Privacy Policy
Last updated: 31 March 2026
1. Who we are
GeneGraph is operated by GeneGraph / AW-FI, based in Finland. GeneGraph is the data controller for all personal data processed through this service.
For any privacy-related questions or requests, contact us at privacy@aw-fi.com.
2. What data we collect
- Email address — used as your account identifier and to send sign-in codes.
- Display name — the name shown to your family members in the app.
- Profile photo (selfie) — an optional photo you take during onboarding, stored in Cloudinary.
- Family tree data — names, birth dates, birth places, death dates, gender and relationships for people you add to your tree.
- Vault files — documents and photos you upload to the Family Vault (metadata stored in our database; files stored in Cloudinary).
- One-time passwords (OTP) — short-lived 6-digit codes stored temporarily in the database during sign-in; they are automatically marked as used, or expire after 10 minutes.
- Session cookie — an encrypted authentication token stored in your browser to keep you signed in.
3. How we use your data
- To authenticate you and maintain your session.
- To display and manage your family tree.
- To store files you upload to the Family Vault.
- To send invite emails on your behalf when you invite a family member.
- To show your profile photo to family members you share your tree with.
We do not use your data for advertising or profiling, and we do not sell it to third parties.
4. Legal basis for processing
- Contract performance (GDPR Art. 6(1)(b)) — processing your account data and family tree to provide the service you signed up for.
- Legitimate interests (GDPR Art. 6(1)(f)) — security logging and session management.
- Consent (GDPR Art. 6(1)(a)) — for optional data such as your profile photo.
5. Data processors (third parties)
| Processor | Purpose | Location |
|---|---|---|
| Neo4j Aura (Neo4j Inc.) | Graph database — stores all account, tree and vault metadata | EU (Azure West Europe) |
| Microsoft Azure App Service | Application hosting | EU (West Europe) |
| Cloudinary | Profile photo and vault file storage | EU region |
| Resend | Transactional email (sign-in codes, invites) | EU region |
| Signicat | Optional Nordic eID / bank ID authentication | EU (Norway) |
6. Cookies
GeneGraph uses essential cookies only:
- next-auth.session-token — an encrypted JWT that keeps you signed in. It is set when you sign in and removed when you sign out. It expires automatically after 30 days.
- gg_sv — a small flag (value: 0 or 1) that tracks whether you have added a profile photo. Used only to show or hide the “Add photo” prompt.
These cookies are strictly necessary for the service to function. Under ePrivacy Directive rules, no consent is required for strictly necessary cookies, but we disclose them here for full transparency.
7. Data retention
- Account and tree data is retained for as long as you have an active account.
- OTP tokens expire and are voided after 10 minutes.
- If you delete your account, all data is permanently and immediately deleted (see Section 8).
8. Your rights under GDPR
As a data subject in the EU/EEA, you have the following rights:
- Right of access (Art. 15) — request a copy of all data we hold about you.
- Right to erasure (Art. 17) — request permanent deletion of all your data.
- Right to portability (Art. 20) — download your data in machine-readable JSON format.
- Right to rectification (Art. 16) — correct inaccurate data via your Profile page.
- Right to restriction (Art. 18) — request that we restrict processing of your data.
- Right to object (Art. 21) — object to processing based on legitimate interests.
You can exercise your right to erasure and right to portability directly from your Profile page without needing to contact us. For all other requests, email privacy@aw-fi.com.
You also have the right to lodge a complaint with your national data protection authority. In Finland, this is the Office of the Data Protection Ombudsman (tietosuoja.fi).
9. Security
All data is transmitted over HTTPS. Session tokens are encrypted JWTs signed with a server-side secret. Access to your family tree data is strictly scoped to your authenticated account — other users cannot access your data. Profile photos are stored in Cloudinary with unique, unguessable URLs.
10. Changes to this policy
We may update this policy from time to time. The “Last updated” date at the top of this page will reflect any changes. Continued use of the service after changes constitutes acceptance of the updated policy.