A plain-language explanation of what Family Roots stores, where it's stored, and what happens when you use its optional AI features. Written to describe how the app actually works, not as a substitute for formal legal advice.
Family Roots is a private, invite-only space for a single family group to record and share its history: family member profiles, a family tree, photos, diaries, letters, scanned documents, written stories, physical objects/heirlooms, a shared map of places connected to the family, and a group chat.
Everything you add belongs to one "family" group. Only people who have been approved to join that family (via its join code, approved by an admin) can see its content. Nothing is public or searchable outside the family.
Creating an account requires an email address, a password, and your name. This is used only to sign you in and to identify your contributions (e.g. who uploaded a photo, who wrote a diary entry) to other members of your family.
Your account can belong to more than one family if you've been invited to or created more than one. Each family's content stays isolated from the others.
All data — accounts, family tree entries, photo metadata, diary and document text, chat messages, map locations, and so on — is stored in a Supabase project (a hosted PostgreSQL database, with authentication and file storage layered on top). Supabase is a third-party infrastructure provider; it hosts the database and storage on the site owner's behalf but does not itself use family content for any purpose beyond providing that hosting.
Access is controlled by database-level rules (Row Level Security) so that:
Uploaded images (profile photos, family photos, scanned documents/diary pages, object photos, and dashboard cover photos) are stored in a private Supabase Storage bucket — not a public folder. Files are never given a permanent public URL; instead the app generates short-lived "signed" links each time a page loads them, which expire and have to be regenerated. Someone without a valid family login cannot access these files by guessing or sharing a link.
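A sketch of how Row Level Security and a private storage bucket can enforce the per-family isolation described above. This is an added example, not Family Roots' own schema or policies: the tables `family_members` and `photos`, the function `is_approved_member`, the bucket name `family-media` and the `<family_id>/<file name>` path layout are all assumptions; `auth.uid()`, `auth.users`, `storage.objects` and `storage.foldername()` are Supabase's own.

```sql
-- Hypothetical schema for illustration; not Family Roots' actual tables.
create table public.family_members (
  family_id uuid not null,
  user_id   uuid not null references auth.users (id),
  status    text not null default 'pending'
            check (status in ('pending', 'approved')),
  primary key (family_id, user_id)
);

create table public.photos (
  id           uuid primary key default gen_random_uuid(),
  family_id    uuid not null,
  uploaded_by  uuid not null references auth.users (id),
  storage_path text not null  -- assumed layout: '<family_id>/<file name>'
);

-- SECURITY DEFINER: the membership lookup runs with the owner's rights, so
-- the policy on family_members below does not recurse into itself.
create function public.is_approved_member(fid text)
returns boolean
language sql stable security definer set search_path = ''
as $$
  select exists (
    select 1 from public.family_members m
    where m.family_id::text = fid
      and m.user_id = (select auth.uid())
      and m.status = 'approved'   -- a pending join request grants nothing
  );
$$;

-- With RLS enabled and no matching policy, every row is denied by default.
alter table public.family_members enable row level security;
alter table public.photos enable row level security;

create policy "roster visible to approved members" on public.family_members
  for select to authenticated
  using (public.is_approved_member(family_id::text));

create policy "photos visible to approved members" on public.photos
  for select to authenticated
  using (public.is_approved_member(family_id::text));

-- Storage: signing a link requires SELECT on the object row, so a user
-- outside the family cannot mint a signed URL for its files.
create policy "files readable by approved members" on storage.objects
  for select to authenticated
  using (bucket_id = 'family-media'
         and public.is_approved_member((storage.foldername(name))[1]));
```

Because no INSERT, UPDATE or DELETE policies are defined here, writes from the `authenticated` role are rejected; a real deployment would add them with the same membership check.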
Family Roots can optionally use Anthropic's Claude AI models to read text out of scanned photos (old handwriting, letters, inscriptions) and translate it. This is entirely opt-in: it only happens if a family admin has added their own Anthropic API key in Admin → AI Settings, and only when someone clicks 🤖 Extract Text on a photo (or, if the admin has turned it on, automatically when a diary/document page is uploaded).
What actually happens when this feature is used:
If no API key has been added, none of this happens — the extract/translate buttons simply won't work, and no image data leaves the app for this purpose.
Family Roots uses Supabase's real-time features so that when one family member adds a photo, member, or chat message, other logged-in family members can see it appear (or get a banner offering to refresh) without reloading the page. This stays entirely within Supabase's infrastructure and your own family's data — it isn't shared with any other third party.
Chat messages are stored in the same Supabase database as everything else and are only visible to the participants of that specific chat (the whole family, a group, or a direct message between two people).
A family tree naturally includes people who never created an account — deceased ancestors, relatives who aren't online, children, and so on. Their profile information (name, dates, photos, biography) is entered by other family members, not by themselves, and they have no ability to log in, view, or remove what's written about them.
Responsibility for making sure this information is accurate, appropriate, and something the family is comfortable recording rests with whoever adds it and with the family's admins — not with Family Roots itself.
Content stays in the database until someone with permission deletes it. Family admins can permanently delete an entire family's data (members, photos, stories, objects, documents, diary entries) from Admin → Danger Zone — this cannot be undone, so admins are encouraged to export a backup first via Admin → Export All Data.
Removing a person's account access (Admin → Account Members → remove) revokes their ability to log in, but does not delete the content they previously added — that stays as part of the family's shared history unless separately deleted.
This page describes the app as it currently works. If features change in a way that affects what data is collected or where it goes (for example, adding a new third-party service), this page should be updated to match before that feature is used.
This installation does not have a dedicated public support address. A family admin only controls in-app settings (join codes, page visibility, family content) — they do not control the underlying hosting, database, or any third-party service (like Anthropic) this installation relies on, and aren't able to answer on their behalf.