Privacy Policy

Last updated: March 24, 2026 · Effective: March 24, 2026

TinyFrame ("we," "us," "our") is a family time capsule app that helps parents capture and preserve memories for their children. This policy explains what data we collect, why, and how we protect it.

1. What We Collect

Parent account data:

• Email address (for login and account recovery)
• Birth year (for age verification — COPPA compliance)
• Age attestation timestamp

Children's data (provided by parent):

• Name and optional nickname
• Date of birth (used for time-lock unlock dates)
• Photos and videos
• Letters written by parents
• Voice notes (premium feature)

Device data:

• Unique device identifier (for authentication)
• IP address (logged by our infrastructure provider)

2. Why We Collect It

• Provide time-locked photo capsules that unlock at specified ages
• Enable parents to create and manage family chapters
• Share chapters with invited family members
• Process subscription payments
• Maintain account security

3. How Long We Keep It

• While your account is active: All data stored to provide the service
• After account deletion: Data removed from production servers within 30 days
• Backup retention: Deleted from encrypted backups within 90 days
• Billing records: Parent email retained for 1 year post-deletion for billing/tax compliance

4. Who We Share Data With

Service providers (necessary for app functionality):

• Supabase — Database, authentication, cloud storage (stores photos and metadata)
• RevenueCat — Subscription management (receives parent user ID only, not children's data)
• Apple — App Store, payment processing

Family members you invite:

• Invited users can view chapters you share with them
• Shared data remains under the parent's control

We do NOT share data with:

• Advertisers or advertising networks
• Analytics companies
• Data brokers
• Any third party for marketing purposes

5. Children's Privacy (COPPA)

TinyFrame is designed for parents, not children. Parents provide and manage all children's data. Under the Children's Online Privacy Protection Act (COPPA):

• We collect children's information only with parental consent
• Parents can review, modify, or delete their child's data at any time
• Parents can revoke consent by deleting the child's profile or their account
• We do not condition a child's participation on providing more data than necessary

We do not use facial recognition, emotion analysis, or voice identification on children's photos or recordings.

6. Your Rights

You have the right to:

• Access — View all data we store about you and your children
• Delete — Delete your account and all associated data (Settings → Account → Delete Account)
• Correct — Edit your children's information at any time
• Object — Contact us to object to specific data processing
• Export — Request a copy of your data by emailing us

7. Data Security

• All data transmitted over HTTPS (TLS 1.3)
• Database encrypted at rest
• Row-level security policies restrict data access to authorized users
• Authentication tokens stored securely on device

No system is 100% secure. We implement industry-standard protections but cannot guarantee absolute security.

8. International Users

EU Users (GDPR): Our legal basis for processing is parental consent. You have rights to access, rectification, erasure, and data portability. Our data processor is Supabase (infrastructure hosted in the US).

California Users (CCPA/CPRA): We do not sell personal information. You may request access or deletion by contacting us. We do not discriminate against users who exercise privacy rights.

9. Changes to This Policy

We may update this policy. Material changes will be communicated via in-app notification and email to account holders. Continued use after changes constitutes acceptance.

10. Contact Us

Privacy questions or requests:

• Email: privacy@tinyframe.app

Complaints:

• US: FTC
• EU: Contact your local data protection authority
• California: California AG