Family Roots

🔒 Privacy & Data Use

A plain-language explanation of what Family Roots stores, where it's stored, and what happens when you use its optional AI features. Written to describe how the app actually works, not as a substitute for formal legal advice.

Last updated: July 2026
This is not a formal legal document. It's an honest, technical description of how this particular Family Roots installation handles data, written by the people who built it. It has not been reviewed by a lawyer. If this site is ever used beyond a private family group — for example opened up more widely, or run as a paid product — the site's admin should have proper Terms of Service and a Privacy Policy drafted or reviewed by a qualified professional before doing so.
Contents
  • What This Site Does
  • Your Account
  • Where Data Is Stored (Supabase)
  • Photos, Documents & Files
  • AI Features (Anthropic)
  • Live Updates & Chat
  • Family Members Without Accounts
  • Data Retention & Deletion
  • Changes to This Page
  • Contact
🌳

What This Site Does

Family Roots is a private, invite-only space for a single family group to record and share its history: family member profiles, a family tree, photos, diaries, letters, scanned documents, written stories, physical objects/heirlooms, a shared map of places connected to the family, and a group chat.

Everything you add belongs to one "family" group. Only people who have been approved to join that family (via its join code, approved by an admin) can see its content. Nothing is public or searchable outside the family.

👤

Your Account

Creating an account requires an email address, a password, and your name. This is used only to sign you in and to identify your contributions (e.g. who uploaded a photo, who wrote a diary entry) to other members of your family.

Your account can belong to more than one family if you've been invited to or created more than one. Each family's content stays isolated from the others.

🗄️

Where Data Is Stored

All data — accounts, family tree entries, photo metadata, diary and document text, chat messages, map locations, and so on — is stored in a Supabase project (a hosted PostgreSQL database, with authentication and file storage layered on top). Supabase is a third-party infrastructure provider; it hosts the database and storage on the site owner's behalf but does not itself use family content for any purpose beyond providing that hosting.

Access is controlled by database-level rules (Row Level Security) so that:

  • Only members of a family can read or write that family's data.
  • Only family admins can change family-wide settings, approve join requests, or remove a member's account access.
  • A family member can generally only edit or delete content they added themselves, unless they're an admin.
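
The three rules above could be written as PostgreSQL Row Level Security policies along the following lines. This is an added example, not Family Roots' actual schema or policies: the tables (families, family_members, photos), their columns and the two helper functions are assumptions made for illustration, and auth.uid() is Supabase's function returning the signed-in user's id.

```sql
-- Added example. Table, column and function names are assumptions, not the app's schema.
create table families (id uuid primary key default gen_random_uuid(), name text not null);
create table family_members (
  family_id uuid not null references families(id) on delete cascade,
  user_id   uuid not null,  -- equals auth.uid() for the signed-in user
  role      text not null default 'member' check (role in ('member', 'admin')),
  primary key (family_id, user_id)
);
create table photos (
  id          uuid primary key default gen_random_uuid(),
  family_id   uuid not null references families(id) on delete cascade,
  uploaded_by uuid not null
);
-- SECURITY DEFINER helpers run as the function owner, so the membership lookup
-- is not itself filtered by the policies on family_members (no recursion).
create function is_family_member(fid uuid) returns boolean
language sql stable security definer set search_path = public as $$
  select exists (select 1 from family_members
                 where family_id = fid and user_id = auth.uid());
$$;
create function is_family_admin(fid uuid) returns boolean
language sql stable security definer set search_path = public as $$
  select exists (select 1 from family_members
                 where family_id = fid and user_id = auth.uid() and role = 'admin');
$$;

-- With RLS enabled and no matching policy, every row is denied by default.
alter table families       enable row level security;
alter table family_members enable row level security;
alter table photos         enable row level security;

-- Rule 1: only members of a family can read or add that family's content.
create policy photos_select on photos for select using (is_family_member(family_id));
create policy photos_insert on photos for insert
  with check (is_family_member(family_id) and uploaded_by = auth.uid());

-- Rule 3: edit or delete only your own rows, unless you are an admin of that family.
create policy photos_update on photos for update
  using ((uploaded_by = auth.uid() and is_family_member(family_id)) or is_family_admin(family_id))
  with check (is_family_member(family_id));
create policy photos_delete on photos for delete
  using ((uploaded_by = auth.uid() and is_family_member(family_id)) or is_family_admin(family_id));

-- Rule 2: members can see the family and its roster; only admins can change either.
create policy families_select on families for select using (is_family_member(id));
create policy families_update on families for update
  using (is_family_admin(id)) with check (is_family_admin(id));
create policy members_select on family_members for select using (is_family_member(family_id));
create policy members_admin on family_members for all
  using (is_family_admin(family_id)) with check (is_family_admin(family_id));
```

Policies of this kind are enforced by the database itself, so they apply to every query made with a member's session regardless of what the browser-side code asks for.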
📷

Photos, Documents & Files

Uploaded images (profile photos, family photos, scanned documents/diary pages, object photos, and dashboard cover photos) are stored in a private Supabase Storage bucket — not a public folder. Files are never given a permanent public URL; instead the app generates short-lived "signed" links each time a page loads them, which expire and have to be regenerated. Someone without a valid family login cannot access these files by guessing or sharing a link.

🤖

AI Features — What Goes to Anthropic

Family Roots can optionally use Anthropic's Claude AI models to read text out of scanned photos (old handwriting, letters, inscriptions) and translate it. This is entirely opt-in: it only happens if a family admin has added their own Anthropic API key in Admin → AI Settings, and only when someone clicks 🤖 Extract Text on a photo (or, if the admin has turned it on, automatically when a diary/document page is uploaded).

What actually happens when this feature is used:

  • The specific photo you're extracting text from (as image data), plus your family's chosen translation language, is sent from Family Roots' server-side function to Anthropic's API for processing.
  • Your Anthropic API key is stored in the database and is only readable by your family's admins in the app UI; the key itself is only ever used server-side — it is never sent to, or visible in, any family member's browser.
  • No other family data (member profiles, other photos, chat messages, etc.) is sent to Anthropic as part of this feature — only the one image being processed at that moment.
  • Anthropic's handling of API data is governed by Anthropic's own terms and privacy policy, not by Family Roots. As of when this page was written, Anthropic states that API inputs and outputs are not used to train its models by default for commercial API usage — but you should check Anthropic's current privacy policy and commercial terms for the authoritative, up-to-date statement, since these can change.
  • Any usage costs for these API calls are billed by Anthropic directly to whichever family admin's account owns the API key — separate from anything related to using Family Roots itself.

If no API key has been added, none of this happens — the extract/translate buttons simply won't work, and no image data leaves the app for this purpose.

⚡

Live Updates & Chat

Family Roots uses Supabase's real-time features so that when one family member adds a photo, member, or chat message, other logged-in family members can see it appear (or get a banner offering to refresh) without reloading the page. This stays entirely within Supabase's infrastructure and your own family's data — it isn't shared with any other third party.

Chat messages are stored in the same Supabase database as everything else and are only visible to the participants of that specific chat (the whole family, a group, or a direct message between two people).

🧓

Family Members Without Accounts

A family tree naturally includes people who never created an account — deceased ancestors, relatives who aren't online, children, and so on. Their profile information (name, dates, photos, biography) is entered by other family members, not by themselves, and they have no ability to log in, view, or remove what's written about them.

Responsibility for making sure this information is accurate, appropriate, and something the family is comfortable recording rests with whoever adds it and with the family's admins — not with Family Roots itself.

🗑️

Data Retention & Deletion

Content stays in the database until someone with permission deletes it. Family admins can permanently delete an entire family's data (members, photos, stories, objects, documents, diary entries) from Admin → Danger Zone — this cannot be undone, so admins are encouraged to export a backup first via Admin → Export All Data.

Removing a person's account access (Admin → Account Members → remove) revokes their ability to log in, but does not delete the content they previously added — that stays as part of the family's shared history unless separately deleted.

📝

Changes to This Page

This page describes the app as it currently works. If features change in a way that affects what data is collected or where it goes (for example, adding a new third-party service), this page should be updated to match before that feature is used.

✉️

Contact

This installation does not have a dedicated public support address. A family admin only controls in-app settings (join codes, page visibility, family content) — they do not control the underlying hosting, database, or any third-party service (like Anthropic) this installation relies on, and aren't able to answer on their behalf.