FamilyBoard Privacy Policy
Draft — not legal advice. This document is written for transparency and to make our processing understandable to the people it affects. It has not been reviewed by a lawyer and it is not legal advice. Before you rely on it for a regulatory filing or a data-subject response, please have a qualified lawyer in your jurisdiction review it.
Language: This document is currently available in English only. This document will be available in Swedish in a forthcoming version / A Swedish version is planned.
Last updated: 2026-05-10 (version 2.2: weather on events via Met.no + OpenAI)
App: FamilyBoard (iOS bundle id io.familyboard.app)
Website: https://www.familyboard.io
1. Who we are
FamilyBoard is operated by Expi AB, a company registered in Sweden at [COMPANY_REGISTERED_ADDRESS], Billesholm (company number [COMPANY_NUMBER]). In this policy "we", "us", and "our" mean that company. We are the data controller for the personal data described below.
- Privacy questions: privacy@familyboard.io
- General support: support@familyboard.io
- Postal address: [COMPANY_REGISTERED_ADDRESS]
- Data Protection Officer (if appointed): [DPO_NAME_OR_REMOVE]
Because we are established in the EU we have not appointed an Article 27 representative; EU users can contact us directly at the address above. If we ever establish outside the EU we will name a representative here.
2. Scope
This policy covers:
- The FamilyBoard iOS app (and any later Android version).
- The marketing and account website at familyboard.io (including www, book, and app subdomains).
- Bookable share-link pages at book.familyboard.io.
- Our customer support channels (email, in-app messages).
It does not cover third-party services we link to (for example the App Store itself, external calendar providers such as Apple Calendar or Google Calendar, or external sites a share-link recipient may reach). Those are governed by their own policies.
3. What we collect
We try to collect only what we need. We group the data into four categories:
3.1 Account data
| Field | Notes |
|---|---|
| Display name | Chosen by you; can be changed at any time |
| Email address | Used for sign-in, verification, account recovery, and essential service messages |
| Password (hash) | Stored only as a salted hash by Supabase Auth; we never see your plaintext password |
| Sign in with Apple identifier | If you use Apple sign-in, including the private-relay email if you choose |
| Profile photo | Optional |
| Family group id, role | For example "parent", "child", "caregiver" |
| Locale, time zone | So reminders fire at the right local time |
3.2 Content data (things you create in the app)
| Field | Notes |
|---|---|
| Events | Title, notes, location, start/end, attendees, recurrence, attachments |
| Tasks and handoffs | What, who, when |
| Bookable share-links and responses | URL, availability windows, booker name/email/note |
| Lists and list items | Shared shopping, packing, to-do and other lists you create per family. Free-text item titles, done state, who added/checked off, optional event link |
| Pet profiles | Name, species, breed, birth year, microchip number, allergies, vet contact details, free-text notes |
| Child health profiles | Per-child practical info adults in the family choose to record: blood type, allergies, medications, doctor name and phone, emergency contact, free-text notes. Never visible to children themselves. |
| Family documents | Files you upload (PDFs, images, etc.) up to 25 MB each. Stored encrypted in EU object storage; visible only to active members of your family |
| AI inputs | Voice recordings, photos, and free-text prompts you submit for event extraction; trip details (location, dates, kids' ages) for AI packing-list generation; family size, dietary preferences and notes for AI weekly-menu generation |
| AI outputs | Structured event drafts, packing lists, weekly menus and consolidated shopping lists produced from those inputs |
| Read / acknowledgement receipts | When a family member has seen a shared event or notification |
3.3 Device and technical data
| Field | Notes |
|---|---|
| Device model, OS version, app version | For troubleshooting and compatibility |
| Language, time zone | Set by the device |
| APNs push token (iOS) / FCM token (Android) | For push notifications |
| Crash traces and performance samples | Collected by Sentry (see section 6) |
| Server access logs | IP address, endpoint, response code, timestamp — kept up to 90 days |
| Anonymous page-view counts (marketing site) | Collected by Plausible; no cookies, no cross-site tracking |
3.4 Communication and commercial data
| Field | Notes |
|---|---|
| Support messages | Anything you write to support@familyboard.io, plus screenshots and logs you attach |
| Subscription status | Plan, renewal date, entitlement — from Apple/Google via RevenueCat |
| Purchase receipts | Opaque receipt tokens; we never see your card number, Apple or Google handles payment |
4. Why we process it — lawful basis (GDPR Article 6)
Under Article 6 GDPR we must identify a lawful basis for each processing purpose. The table below maps ours.
| Purpose | Data used | Lawful basis (Art. 6 GDPR) |
|---|---|---|
| Create and maintain your account and family group | Account data | 6(1)(b) Contract |
| Sync events, tasks, handoffs across family members' devices | Content data | 6(1)(b) Contract |
| Extract events from voice, photo, or text via AI, at your request | AI inputs/outputs | 6(1)(b) Contract |
| Deliver push notifications for reminders, handoffs, shared-event changes | Device tokens, content data | 6(1)(b) Contract; 6(1)(a) Consent for any marketing push |
| Process subscriptions and entitlements | Account + commercial data | 6(1)(b) Contract |
| Detect abuse, fraud, and rate-limit violations | Account + technical data | 6(1)(f) Legitimate interest (running a reliable, safe service) |
| Diagnose crashes and improve reliability | Crash/performance data | 6(1)(f) Legitimate interest |
| Respond to support requests | Communication data | 6(1)(b) Contract |
| Keep tax and accounting records for store-billed purchases | Commercial data | 6(1)(c) Legal obligation (Swedish Bokföringslagen) |
| Send optional product-update email | Email, preferences | 6(1)(a) Consent — withdrawable any time |
| Defend legal claims | Relevant subset | 6(1)(f) Legitimate interest |
For children's data where the child is below the age of digital consent (see section 11), we additionally rely on Article 8 GDPR — consent given or authorised by the holder of parental responsibility.
Where we rely on legitimate interest, we have carried out a balancing test and documented it; you can request a summary by writing to privacy@familyboard.io.
5. How we use your data
Concretely, the purposes above translate into:
- Running the shared calendar. Storing events you and your family create, syncing them between devices, and sending the push or in-app reminders you set.
- AI event extraction. When you tap the microphone, camera, or paste-text button, we send that input to OpenAI so it can return a structured draft event. You always see the draft and confirm it before it is saved.
- AI packing lists and weekly menus. When you ask for a generated packing list (trip details + optional ages) or a 7-day dinner plan (family size + diet preferences), we send those parameters to OpenAI so it can return a list. You always see the result and decide whether to save it. Per the OpenAI zero-retention API tier, those prompts are not used to train any model and are not retained beyond the request.
- Weather on events (optional; on by default). When the weather feature is enabled (Settings → Weather on events), we send the event location's coordinates (without your name or the event title) to Met.no (the Norwegian Meteorological Institute, located in the EEA, so the GDPR applies) to fetch a forecast, and we ask OpenAI to generate a short clothing tip from that weather data plus the time of day and your app language. Event titles and personal identifiers are not included in either request. You can turn this off at any time in Settings.
- Family sharing. Making events, tasks, and handoffs visible to the other members of your family group. Read/acknowledgement receipts help you see whether someone has seen a message.
- Bookable share-links. Publishing an availability page at book.familyboard.io so people you choose can pick a slot.
- Notifications. Sending push notifications via APNs (iOS) or FCM (Android) and occasional transactional email (password reset, share-link response).
- Billing. Letting Apple or Google bill you, and asking RevenueCat whether your device still has an active subscription.
- Reliability and safety. Collecting crash reports (Sentry), rate-limiting abusive traffic, investigating incidents.
- Product improvement. Counting anonymous page views on the marketing site (Plausible) and reading aggregated, non-identifying usage signals. We do not build behavioural profiles.
We do not sell your personal data. We do not use it for cross-site behavioural advertising. We do not run ad networks or share data with data brokers.
6. Who we share it with (sub-processors)
To run the service we rely on the processors listed below. Each is contractually bound by a Data Processing Agreement that incorporates the EU Standard Contractual Clauses where relevant.
| Processor | Role | Primary location | Transfer mechanism |
|---|---|---|---|
| Supabase | Postgres database, authentication, encrypted object storage for uploaded photos, voice recordings, and family documents, server APIs | EU (Frankfurt region) | Intra-EEA; US sub-processors under SCCs |
| OpenAI | AI event extraction from voice, photos, text; weather-based clothing tips (when enabled) | United States | SCCs + Data Privacy Framework (where certified); zero-retention API tier |
| Met.no | Weather forecasts for event locations (when enabled in Settings) | Norway (EEA) | Intra-EEA; only event coordinates sent, no personal identifiers |
| RevenueCat | Subscription state and receipt validation | United States | SCCs |
| Apple | iOS distribution, in-app purchase billing, Sign in with Apple, APNs push delivery | United States / Ireland | SCCs / DPF |
| Google | (Android release) Play distribution, Play Billing, FCM push delivery | United States | SCCs / DPF |
| Sentry | Crash and error reporting | EU region (sentry.io EU) | Intra-EEA |
| Plausible | Privacy-friendly, cookieless analytics for the marketing site | EU (Germany) | Intra-EEA |
| Vercel | Hosting for the marketing and booking websites | EU edge + US control plane | SCCs for US control-plane access |
| Cloudflare | DNS, TLS termination, DDoS protection, CDN | Global edge | SCCs |
| [Transactional email provider, e.g. Postmark / Resend] | Verification emails, password-reset, share-link notifications | [EMAIL_PROVIDER_REGION] | SCCs if non-EEA |
A current, dated list of sub-processors is maintained at https://www.familyboard.io/legal/subprocessors. We will give at least 30 days' notice before adding a new sub-processor that receives content data, so that you have time to object.
We also share data:
- With other members of your family group, because that is the point of the product.
- With a recipient you send a share-link to, limited to what that page shows.
- With professional advisers (auditors, lawyers) under confidentiality.
- With a buyer or successor in the event of a merger, acquisition, or sale of assets — in which case we will notify you in advance.
- With law enforcement where we are legally compelled and the request is valid; we push back on overbroad requests.
7. International transfers
Our primary infrastructure is hosted in the European Economic Area (Supabase Frankfurt, Sentry EU, Plausible Germany, Vercel EU edge). Some processors (OpenAI, RevenueCat, Apple, Google, Cloudflare) are established in the United States or process data there.
When personal data leaves the EEA we rely on one or more of the following:
- The European Commission's Standard Contractual Clauses (Decision 2021/914).
- The EU–US Data Privacy Framework and its UK Extension, where the receiving organisation is certified.
- Explicit consent (Article 49(1)(a) GDPR) where no other mechanism is available and the transfer is necessary for a feature you requested.
A summary of our transfer impact assessments is available on request to privacy@familyboard.io.
8. Retention
We keep personal data only as long as we need it. The defaults below apply unless a law requires a longer period (for example, Swedish bookkeeping law requires receipts to be retained for 7 years).
| Data | Default retention |
|---|---|
| Account record (email, display name, password hash) | Life of the account. Hard-deleted from the auth store within 24 hours of the account-deletion request. A tombstone (user id + deletion timestamp, no PII) is kept to prevent re-registration races. |
| Events, tasks, handoffs | Life of the account; shared items remain visible to other family members until they too remove them. |
| Voice recordings submitted for AI extraction | 90 days, then automatically purged. You can delete sooner in Settings. |
| Uploaded images submitted for AI extraction | 90 days, then automatically purged. |
| AI extraction records (input hash + structured output) | 180 days for quality debugging, then purged. |
| Read / acknowledgement receipts for notifications | 60 days. |
| Push tokens | Until you disable notifications or uninstall. |
| Purchase receipts and subscription records | 7 years (Swedish Bokföringslagen). |
| Support messages | 24 months. |
| Server access logs | 90 days for security investigation. |
| Sentry crash reports | 90 days. |
| Plausible page-view counts | Aggregated; no per-user retention. |
| Backups | Encrypted, rolling 30-day window; deleted records fall out of backups within that window. |
9. Your rights (GDPR Articles 12–23)
If the GDPR or UK GDPR applies to you, you have the following rights:
- Access (Art. 15) — a copy of the personal data we hold about you, plus the context (purpose, recipients, retention).
- Rectification (Art. 16) — correct inaccurate or incomplete data.
- Erasure (Art. 17) — have your data deleted ("right to be forgotten"), subject to our legal obligations.
- Restriction (Art. 18) — pause processing while a dispute is resolved.
- Portability (Art. 20) — receive your data in a common machine-readable format (we export JSON).
- Objection (Art. 21) — object to processing we base on legitimate interest (Art. 6(1)(f)).
- Withdraw consent (Art. 7) — where we rely on consent, withdrawal is one tap away and does not affect past lawful processing.
- Not be subject to solely-automated decisions (Art. 22) — see section 13.
- Lodge a complaint (Art. 77) — with your local supervisory authority. For users in Sweden this is Integritetsskyddsmyndigheten (IMY) — https://www.imy.se. A list of EEA DPAs is at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
How to exercise them
Most of this you can do yourself in-app:
- Access / portability: Settings → Privacy → Export my data — you get a JSON bundle of your account, events, tasks, handoffs, share-link configurations, and AI extractions.
- Rectification: edit your profile and any item directly.
- Erasure: Settings → Account → Delete my account. This removes your account from the auth store within 24 hours and your content within 30 days (longer for content shared with other family members who have not yet left the group).
- Withdraw consent / turn off marketing email: Settings → Notifications.
For anything else — including an Article 15 request — write to privacy@familyboard.io with the subject "Privacy request". We respond within 30 days (extendable by up to 60 more under Art. 12(3) for complex requests; we will tell you). We may ask you to verify your identity before we act, in particular for erasure requests.
10. Security
We follow reasonable industry practice, including:
- TLS 1.2+ for all traffic in transit.
- Encryption at rest on the Supabase Postgres database and on object storage.
- Row-Level Security (RLS) policies so one family's data cannot be read by another.
- Hashed passwords (bcrypt / Argon2 via Supabase Auth); we never store plaintext.
- Short-lived access tokens and refresh rotation.
- MFA required for all staff with production access.
- Least-privilege IAM; audit logging of administrative actions.
- Vulnerability scanning on dependencies and container images.
- An incident-response plan: if we become aware of a personal data breach that is likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours (Art. 33 GDPR) and, where the risk is high, notify you without undue delay (Art. 34).
No system is perfectly secure. If you find a vulnerability, please email security@familyboard.io — we welcome responsible disclosure.
11. Children's data
FamilyBoard is deliberately family-oriented, which means minors are involved. We take this seriously.
- Minimum age for an independent account: 13 (most non-EEA countries) or 16 in the EEA, unless local law sets a different age of digital consent and a parent has given Article 8 consent.
- Children under the minimum age participate only as a managed family member created and administered by a parent or legal guardian. Managed profiles:
  - have no independent login;
  - receive no marketing communication;
  - cannot submit voice or photo uploads to AI unless the parent turns that on;
  - cannot publish share-links unless the parent turns that on;
  - have minimised data collection (no device telemetry tied to the child).
- Parental consent (Art. 8 GDPR / COPPA): for managed child profiles in the EEA we rely on the parent's consent, given in-app during the add-child flow. For US users we follow COPPA: verifiable parental consent, and parents can review, export, or delete the child's data at any time via Settings → Family → [child's name].
- If we discover an underage account created without parental consent, we suspend it and delete the associated personal data.
Questions about a child's data: privacy@familyboard.io, subject "Child data".
12. Cookies and tracking
- The mobile app does not use cookies. Authentication uses a secure token stored in the device keychain.
- The marketing website uses Plausible Analytics — cookieless, no cross-site tracking, no behavioural profiling, no ad networks. Aggregated metrics only (page, referrer, country, device type).
- The booking pages at book.familyboard.io use strictly-necessary first-party storage to render the availability calendar and submit a booking. No advertising or third-party analytics cookies.
- We do not use Facebook Pixel, Google Analytics, TikTok Pixel, or any similar tracker.
- We honour the Global Privacy Control signal on our websites.
13. Automated decision-making and profiling
We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing (Art. 22 GDPR).
Our AI event extraction produces a draft suggestion that you review and confirm before it is saved — there is always a human (you) in the loop. It is not a decision under Art. 22.
14. Changes to this policy
If we make a material change we will notify you in-app and, where we have your email, by email, at least 14 days before it takes effect, unless a shorter period is required by law. The "Last updated" date at the top reflects the current version. Superseded versions are archived at https://www.familyboard.io/legal/archive.
15. Contact and complaints
- Email: privacy@familyboard.io
- Post: [COMPANY_LEGAL_NAME], [COMPANY_REGISTERED_ADDRESS]
- Supervisory authority (Sweden): Integritetsskyddsmyndigheten (IMY) — https://www.imy.se — imy@imy.se
- Other EEA authorities: https://edpb.europa.eu/about-edpb/about-edpb/members_en
If you have a concern, please write to us first — we try hard to resolve things. You have the right to go straight to your supervisory authority; you don't have to go through us.