Privacy Policy

Last updated: 1 April 2026

FamlyBoard (operated by FamlyBoard BV, Belgium, privacy@famlyboard.app) is committed to protecting your personal data. This Privacy Policy explains what data we collect, why, and your rights under the GDPR (Regulation (EU) 2016/679).

1. Data Controller

The data controller is FamlyBoard BV, Belgium. Contact for privacy matters: privacy@famlyboard.app.

2. Personal Data We Collect

We collect the following categories of personal data: (a) Identity & contact: email address, full name; (b) Billing: postal address, company name, VAT number, invoice history; (c) Calendar metadata: calendar names, event titles, event times — we never read event descriptions or attendees; (d) Technical: IP address, device identifiers (pairing codes, device tokens), browser User-Agent; (e) Account security: hashed passwords (Argon2id), MFA secrets (TOTP, encrypted at rest), login timestamps.

3. Purposes of Processing

We process your data to: (a) provide the FamlyBoard service (contract performance, Art. 6(1)(b) GDPR); (b) send transactional emails — verification, password reset, invoices (contract performance); (c) issue legally required invoices and retain them for 7 years (legal obligation, Art. 6(1)(c) GDPR); (d) detect and prevent fraud and abuse (legitimate interest, Art. 6(1)(f) GDPR); (e) improve service reliability via aggregated analytics — no individual profiling (legitimate interest).

4. Legal Basis Summary

Contract performance (Art. 6(1)(b)): account creation, calendar sync, device pairing, billing. Legal obligation (Art. 6(1)(c)): invoice retention 7 years, VAT records. Legitimate interest (Art. 6(1)(f)): security event logging, fraud prevention, service improvement.

5. Sub-processors

We share data with the following sub-processors: Mollie B.V. (Netherlands) — payment processing; Lettermint — transactional email delivery; Google LLC (USA) — calendar data via Google Calendar API, covered by EU Standard Contractual Clauses (SCCs); Microsoft Corporation (USA) — Microsoft 365 calendar integration, covered by SCCs; Bunny.net (EU) — content delivery and hosting infrastructure. We do not sell your data to any third party.

6. Data Retention

Authentication data (hashed passwords, MFA secrets): retained until account deletion. Invoices and billing records: 7 years from invoice date (Belgian/EU tax law, Art. 17(3)(b) GDPR exception). Audit log entries: 2 years from creation. Security events (failed logins, rate-limit triggers): 90 days. Calendar metadata: deleted within 30 days of calendar disconnection or account deletion.

7. Your Rights

Under GDPR Articles 15–21, you have the right to: access your data (Art. 15); correct inaccurate data (Art. 16); request erasure (Art. 17) — note invoices are retained 7 years per legal obligation; data portability (Art. 20); object to processing based on legitimate interest (Art. 21). To exercise any right, email privacy@famlyboard.app. We will respond within 30 days.

8. Contact

Privacy questions: privacy@famlyboard.app. FamlyBoard BV, Belgium.

9. Right to Lodge a Complaint

If you believe we have processed your data unlawfully, you have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit — GBA): gegevensbeschermingsautoriteit.be, +32 2 274 48 00.

10. Cookies

We use only essential HttpOnly cookies (access_token and refresh_token). No tracking or analytics cookies are set. See our Cookie Policy for full details.

11. Changes to This Policy

We will notify registered users by email at least 30 days before any material change to this policy. The effective date at the top of this page reflects the current version.