EBIWAWA
Privacy Policy
EBIWAWA — African Family Digital Heritage Platform
Last updated: 2 April 2026 Effective date: [INSERT LAUNCH DATE]
1. Who We Are
EBIWAWA ("we", "us", "our") is a digital heritage platform that helps African families and the global diaspora connect, preserve legacies, build family trees, and communicate securely.
Data Controller: [INSERT LEGAL ENTITY NAME] [INSERT REGISTERED ADDRESS] [INSERT REGISTRATION NUMBER IF APPLICABLE]
Contact for data enquiries: Email: [INSERT DPO/PRIVACY EMAIL]
For UK users, we are registered with the Information Commissioner's Office (ICO). ICO Registration Number: [INSERT ICO REGISTRATION NUMBER]
2. What This Policy Covers
This policy explains how we collect, use, store, and share your personal data when you use the EBIWAWA platform, including our website, mobile experience, and all related services.
This policy applies to:
- Users in the United Kingdom (subject to UK GDPR and the Data Protection Act 2018)
- Users in Canada (subject to PIPEDA and, for Quebec residents, Quebec's Act respecting the protection of personal information in the private sector — "Law 25")
- Users in the United States (subject to applicable state laws including CCPA/CPRA for California residents)
3. Data We Collect
3.1 Account Data (Provided by You)
When you register and use EBIWAWA, we collect:
| Data | Purpose | Lawful Basis (UK GDPR) |
|---|---|---|
| Email address | Account creation, login, communication | Contract performance |
| Name (first, middle, last, suffix) | Profile display, identification | Contract performance |
| Date of birth (year, month, day) | Age verification, family tree accuracy | Consent |
| Place of birth (city, state, country) | Heritage mapping, family tree context | Consent |
| Current location | Community features, heritage mapping | Consent |
| Gender | Profile display, avatar defaults | Consent |
| Occupation | Profile information | Consent |
| Languages spoken | Profile information, community features | Consent |
| Biography | Profile display | Consent |
| Profile photo/avatar | Profile display | Consent |
| User preferences (theme, notifications, language, role) | Personalisation | Contract performance |
3.2 Family Tree Data (About Third Parties)
A core function of EBIWAWA is building family trees. You may add information about family members, including people who are not users of the platform. This data includes:
- Full name, maiden name, suffix
- Date of birth and/or death
- Place of birth (city, state, country)
- Current location
- Gender
- Occupation
- Languages spoken
- Biography and personal memories
- Profile photos
- Family relationships (parent, child, spouse, sibling, etc.)
- Marriage dates
Your responsibility: By adding another person's data, you confirm that you have a legitimate familial interest in recording this information and that, where the person is alive and identifiable, you have made reasonable efforts to inform them. See Section 10 for more detail.
3.3 Content You Create
- Posts: Text, photos (up to 10 per post), and videos (up to 100MB) with privacy levels you set (private, family, or public)
- Comments and reactions on posts
- Messages: Direct and group chat messages, including text, file attachments, and read receipts
- Photos and albums: Uploaded images, photo descriptions, and tags identifying family members in photos
- Documents and media: Files you upload for preservation (documents, audio recordings)
- Family legacy data: Family sayings, traditions, and other cultural heritage information
- Calendar events: Personal and family events
3.4 Data Collected Automatically
| Data | Purpose | Lawful Basis |
|---|---|---|
| IP address | Security, abuse prevention | Legitimate interest |
| Request timestamps | Performance monitoring | Legitimate interest |
| API request performance metrics | Service reliability | Legitimate interest |
| Firebase authentication tokens | Session management | Contract performance |
We do not use third-party analytics services, advertising trackers, or behavioural profiling tools.
3.5 Data Processed by AI Features
EBIWAWA offers optional AI-powered features. When you use these features, specific data is sent to Google's Vertex AI (Gemini 2.0 Flash model) for processing:
| AI Feature | Data Sent | Purpose |
|---|---|---|
| Photo Analysis | Your uploaded photo | Generate description, estimate era, suggest tags |
| Story Generator | Person's name, birth details, occupation, biography, family relationship names | Generate biographical narrative |
| Caption Suggestions | Your uploaded photo | Suggest photo captions |
| Document OCR | Your uploaded document | Extract text from document images |
| Audio Transcription | Your uploaded audio file | Transcribe spoken content |
AI usage is:
- Always initiated by you (never automatic)
- Rate-limited to 50 requests per user per day
- Processed in the us-central1 region by Google Cloud
- Not used to train AI models (governed by Google Cloud's data processing terms)
4. How We Use Your Data
We use your personal data for the following purposes:
- Providing the service: Account management, family tree building, messaging, content sharing, photo storage
- Personalisation: Theme preferences, notification settings, content display
- AI features: Photo analysis, story generation, document processing (only when you initiate)
- Security: Authentication, abuse prevention, blocking functionality
- Service improvement: Performance monitoring, error detection
- Communication: Service-related notifications (we do not send marketing emails)
- Trust and verification: Enabling family members to verify the accuracy of family tree data
We do not:
- Sell your personal data
- Use your data for advertising
- Profile you for marketing purposes
- Make automated decisions that have legal effects on you
5. Lawful Basis for Processing (UK GDPR)
For users in the United Kingdom, we process your data under the following lawful bases:
- Contract performance (Article 6(1)(b)): Processing necessary to provide the EBIWAWA service you signed up for
- Consent (Article 6(1)(a)): For optional data you choose to provide (birth details, biography, photos, AI features). You can withdraw consent at any time.
- Legitimate interest (Article 6(1)(f)): For security logging and performance monitoring, balanced against your privacy rights
Special category data: Family tree data may reveal racial or ethnic origin, which is special category data under UK GDPR. We process this under Article 9(2)(e) — data manifestly made public by the data subject — for data you choose to share publicly, and Article 9(2)(a) — explicit consent — for private family data.
6. Where Your Data Is Stored
Your data is stored and processed using the following services:
| Service | Data Stored | Location |
|---|---|---|
| Google App Engine | Backend API processing | [INSERT REGION] |
| Neo4j AuraDB | User profiles, family trees, relationships, posts, events | Cloud-hosted |
| Google Cloud Firestore | Messages, conversations, chat metadata | [INSERT REGION] |
| Google Cloud Storage | Photos, videos, documents, avatars | [INSERT REGION] |
| Firebase Authentication | Authentication credentials | Google Cloud |
| Google Vertex AI | Temporary AI processing (not stored) | us-central1 (USA) |
International transfers: Some data processing occurs in the United States. For UK users, these transfers are governed by Google's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA) / Addendum, ensuring adequate protection under UK GDPR.
For Canadian users: Transfers outside Canada are made in compliance with PIPEDA's requirements, relying on contractual protections with our service providers.
For Quebec residents: Under Law 25, we are required to conduct a privacy impact assessment before transferring personal information outside Quebec. Your data may be processed in the United States (see table above). Before any such transfer, we assess whether the receiving jurisdiction provides adequate privacy protection. We rely on Google Cloud's contractual commitments and security measures to ensure equivalent protection. Details of our assessment are available on request.
7. How We Protect Your Data
We implement the following security measures:
- Authentication: Firebase Authentication with token verification on every API request
- Encryption in transit: All data transmitted over HTTPS/TLS
- Encryption at rest: Data encrypted at rest by our cloud providers (Google Cloud, Neo4j)
- Access control: API endpoints require authentication; data access scoped to your family tree
- Content privacy levels: You control who sees your posts (private, family, public)
- User blocking: Ability to block users, which removes all shared access and connections
- Secret management: Sensitive credentials stored in Google Cloud Secret Manager
- Rate limiting: AI features capped at 50 requests/user/day to prevent abuse
8. How Long We Keep Your Data
| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account |
| Family tree data | Until deleted by a tree manager or account deletion |
| Posts and comments | Until you delete them or delete your account |
| Messages | Until you delete them or delete the conversation |
| Photos and media | Until you delete them or delete your account |
| AI processing data | Not retained — processed transiently |
| Server logs (IP, performance) | [INSERT PERIOD — recommend 90 days] |
| Blocked user records | Until you unblock or delete your account |
We will implement automated deletion of inactive accounts after [INSERT PERIOD — recommend 2 years of inactivity] with prior notice.
9. Your Rights
9.1 Rights for All Users
All users have the right to:
- Access your personal data
- Correct inaccurate data
- Delete your posts, photos, messages, and other content
- Control privacy settings on your content
- Block other users
9.2 Additional Rights — United Kingdom (UK GDPR)
UK residents have the right to:
- Access a copy of all personal data we hold about you (Article 15)
- Rectification of inaccurate data (Article 16)
- Erasure ("right to be forgotten") of your data (Article 17)
- Restrict processing of your data (Article 18)
- Data portability — receive your data in a structured, machine-readable format (Article 20)
- Object to processing based on legitimate interest (Article 21)
- Withdraw consent at any time for consent-based processing
- Lodge a complaint with the ICO (ico.org.uk)
9.3 Additional Rights — Canada (PIPEDA)
Canadian residents have the right to:
- Access your personal information held by us
- Challenge the accuracy and completeness of your data
- Withdraw consent for collection, use, or disclosure
- File a complaint with the Office of the Privacy Commissioner of Canada
9.3.1 Additional Rights — Quebec Residents (Law 25)
If you reside in Quebec, you have the following additional rights under Quebec's Act respecting the protection of personal information in the private sector (Law 25):
- Right to data portability: Receive your personal information in a structured, commonly used technological format, or have it transferred directly to another organisation
- Right to de-indexing ("right to be forgotten"): Request that we cease disseminating your personal information or that any hyperlink associated with your name be de-indexed, where dissemination contravenes the law or a court order
- Right to be informed of automated decisions: Be informed when a decision affecting you is made exclusively by automated processing, and the right to have that decision reviewed by a person
- Right to know about cross-border transfers: Be informed when your personal information is transferred outside Quebec, including to which jurisdiction
- Explicit consent: We must obtain your express, free, and informed consent for the collection and use of your personal data. Consent must be requested separately from other information and in clear, simple language
- Consent for minors: For Quebec residents under 14, consent must be provided by a parent or guardian
- Incident notification: In the event of a confidentiality incident (data breach) involving your information, we will notify you and the Commission d'accès à l'information du Québec (CAI) if the incident presents a risk of serious injury
- Lodge a complaint with the Commission d'accès à l'information du Québec (CAI) — cai.gouv.qc.ca
9.4 Additional Rights — United States
California residents (CCPA/CPRA): You have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information.
Other US states: Additional rights may apply under your state's privacy law. Contact us for details.
9.5 Exercising Your Rights
To exercise any of these rights, contact us at: [INSERT PRIVACY EMAIL]
We will respond within:
- UK: 30 days (extendable by 2 months for complex requests)
- Canada (including Quebec): 30 days
- California: 45 days (extendable by 45 days)
We will verify your identity before processing any request.
10. Family Tree Data — Third-Party Information
EBIWAWA allows you to add personal data about family members who may not be users of the platform. This is a core feature of a genealogy service, but it carries specific responsibilities:
Your obligations when adding family members:
- You must have a genuine familial connection to the person
- For living, identifiable individuals, you should make reasonable efforts to inform them that their data appears in a family tree on EBIWAWA
- You must not add data that is malicious, defamatory, or knowingly inaccurate
- You must respect requests from individuals to remove their data
Our approach:
- Family tree data is only visible to members of that family tree (unless set to public)
- Any person can contact us to request removal of their data from a family tree
- The Trust Score system allows family members to verify or challenge the accuracy of data
- Edits to a person's record clear all verifications, requiring re-verification
If someone contacts us about their data in a family tree: We will balance the data subject's rights with the legitimate genealogical purpose, considering whether the person is alive, identifiable, and whether the data is sensitive.
11. Children's Data
EBIWAWA is intended for users aged 16 and over (UK), 14 and over (Quebec), and 13 and over (rest of US/Canada).
- We do not knowingly collect account data from children below these ages
- Quebec: For residents under 14, consent must be provided by a parent or guardian (Law 25, Section 14)
- Family tree data may include information about minors (e.g., children in a family tree). This data is added by their parent or guardian and is treated with the same protections as all family tree data
- If you believe a child has created an account without parental consent, contact us and we will delete the account
12. Cookies and Local Storage
EBIWAWA uses:
- Firebase Authentication tokens stored in browser local storage (essential for login)
- User preference data (theme, settings) stored in local storage
We do not use:
- Third-party tracking cookies
- Advertising cookies
- Analytics cookies
As we only use strictly necessary storage for service functionality, separate cookie consent is not required under UK GDPR. If we introduce non-essential cookies in the future, we will update this policy and implement a consent mechanism.
13. Third-Party Links
EBIWAWA may display content that links to external websites. We are not responsible for the privacy practices of external sites.
14. Changes to This Policy
We may update this policy to reflect changes in our practices or legal requirements. We will:
- Update the "Last updated" date at the top
- Notify you of material changes via the platform or email
- For significant changes affecting your rights, seek fresh consent where required
15. Contact Us
For any questions about this privacy policy or your personal data:
Email: [INSERT PRIVACY EMAIL] Post: [INSERT POSTAL ADDRESS]
To lodge a complaint:
- UK: Information Commissioner's Office — ico.org.uk — 0303 123 1113
- Canada (federal): Office of the Privacy Commissioner — priv.gc.ca
- Canada (Quebec): Commission d'accès à l'information du Québec — cai.gouv.qc.ca
- US (California): California Attorney General — oag.ca.gov
16. Language / Langue
This Privacy Policy is provided in English. For Quebec residents, a French-language version of this policy will be made available. In the event of any discrepancy between the English and French versions, the French version shall prevail for Quebec residents, as required by Law 25.
Cette politique de confidentialité est fournie en anglais. Pour les résidents du Québec, une version française de cette politique sera mise à disposition. En cas de divergence entre les versions anglaise et française, la version française prévaudra pour les résidents du Québec, conformément à la Loi 25.
17. Data Protection Impact Assessment
We have conducted a Data Protection Impact Assessment (DPIA) for the EBIWAWA platform, as required for processing that is likely to result in high risk to individuals (UK GDPR) and for cross-border data transfers (Quebec Law 25). A summary is available on request.