Family Museum is designed around a simple promise: the voices of the people who raised you belong to your family, not to us. The app is built so that promise is architectural, not aspirational.
The rest of this policy explains exactly what that means, including your rights under the European Union’s GDPR, the California Consumer Privacy Act, the Texas Data Privacy and Security Act, and similar laws.
Family Museum (“Family Museum”, “we”, “us”, or “our”) is a software company based in Houston, Texas, United States. We publish an iOS application of the same name, and this marketing website at familymuseum.co.
For the purposes of the GDPR, Family Museum acts as the data controller for the limited data described in this policy. For personal data stored within your own iCloud account, Apple Inc. operates the underlying infrastructure, and you control access.
We collect three narrow categories of information.
Your recordings, transcripts, photos, memories, family tree, and every other piece of content you create in Family Museum are stored in your own iCloud account, inside Apple’s CloudKit Private Database. Apple protects this data with end-to-end encryption tied to the Secure Enclave on your devices. The keys that unlock your archive never leave your devices. Family Museum does not hold them; Apple does not hold them.
When you share an archive with a family member, Apple’s CloudKit Shared Database is used. Sharing is always explicit and scoped to the people you invite. You can revoke a share at any time from inside the app, which removes the recipient’s access.
If you close your iCloud account, the archive goes with it. We cannot recover the recordings, because we never held a copy.
Speech recognition, speaker identification, voice biometric modeling, and the “Ask the Archive” retrieval and question-answering feature all run on your device, using Apple’s Neural Engine and on-device machine-learning frameworks. No audio, transcripts, or voice embeddings are transmitted to Family Museum or to any third-party service for processing.
Your family’s voices, transcripts, faces, and stories are not part of any training set we use, license, sell, or otherwise touch. The on-device models we rely on are provided by Apple under Apple’s policies, which likewise do not train on your personal Family Museum data.
If this ever changes — for example, if we were to introduce a feature that requires cloud processing — we would notify you in advance, make participation strictly opt-in, and update this policy.
We keep the list of third parties who touch any of your data as short as we can make it.
We do not integrate advertising software development kits, social tracking pixels, session-replay tools, or data-broker services.
Family Museum is not directed at children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided information to us, please contact us at privacy@familymuseum.co and we will delete it.
Parents may of course record their own children’s voices and keep those recordings in their own iCloud archive; that content is the parent’s to manage. The app should be installed and set up by an adult.
Because we hold almost no personal data about you, most data-subject requests come down to deleting the app and its data from your iCloud account. Still, regardless of where you live, you have the following rights with respect to the limited data we do hold:
To exercise any of these rights, email us at privacy@familymuseum.co. We respond within 30 days, or sooner where required by law.
If you are located in the European Economic Area, United Kingdom, or Switzerland, the limited data we hold about you may be transferred to the United States, where we and some of our vendors are based. We rely on the European Commission’s Standard Contractual Clauses, the United Kingdom Addendum, and the EU-U.S. Data Privacy Framework where applicable. You may request a copy of the safeguards in place by emailing us.
If you are a Texas resident, the Texas Data Privacy and Security Act grants you the rights listed in Section 10. We do not use your data for targeted advertising, do not sell personal data, and do not engage in profiling that produces legal or similarly significant effects.
If we deny a request, you may appeal by replying to our response. If the appeal is denied, you may contact the Texas Attorney General at texasattorneygeneral.gov.
We retain anonymized usage and subscription-validation records for up to 24 months, after which they are deleted or further anonymized beyond any reasonable ability to link them to you. Server logs are retained for up to 30 days.
Your recordings, transcripts, and family tree are retained for as long as you keep them in your iCloud account — we have no control over, or visibility into, that timeline.
The architecture of Family Museum is itself a security measure: we cannot lose what we never hold. For the limited data we do receive (anonymized analytics and subscription records), we use industry-standard encryption in transit (TLS 1.3) and at rest, and we restrict access to the small number of engineers who need it.
No system is perfectly secure. If we ever discover a breach that affects any data we hold about you, we will notify you promptly and cooperate with the appropriate regulators.
If we change this policy in a way that affects your rights, we will notify you inside the app and update the effective date at the top of this page. Material changes will not be applied retroactively without your consent.
Questions, concerns, or data-subject requests can be directed to the address below. We are a small team and we read every message.