Privacy Policy
EBIWAWA — African Family Digital Heritage Platform
Last updated: 2 April 2026 Effective date: [INSERT LAUNCH DATE]
1. Who We Are
EBIWAWA ("we", "us", "our") is a digital heritage platform that helps African families and the global diaspora connect, preserve legacies, build family trees, and communicate securely.
Data Controller: Ebiwawa, Inc. 16192 Coastal Highway Lewes, DELAWARE 19958, USA
Contact for data enquiries: Email: privacy@ebiwawa.com
1.1 Our Representative in the EU/EEA and UK
For data subjects in the European Union, the European Economic Area, and the United Kingdom, we have appointed Data Protection Representative Limited (trading as DataRep) as our representative under Article 27 of the EU GDPR and Article 27 of the UK GDPR. DataRep is the local point of contact in the EU/EEA and UK for supervisory authorities and for data subjects exercising their rights in respect of personal data processed by Ebiwawa, Inc.
You can contact our representative:
- By email to datarequest@datarep.com — please include "Ebiwawa, Inc." in the subject line so your enquiry is correctly routed to us.
- Via DataRep's web form at www.datarep.com/data-request.
- By post to the nearest of DataRep's contact addresses across the 27 EU Member States, the United Kingdom, Norway, and Iceland — full list at /legal/datarep-eu-uk-contact.pdf. Please ensure any postal correspondence is clearly addressed to "DataRep" (not to "Ebiwawa, Inc.") so that it reaches our representative.
This representative appointment does not cover Switzerland. For matters under the Swiss Federal Act on Data Protection (FADP), please contact us directly at privacy@ebiwawa.com.
2. What This Policy Covers
This policy explains how we collect, use, store, and share your personal data when you use the EBIWAWA platform, including our website, mobile experience, and all related services.
This policy applies to:
- Users in the European Union and European Economic Area (subject to the EU General Data Protection Regulation — "EU GDPR")
- Users in the United Kingdom (subject to UK GDPR and the Data Protection Act 2018)
- Users in Canada (subject to PIPEDA and, for Quebec residents, Quebec's Act respecting the protection of personal information in the private sector — "Law 25")
- Users in the United States (subject to applicable state laws including CCPA/CPRA for California residents)
3. Data We Collect
3.1 Account Data (Provided by You)
When you register and use EBIWAWA, we collect:
| Data | Purpose | Lawful Basis (UK GDPR) |
|---|---|---|
| Email address | Account creation, login, communication | Contract performance |
| Name (first, middle, last, suffix) | Profile display, identification | Contract performance |
| Date of birth (year, month, day) | Age verification, family tree accuracy | Consent |
| Place of birth (city, state, country) | Heritage mapping, family tree context | Consent |
| Current location | Community features, heritage mapping | Consent |
| Gender | Profile display, avatar defaults | Consent |
| Occupation | Profile information | Consent |
| Languages spoken | Profile information, community features | Consent |
| Biography | Profile display | Consent |
| Profile photo/avatar | Profile display | Consent |
| User preferences (theme, notifications, language, role) | Personalisation | Contract performance |
3.2 Family Tree Data (About Third Parties)
A core function of EBIWAWA is building family trees. You may add information about family members, including people who are not users of the platform. This data includes:
- Full name, maiden name, suffix
- Date of birth and/or death
- Place of birth (city, state, country)
- Current location
- Gender
- Occupation
- Languages spoken
- Biography and personal memories
- Profile photos
- Family relationships (parent, child, spouse, sibling, etc.)
- Marriage dates
Your responsibility: By adding another person's data, you confirm that you have a legitimate familial interest in recording this information and that, where the person is alive and identifiable, you have made reasonable efforts to inform them. See Section 10 for more detail.
3.3 Content You Create
- Posts: Text, photos (up to 10 per post), and videos (up to 100MB) with privacy levels you set (private, family, or public)
- Comments and reactions on posts
- Messages: Direct and group chat messages, including text, file attachments, and read receipts
- Photos and albums: Uploaded images, photo descriptions, and tags identifying family members in photos
- Documents and media: Files you upload for preservation (documents, audio recordings)
- Family legacy data: Family sayings, traditions, and other cultural heritage information
- Calendar events: Personal and family events
3.4 Data Collected Automatically
| Data | Purpose | Lawful Basis |
|---|---|---|
| IP address | Security, abuse prevention | Legitimate interest |
| Request timestamps | Performance monitoring | Legitimate interest |
| API request performance metrics | Service reliability | Legitimate interest |
| Authentication tokens | Session management | Contract performance |
We do not use third-party analytics services, advertising trackers, or behavioural profiling tools.
3.5 Data Processed by AI Features
EBIWAWA offers an optional AI-powered Photo Analysis feature. When you choose to use it, your uploaded photo is sent to our AI sub-processor to generate a description, estimate the era of the photo, and suggest tags. The output is shown to you for review before being attached to anything.
AI usage is:
- Always initiated by you (never automatic)
- Rate-limited to a small number of requests per user per day to prevent misuse
- Not used to train AI models (governed by our AI sub-processor's data processing terms)
We may introduce additional AI features in the future (for example, story generation from family data, or transcription of audio recordings). If we do, we will update this policy to describe the new feature and what data it processes, and the feature will remain optional and user-initiated.
4. How We Use Your Data
We use your personal data for the following purposes:
- Providing the service: Account management, family tree building, messaging, content sharing, photo storage
- Personalisation: Theme preferences, notification settings, content display
- AI features: Photo analysis, story generation, document processing (only when you initiate)
- Security: Authentication, abuse prevention, blocking functionality
- Service improvement: Performance monitoring, error detection
- Communication: Service-related notifications (we do not send marketing emails)
- Trust and verification: Enabling family members to verify the accuracy of family tree data
We do not:
- Sell your personal data
- Use your data for advertising
- Profile you for marketing purposes
- Make automated decisions that have legal effects on you
5. Lawful Basis for Processing (UK and EU GDPR)
For users in the United Kingdom and in the European Union / European Economic Area, we process your data under the following lawful bases (Article references apply identically under UK GDPR and EU GDPR):
- Contract performance (Article 6(1)(b)): Processing necessary to provide the EBIWAWA service you signed up for
- Consent (Article 6(1)(a)): For optional data you choose to provide (birth details, biography, photos, AI features). You can withdraw consent at any time.
- Legitimate interest (Article 6(1)(f)): For security logging and performance monitoring, balanced against your privacy rights
Special category data: Family tree data may reveal racial or ethnic origin, which is special category data under both UK GDPR and EU GDPR. We process this under Article 9(2)(e) — data manifestly made public by the data subject — for data you choose to share publicly, and Article 9(2)(a) — explicit consent — for private family data.
6. Where Your Data Is Stored
We rely on a small number of established cloud providers to host and process your data:
| Category of recipient | Data they hold for us |
|---|---|
| Cloud infrastructure provider | Account data, messages, posts, photos and other media, and the AI processing described in §3.5 |
| Graph database provider | Family tree records (Persons, relationships, posts, events) |
All current processing occurs in the United States. A full list of our current sub-processors is available on request from privacy@ebiwawa.com.
International transfers: For UK and EU/EEA users, transfers to the United States are made under the EU-US Data Privacy Framework and its UK Extension (adequacy decisions in force since 2023), with the EU Standard Contractual Clauses and the UK International Data Transfer Addendum retained as a contractual fallback. A Transfer Impact Assessment supporting these transfers is held by us and made available to supervisory authorities on request.
For Canadian users: Transfers outside Canada are made in compliance with PIPEDA's requirements, relying on contractual protections with our service providers.
For Quebec residents: Under Law 25, we are required to conduct a privacy impact assessment before transferring personal information outside Quebec. Your data may be processed in the United States (see table above). Before any such transfer, we assess whether the receiving jurisdiction provides adequate privacy protection. We rely on our cloud sub-processors' contractual commitments and security measures to ensure equivalent protection. Details of our assessment are available on request.
7. How We Protect Your Data
We implement the following security measures:
- Authentication: strong identity-token verification on every API request
- Encryption in transit: all data transmitted over HTTPS/TLS
- Encryption at rest: industry-standard encryption-at-rest provided by our cloud sub-processors
- Access control: every API endpoint requires authentication; data access is scoped to your family tree
- Content privacy levels: you control who sees your posts (private, family, public)
- User blocking: you can block other users, which removes shared access and connections
- Secret management: sensitive credentials held in dedicated key-management infrastructure, never in source code or application logs
- Rate limiting: AI features and other sensitive endpoints are rate-limited to prevent abuse
7.1 Responsible disclosure
If you believe you have found a security vulnerability in EBIWAWA, please report it to security@ebiwawa.com. We commit to:
- Acknowledging your report within 5 business days
- Investigating in good faith and not pursuing legal action against researchers who follow this process
- Crediting you (with your permission) once the issue is resolved
Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.
7.2 Reporting unsafe behavior by another user
To report harassment, impersonation, content that violates our Terms, or other unsafe behavior, contact safety@ebiwawa.com. We review every report and take action — including content removal, account restriction, or account termination — as appropriate.
8. How Long We Keep Your Data
| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account |
| Family tree data | Until deleted by a tree manager or account deletion |
| Posts and comments | Until you delete them or delete your account |
| Messages | Until you delete them or delete the conversation |
| Photos and media | Until you delete them or delete your account |
| AI processing data | Not retained — processed transiently |
| Server logs (IP, performance) | 90 days |
| Blocked user records | Until you unblock or delete your account |
We delete inactive accounts after 2 years of inactivity, with prior notice sent to the registered email address before deletion occurs.
9. Your Rights
9.1 Rights for All Users
All users have the right to:
- Access your personal data
- Correct inaccurate data
- Delete your posts, photos, messages, and other content
- Control privacy settings on your content
- Block other users
9.2 Additional Rights — United Kingdom and European Union / EEA (UK and EU GDPR)
Residents of the United Kingdom, the European Union, and the European Economic Area have the right to:
- Access a copy of all personal data we hold about you (Article 15)
- Rectification of inaccurate data (Article 16)
- Erasure ("right to be forgotten") of your data (Article 17)
- Restrict processing of your data (Article 18)
- Data portability — receive your data in a structured, machine-readable format (Article 20)
- Object to processing based on legitimate interest (Article 21)
- Withdraw consent at any time for consent-based processing
- Lodge a complaint with your supervisory authority:
- UK residents — the Information Commissioner's Office (ico.org.uk).
- EU / EEA residents — your national Data Protection Authority. A list of all EU/EEA supervisory authorities is maintained by the European Data Protection Board at edpb.europa.eu.
You can also contact our representative in the EU/EEA and UK (DataRep) using the channels listed in §1.1 to exercise any of these rights.
9.3 Additional Rights — Canada (PIPEDA)
Canadian residents have the right to:
- Access your personal information held by us
- Challenge the accuracy and completeness of your data
- Withdraw consent for collection, use, or disclosure
- File a complaint with the Office of the Privacy Commissioner of Canada
9.3.1 Additional Rights — Quebec Residents (Law 25)
If you reside in Quebec, you have the following additional rights under Quebec's Act respecting the protection of personal information in the private sector (Law 25):
- Right to data portability: Receive your personal information in a structured, commonly used technological format, or have it transferred directly to another organisation
- Right to de-indexing ("right to be forgotten"): Request that we cease disseminating your personal information or that any hyperlink associated with your name be de-indexed, where dissemination contravenes the law or a court order
- Right to be informed of automated decisions: Be informed when a decision affecting you is made exclusively by automated processing, and the right to have that decision reviewed by a person
- Right to know about cross-border transfers: Be informed when your personal information is transferred outside Quebec, including to which jurisdiction
- Explicit consent: We must obtain your express, free, and informed consent for the collection and use of your personal data. Consent must be requested separately from other information and in clear, simple language
- Consent for minors: For Quebec residents under 14, consent must be provided by a parent or guardian
- Incident notification: In the event of a confidentiality incident (data breach) involving your information, we will notify you and the Commission d'accès à l'information du Québec (CAI) if the incident presents a risk of serious injury
- Lodge a complaint with the Commission d'accès à l'information du Québec (CAI) — cai.gouv.qc.ca
Person in charge of the protection of personal information (as required by Law 25, §3.1-3.4): Olu Olaniyan, Founder, Ebiwawa, Inc. Contactable at privacy@ebiwawa.com.
9.4 Additional Rights — United States
California residents (CCPA/CPRA): You have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information.
Other US states: Additional rights may apply under your state's privacy law. Contact us for details.
9.5 Exercising Your Rights
To exercise any of these rights, contact us at: privacy@ebiwawa.com
We will respond within:
- UK / EU / EEA: 30 days (extendable by 2 months for complex requests)
- Canada (including Quebec): 30 days
- California: 45 days (extendable by 45 days)
We will verify your identity before processing any request.
10. Family Tree Data — Third-Party Information
EBIWAWA allows you to add personal data about family members who may not be users of the platform. This is a core feature of a genealogy service, but it carries specific responsibilities:
Your obligations when adding family members:
- You must have a genuine familial connection to the person
- For living, identifiable individuals, you should make reasonable efforts to inform them that their data appears in a family tree on EBIWAWA
- You must not add data that is malicious, defamatory, or knowingly inaccurate
- You must respect requests from individuals to remove their data
Our approach:
- Family tree data is only visible to members of that family tree, unless the data owner explicitly sets a post to public
- Any person can contact us at privacy@ebiwawa.com to request removal of their data from a family tree
- The Trust Score system allows family members to mark a person's data as verified
- Any edit to a person's record automatically clears all verifications, requiring re-verification by family members
If someone contacts us about their data in a family tree: We will balance the data subject's rights with the legitimate genealogical purpose, considering whether the person is alive, identifiable, and whether the data is sensitive.
11. Children's Data
EBIWAWA is intended for users aged 16 and over (UK), 14 and over (Quebec), and 13 and over (rest of US/Canada).
- We do not knowingly collect account data from children below these ages
- Quebec: For residents under 14, consent must be provided by a parent or guardian (Law 25, Section 14)
- Family tree data may include information about minors (e.g., children in a family tree). This data is added by their parent or guardian and is treated with the same protections as all family tree data
- If you believe a child has created an account without parental consent, contact us and we will delete the account
12. Cookies and Local Storage
EBIWAWA uses:
- Authentication tokens stored in browser local storage (essential for keeping you signed in)
- User preference data (theme, settings) stored in local storage
We do not use:
- Third-party tracking cookies
- Advertising cookies
- Analytics cookies
As we only use strictly necessary storage for service functionality, separate cookie consent is not required under UK GDPR. If we introduce non-essential cookies in the future, we will update this policy and implement a consent mechanism.
13. Third-Party Links
EBIWAWA may display content that links to external websites. We are not responsible for the privacy practices of external sites.
14. Changes to This Policy
We may update this policy to reflect changes in our practices or legal requirements. We will:
- Update the "Last updated" date at the top
- Notify you of material changes via the platform or email
- For significant changes affecting your rights, seek fresh consent where required
15. Contact Us
For any questions about this privacy policy or your personal data:
Email: privacy@ebiwawa.com Post: 16192 Coastal Highway Lewes , DELAWARE 19958
To lodge a complaint:
- UK: Information Commissioner's Office — ico.org.uk — 0303 123 1113
- Canada (federal): Office of the Privacy Commissioner — priv.gc.ca
- Canada (Quebec): Commission d'accès à l'information du Québec — cai.gouv.qc.ca
- US (California): California Attorney General — oag.ca.gov
16. Language / Langue
This Privacy Policy is provided in English. For Quebec residents, a French-language version of this policy will be made available. In the event of any discrepancy between the English and French versions, the French version shall prevail for Quebec residents, as required by Law 25.
Cette politique de confidentialité est fournie en anglais. Pour les résidents du Québec, une version française de cette politique sera mise à disposition. En cas de divergence entre les versions anglaise et française, la version française prévaudra pour les résidents du Québec, conformément à la Loi 25.
17. Data Protection Impact Assessment
We have conducted a Data Protection Impact Assessment (DPIA) for the EBIWAWA platform, as required for processing that is likely to result in high risk to individuals (UK GDPR) and for cross-border data transfers (Quebec Law 25). A summary is available on request.