Visit My Roots

Privacy Policy

Last updated: May 10, 2026. This policy explains how Visit My Roots (“we”, “us”) handles personal information when you use our heritage travel planning service.

Who we are

Visit My Roots helps you plan trips using information from family trees you upload. Our infrastructure is designed so your account data and tree-derived content stay under your control, within the limits described below.

What we collect

  • Account: email address and authentication data processed by Supabase (passwords are hashed; we never see your plaintext password).
  • GEDCOM-derived data: after you upload a GEDCOM file, we parse it on our servers. We retain structured data about deceased individuals (names, dates, places) needed for maps and guides. Raw upload files are not kept after parsing.
  • Trip and guide data: destinations, selected locations, trip-day layouts, guide status, and generated PDF storage paths as needed to provide the service.
  • Billing: if you subscribe, Stripe processes payment data; we store subscription status and Stripe customer identifiers needed to manage billing.
  • Compliance: records such as GDPR consent where applicable, and preferences like analytics opt-in stored on your account.

How we use information

We use data only to run and improve the product you signed up for, for example:

  • authenticating you and protecting your account;
  • building maps, trip plans, and AI-assisted guide content from your deceased ancestors’ records;
  • delivering PDF guides and optional share links you choose to create;
  • processing subscriptions and fraud prevention;
  • meeting legal obligations and responding to valid requests.

Deceased persons and living relatives

Information about deceased persons is processed to generate your personal guides and maps. Under EU GDPR, personal data protection generally does not extend to deceased persons (see Recital 27). We still treat all tree-derived data as yours: we do not sell it, license it for ads, or build a public search index of ancestor names across users.

Living persons identified in your GEDCOM are excluded from stored structured data, guides, and external AI processing. Only deceased persons’ records are kept for product features.

Where data is processed

We use Supabase for authentication, database, and file storage. You should create your Supabase project in an EU region if EU data residency is required for your deployment. Other processors (e.g. Stripe, Anthropic for narrative generation on paid guide creation, Resend for transactional email) process data only as needed to provide the feature you use.

Third-party services

Key subprocessors include Supabase (auth, Postgres, storage), Stripe (payments), Anthropic (guide narratives for subscribers), and Resend (transactional email). We do not sell personal information to anyone.

Retention

We keep data while your account is active and as needed for legal, security, or billing purposes. You may request deletion of your account; completing deletion removes your guides and tree-derived records subject to the flow described in our GDPR page.

Your GDPR rights

If EU/UK law applies, you have rights including access, rectification, erasure, restriction, objection (where applicable), and data portability. See GDPR — your rights for how to exercise them, including self-service options under Account settings.

Contact

Questions about this policy or privacy requests: andrewprimary@gmail.com.

← Back to homepage