Privacy Policy

Your privacy is important to us. This policy explains how we collect, use, and protect your personal information — and the rights you hold under GDPR, CCPA/CPRA, COPPA, and other applicable laws.

Last updated: February 27, 2026

Data Security

Encrypted in transit (TLS 1.3) and at rest, with role-based access controls

Transparency

Named processors, legal bases, and retention periods — no vague language

Your Control

Full GDPR and CCPA/CPRA rights: access, correct, delete, export, limit, and object

1. Data Controller

The data controller for your personal data is Raman Navarych (sole proprietorship registered in Poland), operating under the project name "The Family Code."

Contact Details

Address: ul. Franciszka Klimczaka 7/81, 02-797 Warszawa, Poland

NIP: 9512577983 | REGON: 526409740

privacy@the-family-code.com

As a data controller established in the European Union, this Privacy Policy complies with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Children's Online Privacy Protection Act ("COPPA"), the CAN-SPAM Act, and other applicable data protection laws.

Data Protection Officer (DPO)

No Data Protection Officer (DPO) has been formally appointed. Under GDPR Art. 37, a DPO is mandatory only for (a) public authorities, (b) controllers engaged in large-scale systematic monitoring of individuals, or (c) controllers processing special-category data on a large scale. As a micro-enterprise and sole proprietorship whose processing activities do not meet these thresholds, appointment of a DPO is not required under Polish law or GDPR Art. 37.

All data protection enquiries, rights requests, and privacy complaints are handled directly by the data controller at privacy@the-family-code.com.

2. Information We Collect

We collect information you provide directly to us and information generated through your use of the Service. Under CCPA categories:

  • Identifiers: Name, email address, account credentials, and unique consent ID.
  • Personal Records: Birth date, time, and location (city/country) provided by you for Human Design calculations.
  • Family Information: Names, birth details, and relationship types of family members you add, including children's birth data entered by parents or guardians.
  • Commercial Information: Subscription status, purchase history, and billing records via Apple App Store or Google Play Store. We do not receive or store your payment card details.
  • Internet/Network Activity: IP address, device type, operating system, browser type, pages visited, and interaction data.
  • Geolocation Data: Birth location (city/country, provided by you for chart calculations — not real-time GPS tracking).
  • Inferences: Human Design type, profile, strategy, authority, and AI-generated personality insights derived from the above data.

Sensitive Personal Information (CPRA)

Birth date, time, and location data may constitute sensitive personal information under the CPRA. Children's information added by parents/guardians is treated with additional protections. We use sensitive personal information only to provide the core Service (generating Human Design charts and AI-generated insights). We do not use sensitive personal information for purposes beyond those necessary to provide the Service. You may request limitation of our use of your sensitive personal information at any time (see Section 9).

Information We Do NOT Collect

We do not collect: Social Security numbers, driver's license numbers, financial account numbers, health or medical information, biometric data, precise geolocation (GPS), racial or ethnic origin, religious beliefs, sexual orientation, or union membership.

For users in the EU/EEA, we process your personal data only where we have a valid legal basis. The table below lists each processing purpose and its corresponding legal basis.

| Purpose | Legal Basis |
|---|---|
| Account creation and management | Contract performance (Art. 6(1)(b)) |
| Human Design chart generation | Contract performance (Art. 6(1)(b)) |
| AI-generated insights and recommendations | Contract performance (Art. 6(1)(b)) and Legitimate interest (Art. 6(1)(f)) |
| Analytics and website improvement | Consent (Art. 6(1)(a)) — only with your opt-in |
| Marketing cookies and advertisements | Consent (Art. 6(1)(a)) — only with your opt-in |
| Email newsletters | Consent (Art. 6(1)(a)) — unsubscribe at any time |
| Fraud prevention, chargeback defense, and security | Legitimate interest (Art. 6(1)(f)) |
| Legal and regulatory compliance | Legal obligation (Art. 6(1)(c)) |
| Processing children's data | Consent (Art. 6(1)(a)) via verifiable parental consent |
| Subscription billing and payment dispute resolution | Contract performance (Art. 6(1)(b)) and Legitimate interest (Art. 6(1)(f)) |

4. How We Use Your Information

We use the information we collect to:

  • Generate your Human Design chart and provide personalized insights
  • Process your data using artificial intelligence (OpenAI) to generate Human Design interpretations, parenting tips, communication strategies, and forecasts
  • Provide personalized content and recommendations tailored to your family
  • Send daily affirmations, communication tips, and notifications (where enabled)
  • Improve, optimize, and develop our app and services
  • Communicate with you about updates, new features, and support requests
  • Process subscription payments through Apple App Store and Google Play Store
  • Ensure security, prevent fraud, detect abuse, and defend against chargebacks
  • Comply with legal obligations, including tax and regulatory requirements
  • Enforce our Terms of Service, including investigating violations, fraudulent chargeback activity, and abusive refund patterns

5. Automated Decision-Making and Profiling — GDPR Art. 22

The Family Code uses artificial intelligence (powered by OpenAI) to generate Human Design interpretations, parenting recommendations, communication tips, daily affirmations, and forecasts. These AI-generated outputs are:

  • Based on your birth data (date, time, location) and Human Design chart calculations
  • Provided for informational and entertainment purposes only
  • NOT used to make any legally binding or similarly significant decisions about you
  • NOT used for automated hiring, credit, insurance, or any other consequential decision-making
  • Inherently unpredictable and may contain errors, inaccuracies, or hallucinations

Profiling vs. Automated Decision-Making — distinction under GDPR

Profiling (GDPR Art. 4(4)) — does occur: Generating your Human Design chart and producing personalised insights from your birth data constitutes "profiling" under Art. 4(4) GDPR — i.e., automated processing to evaluate personal aspects about you. The legal basis for this profiling is contract performance (Art. 6(1)(b)) — it is the core purpose of the Service you requested.

Automated Decision-Making with legal effects (GDPR Art. 22) — does NOT occur: No automated decision producing legal effects or similarly significantly affecting you is made solely by our systems without human involvement. AI-generated content is delivered as informational output to you; no access, credit, employment, insurance, or other consequential determination is made about you by our algorithms.

You have the right to request human review of any AI-generated insight, express your point of view, and contest outputs. Contact privacy@the-family-code.com.

6. Information Sharing and Third-Party Processors

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months.

We share data only with the following named recipients, all bound by data processing agreements (DPAs) meeting GDPR standards.

Service Providers (Data Processors)

OpenAI, Inc.

San Francisco, CA, USA

AI processing for generating Human Design insights. Data shared: birth data, chart data. OpenAI does not use data submitted via the API to train its models.

Transfer mechanism: Standard Contractual Clauses (SCCs)

Google LLC (Analytics)

Mountain View, CA, USA

Google Analytics for website usage analytics (only with your consent). Data shared: anonymized usage data.

Transfer mechanism: EU-US Data Privacy Framework and SCCs

Google Cloud Platform

USA

Cloud infrastructure hosting. Data shared: all data processed by the Service.

Transfer mechanism: Standard Contractual Clauses (SCCs)

Neon Inc.

USA

Serverless PostgreSQL database hosting. Data shared: all stored data.

Transfer mechanism: Standard Contractual Clauses (SCCs)

Apple Inc. / Google LLC

USA

App Store payment processing. We do not receive or store your payment card details. Payment data flows directly to the respective store.

Transfer mechanism: Not applicable — payment data goes directly to the store

Other Disclosures

  • With your explicit consent
  • With family members you invite to your family group (limited profile data)
  • When required by law, regulation, or valid legal process
  • To protect rights, safety, or property
  • In connection with payment dispute resolution, chargeback defense, or fraud investigation, to payment processors and app store operators

7. Data Security

We implement technical and organizational measures to protect your personal information, including:

  • Encryption in transit (TLS 1.3)
  • Encryption at rest for all stored personal data
  • Role-based access controls limiting data access to authorized personnel
  • Regular security reviews and vulnerability assessments
  • Incident response procedures in line with GDPR Art. 33 requirements

However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security. In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours (per GDPR Art. 33) and affected users as required by applicable law, including the CCPA/CPRA breach notification requirements.

8. Your Rights — GDPR (EU/EEA Users)

If you are located in the EU or EEA, you have the following rights under the GDPR:

  • Right of Access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16): Correct inaccurate or incomplete personal data.
  • Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal exceptions.
  • Right to Restrict Processing (Art. 18): Limit how we use your data in certain circumstances.
  • Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on our legitimate interests.
  • Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right Not to Be Subject to Automated Decision-Making (Art. 22): See Section 5 for details on our AI processing.
  • Right to Lodge a Complaint: Lodge a complaint with UODO (Urząd Ochrony Danych Osobowych) or any supervisory authority in your EU/EEA Member State.

How to exercise your rights

Email privacy@the-family-code.com. We will respond within 30 days (extendable by 60 days for complex requests per GDPR Art. 12(3)). Exercising your rights is free of charge.

9. Your Rights — CCPA/CPRA (California Residents)

This section applies to California residents under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA).

  • Right to Know: Request disclosure of the categories and specific pieces of personal information collected about you, the sources, the purposes, and the third parties with whom it is shared.
  • Right to Delete: Request deletion of your personal information, subject to legal exceptions (e.g., security, legal obligations, completing transactions).
  • Right to Correct: Request correction of inaccurate personal information that we maintain about you. We will use commercially reasonable efforts to correct the information.
  • Right to Opt Out of Sale/Sharing: We do NOT sell or share your personal information for cross-context behavioral advertising. If this changes, we will provide a clear opt-out mechanism.
  • Right to Limit Use of Sensitive Personal Information: Birth data (date, time, location) may qualify as sensitive personal information under the CPRA. We use it only to provide the core Service (Human Design chart generation and AI insights). You may request that we limit the use of your sensitive personal information to that which is necessary to perform the Service.
  • Global Privacy Control (GPC): We honor the GPC signal as a valid opt-out of the sale or sharing of personal information.
  • Non-Discrimination: We will not discriminate against you for exercising any CCPA/CPRA rights. We will not deny you goods or services, charge different prices or rates, provide a different level or quality of goods or services, or suggest that you may receive a different price or rate or quality of goods or services.
  • Financial Incentives: We do not offer financial incentives in exchange for the retention or sale of personal information.
  • Authorized Agents: You may designate an authorized agent to submit requests on your behalf. The agent must provide written authorization and we may require identity verification from you.

Submitting a CCPA/CPRA Request

Contact privacy@the-family-code.com. We will respond within 45 days (extendable by an additional 45 days for complex requests with notice to you). We verify identity by matching your email address and account information. We will not fulfill requests where we cannot verify identity.

10. Do Not Sell or Share My Personal Information

The Family Code does not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months as defined under the CCPA/CPRA.

If our data practices change in the future, we will update this Privacy Policy and provide a conspicuous "Do Not Sell or Share My Personal Information" link on our website and within the app, as required by the CCPA/CPRA.

We honor the Global Privacy Control (GPC) signal as a valid opt-out of any future sale or sharing of personal information. To enable GPC, visit globalprivacycontrol.org.

11. Children's Privacy — COPPA and GDPR Art. 8

Age Requirements

  • You must be at least 16 years old (or the applicable minimum in your EU Member State) to create an account under GDPR.
  • In the United States, you must be at least 13 years old, consistent with COPPA.
  • If under 18, you need parent or guardian permission.

COPPA Compliance (US) — Children's Data Added by Parents/Guardians

  • We do NOT knowingly collect data directly from children under 13 without verifiable parental consent.
  • All children's data (name, birth date, time, and location) is entered by the parent or guardian through their authenticated account.
  • By adding a child's information, the parent provides verifiable parental consent under COPPA.
  • Parents can review, update, or delete their child's data at any time via account settings or by contacting us.
  • We do NOT condition participation on disclosure of more information than is reasonably necessary to provide the service.
  • Children's data is NEVER shared with third parties for marketing purposes.
  • Children's data is NEVER made publicly available.

GDPR — Children's Data (Art. 8)

Under GDPR Art. 8, processing of children's data based on consent requires parent or guardian consent. Parents may exercise all GDPR rights on behalf of their children by contacting us at privacy@the-family-code.com.

If we discover we have collected a child's data without proper consent, we will delete it promptly. Please contact privacy@the-family-code.com immediately if you believe this has occurred.

12. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes described in this policy. The table below specifies retention periods per data category.

| Data Category | Retention Period | Justification |
|---|---|---|
| Account data (name, email) | Duration of account + 30 days after deletion | Contract performance; recovery grace period |
| Birth data and Human Design charts | Duration of account + 30 days after deletion | Core service functionality |
| Children's data | Duration of account or immediately upon parent request | COPPA compliance |
| Cookie consent records | 3 years from last interaction | GDPR proof of consent |
| Usage and analytics data | 26 months | Analytics improvement (Google Analytics default) |
| Payment records | 7 years | Tax and legal obligations |
| Server logs | 90 days | Security and fraud prevention |
| Email marketing data | Until unsubscription + 30 days | CAN-SPAM compliance |
| Chargeback and dispute records | 7 years from resolution | Payment dispute defense and legal obligations |
| AI processing logs | 90 days | Service quality and error resolution |
| Arbitration opt-out records | Duration of service + 5 years | Legal compliance; dispute resolution |

13. International Data Transfers

Your data may be transferred to and processed in the United States, where our infrastructure providers (Google Cloud, Neon, and OpenAI) are located. As a data controller established in Poland (EU), we ensure the following safeguards for transfers outside the EU/EEA under GDPR Chapter V:

  • Standard Contractual Clauses (SCCs): Used for transfers to OpenAI, Google Cloud, and Neon.
  • EU-US Data Privacy Framework: Google LLC is certified under the EU-US DPF for eligible data transfers.
  • All processors are bound by DPAs meeting GDPR Chapter V requirements.
  • UK Users (post-Brexit): For transfers of personal data from the United Kingdom, we rely on the UK International Data Transfer Agreement (IDTA) and/or the UK Addendum to the EU SCCs, as applicable under the UK GDPR and Data Protection Act 2018. Where a UK adequacy decision applies to a recipient country, we rely on that decision.

You may request a copy of the applicable Standard Contractual Clauses or UK IDTA by contacting privacy@the-family-code.com.

14. Email Marketing — CAN-SPAM Compliance

We may send marketing emails only with your prior, freely given consent.

GDPR Legal Basis for Marketing Emails (EU/EEA Users)

For EU/EEA users, the legal basis for sending marketing communications is your freely given, specific, informed, and unambiguous prior consent under GDPR Art. 6(1)(a). Consent to receive marketing emails is voluntary and entirely separate from — and not a condition of — using or paying for the Service. You may withdraw consent at any time by using the unsubscribe link in any marketing email or visiting the-family-code.com/unsubscribe. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal (GDPR Art. 7(3)).

In compliance with the CAN-SPAM Act:

  • Every marketing email includes a clear and conspicuous unsubscribe mechanism.
  • Unsubscribe requests are honored within 10 business days (CAN-SPAM, US users). EU/EEA users' requests are processed promptly — typically within 24–48 hours — in accordance with GDPR Art. 7(3).
  • We do not use deceptive subject lines or false header information.
  • All emails clearly identify The Family Code as the sender.
  • Our physical mailing address is included in every email: ul. Franciszka Klimczaka 7/81, 02-797 Warszawa, Poland.

To unsubscribe: use the link in any marketing email or visit the-family-code.com/unsubscribe.

15. AI Data Processing Notice

In accordance with transparency obligations under the GDPR and the EU AI Act (Regulation (EU) 2024/1689), we provide the following information about how your data is processed by artificial intelligence systems:

Compliance with EU AI Act (Regulation (EU) 2024/1689)

In accordance with Article 50 of the EU AI Act, users are informed within the application interface — before or at the start of AI-generated content delivery — that the content has been generated by an artificial intelligence system. This in-app notification is separate from the disclosure in this policy and applies each time AI-generated insights, parenting tips, affirmations, or forecasts are displayed. Users may contact privacy@the-family-code.com to request human review of any AI-generated output.

  • AI Provider: OpenAI, Inc. — we use OpenAI's API to process your birth data and generate Human Design interpretations, parenting tips, affirmations, and forecasts.
  • Data Shared with AI: Birth date, time, and location; Human Design chart calculations; family member names and types. We do not share your email address, account credentials, or payment information with OpenAI.
  • AI Training: Data submitted via the OpenAI API is not used by OpenAI to train its models, per our data processing agreement with OpenAI.
  • Output Accuracy: AI-generated content is inherently unpredictable and may contain errors, inaccuracies, hallucinations, or misleading information. The Company does not warrant the accuracy of AI outputs. See our Terms of Service, Section 8.
  • Human Review: You may request human review of any AI-generated output by contacting privacy@the-family-code.com.

AI-generated content is provided for informational and entertainment purposes only. It does not constitute professional advice of any kind. You should not rely on AI-generated content as a substitute for professional medical, psychological, therapeutic, or legal advice.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. We will notify you of any material changes by posting the updated policy on our website. The "Last updated" date at the top of this page will be revised accordingly.

If we make material changes that affect how we process your personal data, we will notify you directly (for example, by email) and, where required by GDPR, re-request your consent through our cookie consent mechanism. For EU/EEA users, we will provide at least 30 days' notice for material changes. We encourage you to review this policy periodically to stay informed.

17. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us using the details below.

Data Controller

Raman Navarych

ul. Franciszka Klimczaka 7/81, 02-797 Warszawa, Poland

NIP: 9512577983 | REGON: 526409740

privacy@the-family-code.com

Request Timelines

GDPR requests: response within 30 days

CCPA/CPRA requests: response within 45 days

CAN-SPAM unsubscribe: within 10 business days

All requests are free of charge

Lead Supervisory Authority (EU) — UODO

If you are unsatisfied with our response, you have the right to lodge a complaint with the Polish data protection authority (the lead supervisory authority for this controller), or with the supervisory authority in your EU/EEA Member State of habitual residence.

UODO — Urząd Ochrony Danych Osobowych

ul. Stawki 2, 00-193 Warszawa, Poland

Tel: +48 22 531 03 00 | Fax: +48 22 531 03 01

uodo.gov.pl | kancelaria@uodo.gov.pl