Legal
How we collect, use, and protect your information.
Your privacy matters to us. This policy explains what data we collect, why we collect it, and how we keep it safe. We've written it in plain language.
Last updated: January 2025
Account information: When you sign up, we collect your email address and the password you choose (stored as a secure hash — we never see your actual password). You may optionally provide a display name.
Vault content: Everything you add to your vault — heirloom records, photos, stories, family members, and any other content — is stored on our servers so you can access it from any device.
Usage data: We collect basic logs of actions taken in your vault (items added, edited, etc.) to power the activity log feature. We do not sell or share this data.
Technical data: Standard web server logs including IP addresses and browser type, retained for security purposes.
We don't run advertising. We don't sell your data to third parties. We don't track you across other websites. We don't use your content to train AI models.
To provide the Heirloom service: storing your vault, authenticating your account, sending transactional emails (confirmation, invites). That's it.
Your data is stored in the European Union using Supabase infrastructure, which uses industry-standard encryption at rest and in transit. Photos and files are stored in encrypted object storage with access controlled by signed URLs.
We don't share your personal data with third parties except where required by law, or where you explicitly choose to share content (for example, generating a shareable read-only link to your collection).
We use Supabase as our database and authentication provider. Their privacy policy applies to the infrastructure layer.
You can export all your data at any time from the Export page. You can delete your account from Account Settings, which permanently removes all your vault content. If you're in the EU or UK, you have rights under GDPR to access, correct, or delete your data — contact us to exercise these rights.
We use only essential cookies required for authentication. We don't use tracking or analytics cookies.
Privacy questions: contact us here.