Privacy Policy

Last Updated: May 4, 2025

1. Introduction

Welcome to Family Roots ("we", "us", "our"). We are committed to protecting your privacy and handling your personal data transparently and securely. This Privacy Policy explains how we collect, use, process, and safeguard your information when you visit our website and use our services, including the Healing Tales feature.

This policy is designed to comply with relevant data protection regulations, including the General Data Protection Regulation (GDPR) and, where applicable, the Health Insurance Portability and Accountability Act (HIPAA) concerning Protected Health Information (PHI) submitted through features like Healing Tales.

2. Data Controller

Family Roots is the data controller responsible for your personal data collected through this website. If you have any questions about this policy or our data protection practices, please contact us at: contact@fam-roots.com

3. Information We Collect

We collect information to provide and improve our services. The types of information include:

• Account Information: When you register, we collect information such as your name, email address, and password.
• Profile Information: You may optionally provide additional information for your user profile.
• Healing Tales Data: When using the Healing Tales feature, you may provide information including personal narratives, therapeutic goals, and other details. Some of this information may constitute sensitive personal data or PHI. We collect this solely to generate the requested Healing Tale.
• Usage Data: We may collect information about how you interact with our website, such as IP address, browser type, pages visited, and time spent on pages. Currently, this is limited to essential server logs for security and functionality.
• Cookie Data: We use cookies as described in the "Cookie Policy" section below.
• Communication Data: If you contact us, we may keep a record of that correspondence.
• Browser Push Subscription Data: If you opt in to browser push notifications, we collect your browser's push subscription information (such as endpoint and public key) and associate it with your user account (if logged in). This information is used solely to deliver browser push notifications you have requested. You can unsubscribe at any time via your browser or your profile settings. Subscription data is stored securely and not shared with third parties except as required to deliver notifications. You are always in control of your subscription and can revoke permission in your browser at any time.

4. How We Use Your Information

We use your information for the following purposes:

• To Provide and Manage Services: Authenticate users, provide access to features (including Healing Tales generation), manage accounts.
• To Generate Healing Tales: Process the information you provide, including sending relevant data to our AI partner (currently Anthropic) under strict contractual agreements (BAA/DPA) to generate the tale content.
• To Communicate With You: Respond to inquiries, send service-related announcements, manage newsletter subscriptions (if opted-in).
• To Improve Our Services: Analyze usage patterns (using anonymized or aggregated data where possible) to understand user needs and enhance website functionality (future goal, requires consent for non-essential tracking).
• For Security and Compliance: Protect against fraud, abuse, and security threats; comply with legal obligations; enforce our terms.

5. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

• Contractual Necessity: Processing necessary to perform our contract with you (e.g., providing account access, generating requested Healing Tales).
• Legitimate Interests: Processing for our legitimate interests, such as website security and basic functionality analysis, provided these interests are not overridden by your rights. The use of essential cookies falls under this basis.
• Consent: For specific activities, we rely on your consent. This includes:
  • Obtaining explicit consent before you submit sensitive data for Healing Tale generation.
  • Sending marketing communications/newsletters (where applicable).
  • Using non-essential cookies (e.g., for analytics or enhanced user experience) in the future. You have the right to withdraw consent at any time.
• Legal Obligation: Processing necessary to comply with a legal requirement.

6. Cookie Policy

Cookies are small text files stored on your device when you visit websites. We use cookies for the following purposes:

• Essential Cookies: These are strictly necessary for the website to function correctly. They enable core functionality such as user login (session management) and security. Our website currently only uses essential cookies. These cookies do not require your prior consent under GDPR but are necessary for using secured areas of the site.

• Non-Essential Cookies (Future Use): We may wish to use non-essential cookies in the future for purposes such as:

  • Analytics: To understand how visitors interact with the website (e.g., using Google Analytics or a self-hosted solution).
  • Performance/Functionality: To enhance website performance or provide specific features.
  • These cookies will only be used if you provide your explicit consent.

• Consent Management:

  • When you first visit our site, a banner will appear informing you about our cookie use. Currently, as we only use essential cookies, no action is required to continue using the site with these essential functions enabled.
  • Should we introduce non-essential cookies in the future, the banner will provide you with clear options to "Accept" or "Reject" their use.
  • If you choose "Reject", only essential cookies will be active. If you choose "Accept", both essential and non-essential cookies (that we may deploy at that time) will be active.
  • Your preference ("accepted" or "rejected") for non-essential cookies will be stored in your browser's localStorage. You can typically clear localStorage or cookies via your browser settings if you wish to reset your preference.
• Third-Party Cookies: Be aware that embedded content or links to third-party sites may set their own cookies. We do not control these.

7. Data Sharing and Third Parties

We do not sell your personal data. We may share your information in the following limited circumstances:

• AI Provider (Anthropic): To generate Healing Tales, we securely transmit necessary input data provided by you to Anthropic.
• Service Providers: We may use third-party service providers for hosting, email delivery, and other essential operations. These providers are contractually obligated to protect your data.
• Legal Requirements: We may disclose your information if required by law, subpoena, or other legal processes, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

8. Data Security

We implement robust technical and organizational measures to protect your personal data against unauthorized access, disclosure, alteration, and destruction. These measures include:

• Encryption of data in transit (HTTPS/TLS).
• Encryption of sensitive data (like PHI submitted for Healing Tales) at rest.
• Strict access controls based on the principle of least privilege.
• Regular security reviews and updates.
• Secure development practices.
• Logging and monitoring for security events (without logging sensitive data itself).

However, no method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

9. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including providing services, complying with legal obligations, resolving disputes, and enforcing our agreements. Specific retention periods depend on the type of data and the purpose of processing. Data submitted for Healing Tales may be retained according to specific terms presented during the submission process or as required for legal compliance.

10. Your Rights

Depending on your location and applicable law (particularly GDPR and HIPAA), you may have the following rights regarding your personal data:

• Right to Access: Request a copy of the personal data we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete data.
• Right to Erasure ('Right to be Forgotten'): Request deletion of your personal data, subject to certain exceptions.
• Right to Restrict Processing: Request restriction of how we process your data under certain conditions.
• Right to Data Portability: Request transfer of your data to another service in a structured, commonly used format (where technically feasible).
• Right to Object: Object to processing based on legitimate interests or for direct marketing.
• Right to Withdraw Consent: Withdraw your consent at any time where processing is based on consent (this does not affect the lawfulness of processing before withdrawal).
• HIPAA Rights (if applicable to PHI): Right to access, amend, and receive an accounting of disclosures of your PHI.

To exercise these rights, please contact us using the details provided in Section 2. We may need to verify your identity before processing your request. You also have the right to lodge a complaint with a supervisory authority.

11. Children's Privacy

Our services are not intended for individuals under the age of 16 (or a higher age threshold if required by local law). We do not knowingly collect personal data from children without parental consent. If we become aware that we have inadvertently collected such data, we will take steps to delete it.

12. International Data Transfers

If we transfer your personal data outside your region (e.g., outside the European Economic Area), we will ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission or reliance on the provider's Binding Corporate Rules, to protect your data.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new policy on this page and updating the "Last Updated" date. We encourage you to review this policy periodically.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at: contact@fam-roots.com