Legal
Privacy Policy
How myGenogram collects, uses, and protects your personal data. Covers cookies, email subscriptions, third-party services, and your rights under GDPR.
Updated April 2026 · 6 min read
This policy explains what personal data myGenogram collects, why we collect it, who processes it, and what rights you have. It applies to everything that happens on mygenogram.com.
We keep this policy as short and clear as we can. If anything is unclear, write to us and we will explain.
Who we are
myGenogram is operated by My Ally Monika Wirżajtys, a sole proprietorship registered in Poland.
- Address: ul. 3 Maja 26/3, 85-016 Bydgoszcz, Poland
- Tax ID (NIP): 8441939035
- Contact: contact@fam-roots.com
- Website: mygenogram.com
For the purposes of the EU General Data Protection Regulation (GDPR), My Ally Monika Wirżajtys is the data controller — the entity that decides what data is collected and how it is used.
What data we collect and why
We collect personal data only when you interact with the site in specific ways. We do not collect data passively beyond what is described in the cookies section below.
When you request a free resource
When you submit the lead magnet form to download a free resource (cheat sheet, template, guide), we collect:
| Data | Purpose | Legal basis |
|---|---|---|
| Email address | Deliver the resource, send related emails, and send marketing communications about our linked services: Healingtale, myGenogram, and FamRoots | Consent (your explicit checkbox) |
| IP address | Audit log proving when and where consent was given | Legal obligation (GDPR Article 7(1)) |
| Consent timestamp | Record of when you agreed | Legal obligation |
| Source page | Which page you subscribed from | Legitimate interest (analytics) |
| Resource requested | Which resource to deliver | Contract (fulfillment of your request) |
After you confirm your email by clicking the link we send, we also record:
| Data | Purpose | Legal basis |
|---|---|---|
| Confirmation timestamp | Verify you own the email address | Contract (fulfillment) |
| Subscriber identifier | Link your confirmation to your request | Contract |
When you unsubscribe
When you click the unsubscribe link in any email, we record the unsubscribe timestamp on your subscriber row. This ensures we stop sending you emails. The legal basis is your withdrawal of consent, which we are obligated to honor.
When you browse the site
If you accept analytics cookies via the cookie consent banner, Google Analytics collects anonymized usage data (pages visited, time on page, referral source). If you decline, no analytics data is collected. See the cookies section for details.
Cookies and local storage
myGenogram sets a small number of cookies and uses browser local storage. Here is the complete list.
First-party cookies
| Name | Purpose | Contents | Duration | Flags |
|---|---|---|---|---|
| mg_s | Identify returning subscribers so you do not need to repeat the captcha or re-enter your email | Your subscriber UUID (not your email) | 1 year | httpOnly, secure, sameSite=lax |
This cookie is set only after you confirm your email address. It contains a random identifier, not your email or any other personal information. You can delete it at any time via your browser settings.
Local storage
| Key | Purpose | Duration |
|---|---|---|
| cookie-consent | Remember whether you accepted or declined analytics cookies | Until you clear browser data |
Third-party cookies
| Provider | Cookies | Purpose | Set when | Duration |
|---|---|---|---|---|
| Google Analytics | _ga, _ga_* | Anonymous site usage analytics | Only if you click "Accept" on the cookie banner | Up to 2 years |
| Cloudflare (Turnstile) | cf_clearance, __cf_bm | Bot protection on the lead magnet form | When the captcha loads | Session |
Google Analytics cookies are never set unless you explicitly consent. Cloudflare cookies are strictly necessary for the bot protection that keeps the form functional and are set by Cloudflare, not by us.
Who processes your data
We use a small number of third-party services to operate myGenogram. Each processes personal data only to the extent necessary for its function.
| Service | Provider | Location | What they process |
|---|---|---|---|
| Email delivery | Brevo (Sendinblue SAS) | France (EU) | Your email address, email content |
| Bot protection | Cloudflare, Inc. | United States | IP address, browser fingerprint |
| Analytics | Google LLC | United States | Anonymized browsing data (only if consented) |
| Hosting | Vercel Inc. | United States | All HTTP requests (IP, headers, page content) |
| Database | Neon Inc. | United States | Subscriber records (email, timestamps, tokens) |
International data transfers
Brevo processes data within the EU. Cloudflare, Google, Vercel, and Neon are US-based companies. Data transfers to the United States rely on EU Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms maintained by each provider. Each of these providers publishes their own GDPR compliance documentation:
How long we keep your data
| Data | Retention |
|---|---|
| Confirmed subscriber records | Until you unsubscribe, then 30 more days for the audit trail, then permanently deleted |
| Unconfirmed subscriber records (never clicked confirm) | Deleted after 30 days |
| Resource delivery history | 90 days |
| Analytics data | Per Google Analytics default retention (14 months) |
| Consent and unsubscribe audit logs | Retained as long as required for GDPR compliance proof |
Your rights
Under the GDPR, you have the following rights regarding your personal data:
- Access — You can request a copy of all personal data we hold about you.
- Rectification — You can ask us to correct inaccurate data.
- Erasure — You can ask us to delete your data. If you unsubscribe, deletion happens automatically after 30 days.
- Restrict processing — You can ask us to stop using your data while a dispute is resolved.
- Data portability — You can request your data in a machine-readable format.
- Object — You can object to processing based on legitimate interest.
- Withdraw consent — You can withdraw consent at any time by clicking the unsubscribe link in any email we send, or by contacting us directly.
To exercise any of these rights, email contact@fam-roots.com. We will respond within 30 days. If you believe we have not handled your request adequately, you have the right to lodge a complaint with the Polish data protection authority (UODO — Urząd Ochrony Danych Osobowych) or your local supervisory authority.
Children
myGenogram is not intended for use by anyone under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
Changes to this policy
When we make material changes to this policy, we update the date at the top of the page. If the change affects how we handle data of existing subscribers, we will notify them by email before the change takes effect.
You can always find the current version of this policy at mygenogram.com/privacy.
A note on this policy
This privacy policy was drafted in good faith by the myGenogram team. It has not been reviewed by a data protection lawyer. For definitive legal advice about your rights or our obligations, consult a qualified professional. We are committed to protecting your data and will update this policy as our understanding of best practices evolves.