Last updated: February 2026
1. Introduction
WebGeno ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our genogram builder application ("the Service").
Please read this policy carefully. By using the Service, you consent to the practices described in this Privacy Policy.
2. Information We Collect
2.1 Information You Provide
- Account Information: Email address and password when you create an account
- Profile Information: Display name and preferences you choose to provide
- Genogram Data: Family relationship data, health conditions, notes, and other information you input into genograms (stored only if you use cloud features)
- Payment Information: Billing details processed securely through Stripe (we do not store full payment card details)
2.2 Automatically Collected Information
- Usage Data: Features used, actions taken, and time spent on the Service
- Device Information: Browser type, operating system, and device identifiers
- Log Data: IP address, access times, and referring URLs
3. How We Use Your Information
We use the collected information to:
- Provide, maintain, and improve the Service
- Process transactions and send related information
- Send administrative messages, updates, and security alerts
- Respond to your comments, questions, and support requests
- Monitor and analyze usage patterns to improve user experience
- Detect, prevent, and address technical issues and fraud
- Comply with legal obligations
4. Data Storage and Security
4.1 Local Storage
When using the free tier without cloud features, your genogram data is stored locally on your device. We do not have access to locally stored data.
4.2 Cloud Storage
Professional tier users who enable cloud storage benefit from end-to-end encryption. Your genogram data is encrypted on your device using AES-256-GCM encryption before being transmitted to our servers. The encryption keys are derived from your password and never leave your device. This means only you can decrypt your data - WebGeno administrators cannot access your genogram content, even if legally compelled.
Data is also encrypted in transit using TLS and at rest on servers provided by Supabase.
4.3 Security Measures
We implement appropriate technical and organizational measures to protect your data, including encryption, access controls, and regular security assessments. However, no method of transmission over the Internet is 100% secure.
5. Third-Party Services
We use the following third-party services:
- Supabase: Authentication and database services. Privacy Policy
- Stripe: Payment processing. Privacy Policy
- Anthropic (Claude): AI-powered genogram generation (Professional feature). Privacy Policy
- Sentry: Error tracking and performance monitoring (no cookies used). Privacy Policy
- Google Analytics: Usage analytics for this marketing website (psychologysmarttools.com). Note: the WebGeno application itself does not use Google Analytics. Privacy Policy
These services have their own privacy policies, and we encourage you to review them.
6. AI-Powered Features
Our Professional tier includes AI-powered genogram generation and editing. When using these features:
- Personal names are automatically detected and anonymized before transmission
- Anonymized data is sent to Anthropic's Claude API for processing
- Original names are restored locally on your device after processing
- We do not use your data to train AI models
- Generated content is stored according to your cloud storage preferences
- You can delete AI-generated content at any time
Privacy-by-Design Limitations: Our automatic name detection may not identify all names, particularly uncommon, foreign, or misspelled names. Users are responsible for verifying that all personally identifiable information is properly anonymized before AI processing. We provide manual tagging tools ([brackets] and Ctrl+B) to help you identify names our system may have missed.
Alignment with EU Regulations: Our AI features are designed with privacy-by-design principles aligned with GDPR and the EU AI Act's transparency requirements. The anonymization process ensures that identifiable client information does not leave your device in readable form.
7. Data Sharing and Disclosure
We do not sell your personal information. We may share your information only in these circumstances:
- Service Providers: With third-party vendors who assist in providing the Service
- Legal Requirements: When required by law or to respond to legal process
- Protection of Rights: To protect our rights, privacy, safety, or property
- Business Transfers: In connection with a merger, acquisition, or sale of assets
8. Your Rights and Choices
You have the right to:
- Access: Request a copy of the personal data we hold about you (see limitation below)
- Correction: Request correction of inaccurate personal data
- Deletion: Request deletion of your personal data and account
- Export: Export your genogram data at any time directly from the application
- Withdraw Consent: Withdraw consent for data processing where applicable
- Account Deletion: Delete your account and associated data
Important limitation regarding encrypted data: Cloud-stored genograms are protected by end-to-end encryption (AES-256-GCM). Encryption keys are derived from your password and never leave your device. This means we cannot access, read, or provide copies of your encrypted genogram content — not even if you request it or if legally compelled. If you lose your password and recovery phrase, your encrypted data cannot be recovered by anyone, including WebGeno. We can only provide access to non-encrypted account data (email, subscription status, usage metadata). You are responsible for exporting your genogram data directly through the application while you have access.
To exercise your rights regarding non-encrypted data, please contact us at the email address provided below.
9. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. After account deletion, we may retain certain information as required by law or for legitimate business purposes for up to 30 days.
Locally stored genogram data remains on your device and is under your control.
10. Children's Privacy
The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.
11. International Data Transfers
Your information may be transferred to and processed in countries outside your country of residence. Specifically:
- Supabase: Database and authentication services hosted in the EU and/or United States
- Stripe: Payment processing in the United States
- Anthropic: AI processing in the United States (Professional tier only)
- Sentry: Error tracking in the United States
For transfers from the European Economic Area (EEA) to countries without an EU adequacy decision, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the appropriate safeguard mechanism. You may request a copy of the applicable SCCs by contacting us at support@psychologysmarttools.com.
12. GDPR Compliance (EU Users)
If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):
- Right to data portability
- Right to restrict processing
- Right to object to processing
- Right to lodge a complaint with a supervisory authority
Our specific legal bases for processing are:
- Consent — account creation and optional communications (you may withdraw consent at any time)
- Contract performance — delivering the Service you subscribed to, including processing payments
- Legitimate interests — anonymous aggregate usage analytics and platform security monitoring, where these do not override your fundamental rights
- Legal obligation — retaining tax and transaction records as required by applicable law
13. Local Storage and Tracking
This marketing website (psychologysmarttools.com) uses Umami Analytics (a privacy-focused, GDPR-compliant alternative to Google Analytics) to understand how visitors use the site. Umami does not use cookies, does not track you across sites, and does not collect any personally identifiable information. All data is aggregated and anonymous. Learn more at umami.is.
The WebGeno application itself does not use cookies or third-party analytics. The application uses browser localStorage exclusively for:
- Session tokens: Supabase authentication tokens to keep you logged in across sessions
- Anonymous usage tracking: A randomly generated UUID (not linked to your identity or email) to understand aggregate feature usage patterns
- App state: Your last-opened genogram, UI preferences, and other local application settings
localStorage data remains on your device and is never transmitted to third parties for advertising purposes. You can clear it at any time through your browser settings, which will log you out of the Service.
We use Sentry for error tracking and performance monitoring. Sentry receives technical error data (stack traces, browser type, OS) but does not use cookies and does not receive personal health data or genogram content.
14. Data Sub-processors
We use the following sub-processors to deliver the Service:
- Supabase — Database and authentication (EU and/or US)
- Stripe — Payment processing (US)
- Anthropic — AI genogram generation (US, Professional tier only)
- Sentry — Error tracking and monitoring (US)
- Hostinger — Web hosting (US)
All sub-processors are bound by data processing agreements and are required to handle your data in accordance with applicable privacy laws. We review sub-processors periodically and will update this list when sub-processors change.
15. Data Processing Agreement (DPA)
When mental health professionals and other users input client data into WebGeno, they act as data controllers and WebGeno acts as a data processor. If your professional practice, institutional policy, or applicable law (including GDPR Article 28) requires a formal Data Processing Agreement, you may request one by contacting us at support@psychologysmarttools.com. We will provide a DPA at no charge.
16. Health Data Sensitivity
Genograms may contain sensitive health, psychological, and family information. You are responsible for:
- Complying with health data regulations applicable in your jurisdiction (e.g., HIPAA in the United States, GDPR in the EU/EEA, and equivalent local laws)
- Obtaining appropriate informed consent from individuals whose data you input
- Adhering to your professional ethics codes and licensing body requirements regarding client confidentiality
- Independently determining whether WebGeno meets your specific regulatory and professional requirements before processing client data
WebGeno's end-to-end encryption for cloud storage is designed to support compliance efforts, but we make no warranty that use of WebGeno satisfies any specific regulatory requirement in any jurisdiction.
17. Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Our notification will include:
- A description of the nature of the breach and categories of data affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its effects
- Contact details for obtaining further information
18. Data Protection Officer
For all data protection enquiries — including exercising your GDPR rights, requesting a Data Processing Agreement, or raising a concern about how we handle your data — please contact our Data Protection Officer:
Email: support@psychologysmarttools.com
You also have the right to lodge a complaint with your local data protection supervisory authority at any time. In Portugal, this is the CNPD (Comissão Nacional de Proteção de Dados) at www.cnpd.pt.
19. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically.
20. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at: