Skip to content

Privacy Policy

This Privacy Policy explains how TamizhConnect (operated by Tharviyan Limited, Company No. 12127865) collects, uses, and protects your personal data. It applies to the TamizhConnect website, mobile apps, APIs, and related services (together, the "Services").

Tharviyan Limited is the data controller for the personal data we process under this policy. We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, EU GDPR Regulation 2016/679 where it applies, and other applicable data protection laws.

1. Categories of personal data we collect

We collect different categories of data depending on how you use the Services:

  • Identity and account data: name, email address, phone number (optional), account credentials, and any display name or profile detail you set. If you sign in via an OAuth provider (Google, Facebook, Apple), we receive your name, email, and a provider-issued avatar URL from that provider.
  • Payment data: processed securely by our PCI-DSS- compliant payment providers (Stripe and PaymentSense). We do not store your card numbers on our servers; we retain a Stripe customer ID, subscription ID, and last-payment metadata to reconcile your entitlements.
  • Family-tree data: names of relatives, relationships, estimated dates, places, notes, uploaded photos, and any cultural or heritage annotations you add to your private family workspace.
  • Ancestor pins and descendant-matching data: when you pin yourself as a descendant of an ancestor record, we retain the record link, the visibility setting you choose, and any connection requests you send or receive.
  • Contributor Portal submissions: if you use the Contributor Portal, we retain your submitted records, photographs, transcriptions, oral histories, the provenance metadata you provide, and the attribution line you have set on your contributor profile.
  • Support correspondence: the content of emails you send us, any support-ticket promises made to you, and any tracking metadata associated with delivery of a promised follow-up.
  • AI-feature inputs and outputs: queries you submit to AI-assisted features, and the AI-generated outputs shown to you. See Section 5 for third-party AI provider disclosure.
  • Usage and analytics data: anonymised or pseudonymised product-usage events, page views, session length, search terms (associated with your account when you are signed in), and referral traffic source.
  • Technical data: IP address, browser type, device information, cookies, and log data associated with your access to the Services.
  • Marketing preferences: your consent to receive promotional emails or product updates, which you can withdraw at any time.

2. How we use your personal data

  • Account management: creating, maintaining, and securing your account and the family workspace linked to it.
  • Providing the Services: giving you access to search our archives, run AI-assisted research, manage your family tree, and connect with other descendants where you opt in.
  • Payments and subscription management: processing payments through Stripe or PaymentSense and managing your paid entitlements.
  • Support and communications: responding to your emails, delivering support commitments we have made to you, and sending you service notifications (e.g. billing, security).
  • Product improvement: analysing anonymised usage patterns to improve features and diagnose bugs.
  • Security and fraud prevention: protecting the Services and users from unauthorised access, abuse, and fraud.
  • Marketing (with consent): where you have opted in, sending you product updates, newsletters, or relevant genealogy content.
  • Compliance with legal obligations: retaining certain records where required by law, or where necessary to defend legal claims.

3. Lawful basis for processing (UK / EU GDPR)

The lawful bases we rely on depend on the specific processing activity:

  • Contract: processing necessary to provide the Services you have subscribed to.
  • Consent: for marketing communications, optional profile fields, and features where you explicitly opt in (for example, making an ancestor pin visible to other descendants).
  • Legitimate interests: for platform security, fraud prevention, product analytics, and improving the Services. Where we rely on legitimate interests, we have carried out a legitimate- interest assessment and consider that our interests do not override your rights.
  • Legal obligation: for compliance with tax, accounting, and regulatory obligations.

4. Data security

  • Transport security: HTTPS/TLS 1.3 for all connections between your device and our servers.
  • Application security: role-based access control and row-level security at the database layer (via Supabase).
  • Access controls: multi-factor authentication and least-privilege access for our operational staff.
  • Encryption at rest: for sensitive personal data.
  • Regular reviews: we review our security posture regularly and update it in response to threats.

Where we become aware of a personal data breach that presents a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours and notify you where required.

5. Third parties and sub-processors

We do not sell, rent, or trade your personal data to third parties. We share limited data with the following categories of sub-processors, all of whom are contractually obliged to maintain equivalent data protection standards:

  • Payment providers: Stripe (payments) and PaymentSense (regional payments).
  • Database and hosting: Supabase (database and authentication), Vercel (hosting).
  • Email delivery: Resend (transactional email).
  • Analytics: PostHog and Amplitude for product analytics; Vercel Analytics for anonymised web analytics. Where possible, analytics data is anonymised or pseudonymised.
  • AI providers: Anthropic, OpenAI, and Google are used for large-language-model features. Queries you submit to AI-assisted features and the resulting outputs are sent to these providers subject to their terms. We contract with these providers on terms that prohibit them from training models on customer content.
  • Archive licensors: where archive records are licensed from third-party archives (for example, The National Archives, UK), only the anonymised search analytics and record IDs necessary for licensing reporting are shared. Your personal identity is not shared with archive licensors.
  • Compliance: governmental authorities or law enforcement where legally required.

6. Automated decision-making

We do not use automated processing (including AI features) to make decisions with legal or similarly significant effects on you (Article 22 UK GDPR). AI-assisted features surface research leads and summaries; humans (you, or our support team) remain in the loop for decisions that matter.

7. Cookies

The Services use cookies and similar technologies to keep you signed in, remember your preferences, and understand how the Services are used. Broad categories:

  • Strictly necessary cookies: required for authentication, session management, and basic functionality. These cannot be disabled without breaking the Services.
  • Preference cookies: remember settings such as language and display preferences.
  • Analytics cookies: anonymised or pseudonymised counters that help us understand product usage.
  • Marketing cookies: only set with your explicit consent, and only when we are running a marketing campaign that uses them.

You can manage cookies via your browser settings. Blocking strictly necessary cookies will prevent you from signing in.

8. Data retention

We retain personal data only for as long as necessary for the purposes for which it was collected, including legal, accounting, and reporting requirements. Category-specific defaults:

  • Account and family-tree data: retained for as long as your account is active. On account deletion, deleted within the timelines set out in our Data Deletion Policy.
  • Contributor Portal submissions: retained indefinitely for the benefit of other users, unless you withdraw your Contribution or delete your account. Attribution to you can be anonymised while the record remains in the archive, subject to reasonable operational timelines.
  • Support correspondence: retained for up to 6 years for defence of legal claims (UK Limitation Act default), or shorter where a specific matter has been closed.
  • Payment records: retained for 6 years or as required by UK/EU tax and accounting law.
  • Share links generated for public/preview browsing: typically expire after 30 days; the underlying record remains available to signed-in users with paid entitlements.
  • Analytics data: retained in anonymised or aggregated form for up to 24 months.
  • Deletion-request logs: retained for up to 24 months as evidence of compliance with your request (see Data Deletion Policy).

9. Your rights (UK / EU GDPR)

You have the following rights over your personal data:

  • Right of access: request a copy of the personal data we hold about you.
  • Right to rectification: ask us to correct inaccurate data.
  • Right to erasure: request deletion in the circumstances allowed under the UK GDPR — see our Data Deletion Policy.
  • Right to restrict processing: limit how we use your data while a query is resolved.
  • Right to data portability: receive your data in a structured, commonly used format.
  • Right to object: object to processing based on legitimate interests or direct marketing.
  • Right to withdraw consent: withdraw consent you have given for optional processing.
  • Right to lodge a complaint: with the UK Information Commissioner's Office (ico.org.uk), or with your local supervisory authority in the EU.

Exercise these rights by emailing privacy@tamizhconnect.com. We respond to requests within one month, extendable by up to two months where the request is complex.

10. International data transfers

Some of our sub-processors process personal data outside the UK / EEA (for example, AI providers based in the United States). Where personal data is transferred outside the UK / EEA, we rely on:

  • UK / EU adequacy decisions where they exist, or
  • Standard Contractual Clauses (with UK addendum where required) that provide appropriate safeguards under Article 46 UK GDPR.

11. Children's privacy

The Services are not directed at children under 16, and we do not knowingly collect personal data from children under 16. If we become aware that we have collected such data, we will delete it. If you believe a child has provided us with personal data, please contact us at privacy@tamizhconnect.com.

12. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business needs. We will notify you of material changes by email or via an in-app notice. Continued use of the Services after the effective date constitutes acceptance of the updated policy.

Business Entity: Tharviyan Limited (Company No. 12127865)
Registered Office: 5 Brayford Square, London, E1 0SG, United Kingdom
Data protection contact: privacy@tamizhconnect.com
General contact: support@tamizhconnect.com | +44 1689 810072

Related policies: Terms & Conditions, Refund Policy, Delivery Policy, Data Deletion Policy.