Privacy Policy

This policy explains how beinand ("we", "us") processes personal data when you and your relatives use our private family network, in line with the EU General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG).

1. Who is responsible

In short: we run and secure beinand; your household decides what to record about people, and we share responsibility for that.

The controller is Philipp Zöchner, Sackstraße 26, 8010, Graz (VAT ). For any data-protection matter — including to exercise your rights, withdraw consent, or request our processor list or transfer safeguards — contact us at hello@beinand.app. Full operator details are in our Imprint. We have not appointed a Data Protection Officer.

For the family content you and your relatives create, we act as a joint controller with your household (Art. 26 GDPR) in respect of the functions we organise. In essence: we are responsible for hosting and storage, security, the visibility engine, retention and for answering your data-subject requests; your household (represented by its founder/owner) is responsible for the accuracy and lawfulness of the content it enters about people. You can exercise your rights against us directly (Art. 26(3) GDPR); where needed we route a request to the right place. We are the sole controller for your account, billing, security and operational logs. The essence of the arrangement is summarised here; the full terms are available on request.

2. What data we process

In short: your account, the family content you and your relatives create, photos, and the technical data needed to run the service.

• Account data: name, email address, language preference, password hash, two-factor/passkey credentials, sessions.
• Family-tree & wiki content: names, dates, places, relationships, stories, notes and documents about you and your relatives — living and deceased.
• Photos and their metadata. When you select a photo, we read its embedded EXIF data to pre-fill the capture date and, if present, the GPS coordinates of where it was taken; you can confirm, change or clear these before saving, and the place name is a free-text field you type yourself. If you save coordinates, they are stored with the photo and visible to the same household members who can see the photo. To share less, remove location data from a photo before uploading, or simply clear the suggested coordinates. We read only what we need for these features (data minimisation, Art. 5(1)(c) GDPR). Where enabled, we also process biometric face data (a mathematical face template) used to recognise people.
• Special categories of data (Art. 9 GDPR) that family records can contain — for example religion, health (including cause of death), ethnic origin or relationships.
• Usage & technical data needed to run and secure the service (log files, device/browser data, and push-notification subscriptions you opt into — you can turn push notifications off again at any time under Settings, or in your browser or device settings).
• Billing/sponsorship data where a member pays for a household plan.

3. Why we process it, and our legal bases

In short: to give you the service, on the legal grounds the GDPR requires for each purpose.

• To provide the service (your account, the app's features) — performance of a contract, Art. 6(1)(b).
• Your own profile and content — your consent and/or the contract, Art. 6(1)(a)/(b).
• Data about living relatives entered by other members — our and the family's legitimate interest, Art. 6(1)(f). Our specific interest is operating the family-history service our members signed up for and keeping the shared tree accurate, connected and useful; the family's interest is preserving its shared history. We carried out a balancing test (a legitimate-interests assessment), which we make available on request; this basis does not extend to making anyone's data public, and you can object at any time (section 10).
• Face recognition (biometric data) — your explicit consent, Art. 9(2)(a). It is off by default and opt-in per person; we only compute and store a face template for the deceased or for a living person who has switched recognition on for themselves. A non-biometric alternative (manual tagging) is always available, and you can withdraw at any time, after which we delete your template.
• Other special-category data in records (e.g. health, religion) — only on the basis of explicit consent or another Art. 9(2) condition. Please do not enter sensitive data about living people who have not agreed to it; where such data is entered without a valid basis, we will restrict or erase it on request or objection.
• Security, abuse prevention and logging — our legitimate interest in a safe service, Art. 6(1)(f).
• Proof of your consent and acceptance — when you sign up, we record which version of these terms and of this policy you accepted, and when. We keep this short record so we can demonstrate the legal basis for processing (accountability, Art. 7(1) GDPR); it is part of your account data and is removed when your account is deleted.
• Billing — contract and our legal record-keeping obligations, Art. 6(1)(b)/(c).

The table below summarises how we use the main categories of data. It is a quick reference only; the binding detail is in sections 2, 3 and 9.

4. Is providing data required?

In short: only your name and email are required; everything else is optional.

Your account data (name, email) is necessary to create and operate your account — without it we cannot provide the service. Everything else — profile content, photos, turning on face recognition, any sensitive entries — is voluntary; not providing it only means reduced functionality, with no other consequence.

5. If a relative entered your data

In short: when someone adds you, you still have all your rights, and this is how we inform you.

Much of the information here is provided by one family member about another, rather than by you directly. Where we hold data about you that we did not receive from you, the categories are those listed in section 2, and the source is the relevant member of your family (and, in some cases, a genealogy file such as a GEDCOM that a member imported, which may itself draw on family documents or publicly accessible registers). We provide this Art. 14 GDPR information when you are invited or first contacted; where you have no account and cannot reasonably be contacted, the law (Art. 14(5)(b)) recognises that individual notice may not be possible, and this public policy serves that purpose. You have the same rights as everyone else (section 10).

6. Who can see your data

In short: only your family, within your sharing settings — never advertisers, and we never train AI on your content.

Family content is visible only within your household, and within it only to the people your sharing settings allow. Living people are private by default. We do not sell your data, not use it for advertising or profiling, and never train artificial-intelligence or machine-learning models on your content. Our staff access a household's data only where necessary to provide support or operate or secure the service.

7. Processors and recipients

In short: a few named EU providers help us run the service, under strict contracts.

We use a small number of vetted service providers ("processors") under data-processing agreements (Art. 28 GDPR), each bound to act only on our instructions: Hetzner (hosting and database), Bunny.net (media storage and delivery, and encrypted backups) and Lettermint (transactional email delivery, hosted in the EU). Biometric face matching runs on our own self-hosted software within our EU service environment (at Hetzner) and is not sent to any separate face-recognition vendor. A current list of processors, including those not named here, is available from the contact address above. We disclose data to authorities only where legally required.

8. Where your data is stored (international transfers)

In short: your family content stays in the EU/EEA, with legal safeguards for any rare exception.

We host and store family content within the EU/EEA. Some providers are companies based outside the EU or may provide support from outside the EEA; where any processing takes place in a third country without an EU adequacy decision, we rely on appropriate safeguards under Art. 46 GDPR — the European Commission's Standard Contractual Clauses (and, where a provider is certified, the EU-US Data Privacy Framework). You can obtain a copy of the safeguards from hello@beinand.app.

9. How long we keep it

In short: as long as you use the service, then deleted on clear timelines.

• Account & content: while your account and household exist and the service is provided to you.
• Account deletion: deactivated immediately and irreversibly purged after a 30-day recovery window; your shared contributions remain in the family archive but are anonymised, and your personal/contact data is erased.
• Household deletion: the household and all its data are permanently purged after a 28-day recovery window.
• Data exports you request are deleted from our servers 24 hours after they are generated.
• Security & abuse logs: kept for up to 12 months, then deleted.
• Billing records: kept for 7 years to meet Austrian bookkeeping law (§ 132 BAO).
• Backups: encrypted, stored in the EU, and overwritten on a rotating cycle (within 30 days), so deleted data also disappears from backups within that window.
• Withdrawing face-recognition consent deletes your stored face templates.

10. Your rights

In short: you can access, correct, delete, export and object — and complain to the authority.

You have the right to:

• Access your data (Art. 15) — members can download a copy from settings; otherwise contact us;
• Rectification of inaccurate data (Art. 16);
• Erasure (Art. 17);
• Restriction of processing (Art. 18);
• Data portability (Art. 20); and
• Withdraw consent at any time, without affecting processing before the withdrawal (Art. 7(3)).

You also have the right to object (Art. 21 GDPR), at any time and on grounds relating to your particular situation, to our processing of your data that is based on legitimate interest (section 3) — after which we stop unless we show compelling legitimate grounds that override your interests.

To exercise any right, contact us at hello@beinand.app. You also have the right to lodge a complaint with the Austrian Data Protection Authority (Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Vienna, dsb@dsb.gv.at, dsb.gv.at).

11. Automated decisions

In short: nothing important about you is decided automatically; face recognition only suggests.

We do not make decisions with legal or similarly significant effects about you by automated means. Face recognition only suggests who may be in a photo for a person to confirm; it never tags, publishes or decides anything about you on its own.

12. Children

In short: in Austria you can consent from age 14; for younger children a parent must.

In Austria, a minor may consent to online services from the age of 14 (§ 4(4) DSG); for a younger child, the holder of parental responsibility must consent. Please only enter a child's data, or set up an account for a child, in line with this.

13. Deceased persons

In short: the GDPR does not cover the deceased, but living relatives keep their rights.

The GDPR does not apply to the personal data of deceased people, so we can record and recognise ancestors without their consent. Where information about a deceased person also reveals personal data about a living relative, that living person keeps their full rights under this policy.

14. Cookies

In short: only the essentials to sign you in — no tracking, no banner needed.

We use only strictly necessary cookies/local storage to sign you in and keep the app working (for example your session and security tokens) and to remember your language. We do not use advertising or third-party tracking cookies, so no cookie-consent banner is required.

15. Changes

In short: if this policy changes meaningfully, we will tell you in the app.

We may update this policy as the service evolves. We will post the new version here and, for significant changes, notify you in the app.