Privacy Policy
Last updated: 2026-05-08.
What we collect
- Account data: email address, sign-in timestamps, tenant membership.
- Content you upload: photos, tags, memories, family-tree data. Uploads are auto-scanned for CSAM via Cloudflare's CSAM Scanning Tool.
- Face data: when face-recognition is enabled, AWS Rekognition generates a 128-dimensional face descriptor (a vector, not a photo) which we store in a private R2 collection and use to suggest tags within the same tenant.
- Operational logs: request IPs, user-agent strings, error stack traces. Retained 30 days for abuse response.
- Billing data: paid plans are not yet active. When they are, payments will be processed by a third-party Merchant of Record; we will never see card numbers, and this section will be updated with the specific processor before any charges occur.
How we use it
- Operate the service: serve images, process tags, send sign-in emails.
- Bill: meter usage and charge for paid plans.
- Safety: detect CSAM, abuse, and ToS violations.
- Communicate: tenant-related notices and security-critical announcements.
We do not sell your data. We do not use your photos to train AI models. We do not show your data to anyone outside your tenant unless legally compelled or to investigate a credible safety report.
Subprocessors
- Cloudflare — Pages, Workers, R2 storage, D1 database, CSAM scanning.
- Amazon Web Services — Rekognition (face descriptors only; the face image is sent at request time and not stored on AWS).
- Resend — transactional email delivery (sign-in codes).
A payment processor will be added to this list before paid plans go live.
Face-recognition opt-out
Workspace hosts can disable face-recognition for the entire workspace in Settings. When disabled, no new descriptors are generated and existing descriptors are deleted within 30 days.
Children
KindredPics is not directed at children under 13. Uploads of children appear in a family archive context only with explicit consent from a parent or legal guardian. We do not knowingly collect personal information directly from children under 13.
Your rights (GDPR / CCPA / similar)
- Request a copy of your data: privacy@kindredpics.com — we'll deliver a ZIP within 30 days.
- Request deletion: workspace hosts can delete the entire workspace from Settings; this wipes D1 rows + R2 objects within 7 days. Members can delete their own uploads at any time.
- Request a copy held by a subprocessor: we'll route the request to them on your behalf or give you their direct contact.
Retention
- Photos and tags: until you delete them, or until 30 days after the subscription cancellation grace period ends.
- Magic-link tokens: 15 minutes (live) plus 30 days (audit).
- Operational logs: 30 days.
- Billing records: 7 years (legal requirement).
Security
All transport over TLS. R2 objects accessible only via auth-gated Worker. D1 access via parameterized prepared statements. Magic-link tokens stored as SHA-256 hashes (the raw token never touches the database). HttpOnly + Secure + SameSite=Strict cookies.
Data location
Cloudflare colos and R2 buckets are globally distributed; for new tenants we default to the closest CF region. AWS Rekognition runs in us-west-2.
Contact
Privacy questions: privacy@kindredpics.com.