Privacy Policy

Last updated: April 20, 2026

familyzone.online ("the App") is a family-oriented task, rewards, calendar, and communication tool used inside a single household. This policy explains what data we collect, why, with whom we share it, and how you can exercise your rights.

The App operates in line with the Israeli Protection of Privacy Law, 5741-1981. This page is informational and is not legal advice.

1. Data controller & contact

Operator: [Operator / Company name — to be filled]
Address: [Registered address — to be filled]
Privacy contact: support@familyzone.online

2. Data we collect

3. Children under 13

The App is family-oriented and includes children. Child accounts are created exclusively by a parent or legal guardian through a family invitation. We collect only the minimum information about a child required to operate tasks and rewards within their own family, and we never use this information for advertising, profiling, or marketing.

A parent may at any time review their child's data, request deletion of the child's account, or revoke permissions by contacting us or via the settings screen in the App.

4. Cookies & trackers

The App and website do not use advertising SDKs, social pixels, session replay, or third-party analytics. Only a strictly necessary session cookie is used for authentication.

5. Sharing

We do not sell personal information and do not share data with advertisers.

6. Security

• Passwords stored with bcrypt.
• HMAC-signed session tokens, timing-safe comparison.
• Per-family isolation enforced at database level (PostgreSQL Row Level Security).
• HTTPS-only in production.
• Admin access requires a strong password and two-factor authentication.

7. Retention & deletion

• Location: 72 hours, then auto-deleted.
• User account: soft-deleted immediately on request; hard-delete on a defined retention window (TODO: confirm window).
• Uploaded files: kept while the account is active; removed when the family is deleted.

8. Your rights

Under the Israeli Protection of Privacy Law you may:

• request access to data we hold about you;
• request correction of inaccurate data;
• request deletion of your account and personal data;
• withdraw consent (e.g. opt out of push notifications).

Privacy requests: support@familyzone.online. We aim to respond within 14 business days.

For account deletion specifically, see the dedicated Account deletion request page — it lists exactly what is deleted, what is retained and why, and how to request it.

9. International transfers

Some processors (FCM, Open-Meteo, SMTP provider) operate outside Israel. The transfer is based on your consent to use the App and is necessary to provide the service.

10. Changes to this policy

We may update this policy from time to time. Material changes will be posted on this page with an updated "last updated" date.

11. EU / EEA / UK users (GDPR & UK GDPR)

If you reside in the EU, EEA, or the United Kingdom, the EU General Data Protection Regulation (GDPR) and the UK GDPR apply to our processing of your personal data. In addition to the rights granted under Israeli law, you have the right to: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability in a structured, machine-readable format (Art. 20), and to object to processing (Art. 21). You may also withdraw consent at any time (Art. 7); withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

11.1 Lawful basis (Art. 6 / Art. 9)

• Identity, family graph, tasks, rewards, calendar, lists: performance of a contract (Art. 6(1)(b)).
• Location of family members: explicit consent (Art. 6(1)(a)) — enabled per-device and auto-deleted after 72h.
• Operational push notifications: performance of a contract (Art. 6(1)(b)).
• Optional daily summary email: consent (Art. 6(1)(a)) — can be disabled at any time in profile settings.
• Technical telemetry, 5xx error logging: legitimate interest (Art. 6(1)(f)) — service reliability.
• Billing records: legal obligation (Art. 6(1)(c)) — tax / accounting retention.

11.2 Children under 16 (Art. 8)

For consent-based processing, GDPR requires parental consent for children under 16 (or the lower age set by the relevant member state, minimum 13). Child accounts in this App are created exclusively by a parent via family invitation — by performing that action the parent provides parental consent for the child's data to be processed within the family.

11.3 International transfers (Art. 44-49)

• Google (FCM, Play Billing): EU → USA under the EU-US Data Privacy Framework — Google is DPF-certified.
• Hostinger (hosting + SMTP): EU-based data centres.
• Open-Meteo: servers in Germany (within the EU). Coordinates only, no user identifier sent.

11.4 Right to lodge a complaint

If you believe your rights have not been respected, you may lodge a complaint with your local supervisory authority — for example the CNIL (France), BfDI (Germany), or ICO (United Kingdom). Full list: edpb.europa.eu.

11.5 EU representative (Art. 27)

If an EU representative has been appointed, their details will be published here: [EU representative name and address — to be filled if applicable].

11.6 Automated decision-making

The App does not use automated decision-making or profiling that produces legal or similarly significant effects (Art. 22).