Legal

Privacy Policy

Effective June 27, 2026

Geneviva ("we", "us", or "our") operates genevia.app from California, USA. This policy describes what personal information we collect, how we use it, and your rights under applicable law — including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), CalOPPA, and the EU/UK General Data Protection Regulation (GDPR/UK GDPR) for users in the European Economic Area and United Kingdom.

Data controller

The data controller for personal information processed through genevia.app is Geneviva, operated by its owner, reachable at hello@genevia.app. We do not have a Data Protection Officer (DPO) as we do not meet the thresholds requiring one under GDPR Article 37.

Personal information we collect

We collect the following categories of personal information (as defined under the CCPA):

  • Identifiers: your name and email address, collected when you create an account via Google OAuth or email/password sign-up.
  • User-generated content: names, dates of birth, relationships, photos, and stories you and your invited family members add to your family tree.
  • Internet or network activity: basic interaction logs (page views, feature usage) used to improve the product.
  • Authentication data: session tokens and invite tokens used to secure your account and route family members to the correct tree.

We do not collect sensitive personal information (as defined by CPRA) beyond what is listed above. We do not collect Social Security numbers, financial information, precise geolocation, or biometric data.

Special category data (GDPR Article 9)

Geneviva includes an optional medical summary feature. If you or your family members add health-related information to a family tree profile, that constitutes special category data under GDPR Article 9. We process such data solely on the basis of your explicit consent (Art. 9(2)(a)), given when you voluntarily enter that information. You may delete it at any time. We do not use health data for any purpose other than displaying it within your private tree.

How we use your personal information — and our lawful basis (GDPR Article 6)

  • To provide and operate the service (account, tree storage, invites) — lawful basis: performance of a contract with you (Art. 6(1)(b)).
  • To improve the service (usage logs, feature analytics) — lawful basis: legitimate interests (Art. 6(1)(f)). Our interest is in making the product better; this does not override your rights as the data is not linked to your tree content.
  • To send transactional emails (invites, account notices) — lawful basis: performance of a contract (Art. 6(1)(b)).
  • To send marketing emails (if you opt in) — lawful basis: consent (Art. 6(1)(a)). You may withdraw consent at any time.
  • To enforce our Terms and protect security — lawful basis: legitimate interests (Art. 6(1)(f)).

We do not sell or share your personal information

We do not sell your personal information and have not done so in the preceding 12 months. We do not share your personal information with third parties for cross-context behavioral advertising. Because we do not sell or share data for these purposes, there is no need to opt out — but you have that right regardless.

Third parties who receive your data

Your family tree is private by default. Only people you explicitly invite can view your tree. We do not publish your family data to any public genealogy database.

We share data only with the following categories of service providers, who are contractually prohibited from using it for any purpose other than providing services to us:

  • Authentication: Google (OAuth sign-in). Google Privacy Policy.
  • Hosting and storage: our web hosting provider, which stores your data on servers in the United States.

We do not use advertising networks, data brokers, or analytics services that have access to your personal family tree content.

International data transfers (GDPR Chapter V)

Geneviva is operated from the United States. If you access the service from the European Economic Area (EEA), United Kingdom, or Switzerland, your personal information will be transferred to and stored on servers in the United States.

The US does not have an adequacy decision from the European Commission for all transfers. We rely on the following transfer mechanisms:

  • Contractual necessity (Art. 49(1)(b)): the transfer of your account and tree data to US servers is necessary to perform the contract — i.e., to provide you with the service you signed up for.
  • Explicit consent (Art. 49(1)(a)): by creating an account and using Geneviva knowing it is a US-based service, you explicitly consent to this transfer. You may withdraw consent by deleting your account.

We acknowledge that US law may not provide the same level of protection as EEA law. If this is a concern, you should not use the service. We will implement Standard Contractual Clauses (SCCs) or seek adequacy-framework certification as the service matures.

Shine the Light (California Civil Code § 1798.83)

We do not disclose personal information to third parties for their direct marketing purposes. California residents may request information about any such disclosures by emailing hello@genevia.app, though we have none to report.

Data retention

We retain your personal information for as long as your account is active. You may request deletion at any time via our Delete Data page. We will delete your account and all associated family tree data immediately upon confirmation.

Your privacy rights

Depending on where you live, you have the following rights. All users may exercise any of these rights regardless of location — we apply them universally.

California residents (CCPA/CPRA)

  • Right to Know: request the categories and specific pieces of personal information we have collected, the sources, business purpose, and third parties we share it with.
  • Right to Delete: request deletion of personal information we hold about you.
  • Right to Correct: request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: we do not sell or share your data for advertising — no action needed.
  • Right to Limit Sensitive PI: we do not use sensitive personal information beyond service provision.
  • Right to Non-Discrimination: we will not penalize you for exercising any CCPA right.
  • Right to Portability: receive a copy of your data in a portable format.

EEA, UK, and Switzerland residents (GDPR / UK GDPR)

  • Right of access (Art. 15): obtain a copy of your personal data and information about how we process it.
  • Right to rectification (Art. 16): correct inaccurate or incomplete personal data.
  • Right to erasure (Art. 17): request deletion of your personal data where there is no overriding legitimate ground for us to retain it.
  • Right to restriction (Art. 18): ask us to suspend processing of your data in certain circumstances (e.g., while you contest its accuracy).
  • Right to portability (Art. 20): receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): object to processing based on legitimate interests. We will stop unless we have compelling legitimate grounds that override your interests.
  • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
  • Right to lodge a complaint (Art. 77): you have the right to lodge a complaint with your local data protection supervisory authority. In the EU, find your authority at edpb.europa.eu. In the UK, contact the ICO.

To exercise any of these rights, email hello@genevia.app from the address associated with your account. We will respond within 30 days (extendable by up to two additional months for complex requests under GDPR; up to 45 days total under CCPA). We will verify your identity before processing requests and will not charge a fee for reasonable requests.

Do Not Track

We do not use cross-site tracking technologies. We do not respond differently to Do Not Track (DNT) browser signals because we do not track users across third-party websites regardless of DNT setting.

Cookies

We use strictly necessary cookies for session authentication only. We do not use tracking, advertising, or analytics cookies. You may disable cookies in your browser, but the service will not function without session cookies.

Children (COPPA)

Geneviva is not directed at children under 13 and we do not knowingly collect personal information from children under 13, in compliance with the Children's Online Privacy Protection Act (COPPA). If you believe a child under 13 has provided us with personal information, contact us at hello@genevia.app and we will delete it immediately.

Changes to this policy

If we make material changes, we will notify you by email or a prominent notice in the app at least 30 days before the changes take effect. The effective date at the top of this page will be updated.

Contact

Privacy questions or rights requests: hello@genevia.app.