Privacy Model

Owner and admin accounts can view and manage all active profiles. Steward accounts can manage visible non-staff profiles. Member and viewer accounts only see visible relatives connected within the configured family-graph distance.

Contact fields default to close-family visibility, but living minors always keep contact details staff-only. Medical and genetic fields default to staff-only unless a stricter per-profile setting is chosen.
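To make the role and field rules above concrete, here is an added illustration of how the visibility decision composes; it is example code, not Family Book's own implementation. It assumes that "staff" means owner, admin and steward, that "close family" means a graph distance of at most `CLOSE_FAMILY_DISTANCE`, and that `MAX_GRAPH_DISTANCE` is the configured family-graph distance for members and viewers.

```python
from dataclasses import dataclass, field
from enum import IntEnum

STAFF = {"owner", "admin", "steward"}   # assumed meaning of "staff"
MAX_GRAPH_DISTANCE = 3                  # assumed configured graph distance
CLOSE_FAMILY_DISTANCE = 1               # assumed meaning of "close family"

class Visibility(IntEnum):
    # Lower value = stricter, so min() always picks the stricter setting.
    STAFF_ONLY = 0
    CLOSE_FAMILY = 1

# Defaults described in the privacy model.
DEFAULTS = {"contact": Visibility.CLOSE_FAMILY,
            "medical": Visibility.STAFF_ONLY,
            "genetic": Visibility.STAFF_ONLY}

@dataclass
class Profile:
    visible: bool = True
    is_staff: bool = False
    living: bool = True
    minor: bool = False
    overrides: dict = field(default_factory=dict)  # per-profile settings

def effective_visibility(profile, kind):
    level = DEFAULTS[kind]
    if kind in profile.overrides:
        # A per-profile setting can only make a field stricter, never looser.
        level = min(level, profile.overrides[kind])
    if kind == "contact" and profile.living and profile.minor:
        level = Visibility.STAFF_ONLY  # living minors: contact is always staff-only
    return level

def can_view_profile(role, profile, distance):
    if role in ("owner", "admin"):
        return True
    if role == "steward":
        return profile.visible and not profile.is_staff
    # member / viewer: visible relatives within the configured distance
    return profile.visible and distance <= MAX_GRAPH_DISTANCE

def can_view_field(role, profile, distance, kind):
    if not can_view_profile(role, profile, distance):
        return False
    level = effective_visibility(profile, kind)
    if level == Visibility.STAFF_ONLY:
        return role in STAFF
    return role in STAFF or distance <= CLOSE_FAMILY_DISTANCE
```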

Protection Boundaries

Transport security depends on HTTPS at the deployment layer. Sensitive contact, medical, and genetic fields are encrypted at rest in application storage. Media files and backups are authenticated and access-controlled, but this is not a zero-knowledge or end-to-end encrypted system.

The current hosted-archive model is single-tenant per family archive, with one database and one media root inside the deployment data directory.

Backups and Exit

Admins can trigger a backup, verify restore, download the latest backup ZIP, download a GEDCOM export, and download a full archive export with JSON, stories, media files, and a manifest describing omissions and Family Book custom fields.

GEDCOM is included for portability, but it does not represent every Family Book field. Sensitive contact, medical, and genetic data are preserved in the full archive JSON export instead.

Deletion and Cancellation

Profiles are soft-deleted in the app so auditability and recovery remain possible. Hosted families should be able to export first, then request cancellation and archive deletion according to the hosting policy in force for that environment.