Privacy Policy (GDPR)
Effective Date: 27th of May 2025
Last Updated: 7th of May 2025
1. Introduction
Welcome to Family Roots ("we," "us," or "our"). We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website (fam-roots.com) and services (collectively, the "Services"), in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
This policy applies to all users of our Services, particularly those residing in the European Economic Area (EEA).
Please read this Privacy Policy carefully. If you do not agree with the terms of this privacy policy, please do not access or use the Services.
2. Data Controller Information
Family Roots sp. jawna Monika Wirżajtys i Piotr Zalewa
Kamykowa 6, 87-134 Rozgarty
contact@fam-roots.com
For the purposes of GDPR, Family Roots is the Data Controller for the personal data processed through our Services.
3. What Personal Data We Collect
We may collect the following categories of personal data about you:
- Identity Data: First name, last name, username or similar identifier.
  - Source: Provided by you during account registration or social login (e.g., via Google).
- Contact Data: Email address.
  - Source: Provided by you during account registration, social login, newsletter subscription, or when submitting a support ticket.
- Technical Data: Internet protocol (IP) address, browser type and version, time zone setting and location (country level), browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our Services. User agent strings.
  - Source: Collected automatically when you interact with our Services (e.g., from web server logs, admin error report emails).
- Profile Data: Your preferences for using our Services, such as preferred language, newsletter subscription choices (subscribed_languages), and notification preferences.
  - Source: Provided by you or set via your interaction with profile/notification settings.
- Usage Data: Information about how you use our website and Services, such as features used, pages visited. (If specific tracking is implemented beyond standard server logs, describe here).
  - Source: Collected automatically or through analytics tools (if any).
- Social Account Data: If you register or log in using a social media account (e.g., Google), we may collect your social media User ID and data from your social media profile permitted by the provider and your privacy settings, such as your full name, profile picture URL, and locale.
  - Source: Google, with your authorization during social login.
- Support Ticket Data: Information you provide when you request customer support, including your email address for correspondence, the subject, and the content of your message.
  - Source: Provided by you via our support channels.
- Healing Tale Input Data (Potentially including Special Category Data): Information you provide when requesting a Healing Tale, which may include:
  - Recipient's age.
  - Recipient's gender identity.
  - Group name/identifier (e.g., recipient's name, case ID - optional).
  - Narrative details about past history, current situation, other details, issues, and goals.
  - Specific therapeutic goals.
  - Source: Provided by you through the Healing Tale request form.
  - Note on Special Category Data: Some of the information you provide for Healing Tales (e.g., related to health) falls under "special categories of personal data" under GDPR. We process this data only with your explicit consent and for the purpose of providing the Healing Tale service.
  - Data Security: Sensitive input data is encrypted at rest using field-level encryption to ensure maximum protection.
- Healing Tale Output Data: The generated tale and title created by our AI service based on your inputs. The detailed explanation may contain sensitive analysis and is encrypted at rest.
  - Source: Generated by our AI service (Anthropic) based on your inputs.
We do not knowingly collect personal data from children under the age of 16 without parental consent, unless for specific services where age is relevant (e.g., patient_age for Healing Tales, provided by an adult user). If you believe we have collected such information inadvertently, please contact us.
4. Lawful Basis for Processing Your Personal Data
We process your personal data based on the following lawful bases:
- Consent:
  - For collecting and processing Special Category Personal Data you provide for Healing Tales (e.g., health details).
  - For sending marketing communications/newsletters (if you opt-in).
  - For placing non-essential cookies or similar tracking technologies (if applicable, requires a separate cookie consent mechanism).
  - You have the right to withdraw your consent at any time. Withdrawing consent will not affect the lawfulness of processing before its withdrawal.
- Performance of a Contract: To provide you with our Services as requested, such as creating and managing your account, generating Healing Tales based on your non-special category inputs, and providing customer support.
- Legitimate Interests: For purposes such as:
  - Operating, maintaining, and improving our Services.
  - Ensuring the security of our Services and preventing fraud.
  - Communicating with you about service updates or important notices (non-marketing).
  - Analyzing usage of our Services (using de-identified or aggregated data where possible).
  - Responding to your support requests when the data processed is not special category data and processing is necessary for support.
- Legal Obligation: To comply with our legal and regulatory obligations (e.g., responding to lawful requests from authorities).
5. How We Use Your Personal Data (Purposes of Processing)
We use your personal data for the following purposes:
- To create and manage your user account.
- To provide and deliver our Services, including generating Healing Tales based on your inputs.
- To personalize your experience on our Services (e.g., language preferences).
- To communicate with you, including responding to your inquiries, providing customer support, and sending you service-related announcements.
- To send you newsletters and marketing communications, where you have consented.
- To operate, maintain, and improve the functionality and security of our Services.
- To monitor and analyze usage and trends to improve our Services.
- To comply with legal obligations and enforce our terms and conditions.
- To process and manage your exercise of data subject rights.
6. Data Retention
We will retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements, or as long as your account is active.
- Account Data: Retained for as long as your account is active and for a reasonable period thereafter in case you decide to re-activate or for legal/audit purposes.
- Healing Tale Data: Retained as part of your account data. You have the right to request erasure (see Section 7).
- Support Ticket Data: Retained for a reasonable period to ensure effective support and track issue resolution.
- Technical/Log Data: Retained for a limited period for security and troubleshooting purposes (e.g., web server logs typically [specify period, e.g., 30-90 days]).
When we no longer need to retain your personal data, we will securely delete or anonymize it.
7. Your Data Protection Rights (Data Subject Rights under GDPR)
Under GDPR, you have the following rights regarding your personal data:
- Right of Access: You have the right to request a copy of the personal data we hold about you.
- Right to Rectification: You have the right to request correction of inaccurate or incomplete personal data we hold about you.
- Right to Erasure ('Right to be Forgotten'): You have the right to request the deletion of your personal data, subject to certain conditions (e.g., where the data is no longer necessary for the purposes for which it was collected, or you withdraw consent and there is no other legal ground for processing).
- Right to Restrict Processing: You have the right to request that we restrict the processing of your personal data under certain conditions (e.g., if you contest the accuracy of the data, or the processing is unlawful).
- Right to Data Portability: You have the right to request that we transfer the data that we have collected about you to another organization, or directly to you, in a structured, commonly used, and machine-readable format (where processing is based on consent or contract and is carried out by automated means).
- Right to Object: You have the right to object to our processing of your personal data where we are relying on a legitimate interest as our lawful basis, or for direct marketing purposes.
- Right to Withdraw Consent: Where we rely on your consent to process personal data (especially Special Category Data or for marketing), you have the right to withdraw your consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.
- Rights related to Automated Decision Making and Profiling: We do not currently engage in solely automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you. If this changes, we will update this policy.
To exercise any of these rights, please contact us using the details provided in Section 11.
8. Data Transfers (International Transfers)
Your personal data may be transferred to, stored, and processed in countries other than your country of residence, including [Specify countries, e.g., the United States, where our servers or third-party service providers like Anthropic, DigitalOcean, Mailchimp, Google are located]. These countries may have data protection laws that are different from the laws of your country.
When we transfer your personal data to countries outside the EEA, we will ensure that appropriate safeguards are in place to protect your personal data, such as:
- Ensuring the country has been deemed to provide an adequate level of protection by the European Commission.
- Implementing Standard Contractual Clauses (SCCs) approved by the European Commission with the third party.
- Relying on the third party's Binding Corporate Rules (BCRs).
- For transfers to the US, we may rely on the EU-U.S. Data Privacy Framework or successor agreements where applicable and where the recipient is certified.
Specifically:
- Anthropic (AI Processing): USA. We will ensure a BAA is in place and will rely on [SCCs/Data Privacy Framework certification] for data transfers if applicable.
- DigitalOcean (Hosting): Frankfurt. We will ensure a DPA is in place.
- Mailchimp (Newsletters): USA. We will ensure a DPA is in place and rely on [SCCs/Data Privacy Framework certification].
- Titan Email (Email Service):. We will ensure a DPA is in place and appropriate transfer mechanisms if outside EEA.
9. Data Security
We have implemented appropriate technical and organizational security measures designed to protect the security of any personal data we process. These measures include, but are not limited to:
- Encryption of sensitive data in transit (e.g., HTTPS/TLS).
- Field-level encryption of sensitive data at rest, including all sensitive Healing Tale input data and detailed explanations.
- Access controls to limit access to personal data to authorized personnel on a need-to-know basis.
- Regular security assessments and updates to our security practices.
- Use of secure third-party service providers who commit to data protection (e.g., via DPAs/BAAs).
- Password hashing for user accounts.
However, please remember that no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.
In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by law.
10. Cookies and Similar Tracking Technologies
We may use cookies and similar tracking technologies (like web beacons and pixels) to access or store information. We only use essential cookies for site functionality, session management, and security.
11. Contact Us
If you have questions or comments about this Privacy Policy, wish to exercise your data subject rights, or have any concerns about our privacy practices, please contact us at: support@fam-roots.com
12. Right to Lodge a Complaint
If you are an EEA resident and believe that we have not processed your personal data in accordance with GDPR, you have the right to lodge a complaint with your local Data Protection Authority (DPA) or the lead supervisory authority for Family Roots, if one has been designated.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The updated version will be indicated by a "Last Updated" date and the updated version will be effective as soon as it is accessible. If we make material changes to this Privacy Policy, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Privacy Policy frequently to be informed of how we are protecting your information.
This Privacy Policy is a draft and requires legal review and customization to ensure full compliance with GDPR and other applicable laws and regulations based on Family Roots' specific operations and services. Placeholders like [Insert Date], contact details, and specific details about third-party data processing locations need to be filled.