Privacy Policy

Oliver Pitsch

Gerhard-vom-Rath-Straße 63, 50968 Köln, Germany

Email: famili@pitsch.me

If you have questions about data protection, you can contact us at the above address at any time.

We process personal data in the following categories:

Account data: Name, email address (via Clerk authentication).

Family and organization data: Family name, member roles, tasks, calendar entries, reminders, contacts, and notes.

Children's data: First names, dates of birth, clothing/shoe sizes, allergies, medical notes, school/daycare, hobbies.

Documents: Files uploaded by you (e.g., IDs, certificates, contracts).

Payment data: Billing address, payment method, and transaction data (processed by Stripe).

Usage data: Page views, interactions, and device information (via PostHog, only with consent).

Your data is processed on the following legal bases:

Contract performance (Art. 6(1)(b) GDPR): For providing the Famili platform, managing your user account, and processing payments.

Consent (Art. 6(1)(a) GDPR): For processing analytics cookies (PostHog). Consent can be withdrawn at any time via the cookie banner or the imprint page.

Legitimate interests (Art. 6(1)(f) GDPR): For ensuring technical operation and protection against misuse.

Consent for children's data (Art. 6(1)(a) in conjunction with Art. 8 GDPR): The entry of data in child profiles is performed by users with parental authority and requires their consent.

Registration and login are handled by the external service Clerk (Clerk, Inc., USA). The following data is processed:

Email address, name, profile picture (if available), and login metadata (IP address, device, timestamp).

Legal basis: Contract performance (Art. 6(1)(b) GDPR).

Third country transfer: Clerk processes data in the USA based on Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework.

More information: clerk.com/legal/privacy

All data you create in your family workspace is processed exclusively for providing platform functionality:

Calendar entries, tasks, reminders, contacts, waiting list items, and routines. This data is only visible to members of your family workspace.

Legal basis: Contract performance (Art. 6(1)(b) GDPR).

Storage location: PostgreSQL database on servers in the EU.

Famili allows creating child profiles with the following optional information: first name, date of birth, clothing and shoe sizes, allergies, medical notes, school/daycare, and hobbies.

This data is used exclusively for platform functionality and is only visible to members of the respective family workspace. It is not used for advertising, profiling, or other purposes and is not shared with third parties.

Legal basis: Consent of the person with parental authority (Art. 6(1)(a) in conjunction with Art. 8 GDPR). Providing this data is voluntary.

When the child profile or family workspace is deleted, this data is completely removed.

We use Stripe (Stripe, Inc., USA / Stripe Payments Europe, Ltd., Ireland) for payment processing. The following data is transmitted to Stripe:

Email address, name, billing address, selected plan, and payment information. Payment data (e.g., credit card numbers) is processed exclusively by Stripe and is not accessible to us.

Legal basis: Contract performance (Art. 6(1)(b) GDPR).

Third country transfer: Stripe Payments Europe (Ireland) processes payments within the EU. For certain services, transfer to the USA may occur based on SCCs and the EU-US Data Privacy Framework.

More information: stripe.com/privacy

Uploaded documents are stored on Amazon Web Services (AWS) S3 in the eu-central-1 region (Frankfurt).

Documents are only accessible to members of the respective family workspace, unless you actively create a share link. Share links can be revoked at any time.

Legal basis: Contract performance (Art. 6(1)(b) GDPR).

Storage location: EU (Frankfurt, Germany).

We use PostHog (PostHog, Inc.) to analyze platform usage. PostHog is only activated when you explicitly consent via the cookie banner.

Data processed: Page views, interactions (e.g., task created, calendar entry added), anonymized IP address, device information.

Data not processed: No content of tasks, documents, contacts, or child profiles. Only event types and IDs are captured, no personal content.

Legal basis: Consent (Art. 6(1)(a) GDPR). Without consent, no analytics cookies are set and no data is transmitted to PostHog.

Storage location: EU (PostHog EU Cloud). Consent can be withdrawn at any time via the cookie banner, the imprint page, or by clearing browser storage.

The platform is hosted on Vercel (Vercel, Inc., USA). Server logs with IP addresses and access times may be processed.

Legal basis: Legitimate interest in secure and efficient platform delivery (Art. 6(1)(f) GDPR).

Third country transfer: Vercel uses edge networks that preferentially use EU locations. Transfer to the USA occurs based on SCCs and the EU-US Data Privacy Framework.

You have the following rights regarding your personal data:

Right of access (Art. 15 GDPR): You can request information about the data we process.

Right to rectification (Art. 16 GDPR): You can request correction of inaccurate data.

Right to erasure (Art. 17 GDPR): You can request deletion of your data, provided no statutory retention obligations apply.

Right to restriction (Art. 18 GDPR): You can request restriction of processing.

Right to data portability (Art. 20 GDPR): You can request your data in a structured, machine-readable format.

Right to object (Art. 21 GDPR): You can object to processing based on legitimate interests.

Withdrawal of consent: Consent granted (e.g., for analytics cookies) can be withdrawn at any time with effect for the future.

To exercise your rights, contact famili@pitsch.me.

Account data: Stored for the duration of use and deleted within 30 days after account deletion.

Workspace data: Deleted within 30 days after family workspace deletion.

Payment data: Billing data is retained for up to 10 years in accordance with tax retention requirements (§ 147 AO).

Analytics data: PostHog data is automatically deleted after 90 days.

Server logs: Deleted after 30 days.

We employ appropriate technical and organizational measures to protect your data from unauthorized access, loss, or misuse:

Encrypted data transmission (TLS/HTTPS), access control through authentication (Clerk), role-based permissions within the family workspace, regular security updates, and encrypted storage of sensitive data.

Complete protection against all risks is technically not possible. We continuously work to improve our security measures.

Some of our service providers are based in the USA. Data transfers are based on the following safeguards:

EU-US Data Privacy Framework: Clerk and Stripe are certified under the EU-US Data Privacy Framework.

Standard Contractual Clauses (SCCs): Additionally, Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR are in place with all US service providers.

EU data where possible: PostHog (EU Cloud), AWS S3 (Frankfurt), and the database (EU) process data exclusively within the EU.

We reserve the right to update this privacy policy to reflect changes in legal requirements or our services.

The current version is always available on this page. For significant changes, we will inform you by email or notification on the platform.

You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your data violates the GDPR.

Competent supervisory authority:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Kavalleriestraße 2-4, 40213 Düsseldorf, Germany

poststelle@ldi.nrw.de