privacy policy · v1.0
Privacy Policy.
Last updated: 2026-05-11.
The short version.
Your family's content — calendar, tasks, notes, members — never leaves the device. There are no accounts and no servers holding your data. We do collect anonymous crash reports and screen-view counters via Google Firebase so we can fix bugs and prioritise features; you can switch both off in Settings → Privacy. When you delete the app, every byte goes with it.
1. Who we are
Pamily is published by Axel Trajano, a sole developer based in New Zealand. Contact: dev.puhgeh@gmail.com.
2. Scope
This policy applies to the Pamily mobile application for iOS and Android (bundle id com.puhgeh.pamily) and to this marketing website at pamily.puhgeh.com.
3. What information the app processes
All of the information you enter into Pamily — family member names, dates of birth, avatars, events, tasks, notes, subscriptions — is stored only on the device you typed it on. It is held in the app's private storage area, encrypted at rest by the operating system (Apple Data Protection on iOS, Android Keystore-backed file encryption on Android).
The app does not transmit this content to us or to anyone else. There is no server-side copy. There is no advertising SDK. We do not share, sell, or rent any user data.
The app does send a small set of diagnostic signals to Google Firebase so we can keep Pamily stable and prioritise development. Two services are used:
- Firebase Crashlytics — when the app crashes, a stack trace and a small set of environment values (OS version, device model, app version, free memory at crash) are sent so we can fix the bug. The report is linked only to a per-install random identifier and contains nothing from your calendar, tasks, notes, or family records.
- Google Analytics for Firebase — anonymous counters of which screens are visited and which features are used (for example: "Tasks tab opened", "Backup exported"). Event payloads never include personal content. Data is linked only to a per-install random identifier. Google Signals and Google Ads personalisation are disabled in the Firebase project, so this data is not joined with any advertising profile.
Both services can be switched off independently in Settings → Privacy. When switched off, the SDKs stop transmitting and any pending payload is discarded. Local-only mode also forces both off automatically.
Sync (optional, subscription-gated)
The app offers an optional Sync feature that converges shared lists across the devices in a single household. The storage backend is your own iCloud Drive or Google Drive — you pick which. Pamily writes end-to-end encrypted blobs to a folder inside your chosen cloud account. The encryption key is generated on your first device and stored in the platform keychain on every device that joins the household; we never see the key, and we never see the contents.
Sync is gated behind an in-app auto-renewing subscription managed by the App Store or Google Play. The subscription pays for ongoing development of the app, not for cloud storage — the cloud storage is the user's own. Cancellation is handled in the store's subscription settings; after cancellation, existing synced data remains readable, and only new writes pause until you resubscribe or revert to local-only mode.
While Sync is enabled, the app exchanges HTTPS requests with the cloud provider you picked:
- Apple iCloud Drive (*.icloud.com) via the standard iOS Files / iCloud Documents APIs.
- Google Drive (www.googleapis.com/drive/*) via the narrow drive.appdata scope (an app-only folder; the rest of your Drive is invisible to Pamily).
4. What information this website processes
This website is hosted by Cloudflare Pages. Cloudflare may log standard request data (IP address, user agent, referrer) for security and abuse prevention. We do not place tracking cookies, we do not run analytics scripts, and we do not embed third-party social widgets.
5. Third-party services
The mobile app uses the following third parties:
- Google Firebase — Crashlytics and Analytics, as described in §3. Privacy policy: firebase.google.com/support/privacy. Google's role: data processor for these signals.
- Apple App Store / Google Play (billing) — when you start, manage, or cancel a Pamily Sync subscription. The store charges your payment method on file and tells Pamily whether the subscription is active. Pamily never sees your card number, billing address, or store account. Apple privacy: apple.com/legal/privacy. Google privacy: policies.google.com/privacy.
- Apple iCloud Drive and Google Drive — when you enable Sync, the app writes end-to-end encrypted blobs into a folder in your chosen account. You are the controller of that account; we cannot access it. Both providers may log standard request metadata under their own policies.
- Apple Keychain (iOS) and Android Keystore — to store the local encryption key used by the encrypted backup feature and (when enabled) by Sync. Keys never leave the device.
- The system file picker (Apple Files, Android Storage Access Framework) — when you choose to import or export an encrypted backup file. The destination is whatever you pick (iCloud Drive, Google Drive, Dropbox, AirDrop, local storage). We never see where you stored it.
- The system image picker — if you choose to attach a photo as a family member avatar. The image stays on the device.
This website embeds web fonts from Google Fonts (fonts.googleapis.com, fonts.gstatic.com). Google may receive your IP address and user-agent when fonts are loaded. To avoid this, you can self-host the fonts in a future revision; we may do so before v1.1.
6. Encryption
The optional Encrypted Backup feature uses AES-GCM, an industry-standard symmetric cipher. The encryption key is generated locally and stored in the platform's secure keychain. The exported file is unreadable without that key. Apple has classified this use as exempt under U.S. export regulations (EAR §740.17(b)(2)).
7. Children
Pamily is designed for adults managing a household. It is not directed at children under 13 and we do not knowingly collect any data from anyone — including children — because the app collects no data at all. If a parent uses the "Kid-safe mode" toggle when adding a child as a family member, that toggle is stored locally on the device and does not transmit anything.
8. Retention
Your data lives on your device until you choose to delete it. Use Settings → Wipe data on this device to clear everything in one tap, or simply uninstall the app — both remove all stored content.
9. Your rights
Your family content stays on your device, so the standard data-subject rights (access, rectification, erasure, portability, objection) are exercised directly there:
- Access & portability: use Export encrypted backup. The exported file is yours.
- Erasure: use Wipe data on this device or uninstall the app.
- Rectification: edit any entry directly in the app.
For the diagnostic signals sent to Firebase (§3):
- Opt out: Settings → Privacy → toggle "Send crash reports" and/or "Send anonymous diagnostics" off. Each switch stops the corresponding SDK immediately and discards any queued payload.
- Reset the device identifier: uninstalling and reinstalling generates a fresh Firebase Installation ID and App Instance ID, severing the link to anything previously sent.
- Deletion of previously sent data: Google retains analytics events according to the retention setting in our Firebase project (currently 14 months) and crash reports for a comparable period; thereafter they are aggregated and individual records are deleted. You can also request deletion directly via Google: support.google.com/analytics/answer/9450800.
If you believe we are processing data about you that we do not realise we are processing, write to dev.puhgeh@gmail.com and we will investigate within 30 days.
10. Disclosures to authorities
We do not hold a copy of your family content, so a request directed at us cannot produce one. For the diagnostic signals held by Google, any lawful request would be served on Google directly under its own policy.
11. International transfers
Your family content does not leave your device. The diagnostic signals sent to Firebase are processed on Google's global infrastructure and may transit between regions per Google's standard practice. The marketing site is served from Cloudflare's global network; the response payload contains no personal data of yours beyond a transient IP-level log on Cloudflare's side.
12. Changes to this policy
If we add features that change what is processed — for example, a future opt-in sync layer, or opt-in crash reporting — we will publish a new version of this policy with the change history, post a banner inside the app, and require explicit consent for any new collection. The current version is always at pamily.puhgeh.com/privacy.
13. Governing law
This policy is governed by the laws of New Zealand.
14. Contact
Questions, requests, or feedback: dev.puhgeh@gmail.com.