Privacy Policy

Plain language. No marketing fluff. Every claim is backed by the code we ship.

Version: 2.1  |  Effective Date: 2026-04-28

FamilyFlow is operated by Kahugu AI. "We", "our", and "us" refer to FamilyFlow throughout this document.

1. Summary

  • No trackers. No Google Analytics, Mixpanel, GTM, Plausible, Facebook Pixel, advertising SDKs, or any other third-party analytics in the iOS app or website.
  • No ads. We do not sell, rent, or share your personal information for advertising or marketing.
  • Adults only. FamilyFlow accounts require age 18 or older. Children appear only as profile entries managed by an adult; they do not have their own accounts.
  • Notes are end-to-end encrypted. The encryption key never leaves your device. We literally cannot read your notes.
  • Events and tasks are encrypted at rest with our keys using AES-GCM with envelope encryption from Google Cloud KMS. We can read this data on your behalf in order to power AI features and sync.
  • You can export everything as JSON and delete your account at any time.

2. Data We Collect

2.1 Information you give us

  • Account info: name and email from Apple Sign-In or Google Sign-In. (We do not offer email/password signup.)
  • Family profile data: names, relationships, and optionally birthdates, allergies, medical notes, and emergency contacts that you choose to enter.
  • Calendar events: titles, times, attendee names, free-text location strings, descriptions, and checklists.
  • Tasks: titles, due dates, assignees, status.
  • Notes: any free-text journaling or family notes you create.
  • Age confirmation: a one-time attestation that you are 18 or older.

2.2 Information collected automatically

  • Device information: iOS version and device model, used solely for crash diagnostics on iOS via first-party Apple frameworks.
  • Authentication tokens: Firebase ID tokens used to authenticate API requests.
  • Server logs: request paths, timestamps, and status codes are stored for up to 30 days for operational security and debugging. These logs do not include request bodies, note contents, or event details.

2.3 What we do NOT collect

  • Precise or coarse location. We do not access GPS, Core Location, geofences, or any continuous location signal. Event "location" is a free-text string you type (e.g., "Soccer field") — it is treated as text, not coordinates.
  • Health, fitness, or biometric data.
  • Financial information, payment methods, or purchase history.
  • Browsing history or search history outside the app.
  • Contacts, photos, microphone, or camera unless you explicitly upload an image.
  • Advertising identifiers (IDFA, AAID).

3. How We Store Your Data

All data is stored in Google Cloud (project familyflow-mvp, primary region us-central1) inside Cloud Firestore and Cloud Storage. Different data types have different protections:

  • Notes — end-to-end encrypted (E2EE). Notes are encrypted with AES-256-GCM in your browser or device using a key derived from your account credentials. The key never leaves your device and is never sent to our servers. Servers only ever see ciphertext. We cannot decrypt your notes; staff, law-enforcement requests, and database backups will only ever return encrypted blobs. Implementation: website/src/lib/crypto/aes-gcm.ts.
  • Events and tasks — application-layer AES-GCM with GCP KMS. Each family has a Data Encryption Key (DEK) wrapped by a Key Encryption Key (KEK) in Google Cloud KMS. Event and task records are encrypted server-side before being written to Firestore. We hold the keys (so AI features and cross-device sync work) and they are auditable, rotatable, and revocable.
  • Everything else (account profile, family membership, auth metadata) — Firestore-managed encryption. Encrypted at rest by Google Cloud's default storage encryption (AES-256), TLS 1.2+ in transit.
  • In transit: All client-to-server traffic uses HTTPS terminated at the GCP load balancer; internal cluster traffic is mTLS-protected via Istio.
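The envelope scheme from the events/tasks bullet, as an added example that is not FamilyFlow's code: a locally generated KEK stands in for the Cloud KMS key (in a real deployment the KEK never leaves KMS, which performs the wrap and unwrap), and the record id is bound as AAD so ciphertext cannot be swapped between records. The last function shows why rotating the KEK only re-wraps DEKs rather than re-encrypting every stored record.

```typescript
// Added illustration of the envelope scheme described above, not FamilyFlow's
// own code. A locally generated KEK stands in for the Google Cloud KMS key.
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

export interface Envelope { iv: Buffer; tag: Buffer; ciphertext: Buffer }

// AES-256-GCM with a context string bound as additional authenticated data
// (AAD), so a ciphertext cannot be quietly swapped into another record.
export function seal(key: Buffer, plaintext: Buffer, aad: string): Envelope {
  const iv = randomBytes(12); // fresh 96-bit nonce for every encryption
  const c = createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(Buffer.from(aad));
  const ciphertext = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, tag: c.getAuthTag(), ciphertext };
}

export function open(key: Buffer, env: Envelope, aad: string): Buffer {
  const d = createDecipheriv("aes-256-gcm", key, env.iv);
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(env.tag); // final() throws if tag, AAD or ciphertext changed
  return Buffer.concat([d.update(env.ciphertext), d.final()]);
}

// Each family gets a random 256-bit DEK; only its KEK-wrapped form is stored.
export function newFamilyDek(kek: Buffer, familyId: string): Envelope {
  return seal(kek, randomBytes(32), `dek:${familyId}`);
}

// Server-side: unwrap the DEK, then encrypt the record before it is written.
export function encryptRecord(kek: Buffer, familyId: string, wrappedDek: Envelope,
                              recordId: string, json: string): Envelope {
  const dek = open(kek, wrappedDek, `dek:${familyId}`);
  return seal(dek, Buffer.from(json, "utf8"), `${familyId}/${recordId}`);
}

export function decryptRecord(kek: Buffer, familyId: string, wrappedDek: Envelope,
                              recordId: string, rec: Envelope): string {
  const dek = open(kek, wrappedDek, `dek:${familyId}`);
  return open(dek, rec, `${familyId}/${recordId}`).toString("utf8");
}

// KEK rotation re-wraps the DEK only; stored record ciphertexts are untouched,
// and the old KEK can be revoked once every DEK has been re-wrapped.
export function rewrapDek(oldKek: Buffer, newKek: Buffer, familyId: string,
                          wrappedDek: Envelope): Envelope {
  const dek = open(oldKek, wrappedDek, `dek:${familyId}`);
  return seal(newKek, dek, `dek:${familyId}`);
}
```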

4. What AI Sees

FamilyFlow uses two AI providers to power scheduling assistance, summaries, and the family assistant chat:

  • Anthropic Claude — accessed through Google Vertex AI in the us-east5 region (no direct calls to Anthropic's public API).
  • Google Gemini 2.0 Flash — accessed through the Google AI API.

When you use AI features, the relevant context — typically your event titles, task titles, and the question you asked — is sent in cleartext from our servers to the model. End-to-end encrypted notes are never sent to AI models. Other data is decrypted on our servers using our KMS-wrapped keys and forwarded over TLS.

No model training on your data. Both Anthropic (via Vertex AI) and Google (via the AI API enterprise terms) are contractually bound not to use customer data to train their models. See: Vertex AI data governance and Google AI API Additional Terms.

Per-family AI opt-out. A toggle in Settings → Privacy disables all AI processing for your family. With AI off, no event, task, or message text leaves our servers in any direction; the AI assistant, summaries, and smart suggestions become unavailable.

4a. Google API Services User Data

When you connect Google Calendar to FamilyFlow (Settings → Integrations), we request the OAuth scopes https://www.googleapis.com/auth/calendar.readonly and https://www.googleapis.com/auth/calendar.events. We only ask for these so that calendar events you choose to sync appear in FamilyFlow alongside the rest of your family's schedule, and so that events you create in FamilyFlow can be written back to your Google Calendar at your direction.

FamilyFlow's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, calendar data accessed via these scopes is:

  • Used only for the user-facing features described above — mirroring events into your FamilyFlow calendar, surfacing scheduling conflicts, and (for calendar.events) writing back events you explicitly create. We do not use it for anything else.
  • Not used to train or improve any AI model — ours or anyone else's. Calendar data passed into AI-assisted features (e.g., summarizing your week) is sent under the same enterprise no-training terms covered in section 4 above and is never retained for training by our vendors.
  • Never sold and never used for advertising, ad targeting, or audience-segment building.
  • Not transferred to third parties except as needed to provide or improve the integration itself, comply with applicable law, or as part of a merger/acquisition with the same privacy protections preserved. We do not share calendar data with data brokers, ad networks, or analytics providers (we ship none — see section 5).
  • Not read by humans except (a) with your explicit consent in response to a support request, (b) for security purposes (investigating abuse or a vulnerability), or (c) when required by law.

OAuth tokens at rest. The access token and refresh token Google issues for your account are stored in Firestore wrapped by the same KMS envelope encryption used for event and task data (section 3). Decryption happens server-side only when we need to call the Calendar API on your behalf.

How to revoke. Disconnect at any time from Settings → Integrations, or globally at myaccount.google.com/permissions. Disconnecting deletes the stored tokens within seconds; we stop being able to read or write your Google Calendar immediately. Imported events already in FamilyFlow remain unless you also remove them.

Read-only alternative. If you prefer not to grant OAuth access, FamilyFlow also accepts public iCal feed URLs (Google Calendar → Settings → Integrate calendar → Secret address in iCal format). The URL is stored encrypted, the connection is read-only, and no OAuth scopes are involved.

5. Trackers and Analytics

FamilyFlow ships zero third-party analytics or advertising trackers. Verified clean as of 2026-04-28 via static dependency audit and network capture: no Google Analytics, Google Tag Manager, Mixpanel, Amplitude, Plausible, Segment, Heap, Facebook Pixel, TikTok Pixel, AppsFlyer, Adjust, Branch, or any advertising SDK is present in the iOS app or the website.

We respect Do Not Track signals trivially: because we do not track you, there is nothing to disable.

6. Third-Party Processors

We use a small set of vendors to operate the service. Each is a data processor under our instructions and bound by their own privacy and security commitments.

  • Google Cloud Platform — hosting, Firestore database, Cloud KMS for encryption keys, Vertex AI for Claude access, Gemini API, Firebase Authentication. Region: United States (us-central1, us-east5).
  • Anthropic, PBC — provider of the Claude models. Accessed only via Vertex AI; no data is sent to Anthropic's direct API.
  • Apple Inc. — Sign in with Apple authentication, App Store distribution, push notifications via APNs.

7. Data Retention

  • Active accounts: we keep your data for as long as your account is active.
  • Account deletion: when you delete your account, all of your user-scoped and family-scoped data (including notes, events, tasks, profiles, and Firebase Auth identity) is deleted from production systems within 24 hours. Implementation: website/src/app/api/v1/account/route.ts.
  • Backups: encrypted database backups are retained for up to 90 days for disaster recovery, after which they expire automatically. Backups inherit the same encryption protections as production data.
  • Server logs: retained for up to 30 days, then deleted.

8. Your Rights

  • Access & portability: export every piece of data tied to your account as a single JSON file from Settings → Privacy → Export My Data.
  • Correction: edit profile, event, task, and note data directly inside the app at any time.
  • Deletion: Settings → Account → Delete Account triggers a cascading delete (Firestore data, Apple token revocation if applicable, Firebase Auth user).
  • AI opt-out: Settings → Privacy → Disable AI features (per family).

9. GDPR (EU/EEA & UK Users)

If you reside in the European Economic Area, the United Kingdom, or Switzerland, the GDPR (or UK GDPR) applies. Our lawful basis for processing your account, event, task, and note data is the performance of our contract with you (Art. 6(1)(b)). For optional AI processing, the lawful basis is your consent (Art. 6(1)(a)), which you may withdraw at any time via the AI opt-out.

You have the rights to:

  • Access your personal data (Art. 15)
  • Rectification of inaccurate data (Art. 16)
  • Erasure / right to be forgotten (Art. 17)
  • Restrict processing (Art. 18)
  • Data portability (Art. 20)
  • Object to processing (Art. 21)
  • Withdraw consent at any time (Art. 7(3))
  • Lodge a complaint with your local supervisory authority

Contact privacy@familyflow.pro to exercise any of these rights. International transfers from the EEA/UK to our U.S.-based processors rely on the EU-U.S. Data Privacy Framework and Standard Contractual Clauses where applicable.

10. California Privacy Rights (CCPA / CPRA)

California residents have the rights to know, access, delete, correct, and limit use of their personal information under the CCPA, as amended by the CPRA.

Do Not Sell or Share My Personal Information. FamilyFlow does not sell or share personal information for cross-context behavioural advertising. There is nothing to opt out of, but we honour the intent of the request: send privacy@familyflow.pro and we will confirm that no data has been or will be sold or shared.

We do not discriminate against you for exercising any privacy right.

11. Age Requirement

FamilyFlow is intended for use by individuals aged 18 and older. We require age confirmation at signup. Children may appear inside a family as profile entries managed by an adult (e.g., to coordinate their schedule), but children themselves do not have FamilyFlow accounts and cannot sign in. Because we do not knowingly collect personal information from anyone under 13 in a way that creates an account or relationship with that child, the U.S. Children's Online Privacy Protection Act (COPPA) does not apply. If you believe a minor has created an account, please email privacy@familyflow.pro and we will remove it.

12. International Data Transfers

Our infrastructure is hosted in the United States. If you access FamilyFlow from outside the U.S., your data is transferred to and processed in the U.S. We rely on Standard Contractual Clauses (where required) and our processors' participation in the EU-U.S. Data Privacy Framework.

13. Security Practices

  • TLS 1.2+ for all client-to-server traffic.
  • mTLS via Istio for internal service-to-service traffic.
  • AES-256-GCM application-layer encryption for events and tasks; AES-256 at-rest encryption for Firestore by default.
  • Client-side AES-GCM E2EE for notes; keys never leave your device.
  • Firebase Authentication for identity (Apple and Google providers only).
  • Default-deny network policies in our Kubernetes cluster.
  • Quarterly key rotation in Google Cloud KMS.

14. Changes to This Policy

We will publish material changes here, bump the version number and effective date at the top of this page, and prompt logged-in users to review the updated policy on next sign-in. Continued use of FamilyFlow after a published change constitutes acceptance.

15. Contact