Privacy Policy

FamilyBrain is a UK-based family assistant product that helps households organise their calendar events, store important documents, capture memories, and manage daily life — all through WhatsApp. FamilyBrain is operated as a private product and is not currently a registered company; the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 is the FamilyBrain service operator.

For any privacy-related enquiries, please contact us at privacy@familybrain.co.uk.

We collect only the data necessary to provide the FamilyBrain service. The table below describes each category of data we process.

We use your data solely to provide and improve the FamilyBrain service. We do not sell your data, share it with advertisers, or use it for any purpose unrelated to the service you have requested.

AI Processing (OpenAI)

When you send a message to FamilyBrain, the text content is sent to OpenAI's API to extract structured information (such as event details, document type, and action items), generate a semantic embedding for search, and compose a helpful reply. OpenAI processes this data as a data processor acting on our instructions. Your messages are not used to train OpenAI's models under our API agreement.

Calendar Synchronisation (Google Calendar API)

If you choose to connect your Google Calendar, FamilyBrain will read your upcoming events to provide reminders and context, and will write new events when you ask the bot to add something to your calendar. This connection is entirely optional and can be revoked at any time from your Google Account settings at myaccount.google.com/permissions.

Document Storage (Supabase / PostgreSQL)

Extracted text from your messages, documents, and photos is stored in a PostgreSQL database hosted by Supabase. This allows FamilyBrain to answer questions about information you have previously shared. All data is stored in the European Union (Ireland region) and is encrypted at rest and in transit.

WhatsApp Messaging (Meta Platforms, Inc.)

All WhatsApp messages are sent and received via the Meta WhatsApp Cloud API. Meta Platforms, Inc. processes your phone number and message content in order to route messages to and from the FamilyBrain bot. Meta's data processing is governed by their Data Processing Addendum.

Morning Briefings & Alerts

FamilyBrain may send you proactive WhatsApp messages, such as a morning summary of the day's events or an alert about an upcoming document expiry. These are generated from data you have already stored and are sent only to registered family members.

Under UK GDPR, we rely on the following legal bases for processing your personal data:

We use a small number of carefully selected third-party data processors. Each processor is bound by a Data Processing Agreement (DPA) and processes your data only on our instructions.

We keep your data for as long as your FamilyBrain account is active. We do not automatically delete your data after a fixed period of time — your memories, calendar events, documents, and family information stay in FamilyBrain for as long as you want them there.

You are in control. You can delete your personal data at any time using the /delete-my-data command, or request a full family data wipe using the /delete-all-family-data command. See Section 8 for full details of our tiered deletion process.

There is one narrow exception to this principle:

• Google Calendar tokens — if you disconnect your Google Calendar (either from within FamilyBrain or via your Google Account settings), the OAuth access token is deleted immediately and automatically, as it is no longer needed.

Note on files: Raw images, PDFs, and voice notes are stored securely alongside their extracted text or transcriptions. They are subject to the same retention rules as all other data and are not automatically deleted after processing.

If you close your account or ask us to delete your data by email, we will complete the deletion within 30 days and confirm once it is done.

As a data subject under the UK GDPR and the Data Protection Act 2018, you have the following rights. You can exercise any of these rights by contacting us at privacy@familybrain.co.uk or by using the in-bot commands described in Section 8.

We will respond to all rights requests within one calendar month. In complex cases we may extend this by a further two months, in which case we will notify you within the first month.

Because FamilyBrain is a shared household tool, we use a tiered deletion system to ensure you can always delete your own data, while preventing one person from accidentally deleting the entire family's shared history without consensus. Deletion is permanent and cannot be undone.

Tier 1: Personal Deletion (Instant)

To delete only the data that you submitted, send the following command to the bot:

/delete-my-data

The bot will ask you to confirm by replying DELETE. Once confirmed, all memories, documents, and calendar events submitted from your phone number will be permanently deleted immediately. This does not require approval from other family members.

Tier 2: Full Family Wipe (Consensus Required)

To delete all data for the entire family (including data submitted by other members), send:

/delete-all-family-data

Because this affects everyone, it requires consensus. When you send this command, the bot will message all registered adult members of your family asking them to confirm. All members must reply YES within 48 hours. Once the final member confirms, the entire family's data is permanently deleted, including:

• All stored memories, notes, and document extracts
• All raw PDF, image, and audio files
• All calendar events
• All briefing and notification logs
• Any generated emergency PDF files

If 48 hours pass without full consensus, the request expires and no data is deleted.

Option 3: Email request

You can also send an email to privacy@familybrain.co.uk with the subject line "Data Deletion Request" and include the WhatsApp phone number(s) associated with your family. We will complete the deletion within 30 days and confirm by email.

Children as data subjects

Although children are not users of FamilyBrain, information about children may be stored as part of a family's data. For example, an adult user may store a child's name in a calendar event (such as a school sports day), a school letter, or a medical appointment. In these cases:

• The child is a data subject but not a user of the service.
• The adult account holder acts as the data controller in relation to their child's information, and FamilyBrain processes that information on the adult's behalf.
• Children's data stored in this way is subject to the same retention, deletion, and security rules as all other family data (see Section 6 and Section 8).
• Children's data is never shared with third parties beyond the data processors listed in Section 5, and is never used for advertising, profiling, or any purpose unrelated to providing the family assistant service.

Parental responsibility

By using FamilyBrain and storing information that relates to a child under the age of 18, the adult account holder confirms all of the following:

• They have parental responsibility for the child, or are otherwise legally authorised to store and process information about that child.
• They have considered whether it is appropriate to store the child's information in the service, and are satisfied that doing so is in the child's best interests.
• They understand that the child's information will be processed by the data processors listed in Section 5 (OpenAI, Meta Platforms, Inc., Supabase, Google Calendar API, Railway) as part of the normal operation of the service.
• They accept responsibility for ensuring that any information stored about a child is accurate and up to date.

No direct collection from children

FamilyBrain does not knowingly collect personal data directly from children. The service requires a WhatsApp account and active engagement with the bot; both of these require the user to be an adult. If we become aware that a child has accessed the service directly, we will take steps to remove their data and close their access.

Scope of the UK Children's Code

The UK Age Appropriate Design Code (Children's Code) applies to online services that are likely to be accessed by children. FamilyBrain is an adults-only service. We do not market to children, we do not design features to appeal to children, and we require users to confirm they are 18 or over at onboarding. Accordingly, the Children's Code does not apply to FamilyBrain. Should our service scope change in future, we will reassess this position and update this policy accordingly.

FamilyBrain uses only essential session cookies on its web pages (such as the family calendar page). We do not use tracking cookies, advertising cookies, analytics cookies, or any third-party cookies of any kind.

Because we use only strictly necessary cookies, we are not required by law to obtain your consent before setting them. However, we inform you of their use here in the interest of full transparency.

Some of our data processors are based outside the UK or process data in countries outside the UK. Where this occurs, we ensure that appropriate safeguards are in place as required by UK GDPR Chapter V.

We may update this Privacy Policy from time to time to reflect changes in the service, changes in applicable law, or feedback from users. When we make material changes, we will notify registered family members via WhatsApp at least 14 days before the changes take effect.

The "Last updated" date at the top of this page will always reflect the most recent revision. We encourage you to review this policy periodically. Continued use of FamilyBrain after the effective date of any changes constitutes your acceptance of the updated policy.

Previous versions of this policy are available on request by emailing privacy@familybrain.co.uk.

If you have any questions about this Privacy Policy, wish to exercise your rights, or have a concern about how we handle your data, please contact us using the details below.