Famli

Privacy Policy

Effective Date: March 30, 2026 · Last Updated: May 19, 2026

Famli ("we," "us," or "our") operates the Famli platform at famli.ioand associated mobile applications (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect your name, email address, and password (stored as a bcrypt hash — we never store plaintext passwords). If you sign up as a provider, we also collect your business name, vertical category, and timezone.

1.2 Family and Child Information

Family Hub users may provide child profiles created and managed by a parent or legal guardian. The information you may provide on a child's behalf includes:

  • First name and date of birth (required for age-appropriate features)
  • Allergies, medical notes, and dietary restrictions (optional — used for the Emergency Card)
  • Emergency contact details for other adults you designate (you confirm you have their permission to share)
  • Activity history, homework, practice logs, and pickup assignments (generated by your use of the Service)
  • Photos and milestone notes you choose to add to a child's timeline (optional — you control what is uploaded)

This information powers calendar aggregation, homework tracking, the Emergency Card, and the child's activity timeline. Limited fields (typically name, DOB, allergies) may be shared with kids' activity providers you explicitly link to, or shown on the Emergency Card you choose to display to coaches or instructors during handoff. We never share child information with third parties for advertising or marketing.

1.3 Activity and Usage Data

We collect data about how you use the Service, including calendar events, bookings, practice logs, homework assignments, budget entries, and messaging content within your family group. This data is scoped to your family or business account and is never shared across accounts.

1.4 Documents

The Document Vault feature allows you to upload files (medical records, waivers, registration forms). Files are stored in encrypted cloud storage (Amazon S3) and are accessible only to members of your family account.

1.5 Device and Technical Data

We automatically collect IP addresses, browser type, device identifiers, operating system, and page views for analytics, security, and performance monitoring purposes.

1.6 Location Data

Our Activity-Scoped Location Sharing feature collects real-time location data during pickup and drop-off windows only. This feature is entirely opt-in per family member. Location data is shared only with family members assigned to the same pickup and is used solely to display ETA and arrival status. We do not store location history — real-time location data is never persisted beyond the active sharing session and is discarded once the pickup window ends (typically 15 minutes after the scheduled time).

2. Children's Data (COPPA Compliance)

Famli takes the privacy of children very seriously and is designed to comply with the Children's Online Privacy Protection Act (“COPPA”), 15 U.S.C. §§ 6501–6506, and the FTC's implementing regulations at 16 C.F.R. Part 312.

2.1 No Direct Accounts for Children Under 13

Famli does not allow children under 13 to create their own accounts. All Family Hub accounts are created and controlled by a parent or legal guardian (“Parent”).

2.2 Verifiable Parental Consent

By creating a Famli family account and entering information about your child, you represent that you are the child's parent or legal guardian and you consent to our collection, use, and storage of that information as described in this Privacy Policy. We treat the act of providing your own valid contact information (verified by email) and entering child information into the family account as the parent's verifiable consent for the limited purposes described here. If you are not the parent or guardian, do not create an account or enter child information.

2.3 What We Collect on Behalf of Children

See Section 1.2 above for the complete list of fields a parent may provide about a child. We only collect information that is reasonably necessary to operate the features the parent chooses to use, and we never require more child information than necessary.

2.4 How Children May Interact with the Service

Some features allow a child to interact with content the parent has set up — for example, viewing the family calendar on a shared device, tapping “done” on a practice log, or seeing badges earned for completed activities. Children do not create accounts, do not provide additional personal information, do not communicate with parties outside the family group, and are not shown targeted advertising or behavioral profiling.

2.5 Parental Rights

As the parent or guardian, you have the right to:

  • Review the personal information collected about your child at any time
  • Modify or correct your child's information from the Family Settings page
  • Delete your child's profile and all associated information
  • Refuse further collection of your child's information by deleting their profile
  • Request access, correction, or deletion at any time by emailing privacy@famli.io— we respond within 30 days

2.6 No Sale or Marketing of Children's Information

We never sell, rent, or share children's personal information with third parties for marketing or advertising purposes. We share child information only with: (a) service providers strictly necessary to operate the Service (listed in Section 5), (b) kids' activity providers you have explicitly linked to your family account, and (c) when required by law.

2.7 California Residents (Under 16)

California law (CCPA/CPRA) requires affirmative opt-in to any “sale” or “sharing” of personal information of minors under 16. Famli does not sell or share child data for cross-context behavioral advertising, so this does not apply — but should we ever change this practice, we would obtain opt-in consent from the parent (or the minor age 13–16) before doing so.

2.8 Data Retention for Children

Information collected about a child is retained only as long as it is needed for the features being used, the child remains in the family account, or as required by law. Upon deletion of a child's profile, all directly-identifiable child information (name, DOB, allergies, photos) is removed from our active systems within 30 days. See Section 6 for full retention details.

2.9 COPPA Contact

Parents may contact our COPPA point of contact for any questions about our practices regarding children's information: privacy@famli.io.

3. How We Use Your Information

We use collected information to:

  • Provide, operate, and maintain the Service
  • Aggregate family calendars from connected providers
  • Send transactional emails (booking confirmations, reminders, daily digests)
  • Process payments and manage subscriptions
  • Improve the Service through anonymized analytics
  • Detect fraud, abuse, and security threats
  • Comply with legal obligations

4. Cookies and Analytics

We use cookies and similar technologies for session management and analytics. Specifically:

  • Essential cookies: Required for authentication, session management, and content personalization. These cannot be disabled. This includes the fh_audience cookie, which stores whether you are browsing as a provider or family user so we can display relevant content.
  • Analytics cookies: We use PostHog for product analytics. These are only activated with your explicit consent via our cookie consent banner. You may opt out at any time.

We do not use advertising cookies or sell data to ad networks.

5. Third-Party Services

We share limited data with the following service providers, each bound by their own privacy policies:

  • Stripe — Payment processing. Stripe receives your billing details (name, email, payment method) to process subscription payments and provider payouts. Famli never stores full card numbers.
  • Resend — Transactional email delivery. Resend receives recipient email addresses and email content to deliver booking confirmations, reminders, and digest emails.
  • Sentry — Error tracking and performance monitoring. Sentry receives anonymized technical data (stack traces, device info) to help us identify and fix bugs.
  • PostHog — Product analytics (with consent). PostHog receives anonymized usage events to help us understand how the Service is used and improve it.
  • Amazon Web Services (S3) — File storage for uploaded documents. Files are encrypted at rest and in transit.
  • Vercel — Hosting and infrastructure. Vercel processes requests and may log IP addresses for security purposes.

6. Data Retention

  • Account data: Retained as long as your account is active. Upon account deletion, we remove your data within 30 days, except as required by law.
  • Child profiles and child-specific data: Retained while the child remains in the family account. Upon deletion (or when the parent removes the child from the family), name, DOB, allergies, medical notes, and photos are deleted from active systems within 30 days. Anonymized aggregate usage metrics (e.g., total practice hours, with no identifying fields) may be retained longer for product improvement.
  • Family messages: Soft-deleted after 90 days.
  • Documents: Retained until you delete them or close your account.
  • Location data: Real-time only; never persisted beyond the active pickup session.
  • Analytics data: Anonymized and aggregated after 12 months.
  • Payment records: Retained for 7 years per financial compliance requirements.

7. Your Rights

7.1 GDPR (European Users)

If you reside in the European Economic Area, you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate data
  • Request erasure of your data ("right to be forgotten")
  • Restrict or object to processing
  • Data portability (receive your data in a structured format)
  • Withdraw consent at any time

7.2 CCPA (California Residents)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how it is used
  • Request deletion of your personal information
  • Opt out of the sale of personal information (we do not sell your data)
  • Non-discrimination for exercising your privacy rights

To exercise any of these rights, contact us at privacy@famli.io.

8. Data Security

We implement industry-standard security measures including encrypted data transmission (TLS), encrypted storage for sensitive data, bcrypt password hashing, scoped database queries (business and family isolation), and regular security reviews. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

9. International Data Transfers

Our servers are located in the United States. If you access the Service from outside the US, your data may be transferred to and processed in the United States. We ensure appropriate safeguards are in place in compliance with applicable data protection laws.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on the Service or by email. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or your personal data, contact us at: