FamCircles is a family-coordination app for parents and kids. This Privacy Policy explains what data we collect, why we collect it, who can see it, and what you can do about it. We've tried to keep the language plain — if any of it is confusing, that's our fault and we want to know. Email support@famcircles.net.
Who we are
FamCircles is a family-coordination app. We help families stay aware of where everyone is, who's handling which event, and what needs doing — without the surveillance feel of broader tracking apps.
You can reach us about anything in this policy at support@famcircles.net.
What we collect
When you create an account or use FamCircles we collect:
- Account info: your email address, an encrypted password (Firebase Auth never stores it as plaintext), your display name, and an optional profile photo.
- Family setup: the family name you pick, the household structure (single parent, two-parent, co-parenting), your role (parent or kid), and which household you belong to.
- Location data: your phone's GPS coordinates when you (a) tap the FamMap tab to check on the family, (b) accept a "FamMap pull" request from another family member, or (c) tap "I'm on my way" on an event to share your live location during a handoff. We store one cached coordinate per family member ("last known location") for up to 24 hours so the family can see where someone was even if their phone is currently offline. We do not run a continuous live-tracking stream; location only travels at the moments listed above.
- FamMap activity log: every FamMap pull is logged with timestamp + who initiated it. Parents in your family (and our admin support staff for support investigations) can see this log; kids cannot. Used for rate-limiting and family transparency. Retained 90 days then auto-deleted (see "How long we keep it").
- Events: titles, dates, times, locations, who's involved, who's handling drop-off and pickup, and the status of each event (claimed, on the way, done).
- Chat messages: text and photos in family chat, direct messages, group chats, event-scoped chats, and any Crew chats you participate in. Photo attachments auto-delete after 90 days; text messages persist until you or another family member deletes them, or until you delete your account.
- Tasks: titles, notes, comments, assignees for the family to-do list.
- Saved places: home, school, parks, and other locations you save for reuse. We store the coordinates and a label.
- Crew data: when you join a Crew (a cross-family closed group like "Soccer team carpool"), the Crew's other members can see your name, avatar, location during active handoffs, and any Crew chat messages or hangouts you participate in. Your home family's data stays private to your home family — only what you explicitly share into the Crew is visible to its members. Parents must approve every kid joining a Crew.
- External calendar events: when you connect your phone's calendar (Apple, Google, etc.), we sync the events you choose into FamCircles so they appear alongside FamCircles events. We only sync from calendars you explicitly enable.
- Push notification token: a device-specific identifier issued by Apple or Google that lets us send notifications to your phone.
- Subscription / billing data (Pro users only): if you subscribe to FamCircles Pro through Stripe, we receive and store your Stripe customer ID, subscription ID, current subscription status, and the timestamp your current paid period ends. We never see or store your card number — Stripe processes payment directly and shares only the operational metadata above with us.
- Basic device info: operating system, app version, language. We don't collect IMEI, advertising IDs, or any cross-app identifiers.
What we don't collect
To be clear about the things we explicitly don't do:
- We don't collect contact lists or anyone's phone numbers from your phone.
- We don't scan your messages, photos, or events for advertising or analytics. AI photo extraction (when you take a picture of an invitation, calendar, or schedule) sends only that single image to Google's Gemini API to extract event details. Multi-event scans (e.g. a school monthly calendar) extract every event visible in one call rather than uploading multiple times. The image isn't stored on our servers after extraction completes.
- We don't track you across other apps or websites. There are no advertising SDKs in FamCircles.
- We don't see or store your payment card number. If you subscribe to FamCircles Pro, payment is processed entirely by Stripe; we receive only the operational metadata listed in "What we collect" (customer ID, subscription status, period-end date).
- We don't collect biometric data, voice recordings, or microphone audio outside of explicit voice-event capture (when you long-press the Add button or tap the mic icon to dictate an event). Speech-to-text runs on your device; only the resulting transcript is sent to Google's Gemini API for event extraction. We don't retain the transcript on our servers after extraction.
- We don't profile minors. Kids' accounts collect the same operational data as adults' (location, events, chat) but receive zero advertising, behavioral tracking, or marketing.
- We don't sell, rent, or share your data with third parties for any purpose other than running the service. The full sub-processor list is in Section 4 ("Who can see your data").
Who can see your data
The whole point of FamCircles is sharing within YOUR family. Inside your family circle:
- Other family members can see your last known location (from the most recent FamMap pull or "I'm on my way" share), your name and avatar, the events you own or are part of, and your messages in family chat or any DM/group you're in.
- Parents in your family can see the FamMap activity log (who pulled location, when). Kids in the family cannot see this log.
- Direct messages between two family members are visible only to those two people.
- Group chats are visible only to members of that group.
- Saved places, geofence settings (if any), and tasks are visible to every family member.
If you join a Crew (a cross-family group):
- Other Crew members (kids and parents from other families) can see your name, avatar, any Crew-shared location during an active handoff, and any messages you post in the Crew chat.
- Crew membership is parent-approved for kids — a parent in the kid's home family must explicitly approve before the kid can join. The approval is logged with a COPPA-compliant audit record.
- Your home family's data stays private to your home family. The Crew has its own separate scope.
Outside your family / Crews, your data goes nowhere except to the following sub-processors:
- Google Cloud / Firebase: hosts the database, file storage, and authentication. They process your data on our behalf as a sub-processor under their standard data processing agreement. They don't access it for any purpose except providing the hosting service.
- Google Gemini API: when you use AI features (voice event capture, photo flyer/calendar extraction), the relevant input (transcript text or single image) is sent to Google's Gemini API for extraction. Per Google's terms, prompts to Gemini's paid API are not used to train Google's models. The extracted output is returned to FamCircles and stored only as the parsed event data; the input is not retained on our servers.
- Stripe: if you subscribe to FamCircles Pro, Stripe processes your payment, stores your card information, and manages your subscription. We send Stripe your email address (so they can send receipts) and your family ID (so they can map subscriptions to families). We do NOT send Stripe any of your other family data.
- Expo: routes push notifications to Apple Push Notification Service and Firebase Cloud Messaging. They handle only the push token and the notification payload (title and body), not your underlying data.
- Apple App Store / Google Play: handle app distribution. If you subscribe via Apple in-app purchase (planned for a future release), Apple handles the payment instead of Stripe.
- Google Maps: provides the map tiles, Places autocomplete (for typing addresses), and reverse geocoding (for showing "near home" labels on the FamMap detail card). Live coordinates are never sent to Google Maps for tracking — only the search queries you type and the coordinates of saved Places when we render their pins.
We do not sell your data. We do not share it with advertisers. We do not share it with data brokers. We do not share it with anyone who isn't in your family circle or your Crews except as listed above.
How long we keep it
Different data has different lifecycles:
- Last-known location (FamMap cache): one coordinate per family member, refreshed each time someone pulls FamMap or shares during a handoff. Auto-suppressed in the UI after 24 hours; the underlying doc is overwritten on the next pull. When you turn off location sharing, your phone stops responding to pulls and the cached coordinate ages out.
- FamMap activity log: 90 days. Used for rate-limit enforcement and parent-side transparency. Auto-deleted after 90 days.
- Chat photos: 90 days from upload, then auto-deleted by a scheduled cleanup. You can delete a photo earlier by deleting the message that contains it.
- Chat text messages: persist until manually deleted (by you, by a parent, or by account deletion). They don't auto-expire.
- Events, tasks, saved places: persist until you or another family member deletes them, or until your account is deleted.
- Crews: a Crew expires automatically after 90 days of inactivity. When it expires, the entire Crew (members, messages, hangouts) is recursively deleted within 24 hours.
- Subscription / billing data: while your Pro subscription is active. When you cancel, we keep the metadata until the end of your paid period, then delete the customer record on Stripe's side and the corresponding fields on the family doc.
- Account data (member doc, auth credentials, profile photo): kept while your account is active. When you delete your account, the cascade typically completes within 60 seconds and removes everything except COPPA-required consent records (next section).
- Consent records (COPPA): when a parent records consent for a kid, that record is kept indefinitely as a legal audit trail, even after the kid's account is deleted. This is required by US federal regulation. We retain only the consent metadata (who consented, when, to what version) — not the underlying data the consent covered.
Children's privacy (COPPA)
We treat any account belonging to a child under 13 as subject to the US Children's Online Privacy Protection Act (COPPA). For families outside the US, we apply the same protections by default — the UK ICO and EU GDPR both treat under-16 users with similar care.
Before a kid account collects any operational data (location, chat, etc.), we capture verifiable parental consent server-side. The consent record includes:
- The parent's authenticated identity (verified Firebase Auth user)
- A timestamp from our server (not the client clock — can't be tampered with)
- The IP address the consent came from
- The user-agent (which device the parent used)
- The exact disclosure text the parent agreed to (so future copy changes can't retroactively rewrite history)
Parents control kid accounts entirely — they can delete a kid's account, edit a kid's profile, approve or deny Crew invites for a kid, and revoke consent at any time. Parents can also review every chat the kid is in (family room, direct messages, group chats, and event chats — all of it) via Me → Kids' Privacy → Review [Kid name]'s chats, exercising the parental review right under COPPA Rule 16 CFR §312.6(a)(1). Every parental review is server-side audit-logged. Kids see their own profile and the family roster but cannot see the FamMap activity log, the parental review log, the consent records, or per-kid administrative views — those are parent-only surfaces.
We never advertise to kids. We never use kid data for any purpose other than family coordination. We never share kid data with anyone outside the family, except with the members of any Crews the kid has joined — and only after a parent in the kid's home family has explicitly approved that Crew membership with a COPPA-compliant audit record.
If you believe a child under 13 has registered without parental consent, email support@famcircles.net and we'll delete the account and all associated data within 7 days.
Your rights (GDPR · CCPA · state law)
You can exercise these at any time directly in the app:
- Access: every piece of data we hold about you is visible to you in the app — your member profile, your events, your messages, your last-known location, your saved places. There's no separate "data subject access request" needed.
- Download: tap Me → Privacy → "Download my data" to get a JSON archive containing every doc and signed download URL for every photo we have on you. The archive is available for 7 days from a signed URL.
- Delete: tap Me → Account → "Delete account" to trigger a full cascade that removes your member doc, last-known location, push token, profile photo, every chat message you authored, every event you own, every Crew you're a member of (you're removed; the Crew survives if other members remain), and finally your auth account. The cascade typically completes within 60 seconds.
- Correction: edit your profile (name, nickname, photo, household, etc.) at any time from the Me page.
- Opt out of location sharing: tap the location toggle on the Me page. You can choose Everyone, Kids only, Off, or set a time-bounded sharing window. When location sharing is off, your phone won't respond to FamMap pulls and your last-known location ages out of the family's view within 24 hours.
- Withdraw consent: parents can revoke consent for a kid by deleting the kid's account. The COPPA consent record itself remains as a legal audit trail.
- Cancel subscription: Pro subscribers can cancel at any time via Me → Subscription → Manage Billing, which opens Stripe's hosted billing portal. Pro features remain active until the end of your current paid period; we don't pro-rate refunds.
- Adults can withdraw their own consent at any time by deleting their account; partial withdrawals (e.g. turning off AI features but keeping the app) are accomplished via the granular toggles in Me → Privacy.
GDPR / CCPA / state law rights: if you live in the EU, UK, California, or anywhere with similar comprehensive privacy law, the rights above already satisfy access, portability, deletion, and rectification rights. If you need a formal Data Subject Access Request, email support@famcircles.net and we'll respond within 30 days as required by law.
For users in the EEA / UK: in addition to the rights above, you have the rights to rectification (Art 16), restriction of processing (Art 18), and to object (Art 21) under GDPR. We do not engage in automated decision-making producing legal effects (Art 22) — all account-affecting decisions involve human review at our end.
How we secure your data
Security practices we follow:
- All network traffic uses HTTPS / TLS 1.2+. Plain HTTP is never accepted.
- Data is encrypted at rest by Google Cloud Firestore, Realtime Database, and Cloud Storage using Google-managed encryption keys.
- Authentication uses Firebase Auth — passwords are hashed and salted server-side; we never see plaintext passwords.
- Access to family data is enforced by Firestore and Realtime Database security rules at the path level. Cross-family reads are denied by both the path scope and the per-document membership check (defense in depth).
- Sensitive credentials are stored as Firebase Cloud Function secrets and never embedded in the app bundle. Public-restricted client API keys (Google Maps, Firebase) are scoped via Google Cloud Console restrictions to prevent abuse outside our app.
- Our Cloud Functions use Firebase Admin SDK with the default service account; we don't embed long-lived API keys in app builds.
No system is unbreakable. If we ever suffer a data breach that affects you, we'll notify you within 72 hours of becoming aware, with details about what was exposed and what we're doing about it. We follow GDPR Article 33 timelines as a baseline, regardless of where you live.
Where your data lives
Our backend runs on Google Cloud Firestore and Realtime Database in the us-central1 region (Iowa, USA). If you live outside the US, your data is transferred to and processed in the United States. We rely on Google Cloud's standard contractual clauses (SCCs) for cross-border transfers under GDPR. Google Cloud is also certified under the EU-US Data Privacy Framework (DPF), the UK-US DPF Extension, and the Swiss-US DPF — providing additional legal basis for transfers from those regions.
Push notifications are routed through Expo's servers (also in the US) before being delivered to Apple Push Notification Service or Firebase Cloud Messaging.
If you'd prefer your data live in another region, that's not something we offer today. The smallest meaningful step you can take is to delete your account, which removes the data from US servers within 60 seconds.
When this policy changes
We version this policy. The current version is shown at the top of this page (and in-app at Me → Privacy → Privacy Policy).
When we make a MATERIAL change — adding a new data category, adding a new sub-processor, changing what can be shared with whom, etc. — we'll bump the major or minor version and prompt you to re-read and accept the new version on your next app launch. You won't be able to keep using FamCircles until you accept (or sign out and stop using the app).
When we make a non-material change — fixing a typo, clarifying language without changing meaning, etc. — we'll bump the patch version. You can keep using the app without seeing a re-consent prompt; the new version is just on file.
We won't downgrade your privacy by surprise. If something material changes, you'll know.
Contact us
Questions, complaints, requests, or anything else:
- Email: support@famcircles.net
We aim to respond within 5 business days for general questions and within 30 days for formal data-subject requests (the GDPR / CCPA limit).
If you live in the EU and feel we haven't addressed your concerns, you also have the right to lodge a complaint with your local data protection authority. We hope it doesn't come to that, but the option is yours by law.