FamiFacts
Privacy Policy
Last updated: April 22, 2025
1. Data controller
SIA NGGYU ("we", "us", "our") is the data controller for all personal data processed through the FamiFacts application and website at famifacts.com.
Registered address: Latvia (EU)
Registration number: available on request
Privacy contact: [email protected]
General contact: [email protected]
We do not have a designated Data Protection Officer (DPO) as we do not meet the Article 37 GDPR thresholds that make one mandatory. Privacy enquiries are handled directly by our team at the address above.
2. What personal data we collect and why
We collect only the data we need to run the service. The table below sets out each category, the legal basis under GDPR Article 6, and the purpose.
| Data category | Examples | Legal basis (GDPR Art. 6) | Purpose |
|---|---|---|---|
| Account data | Name, email address, hashed password, language, timezone, role (adult / child) | Art. 6(1)(b) — contract performance | Creating and maintaining your account; authentication; email verification; password reset |
| Preference data | Interest categories (e.g. science, history), age group, notification channel and delivery time | Art. 6(1)(b) — contract performance | Personalising daily AI-generated facts to your age, language and interests |
| Content data | AI-generated facts scheduled for your account, quiz answers, bookmarks, read/skip status | Art. 6(1)(b) — contract performance | Delivering the core service; tracking progress; generating challenges |
| Device & push token | Firebase Cloud Messaging (FCM) device token | Art. 6(1)(b) — contract performance | Routing push notifications to your device |
| Subscription & billing data | Subscription tier (free / basic / family), Stripe customer ID, RevenueCat user ID, payment status | Art. 6(1)(b) — contract performance; Art. 6(1)(c) — legal obligation (tax / accounting) | Processing web payments (Stripe); processing in-app purchases (RevenueCat); managing your plan; fulfilling VAT obligations |
| Family data | Family name, membership links between parent and child accounts, per-member notes set by parent | Art. 6(1)(b) — contract performance | Enabling family plans; allowing parents to manage children's fact feeds |
| Error & diagnostic data | Stack traces, request paths, error codes — collected by Sentry. IP addresses are masked before storage. | Art. 6(1)(f) — legitimate interest (service reliability) | Identifying and fixing bugs; maintaining service stability |
| Free-tool usage | Input text submitted to public AI tools (Fun Facts Generator, Explain It To A Kid, etc.); IP address for rate limiting (stored in cache, not persisted to database) | Art. 6(1)(f) — legitimate interest (abuse prevention) | Generating AI responses; preventing API abuse |
What we do not collect
- Payment card or bank account numbers (handled entirely by Stripe, Google Play, or Apple — we never see raw card data).
- Precise or approximate location data.
- Contact list, photos, microphone, or camera data.
- Sensitive personal data (health, race, religion, political opinion, etc.) — we do not ask for this and you should not include it in free-text inputs.
3. Cookies and similar technologies
The FamiFacts website uses a small number of cookies and browser storage items:
| Name / type | Purpose | Duration | First or third party |
|---|---|---|---|
famifacts_session |
Stores your authenticated web session. Strictly necessary. | Session / 2 hours of inactivity | First party |
XSRF-TOKEN |
CSRF protection token required for all form submissions. Strictly necessary. | Session | First party |
| Rate-limit cache keys (server-side) | IP-based counters used to prevent brute-force and API abuse. Never sent to your browser. | 1–60 minutes | First party (server only) |
We do not use advertising cookies, third-party tracking cookies, or fingerprinting scripts. We do not run Google Analytics or Facebook Pixel. If we add analytics tools in future, this section will be updated and a cookie consent notice will be displayed.
4. Third-party processors (subprocessors)
We share data with the following subprocessors under binding data processing agreements (DPAs). Each processes data only as instructed by us and may not use it for their own purposes.
| Processor | Purpose | Data shared | Location | Transfer safeguard |
|---|---|---|---|---|
| OpenAI, L.L.C. | AI fact generation via gpt-4o-mini |
Interest categories, age group, language — no names or email addresses | USA | EU Standard Contractual Clauses (SCCs) via OpenAI DPA |
| Stripe, Inc. | Web payment processing and subscription management | Name, email, payment card data (tokenised), billing history | USA / EU | EU SCCs; Stripe Privacy Policy |
| RevenueCat, Inc. | Mobile in-app purchase management (iOS / Android) | Anonymised user ID, subscription events and entitlements | USA | EU SCCs; RevenueCat Privacy Policy |
| Google Firebase (FCM) | Push notification delivery to mobile devices | Device FCM token; notification payload (fact title) | USA / EU | EU SCCs; Firebase Privacy |
| Sentry (Functional Software, Inc.) | Application error monitoring | Stack traces, request paths, error codes. IP addresses are scrubbed. No personal identifiers are intentionally sent. | USA | EU SCCs; Sentry Privacy Policy |
| Cloudflare, Inc. | CDN, DDoS protection, DNS | All web traffic passes through Cloudflare's network; IP addresses are visible to Cloudflare | USA / global PoPs | EU SCCs; Cloudflare Privacy Policy |
| Hosting provider | Server infrastructure and database hosting | All data stored in our database | EU (Latvia or nearest EU region) | GDPR-compliant DPA with hosting provider |
We do not sell your personal data to third parties. We do not share data with advertisers.
5. Data retention
| Data type | Retention period | Reason |
|---|---|---|
| Account profile, preferences, content | Until you delete your account | Contract performance |
| Billing records and invoices | 7 years from the transaction date | Latvian and EU accounting / tax law obligation |
| Application error logs (Sentry) | 90 days | Debugging; Sentry default retention |
| Server access logs | 30 days, then auto-purged | Security; abuse investigation |
| Rate-limit counters (cache) | 1–60 minutes | Abuse prevention; automatically expires |
| Email verification and password-reset codes | 20 minutes from issue, then deleted | Security |
| Deleted account residual backups | Up to 30 days in encrypted database backups, then permanently purged | Operational continuity; backup rotation cycle |
6. Your rights under GDPR
As a person in the EU/EEA, you have the following rights. All requests are free of charge and responded to within 30 days (or 3 months for complex requests, with notice).
| Right | What it means | How to exercise it |
|---|---|---|
| Access (Art. 15) | Obtain a copy of all personal data we hold about you | Email [email protected] |
| Rectification (Art. 16) | Correct inaccurate or incomplete data | Update in Settings, or email us |
| Erasure (Art. 17) | Delete your account and all associated personal data | Self-service: Settings → Delete Account (immediate). Or email [email protected] — we will action the request within 30 days. Note: billing records required by law are retained for 7 years. |
| Restriction (Art. 18) | Ask us to pause processing while a dispute is resolved | Email [email protected] |
| Portability (Art. 20) | Receive your data in a structured, machine-readable format (JSON) | Email [email protected] |
| Objection (Art. 21) | Object to processing based on our legitimate interest | Email [email protected] |
| Supervisory authority complaint | Lodge a complaint with your local data protection authority | Our lead supervisory authority is the Data State Inspectorate of Latvia (DSI). You may also contact the DPA in your country of residence. |
To verify your identity before processing an access or erasure request, we will ask you to confirm from the email address registered to your account.
7. Children's data
FamiFacts is designed to be used by families including children. For child accounts (role: "child"), a parent or guardian with a Family plan must create and manage the account. We rely on the parent's consent (GDPR Art. 8 and Recital 38) for processing data of users under 16.
We collect from child accounts only:
- Name (used to personalise push notifications), email (for account access), age group, language, and selected interests.
- Facts received, read/skip status, and quiz scores — to power the service.
We do not use children's data for profiling, advertising, or any purpose beyond delivering age-appropriate daily facts. Parents can review, modify, or delete a child's account and data at any time from the Family section of their account.
If you believe a child under 13 has registered without parental consent, please email [email protected] and we will delete the account promptly.
8. Security measures
We implement the following technical and organisational measures to protect your data:
- All passwords are stored as bcrypt hashes — we never store or log plain-text passwords.
- All data is transmitted over TLS 1.2+ (HTTPS enforced; HTTP redirects to HTTPS).
- Authentication tokens (Sanctum) are rotated on each login and revoked on logout or password change.
- Rate limiting is applied to all authentication endpoints to prevent brute-force attacks.
- Short-lived one-time codes (20-minute expiry) are used for email verification and password reset.
- Database access is restricted to application-layer connections; no public database port.
- Cloudflare provides DDoS protection and WAF in front of our infrastructure.
No system is 100% secure. In the event of a personal data breach that is likely to result in a risk to your rights, we will notify you and the Data State Inspectorate of Latvia within 72 hours of becoming aware, as required by GDPR Art. 33–34.
9. International data transfers
Our primary infrastructure is hosted within the EU. However, some subprocessors listed in Section 4 (OpenAI, Stripe, RevenueCat, Firebase, Sentry, Cloudflare) are headquartered in the United States. Transfers to these processors are protected by EU Standard Contractual Clauses (SCCs) as adopted by the European Commission under Decision 2021/914, and/or by the processor's participation in a recognised data transfer framework. Links to each processor's transfer safeguards are provided in Section 4.
10. Changes to this policy
We may update this Privacy Policy to reflect changes in our practices or applicable law. The "Last updated" date at the top of this page will always reflect the most recent version. For material changes — for example, a new category of data collected or a new subprocessor — we will notify you by email and in-app notification at least 14 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
11. Contact
For any privacy-related questions, data subject requests, or concerns, please contact us:
SIA NGGYU
Email: [email protected]
Subject line: Privacy Request — [your request type]
For general support: [email protected]