TinyMoments TinyMoments ← Back to home
Legal

Privacy Policy

Last updated: 8 June 2025  ·  Effective: 8 June 2025

Contents
  1. Who we are
  2. Data we collect
  3. Why we process it
  4. Third-party services
  5. How long we keep it
  6. Children's data
  7. Security
  8. International transfers
  9. Your rights
  10. Delete your account
  11. Changes to this policy
  12. Contact

Short version: TinyMoments is a private family album — not an ad platform. We collect only what is needed to run the service, we never sell your data, and everything is stored within the EU.

Section 1

Who we are (data controller)

TinyMoments is operated by DEME Digital (VAT BE1037765089), a company registered in Belgium.

For all privacy matters you can reach us at [email protected]. We aim to respond within 30 days.

As a Belgian company, TinyMoments is subject to the EU General Data Protection Regulation (GDPR) and the Belgian Data Protection Act of 30 July 2018.

Section 2

Data we collect

We collect only the data necessary to provide and improve TinyMoments. Here is what we collect and why:

Category Examples Source
Account data Email address, display name, profile photo You (via Google Sign-In or direct registration)
Family & membership data Family name, member roles, invitation status, audit log of family actions You
Child profile data Child's name, date of birth, profile photo, colour label You
Moment data Photos, videos, captions, milestone types, dates, reactions, and media metadata (GPS location, camera model, and duration read from the photo/video file itself, where present) You
Device & notification data Push notification tokens, notification preferences (day, time, timezone) Your device
Usage data Session dates, last-active timestamp, engagement state (prompts shown/dismissed) Automatically
Billing data Subscription plan, billing status, payment reference (Mollie customer/subscription IDs). We do not store full card numbers. You (via Mollie)
Share data Share tokens and expiry timestamps for 30-day share links You

Data we do not collect

  • We do not serve advertisements and do not collect advertising identifiers.
  • We do not sell, rent, or trade your personal data to third parties.
  • We do not use your content (photos, videos, quotes) for training AI or machine-learning models.
  • We do not track you across other websites or apps.
Section 3

Why we process your data (legal basis)

Performance of a contract (Art. 6(1)(b) GDPR)

Most processing — account creation, storing moments, family sharing, sending notifications — is necessary to deliver the service you signed up for.

Legitimate interests (Art. 6(1)(f) GDPR)

We process usage data and engagement signals to improve the app, fix bugs, and prevent abuse. We balance this against your privacy rights and apply the least invasive approach possible.

We also read GPS location, camera model, and duration from photos and videos you add to a moment, where your device includes that information in the file. This is stored to power a future feature (e.g. a map or timeline view of your family's moments) and is not currently shown to you or anyone else in the app.

Compliance with a legal obligation (Art. 6(1)(c) GDPR)

We retain billing records to meet Belgian accounting and tax law requirements.

Consent (Art. 6(1)(a) GDPR)

Push notifications are sent only after you explicitly grant permission on your device. You can withdraw this at any time in your device settings or in the TinyMoments app.

Section 4

Third-party services

We use a small, carefully chosen set of processors. Each is bound by a Data Processing Agreement and, where applicable, operates within the EU/EEA or provides adequate transfer safeguards.

Firebase (Google LLC)

We use Firebase for authentication, database (Firestore), file storage (Cloud Storage), and serverless backend logic (Cloud Functions). Data is stored in EU regions. Google acts as a data processor under our terms with Google Cloud.

Firebase Privacy & Security →

Google Sign-In

If you choose to sign in with Google, your Google account's name, email, and profile photo are shared with TinyMoments. You can alternatively register with email and password.

Mollie B.V.

Payments for premium subscriptions are processed by Mollie, an EU-based payment service provider regulated by De Nederlandsche Bank. Mollie collects and processes payment card data under their own privacy policy; TinyMoments only receives confirmation of payment status and a customer reference.

Mollie Privacy Policy →

Resend

We use Resend to send transactional emails (e.g. family invitations, account-related notifications). Only the recipient email address and the message content are shared.

Resend Privacy Policy →

Expo / Expo Push Service (Expo Inc.)

Push notifications are delivered via the Expo Push Service. Your device push token is sent to Expo's servers to relay notifications. Expo does not have access to the content of your family timeline.

Expo Privacy Policy →

Google Analytics

We use Google Analytics (Firebase Analytics) to collect aggregated, anonymised usage statistics — such as which screens are visited and how often. No personally identifiable information is attached to analytics events. You may opt out by adjusting your device's ad-tracking settings.

Section 5

How long we keep your data

Data category Retention period
Account & family data Until you delete your account or the family is dissolved
Moments (photos, videos, captions) Until you delete the moment or your account
Push tokens Until you disable notifications or delete your account
Billing & payment records 7 years (Belgian accounting law requirement)
Share links (tokens) Automatically expired after 30 days
Analytics data 14 months (Google Analytics default), then automatically deleted

When you delete your account, your personal data and all associated content are removed from our active systems within 30 days. Residual copies in backup systems are purged within 90 days of the deletion request.

Section 6

Children's data

TinyMoments is designed for parents and family members. The minimum age to create an account is 16 years. We do not knowingly allow users under 16 to register.

Child profiles (names, birthdates, photos) are created by adult account holders — typically parents or guardians. That adult is responsible for ensuring they have appropriate authority to add and share that child's information within their private family group.

Children's data is stored privately within your family's account and is never visible to other users or the general public.

If you believe a user under 16 has created an account, please contact us at [email protected] and we will remove it promptly.

Section 7

Security

We take the security of your family's memories seriously:

  • All data is transmitted over encrypted connections (TLS/HTTPS).
  • Data at rest is encrypted by Firebase's default encryption (AES-256).
  • Firestore Security Rules ensure that only invited family members can access your family's data — no other user or TinyMoments employee can browse your timeline.
  • Media files are stored in private Firebase Storage buckets that require authenticated access.
  • We regularly review our security practices and access controls.

Despite these measures, no online service can guarantee absolute security. If you discover a security vulnerability, please report it responsibly to [email protected].

Section 8

International data transfers

Your data is stored and processed primarily within the EU/EEA. Where any of our service providers process data outside the EU/EEA (for example, certain Google infrastructure or Expo servers), they do so under the EU Standard Contractual Clauses (SCCs) or equivalent approved transfer mechanisms.

We do not transfer data to countries without an adequate level of data protection unless the appropriate safeguards are in place.

Section 9

Your rights under GDPR

As a resident of the EU/EEA, you have the following rights regarding your personal data:

Right of access (Art. 15)

You can request a copy of the personal data we hold about you.

Right to rectification (Art. 16)

You can correct inaccurate or incomplete data — most fields can be updated directly in the app.

Right to erasure — account & data deletion (Art. 17)

You can delete your account and all associated data at any time. Here is how:

  1. Open TinyMoments and go to Profile → Settings.
  2. Scroll to the bottom and tap Delete account.
  3. Confirm the deletion when prompted.

Alternatively, send a deletion request by email to [email protected] from the address associated with your account.

What gets deleted: your account profile, family memberships, child profiles, all moments (photos, videos, captions), push tokens, and usage data.

What is retained: billing records are kept for 7 years as required by Belgian accounting law. These records contain only payment references (no card numbers) and cannot be used to identify you publicly.

Timeline: your data is removed from active systems within 30 days of the request. Residual copies in encrypted backups are purged within 90 days.

You can also request deletion of specific data only (e.g. a single moment or child profile) without deleting your entire account — email us at [email protected].

Right to data portability (Art. 20)

You can request an export of your data in a machine-readable format. Contact us at [email protected].

Right to restriction & objection (Art. 18–21)

You can ask us to restrict processing or object to processing based on legitimate interests. We will assess and respond within 30 days.

Right to withdraw consent

Where processing is based on consent (e.g. push notifications), you can withdraw consent at any time without affecting the lawfulness of prior processing.

Right to lodge a complaint

If you believe we have mishandled your data, you have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données):

  • Website: dataprotectionauthority.be
  • Email: [email protected]

We encourage you to contact us first — we will do our best to resolve any concern directly.

Section 10

Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you in the app and update the "Last updated" date at the top of this page.

Continued use of TinyMoments after a change takes effect constitutes acceptance of the revised policy. If you do not agree with a change, you may delete your account before it takes effect.

Section 11

Contact

For any privacy-related questions, data requests, or to exercise your rights, please contact us:

DEME Digital (TinyMoments)
VAT: BE1037765089
Email: [email protected]

We aim to respond to all requests within 30 days. Complex requests may take up to 3 months under GDPR rules — we will inform you if that is the case.

TinyMoments TinyMoments
  • Home
  • Privacy Policy
  • Terms & Conditions
  • Contact

© 2025 DEME Digital. All rights reserved. TinyMoments is built and hosted in the EU.