Privacy Policy
Last updated: 16 May 2026
Stamboom (“the Service”, available at stamboom.xyz) is a personal-use web application for viewing and sharing family-tree data parsed from Haza-Data backup (HZB) files. This page describes what data we collect, why, and how it is handled.
1. Who runs Stamboom
Stamboom is operated by Julian de Groot as a personal project. There is no company behind it. You can reach the operator at julianthegroot@gmail.com.
2. What we collect
When you create an account or use the Service we collect:
- Account data. Your email address and a securely hashed password, or, if you sign in with Google, your Google profile email, name and profile picture URL.
- Profile data. An optional display name and language preference.
- Two-factor authentication data. If you enable 2FA, a TOTP secret used to verify the codes from your authenticator app.
- Family-tree data you upload. The contents of any HZB file you upload, including the names, dates, places and relationships of the individuals in that file. This data may include information about other (living) people related to you.
- Technical data. Your IP address and basic request metadata are processed for short-term rate limiting (to prevent brute-force login attempts).
- Session cookies. Cookies set by our authentication provider so we can keep you signed in.
3. Why we collect it
- To authenticate you and keep your account secure.
- To store and display the family-tree data you choose to upload.
- To send transactional emails (verification, password reset, invites).
- To prevent abuse (rate limiting login attempts).
We do not use your data for advertising, profiling, or analytics tracking, and we do not sell or share it with third parties for their own purposes.
4. Google sign-in
If you sign in with Google, we receive only the basic profile information you consent to: your email address, name and profile picture. Stamboom’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data to serve advertisements, and we do not share it with third parties.
5. Who processes your data
We use the following sub-processors to operate the Service:
- Supabase (database, authentication, file storage). Data is hosted in the EU region.
- Resend (sending transactional emails).
- Vercel (web hosting).
- Google (only if you choose to sign in with Google).
These providers process data on our behalf under their respective privacy terms.
6. How long we keep your data
We keep your account and uploaded data until you delete it or request deletion. You can delete your account by emailing julianthegroot@gmail.com. Once deleted, your account and the family-tree data attached to it are removed from the active database; backups containing residual copies are rotated out within 30 days.
7. Your rights
Under the EU GDPR you have the right to access, correct, export or delete your personal data, and to object to its processing. To exercise any of these rights, email julianthegroot@gmail.com. You can also lodge a complaint with the Dutch Autoriteit Persoonsgegevens.
8. Security
Passwords are hashed by our authentication provider; data is encrypted in transit (HTTPS) and at rest. We offer two-factor authentication and recommend you enable it. No system is perfectly secure, but we follow industry-standard practices for a small application.
9. Children
Stamboom is not directed at children under 16. Do not create an account if you are below the age of digital consent in your country.
10. Changes to this policy
If we change this policy in a material way, we will update the date above and notify signed-in users by email when reasonably possible.