of our subprocessors, please see our Subprocessors page
  • When required by law or to protect our rights

Data storage and security

Your data is stored securely with industry-standard encryption. Photos and videos are stored on Cloudflare R2 (EU region) with secure access controls. Authentication is handled by Clerk, our database is hosted on Supabase (EU), and the application runs on Hetzner servers in the EU.

Data retention

We retain your personal data for as long as your account remains active. Specific retention periods include:

  • Photos and videos: Retained while your account is active, plus 30 days after account deletion
  • Family tree data: Retained while your account is active, plus 30 days after account deletion
  • Account information: Retained while your account is active, deleted immediately upon account deletion request
  • Usage analytics: Anonymized data may be retained indefinitely for service improvement
  • Backup copies: Permanently deleted within 90 days of account deletion

You can request complete data deletion at any time from your account settings. Upon deletion, we will permanently remove all your data from our production systems within 30 days, and from backup systems within 90 days.

Data breach notification

In the unlikely event of a data breach that affects your personal information, we will:

  • Notify affected users via email within 72 hours of discovering the breach
  • Provide details about what data was affected and the nature of the breach
  • Explain what steps we have taken to contain and remedy the breach
  • Advise you on steps you can take to protect yourself (e.g., password changes, monitoring)
  • Notify relevant regulatory authorities as required by law (GDPR, CCPA, etc.)

We maintain robust security measures and continuously monitor our systems to prevent unauthorized access. Our incident response team is trained to act quickly to minimize any potential impact.

Your rights

Under GDPR and similar regulations, you have the right to:

  • Access your personal data
  • Request correction of inaccurate data
  • Request deletion of your data (right to be forgotten)
  • Export your data in a portable format
  • Withdraw consent at any time

To exercise these rights, visit your account settings

Cookies

We use essential cookies for authentication and site functionality. We also use optional analytics cookies with your consent to improve our service. For detailed information about our use of cookies, please see our Cookie Policy.

Advertising & the Meta Pixel

On our public marketing pages we may use the Meta Pixel to measure advertising performance. We do not run it on pages that display your family photos or family tree, and for U.S. visitors we apply Meta's Limited Data Use. In regions that require consent, it loads only after you accept Marketing cookies.

You can opt out at any time by disabling Marketing cookies, using Global Privacy Control, or via our opt-out page: Do Not Sell or Share My Personal Information

Children's privacy

PhotoHeirloom is not directed to children under 13. By creating an account you represent that you are at least 13 years old. We do not knowingly collect personal information from children under 13. If you believe a child has provided us information, please contact us and we will delete it.

Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the 'Last Updated' date.

Contact Us

If you have questions about this Privacy Policy or your data, please contact us through our support channels.

Back to Home