Privacy Policy · AI Pieces Ltd · FamilyCompass

We cannot read your data. By design.

This is not a policy promise. It is an architectural fact. FamilyCompass uses zero-knowledge end-to-end encryption: cryptographic keys are generated and stored on your device hardware. AI Pieces, as a company, has no mechanism to access your family's location, messages, or calendar — even under legal compulsion.

  • EU GDPR · Regulation 2016/679
  • UK GDPR · DPA 2018
  • US COPPA · FTC Rule
  • GDPR Art. 25 · Privacy by Design
  • AES-256-GCM · NIST FIPS 197
  • Signal Protocol · X3DH + Double Ratchet
  • ECDH P-256 · RFC 6090
  • TLS 1.3 · RFC 8446
  • iOS Secure Enclave · Android StrongBox

Zero-knowledge architecture.

Three cryptographic layers. One result: your data is yours alone.

Layer 01 · Key Generation

Hardware-Backed Key Storage

Cryptographic keys are generated inside the device's secure hardware enclave — iOS Secure Enclave or Android StrongBox. Keys never exist in application memory and cannot be extracted by software, including by AI Pieces code.

Secure Enclave · StrongBox

Layer 02 · Messaging Encryption

Signal Protocol End-to-End

All messages, voice calls, and video calls use the Signal Protocol: X3DH key agreement for session establishment, Double Ratchet algorithm for forward secrecy and post-compromise security, and per-message unique keys that are discarded after use.

X3DH · Double Ratchet · PQXDH

Layer 03 · Data at Rest & Transit

AES-256-GCM + TLS 1.3

Location data, calendar events, and all stored family data are encrypted at rest using AES-256-GCM — a symmetric AEAD (authenticated encryption with associated data) cipher with a 256-bit key. All transmission uses TLS 1.3, the current IETF standard for transport security.

FIPS 197 · RFC 8446

Layer 04 · Key Exchange

ECDH P-256 Key Agreement

Family group key exchange uses Elliptic Curve Diffie-Hellman (ECDH) over NIST P-256. Shared secrets are derived from public-key cryptography — no pre-shared secrets, no server-mediated key material. The server facilitates connection; it never sees plaintext keys.

NIST SP 800-56A · RFC 6090

Layer 05 · Database Security

Supabase RLS + Row-Level Encryption

The database enforces PostgreSQL Row Level Security (RLS) policies: no query can return a row belonging to a family other than the authenticated user's own. All sensitive columns store ciphertext, not plaintext, so even direct database access reveals no readable data.

Postgres RLS · AES-256

Layer 06 · Intrusion Detection

Canary Tokens + Honeypot Architecture

The system deploys canary tokens and honeypot entries throughout the database. Any unauthorised access attempt that traverses these records triggers an immediate alert — detecting intrusions that would otherwise be silent. This architecture exceeds standard security monitoring requirements.
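
The detection step described above, as an added example that is not FamilyCompass code: a canary row is a record that no legitimate application query ever selects, so any read of one is a high-confidence signal and needs no behavioural baseline. The audit-log line format, row identifiers and actor identifiers below are constructed for this example; the only design choices are that a write to a canary row is escalated above a read, and that unparseable log lines are counted rather than dropped silently, since a parser gap is itself a blind spot.

```python
import re
from dataclasses import dataclass

# Constructed canary row identifiers (placeholders, not FamilyCompass values).
# These rows are inserted into the real tables but never referenced by any
# legitimate query path, so any access to them is an alert by definition.
CANARY_ROW_IDS = frozenset({"loc_canary_7f3a", "msg_canary_19c2", "cal_canary_e51d"})

# Assumed audit-log line shape (constructed), one row touched per line:
#   ts=<ISO8601> actor=<id> table=<name> op=<SELECT|UPDATE|DELETE> row=<row id>
LOG_RE = re.compile(
    r"ts=(?P<ts>\S+) actor=(?P<actor>\S+) table=(?P<table>\S+) "
    r"op=(?P<op>\S+) row=(?P<row>\S+)"
)


@dataclass(frozen=True)
class CanaryAlert:
    ts: str
    actor: str
    table: str
    op: str
    row: str
    severity: str


def parse_access_line(line: str):
    """Return the parsed fields of one audit line, or None if it does not match."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def detect_canary_access(lines, canary_ids=CANARY_ROW_IDS):
    """Scan audit lines; return (alerts, malformed_count).

    A SELECT of a canary row means someone enumerated or bypassed the normal
    access path (severity "high"). A write to a canary row means the intruder
    is also tampering with or covering tracks in data (severity "critical").
    """
    alerts = []
    malformed = 0
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            malformed += 1  # count, do not silently drop: unparsed lines hide activity
            continue
        if rec["row"] in canary_ids:
            severity = "high" if rec["op"].upper() == "SELECT" else "critical"
            alerts.append(CanaryAlert(**rec, severity=severity))
    return alerts, malformed


def summarise_by_actor(alerts):
    """Count canary hits per actor, so a single noisy actor is visible at a glance."""
    counts = {}
    for a in alerts:
        counts[a.actor] = counts.get(a.actor, 0) + 1
    return counts


# Constructed sample audit log: two legitimate reads, one sequential scan that
# walks into a canary row, a benign service read, a write to a canary row, and
# one corrupt line.
SAMPLE_AUDIT_LOG = [
    "ts=2026-02-26T09:58:11Z actor=usr_a1 table=locations op=SELECT row=loc_00412",
    "ts=2026-02-26T09:58:12Z actor=usr_a1 table=locations op=SELECT row=loc_00413",
    "ts=2026-02-26T09:58:13Z actor=usr_a1 table=locations op=SELECT row=loc_canary_7f3a",
    "ts=2026-02-26T09:59:02Z actor=svc_backup table=messages op=SELECT row=msg_00077",
    "ts=2026-02-26T10:00:45Z actor=usr_b9 table=messages op=DELETE row=msg_canary_19c2",
    "garbage line that does not match the audit format",
]

if __name__ == "__main__":
    found, bad = detect_canary_access(SAMPLE_AUDIT_LOG)
    for alert in found:
        print(f"[{alert.severity}] {alert.ts} {alert.actor} {alert.op} {alert.table}/{alert.row}")
    print("per-actor:", summarise_by_actor(found), "malformed lines:", bad)
```

In a real deployment the alert list feeds the incident-handling process the page cites (NIST SP 800-61); the value of the technique is that the rule has essentially no false positives, because the only way to touch a canary row is to read outside the application's own query paths.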

NIST SP 800-61 · Incident Detection

Detailed Policy

Full Privacy Policy

Effective date: 26 February 2026  ·  Version: 3.0  ·  Data controller: AI Pieces Ltd, Kerry, Ireland  ·  ICO Registration: Pending (UK)  ·  DPC Registration: Pending (IE)

§ 1 Data Controller Identity

The data controller for FamilyCompass is AI Pieces Ltd, a company incorporated in Ireland, operating under the jurisdiction of the Data Protection Commission (DPC) of Ireland as the EU supervisory authority, and the Information Commissioner's Office (ICO) as the UK supervisory authority for UK data subjects.

AI Pieces Ltd is subject to Regulation (EU) 2016/679 (GDPR), the UK General Data Protection Regulation and Data Protection Act 2018, and the United States Federal Trade Commission's Children's Online Privacy Protection Rule (COPPA) in respect of its US users.

§ 2 Applicable Law by Jurisdiction

  • 🇪🇺 European Union: EU GDPR
  • 🇬🇧 United Kingdom: UK GDPR / DPA 2018
  • 🇺🇸 United States: COPPA / FTC

§ 3 Lawful Basis for Processing

Under GDPR Article 6, every processing activity requires a documented lawful basis. AI Pieces relies on the following:

  • Contract performance (Art. 6(1)(b)): Account creation, family group management, location sharing, calendar synchronisation, and messaging are necessary to perform the FamilyCompass service contract.
  • Explicit consent (Art. 6(1)(a) / Art. 9(2)(a)): Real-time GPS location sharing, biometric authentication enrolment, and health-adjacent data (elderly care monitoring, baby development tracking) require explicit, granular, revocable consent at the point of enabling each feature.
  • Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, and technical logging — balanced against user rights, with interests assessment documented and available on request.
  • Legal obligation (Art. 6(1)(c)): Retention of certain records where required by applicable law in Ireland, the UK, or the US.

§ 4 Personal Data Processed

FamilyCompass processes the following categories of personal data, each with a documented purpose, retention period, and lawful basis:

  • Identity data: Display name, email address, family role. Purpose: account management and family group membership. Retention: duration of account plus 30 days after deletion request.
  • Location data: Real-time GPS coordinates, geofence trigger events, last-known location. Encrypted end-to-end — not readable by AI Pieces. Purpose: family compass feature. Consent-gated. Retention: configurable by user; default 24-hour rolling window.
  • Communication content: Messages, call metadata, shared media. Encrypted end-to-end using Signal Protocol. Content is not accessible to AI Pieces. Metadata (timestamp, sender ID — not content) retained for 72 hours for delivery assurance.
  • Calendar data: Events, schedules, availability. Encrypted at rest. Synced with device calendar only with explicit user permission. Retention: duration of account.
  • Technical data: App version, device OS type (not device ID), crash reports (anonymised). Purpose: service quality. No advertising identifiers are collected or processed.
  • Children's data (where applicable): Subject to COPPA and GDPR Art. 8 — processed only with verifiable parental consent for users under 13 (US) or under 16 (EU/UK default, may vary by member state).

Data Minimisation — GDPR Art. 5(1)(c)

We collect the minimum necessary. Nothing more.

In accordance with the data minimisation principle under GDPR Article 5(1)(c) and the EDPB's Guidelines 4/2019 on Article 25, FamilyCompass does not collect advertising identifiers, device fingerprints, contact lists, call logs from the device's native phone app, browsing history, or any data not directly necessary for family coordination functionality. Advertising SDKs are not integrated into the codebase.

§ 5 Cryptographic Standards & Technical Security

The following cryptographic primitives and standards govern data security across FamilyCompass. All implementations conform to published, peer-reviewed specifications. No proprietary cryptography is used.

| Primitive | Application | Standard / Specification | Body |
|---|---|---|---|
| AES-256-GCM | Data at rest: location records, calendar events, stored messages | NIST FIPS 197 (updated May 2023) | FIPS |
| Signal Protocol (X3DH + Double Ratchet) | End-to-end encrypted messaging, voice & video calls | X3DH Spec · Double Ratchet Spec | Signal Foundation |
| ECDH P-256 | Family group key exchange and session key derivation | NIST SP 800-56A Rev. 3 · RFC 6090 | NIST |
| TLS 1.3 | All network transmission between app and server | RFC 8446 (IETF, 2018) | IETF |
| HKDF-SHA-256 | Key derivation function for session key material | RFC 5869 (IETF HMAC-based KDF) | IETF |
| Ed25519 / Curve25519 | Identity key signing and ephemeral key agreement in Signal Protocol | RFC 8032 (Edwards-Curve DSA) | IETF |

Forward Secrecy & Post-Compromise Security

The Double Ratchet algorithm provides continuous re-keying.

The Signal Protocol Double Ratchet algorithm derives a unique encryption key for every single message. Once a message is decrypted, the key is discarded. This means that even if an attacker obtained a device's current session state, they could not decrypt past messages (forward secrecy) and future messages would regain security after ratchet advancement (post-compromise security). This property is formalised in academic literature as "break-in recovery" and provides a materially stronger security model than static key encryption.
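
The forward-secrecy mechanism described here (and in Layer 02 above), as an added example that is not FamilyCompass or Signal Foundation code: a symmetric-key ratchet of the kind that runs inside each Double Ratchet sending/receiving chain. Each step feeds the current chain key through HKDF-SHA-256 (RFC 5869, implemented by hand below so the block runs on the standard library) to produce the next chain key and a one-time message key, then overwrites the old chain key. The info label and the root key are placeholders; Signal's specification uses fixed HMAC constants for its chain KDF rather than HKDF with a label, so the derivation here is illustrative of the property, not a re-implementation of the spec. The block shows why a copied chain state yields future keys but not past ones. Break-in recovery (post-compromise security) comes from the separate Diffie-Hellman ratchet, which is not shown.

```python
import hashlib
import hmac
from dataclasses import dataclass

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM); an empty salt means HashLen zero bytes."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: OKM = T(1) || T(2) || ..., T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


# Assumption: any fixed, application-unique label; not a FamilyCompass value.
CHAIN_INFO = b"example-symmetric-ratchet-v1"


@dataclass
class SymmetricRatchet:
    """One KDF chain: chain_key -> (next chain_key, message_key), one step per message."""
    chain_key: bytes
    index: int = 0

    def next_message_key(self) -> tuple[int, bytes]:
        okm = hkdf(self.chain_key, b"", CHAIN_INFO, 2 * HASH_LEN)
        next_chain_key, message_key = okm[:HASH_LEN], okm[HASH_LEN:]
        # The old chain key is overwritten and never stored anywhere else. Because
        # HKDF is one-way, nothing in the remaining state lets anyone walk the chain
        # backwards. (Python cannot guarantee the old bytes are zeroed in memory;
        # a production implementation would use a language/API that can.)
        self.chain_key = next_chain_key
        idx = self.index
        self.index += 1
        return idx, message_key  # message_key would key an AEAD such as AES-256-GCM, then be discarded

    def snapshot(self) -> "SymmetricRatchet":
        """Model an attacker copying the live chain state off a device."""
        return SymmetricRatchet(self.chain_key, self.index)


def simulate_compromise(root_key: bytes, compromise_after: int, total: int) -> tuple[int, int]:
    """Return (past_recovered, future_recovered): how many of `total` message keys an
    attacker who copies the chain state after `compromise_after` messages can reproduce."""
    sender = SymmetricRatchet(root_key)
    real_keys = {}
    for _ in range(compromise_after):
        i, k = sender.next_message_key()
        real_keys[i] = k
    stolen = sender.snapshot()  # compromise happens here
    for _ in range(total - compromise_after):
        i, k = sender.next_message_key()
        real_keys[i] = k

    attacker_keys = {}
    for _ in range(total - compromise_after):
        i, k = stolen.next_message_key()
        attacker_keys[i] = k

    past = sum(
        1 for i in range(compromise_after)
        if any(hmac.compare_digest(real_keys[i], ak) for ak in attacker_keys.values())
    )
    future = sum(
        1 for i in range(compromise_after, total)
        if i in attacker_keys and hmac.compare_digest(real_keys[i], attacker_keys[i])
    )
    return past, future


if __name__ == "__main__":
    root = bytes(range(32))  # constructed root key for the demonstration only
    past, future = simulate_compromise(root, compromise_after=3, total=6)
    print(f"attacker recovers {past} of 3 past keys and {future} of 3 future keys")
```

The symmetric chain alone protects history: until the DH ratchet introduces fresh entropy, every future key is derivable from the stolen state, which is exactly why the Double Ratchet pairs the two mechanisms.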

Hardware-backed key storage — iOS and Android:

iOS Secure Enclave

Cryptographic keys for FamilyCompass are generated inside the Apple Secure Enclave — a dedicated security subsystem with its own isolated memory and microkernel. Private keys never leave the enclave and are bound to the specific device. Even if the main iOS operating system were compromised, the Secure Enclave keys remain inaccessible.

Apple Platform Security: Secure Enclave ↗

Android StrongBox

On Android, keys are stored in StrongBox Keymaster — a hardware security module within the main SoC (or a dedicated chip on qualifying devices) that implements the Android Keystore system. StrongBox operations occur in isolated hardware with tamper resistance, separate from the main application processor.

Android Keystore System Documentation ↗

§ 6 Data Retention & Storage Limitation

Under the storage limitation principle of GDPR Article 5(1)(e), personal data must not be retained longer than necessary for its stated purpose. AI Pieces implements the following retention schedule:

  • Real-time location data: User-configurable. Default: 24-hour rolling window. Maximum: 30 days. Location history beyond the user's retention setting is irreversibly deleted from all servers on a daily basis.
  • Encrypted message content: Stored only until delivered and acknowledged. Undelivered messages held maximum 30 days, then purged. Delivered messages: content lives only on end-user devices; server holds only encrypted delivery receipts for 72 hours.
  • Calendar events: Retained for the duration of the account. Permanently deleted within 30 days of account deletion request.
  • Authentication logs: 90 days for security monitoring purposes (legitimate interest lawful basis). Anonymised thereafter.
  • Crash reports and technical logs: 30 days, anonymised at ingestion (no linkage to user identity).
  • Account data post-deletion: All personal data purged within 30 calendar days of confirmed deletion request. Cryptographic keys are destroyed; encrypted records become permanently unrecoverable.

§ 7 Your Rights as a Data Subject

Under EU GDPR, UK GDPR/DPA 2018, and COPPA (for US users with children's accounts), you hold the following enforceable rights:

Right of Access

Obtain a copy of all personal data held about you and information about how it is processed. Fulfilled within one calendar month.

GDPR Art. 15 · ICO: Right of access

Right to Erasure

Request permanent deletion of all your personal data ("right to be forgotten"). Account deletion wipes all identifiable records within 30 days. Encrypted data becomes permanently inaccessible.

GDPR Art. 17 · ICO: Right to erasure

Right to Data Portability

Export your family's data in a structured, machine-readable format (JSON/CSV). Calendar events, location history within your retention window, and account data can be downloaded from within the app.

GDPR Art. 20

Right to Rectification

Correct inaccurate or incomplete personal data held about you. Most data (display names, preferences) is editable directly in the app. Submit corrections for any server-held data to support@aipieces.org.

GDPR Art. 16

Right to Restrict Processing

Request that processing of your data be restricted while a complaint or accuracy dispute is resolved. Processing limited to storage only during the restriction period.

GDPR Art. 18

Right to Object

Object to processing based on legitimate interests at any time. AI Pieces will cease processing unless compelling legitimate grounds can be demonstrated that override your interests.

GDPR Art. 21

Right to Withdraw Consent

Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal. Location sharing, for example, can be disabled instantly within the app.

GDPR Art. 7(3)

Parental Rights (COPPA / GDPR Art. 8)

Parents or guardians of children under 13 (US) or 16 (EU/UK) may review, correct, or delete their child's data at any time. Verifiable parental consent is required before any data processing for these users.

COPPA 16 CFR Part 312 · GDPR Art. 8

To exercise any of these rights, contact support@aipieces.org. Requests are fulfilled within one calendar month. Complex requests may be extended by a further two months with notification. Requests are fulfilled at no charge. You also have the right to lodge a complaint with your supervisory authority: DPC Ireland (EU), ICO (UK), or FTC (US).

§ 8 Third-Party Processors & Data Sharing

AI Pieces does not sell, rent, trade, or share personal data with third parties for commercial purposes. No advertising networks, data brokers, or behavioural analytics platforms have access to user data. This is consistent with the FTC's January 2024 enforcement action against location data brokers, and positions FamilyCompass in direct contrast to data-monetising family tracking applications.

  • Supabase (database and authentication infrastructure): Processes encrypted data only. Data processed under a Data Processing Agreement (DPA) compliant with GDPR Art. 28. Data residency: EU (Ireland/EU-West). Supabase has no access to plaintext family data. Supabase Privacy Policy ↗
  • Apple Push Notification Service (APNs) / Google Firebase Cloud Messaging (FCM): Delivery of push notifications. Notification content is end-to-end encrypted; only a notification trigger (not content) passes through these services. Subject to Apple's Privacy Policy and Google's Privacy Policy.
  • Legal disclosure: AI Pieces will comply with valid legal process (court orders, warrants) as required by applicable law. Due to zero-knowledge architecture, the maximum we can provide is encrypted ciphertext. We will notify affected users of legal demands to the extent permitted by law, and will contest overbroad demands.

Zero-Knowledge Consequence

A court order cannot unlock what we do not hold.

Because cryptographic keys are generated and stored in user device hardware (iOS Secure Enclave / Android StrongBox), AI Pieces holds only ciphertext on its servers. Compliance with a data disclosure order means delivering encrypted bytes that are computationally unreadable without the private keys held exclusively by the data subject. This is not a policy stance — it is the mathematical consequence of the architecture.

§ 9 International Data Transfers

FamilyCompass user data is stored in the European Union (Ireland / EU-West). Where data must transit to non-EEA countries (e.g., push notification delivery through US-based infrastructure), AI Pieces ensures that transfers comply with GDPR Article 46 through: Standard Contractual Clauses (SCCs) adopted by the European Commission, adequacy decisions (the UK holds an EU adequacy decision granted in 2021), or Binding Corporate Rules where applicable.

For UK-to-EU transfers, the EU's adequacy decision for the UK under GDPR Article 45 permits data to flow without additional safeguards. For US-to-EU transfers involving US service processors, SCCs are in place for all data processing agreements.

§ 10 Children's Privacy — COPPA & GDPR Art. 8

FamilyCompass includes features designed for family use that may involve children: geofence alerts for school arrivals, shared calendar entries, and messaging. AI Pieces takes children's privacy seriously across all applicable frameworks.

  • Age threshold — US: Under the COPPA Rule (16 CFR Part 312), verifiable parental consent is required before collecting any personal data from children under 13.
  • Age threshold — EU/UK: Under GDPR Article 8, consent for information society services requires parental authorisation for children under 16 (some EU member states permit lower thresholds down to 13; AI Pieces applies 16 as the default).
  • No behavioural advertising: Children's data is never used for advertising, profiling, or AI training. No advertising SDK is present in the codebase.
  • Parental access and deletion: Parents may at any time request access to, correction of, or deletion of their child's data by contacting support@aipieces.org with account verification.
  • Additional encryption: Children's data (location records, messages) receives the same AES-256-GCM and Signal Protocol protections as all other user data, with no derogations.

§ 11 Privacy by Design & Default — GDPR Art. 25

GDPR Article 25 requires controllers to implement data protection by design and by default — taking into account state of the art, cost, and risk at the time of determining the means of processing. FamilyCompass was architected from first principles to satisfy and exceed this obligation:

  • Privacy by design: End-to-end encryption is not a feature that can be disabled — it is the underlying transport. Location sharing is disabled by default and requires active opt-in from each family member individually.
  • Privacy by default: The most privacy-protective settings are the defaults. GPS precision degrades gracefully when battery-saving mode is active. No data is shared with any family member without explicit configuration.
  • Data minimisation by design: The app requests only the permissions necessary for each feature (location access requested contextually, not at install). No omnibus permission requests on first launch.
  • EDPB compliance: Architecture is consistent with the European Data Protection Board's Guidelines 4/2019 on Article 25 Data Protection by Design and by Default.

§ 12 Security Incident Response

In the event of a personal data breach, AI Pieces will comply with the mandatory notification obligations under GDPR Article 33 (notification to supervisory authority within 72 hours) and Article 34 (notification to affected data subjects without undue delay where the breach is likely to result in high risk to their rights and freedoms). Identical obligations apply under UK GDPR.

Breach Impact Limitation

Zero-knowledge architecture fundamentally limits breach impact.

Because FamilyCompass stores only ciphertext on its servers, a server-side breach exposes no readable personal data. The only data accessible from a server breach would be: anonymised crash logs, encrypted binary blobs, and delivery metadata. Message content, location data, and calendar entries are inaccessible without the private keys held on user devices. This architectural property is the most effective single mitigation against breach impact available under current cryptographic practice — consistent with the NIST SP 800-61 Computer Security Incident Handling Guide.

§ 13 Changes to This Policy

Material changes to this Privacy Policy will be communicated via in-app notification and email at least 30 days before the effective date. The version history of this policy is maintained and previous versions are available on request. Continued use of FamilyCompass after the effective date of changes constitutes acceptance of the updated policy. Where changes require new consent (e.g., a new processing purpose), a fresh consent flow will be presented in-app.

Effective date: 26 February 2026  ·  Last reviewed: 26 February 2026  ·  Version: 3.0  ·  Next scheduled review: 26 August 2026

Privacy questions & rights requests.

All privacy inquiries are answered within 72 hours. Rights requests (access, erasure, portability, restriction) are fulfilled within one calendar month under GDPR Article 12.

Privacy Officer

support@aipieces.org

Data Protection Officer

support@aipieces.org

General Support

support@aipieces.org

Supervisory authorities: DPC Ireland (EU) · ICO (UK) · FTC (US)