Your family. Your records. Your rules.

All data — names, dates, photos, notes — is encrypted in transit (TLS 1.2+) and at rest on managed Postgres. Photos live in a private storage bucket with random unguessable filenames, and the app serves them through short-lived signed URLs (one-hour expiry) — there's no public link anyone can hot-link or share.

Our database enforces that you can only ever read or change rows tagged with your user ID. Even if a bug in our app code asked for "all family members," the database itself would refuse to return anyone else's records. This is a hard wall, not a polite suggestion.

We use Lovable Cloud authentication with bcrypt-hashed passwords (we never see the plaintext) plus optional Google sign-in. New passwords are screened against the Have I Been Pwned database, so a password leaked in another breach can't be reused here.

Every form submission is re-validated on our servers using strict schemas — surnames, birth years, place names, and notes all have length limits and character rules. This blocks injection attacks even if a browser is compromised.

Card numbers never touch our servers. Checkout is hosted by Stripe (PCI-DSS Level 1). We only store your subscription status and a customer reference — no card data, no CVV, nothing reusable if our database were ever breached.

We use one cookie: the one that keeps you signed in. No Facebook pixel, no Google Ads remarketing, no third-party analytics that profile you across the web.

Your tree is private by default. The only way another user can see overlapping ancestors is if you flip the "share for matching" switch in your profile. Even then, only ancestor names + birth years/places are exposed — never your living relatives, photos, notes, or contact info.

We don't ask for, store, or sell DNA. We don't ask for Social Security numbers. Our AI explains general history and research strategy — it never claims to have "found" a specific ancestor, and it never invents records, census entries, or birthdays.

We strongly recommend marking living people as "living" in their notes. Anything tagged this way is automatically hidden from cousin-matching exports, even if you later turn matching on.

You own your tree. Download a full GEDCOM file (the universal genealogy format accepted by every other family-history app) on demand, or ask us to permanently delete your account and we'll wipe everything within 30 days.

Ask us for a copy of everything we hold about you. We'll send a JSON or CSV bundle within 7 days, free of charge.

Download a standard GEDCOM file from your tree page anytime. It works in Ancestry, FamilySearch, MyHeritage, RootsMagic, and dozens of other apps.

Email us and we'll delete your account and all associated data within 30 days. We'll confirm in writing when it's done.

All your data is editable inside the app — names, dates, notes, photos, the matching opt-in. Nothing is locked.