Privacy Policy
Effective 2026-06-02
Momentory is a private family baby book. We built it because we wanted somewhere to keep our own family's moments that wasn't a social network, didn't run ads, and didn't sell our photos to anyone. This policy is the plain-language version of how that works.
The short version: we store the photos and captions you upload so your family can see them. We use a small set of standard infrastructure providers (listed below) to deliver email and SMS invites, process subscriptions, and host the app. We don't sell your data, we don't run ads, and we don't send your photos to any AI service.
Who we are
Momentory is operated by NorthBuilt Studios, based in Canada. That's the entity legally responsible for your data (the "data controller" in GDPR terms).
For any privacy question, data request, or to reach the person handling data protection, email support@momentory.family. We answer.
What we collect
From you when you sign up and use the app:
- Your email address and password (the password is stored only as a hashed value — we never see your actual password).
- If you enable two-factor authentication: an encrypted TOTP secret and hashed backup codes.
- Your device's timezone and your quiet-hours preference, so notifications don't wake you at 3am.
- Your family's name and the display name and role of each family member.
- Each child you add to the family: their name and date of birth.
- Each moment you create: a caption, the date it happened, optional milestone tag, optional child tag, and the photos you attach (up to 25 MB per photo).
- Comments and reactions on moments.
- Notifications generated when other family members comment or react.
- Subscription state and receipts when you start a trial or pay — but the actual payment data is handled by Apple, Google, or RevenueCat (see below). We never see your card number.
- When you chat with Momo (the in-app assistant): the messages you type, the assistant's replies, and a token-usage counter.
- An audit log entry whenever you accept the Terms, accept an invite, or delete content. Each entry includes your IP address, browser/device user-agent string, and timestamp. This is required for compliance and dispute resolution.
- Rate-limit counters keyed against your account or IP (to prevent abuse).
What we don't collect
- No analytics SDKs. No Google Analytics, no Meta Pixel, no PostHog, no Mixpanel, no Sentry, no Segment, no LogRocket. We've verified this in our codebase.
- No advertising. We have no ad SDKs and no ad business model.
- No location data. We never request GPS.
- No contact-list access.
- No microphone or camera access except when you actively tap to attach a photo from your camera roll.
- We do not sell, rent, or share your data with data brokers. Ever.
Who we share data with (sub-processors)
We use the following standard infrastructure providers to run the app. Each only sees the slice of data it needs to do its job.
- Supabase (Postgres + storage + auth, hosted on AWS in us-east-2 — Ohio, USA): the primary data store for everything described above. Photos, captions, comments, members, sessions.
- Anthropic (Claude API, USA): receives the text you type into Momo and the last 5 messages of that chat session, so Momo can respond. It does not receive your photos, captions, dates, milestones, or any data about your family or children. Only the literal words you type into the chat box.
- Resend (email delivery, USA): handles the email invites you send and the magic-link sign-in emails. Sees the recipient email address and the email body.
- Twilio (SMS delivery, USA): handles SMS invites. Sees the recipient phone number and the SMS body.
- RevenueCat (subscription management, USA): processes trial start and subscription state via the App Store / Play Store. Sees your account ID and purchase events. Does not see your photos or family data.
- Expo (push notification routing, USA): receives an opaque device push token (no identifying content) and routes notification payloads to Apple/Google push servers.
- Vercel (web app + API hosting, USA): standard HTTP request logs (IP, user-agent, URL).
- Apple App Store and Google Play Store: handle the actual payment for subscriptions. We never receive your card number.
That's the full list. We haven't hidden anyone.
International transfers
Our primary database is hosted by Supabase in us-east-2 (Ohio, USA). If you're using Momentory from outside the United States — including from the EU, the UK, or Canada — your data is transferred to and processed in the US.
For EU/UK users: we rely on Standard Contractual Clauses (SCCs) with each US-based processor where applicable, and where a provider participates in the EU-US Data Privacy Framework we rely on that. Contact us at the address above for the specific safeguards for a given processor.
Why we process your data (lawful basis)
- Contract: we process your account info, family content, and subscription data because we need to in order to actually provide the service you signed up for.
- Legitimate interest: the audit log, rate-limit counters, and security measures protect both you and us from abuse and fraud. We've balanced this against your privacy interests — the data we retain is minimal and security-specific.
- Consent: the consent you give at signup to these terms and to our processing of family/children data on your authority as account holder.
- Legal obligation: we retain the audit log because we may need to demonstrate compliance to regulators.
How long we keep things
- Your account, family content, photos: for as long as your account exists. When you delete your account, a 30-day grace period begins (so you can recover if you change your mind). After 30 days, the entire family archive — photos, captions, comments, reactions, child profiles — is permanently and irrecoverably deleted.
- Audit log entries (consent given, invite created, family deleted): retained for up to 12 months and then purged.
- Subscription billing records: retained for the period required by tax law in our jurisdiction (currently 7 years in Canada).
- Rate-limit counters: sliding 24-hour windows. Older entries auto-expire.
- Momo chat history: retained for as long as your account exists, deleted with the account.
- Vercel and Supabase server logs: retained per their default policies (typically 7-30 days).
Your rights
Depending on where you live, you have some or all of the following rights:
- Access: see what data we hold about you. Available in-app via the export feature, or email us.
- Correction: fix anything that's wrong. Most fields are editable in Settings; for the rest, email us.
- Deletion: request that we delete your account and all family content. The 30-day-grace flow in Settings → Account is the canonical path. You can cancel during the grace period to recover.
- Portability: get an export of your data in a machine-readable format. Settings → Account → Export.
- Restriction: ask us to stop processing your data for specific purposes.
- Objection: object to our processing on legitimate-interest grounds.
- Complaint: if you're in the EU/UK, you have the right to lodge a complaint with your local supervisory authority. We'd rather you talked to us first so we can fix whatever's wrong.
Email support@momentory.family to exercise any of these. We respond within 30 days.
Children's data
Momentory is a service for adults documenting their families — not a service used by children directly. Children do not have user accounts. They cannot sign up. They cannot post. The only way a child's name or photo enters Momentory is when their parent or guardian — the account holder — actively uploads it.
When you add a child to your family, you're representing that you have the legal authority to do so (you're their parent or guardian) and you're consenting on their behalf to the processing of their information for the purpose of maintaining a private family record. The data we store about a child is limited to: their name, date of birth, and any photos and captions you choose to attach.
You can at any time view, edit, or delete a child's information via Settings. Deleting the entire family account removes every child's data along with everything else, with the same 30-day grace period.
We comply with COPPA (US) and GDPR Article 8 (EU) on this basis. If you have any question about a child's data, email us.
California residents (CCPA / CPRA)
The categories of personal information we collect are listed above. We do not sell or share your personal information (as those terms are defined under the CCPA / CPRA), and we have not done so in the prior 12 months.
You have the right to know, to delete, to correct, and to limit the use of sensitive personal info. The mechanisms above (Settings → Account, or email) work for California residents the same as everyone else.
Security
We take security seriously and use industry-standard measures: TLS for all traffic, hashed passwords, encrypted 2FA secrets, row-level security on the database, signed URLs for photo access (1-hour TTL), HSTS headers, and 2FA available to all users. No system is perfect; if you spot a security issue, please email us.
In the event of a personal-data breach that affects you, we'll notify you within 72 hours as required by GDPR (and sooner where possible).
Changes to this policy
When we change this policy materially, we bump the version number and re-prompt you to accept on next sign-in. The effective date at the top of this page reflects the current version.
Contact
NorthBuilt Studios
Canada