Last updated: 8 June 2025 · Effective: 8 June 2025
Short version: TinyMoments is a private family album — not an ad platform. We collect only what is needed to run the service, we never sell your data, and everything is stored within the EU.
TinyMoments is operated by DEME Digital (VAT BE1037765089), a company registered in Belgium.
For all privacy matters you can reach us at [email protected]. We aim to respond within 30 days.
As a Belgian company, TinyMoments is subject to the EU General Data Protection Regulation (GDPR) and the Belgian Data Protection Act of 30 July 2018.
We collect only the data necessary to provide and improve TinyMoments. Here is what we collect and why:
| Category | Examples | Source |
|---|---|---|
| Account data | Email address, display name, profile photo | You (via Google Sign-In or direct registration) |
| Family & membership data | Family name, member roles, invitation status, audit log of family actions | You |
| Child profile data | Child's name, date of birth, profile photo, colour label | You |
| Moment data | Photos, videos, captions, milestone types, dates, reactions, and media metadata (GPS location, camera model, and duration read from the photo/video file itself, where present) | You |
| Device & notification data | Push notification tokens, notification preferences (day, time, timezone) | Your device |
| Usage data | Session dates, last-active timestamp, engagement state (prompts shown/dismissed) | Automatically |
| Billing data | Subscription plan, billing status, payment reference (Mollie customer/subscription IDs). We do not store full card numbers. | You (via Mollie) |
| Share data | Share tokens and expiry timestamps for 30-day share links | You |
Most processing — account creation, storing moments, family sharing, sending notifications — is necessary to deliver the service you signed up for.
We process usage data and engagement signals to improve the app, fix bugs, and prevent abuse. We balance this against your privacy rights and apply the least invasive approach possible.
We also read GPS location, camera model, and duration from photos and videos you add to a moment, where your device includes that information in the file. This is stored to power a future feature (e.g. a map or timeline view of your family's moments) and is not currently shown to you or anyone else in the app.
We retain billing records to meet Belgian accounting and tax law requirements.
Push notifications are sent only after you explicitly grant permission on your device. You can withdraw this at any time in your device settings or in the TinyMoments app.
We use a small, carefully chosen set of processors. Each is bound by a Data Processing Agreement and, where applicable, operates within the EU/EEA or provides adequate transfer safeguards.
We use Firebase for authentication, database (Firestore), file storage (Cloud Storage), and serverless backend logic (Cloud Functions). Data is stored in EU regions. Google acts as a data processor under our terms with Google Cloud.
If you choose to sign in with Google, your Google account's name, email, and profile photo are shared with TinyMoments. You can alternatively register with email and password.
Payments for premium subscriptions are processed by Mollie, an EU-based payment service provider regulated by De Nederlandsche Bank. Mollie collects and processes payment card data under their own privacy policy; TinyMoments only receives confirmation of payment status and a customer reference.
We use Resend to send transactional emails (e.g. family invitations, account-related notifications). Only the recipient email address and the message content are shared.
Push notifications are delivered via the Expo Push Service. Your device push token is sent to Expo's servers to relay notifications. Expo does not have access to the content of your family timeline.
We use Google Analytics (Firebase Analytics) to collect aggregated, anonymised usage statistics — such as which screens are visited and how often. No personally identifiable information is attached to analytics events. You may opt out by adjusting your device's ad-tracking settings.
| Data category | Retention period |
|---|---|
| Account & family data | Until you delete your account or the family is dissolved |
| Moments (photos, videos, captions) | Until you delete the moment or your account |
| Push tokens | Until you disable notifications or delete your account |
| Billing & payment records | 7 years (Belgian accounting law requirement) |
| Share links (tokens) | Automatically expired after 30 days |
| Analytics data | 14 months (Google Analytics default), then automatically deleted |
When you delete your account, your personal data and all associated content are removed from our active systems within 30 days. Residual copies in backup systems are purged within 90 days of the deletion request.
TinyMoments is designed for parents and family members. The minimum age to create an account is 16 years. We do not knowingly allow users under 16 to register.
Child profiles (names, birthdates, photos) are created by adult account holders — typically parents or guardians. That adult is responsible for ensuring they have appropriate authority to add and share that child's information within their private family group.
Children's data is stored privately within your family's account and is never visible to other users or the general public.
If you believe a user under 16 has created an account, please contact us at [email protected] and we will remove it promptly.
We take the security of your family's memories seriously:
Despite these measures, no online service can guarantee absolute security. If you discover a security vulnerability, please report it responsibly to [email protected].
Your data is stored and processed primarily within the EU/EEA. Where any of our service providers process data outside the EU/EEA (for example, certain Google infrastructure or Expo servers), they do so under the EU Standard Contractual Clauses (SCCs) or equivalent approved transfer mechanisms.
We do not transfer data to countries without an adequate level of data protection unless the appropriate safeguards are in place.
As a resident of the EU/EEA, you have the following rights regarding your personal data:
You can request a copy of the personal data we hold about you.
You can correct inaccurate or incomplete data — most fields can be updated directly in the app.
You can delete your account and all associated data at any time. Here is how:
Alternatively, send a deletion request by email to [email protected] from the address associated with your account.
What gets deleted: your account profile, family memberships, child profiles, all moments (photos, videos, captions), push tokens, and usage data.
What is retained: billing records are kept for 7 years as required by Belgian accounting law. These records contain only payment references (no card numbers) and cannot be used to identify you publicly.
Timeline: your data is removed from active systems within 30 days of the request. Residual copies in encrypted backups are purged within 90 days.
You can also request deletion of specific data only (e.g. a single moment or child profile) without deleting your entire account — email us at [email protected].
You can request an export of your data in a machine-readable format. Contact us at [email protected].
You can ask us to restrict processing or object to processing based on legitimate interests. We will assess and respond within 30 days.
Where processing is based on consent (e.g. push notifications), you can withdraw consent at any time without affecting the lawfulness of prior processing.
If you believe we have mishandled your data, you have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données):
We encourage you to contact us first — we will do our best to resolve any concern directly.
We may update this Privacy Policy from time to time. When we make material changes, we will notify you in the app and update the "Last updated" date at the top of this page.
Continued use of TinyMoments after a change takes effect constitutes acceptance of the revised policy. If you do not agree with a change, you may delete your account before it takes effect.
For any privacy-related questions, data requests, or to exercise your rights, please contact us:
DEME Digital (TinyMoments)
VAT: BE1037765089
Email: [email protected]
We aim to respond to all requests within 30 days. Complex requests may take up to 3 months under GDPR rules — we will inform you if that is the case.