Privacy Policy
Last updated: 12 March 2026 — Version 2.0
MOLDEREZ-CONSULT SRL · BE 0842.262.084 · Bruxelles/Brussel
1 Data Controller
The controller of personal data collected through the Famylio platform is:
MOLDEREZ-CONSULT SRL
Private limited company under Belgian law
Enterprise number: BE 0842.262.084
Registered office: Square Valère-Gille, 13 box 5 — 1050 Ixelles, Belgium
Email: hello@famylio.com
This policy applies to all data processing carried out via famylio.com and all associated services, in accordance with Regulation (EU) 2016/679 (GDPR) and the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data.
2 Data Protection Officer
MOLDEREZ-CONSULT SRL has appointed a data protection contact (DPO):
Email: dpo@famylio.com
Post: DPO Famylio — Square Valère-Gille, 13 box 5 — 1050 Ixelles, Belgium
The DPO is your primary contact for any questions regarding the processing of your personal data and the exercise of your rights.
3 Data We Collect
We collect the following categories of data in accordance with the principle of data minimisation (Art. 5.1.c GDPR):
Identification data: surname, first name, email address, family name, city, country, profile picture (optional).
Connection data: session IDs, IP address, access logs, date and time of access, browsing data.
Family data: information voluntarily entered by the user in platform modules (family calendar, tasks, budget, health, documents, contacts, etc.).
Billing data: transaction history, amounts, payment dates, payment method (full banking details are never stored on our servers — they are processed by our PCI-DSS certified payment provider).
Technical data: device type, operating system, browser version, language, screen resolution, time zone.
4 Purposes and Legal Bases
Your data is processed for the following purposes, each based on a specific legal basis under Article 6 GDPR:
Performance of contract (Art. 6.1.b): account creation and management, service delivery, family member management, customer support, payment processing.
Legitimate interest (Art. 6.1.f): platform security, fraud prevention, service improvement, anonymised statistical analysis, abuse detection, dispute management.
Legal obligation (Art. 6.1.c): retention of billing data under Belgian tax law, response to judicial requests.
Consent (Art. 6.1.a): marketing communications and non-essential cookies. You may withdraw your consent at any time.
5 Children's and Family Data
Famylio is a family platform. Protecting children's data is our absolute priority.
In accordance with Article 8 GDPR and the Belgian Act of 30 July 2018:
Minimum age: Only persons aged 13 or over (Belgian threshold) may create a Famylio account. In other EU countries, the local age threshold applies (13–16 years).
Children's data: Information about children under 16 is entered exclusively by parents or legal guardians and stored under their full responsibility and control.
Parental consent: For users under 16, verifiable consent from the holder of parental responsibility is required (Art. 8.1 GDPR).
No profiling of minors: No automated decision-making, profiling or targeted advertising is performed on minors' data.
Right to erasure: Any parent or legal guardian may request full deletion of a child's data at any time by contacting dpo@famylio.com.
Health data: Famylio's health modules may contain special category data within the meaning of Article 9 GDPR, processed on the basis of explicit consent (Art. 9.2.a), encrypted at rest and in transit, and never shared with third parties.
6 Retention Periods
We apply the principle of storage limitation (Art. 5.1.e GDPR):
Active account data: retained for the duration of the contractual relationship.
After account deletion: personal data is irreversibly anonymised or permanently deleted within 30 calendar days. Encrypted backups are purged within 90 days.
Billing data: 7 years under Belgian tax law.
Connection and security logs: 12 rolling months.
Marketing consent records: proof of consent retained for 3 years after withdrawal, for evidentiary purposes.
7 Recipients and Sub-processors
Your personal data is never sold, rented or transferred to third parties for commercial purposes.
It may be shared with:
Technical sub-processors (Art. 28 GDPR): hosting provider (EU servers), payment provider (PCI-DSS certified), transactional email service (EU servers), encrypted storage services (EU servers). All bound by GDPR-compliant Data Processing Agreements. Full list available on request from dpo@famylio.com.
Competent authorities: only under mandatory legal obligation or court order.
Family members: data you choose to share within your Famylio family space is accessible only to members you have invited and authorised.
8 International Transfers
Your data is hosted and processed exclusively within the European Economic Area (EEA).
If, exceptionally, a transfer to a third country were necessary, we would implement appropriate safeguards under Chapter V GDPR (Art. 44–49): adequacy decision (Art. 45), standard contractual clauses (Art. 46.2.c), or binding corporate rules (Art. 47). Copies available from dpo@famylio.com.
9 Your Rights
Under Articles 15 to 22 of the GDPR, you have the following rights:
Right of access (Art. 15) — confirmation and copy of your personal data.
Right to rectification (Art. 16) — correction of inaccurate data.
Right to erasure (Art. 17) — deletion of your data ("right to be forgotten").
Right to restriction (Art. 18) — restriction of processing.
Right to data portability (Art. 20) — your data in a structured, commonly used and machine-readable format (JSON/CSV).
Right to object (Art. 21) — objection to processing based on legitimate interest, including direct marketing.
Right to withdraw consent (Art. 7.3) — at any time, without affecting the lawfulness of prior processing.
How to exercise your rights: email dpo@famylio.com with a copy of your ID. Response within 30 days (extendable to 60 days for complex requests).
Right to lodge a complaint: with the supervisory authority in your country of residence. In Belgium: the Data Protection Authority (DPA) — www.dataprotectionauthority.be — Rue de la Presse, 35 — 1000 Brussels — +32 2 274 48 00. If you reside in another EU country, you may contact your national data protection authority.
10 Automated Decision-Making and Profiling
Under Article 22 GDPR, you have the right not to be subject to a decision based solely on automated processing producing legal effects or significantly affecting you.
Famylio does not carry out any automated decision-making within the meaning of Article 22 GDPR. We may use anonymised and aggregated data for statistical purposes, with no legal or significant effect on individuals.
11 Cookies and Trackers
Famylio uses cookies in accordance with Directive 2002/58/EC (ePrivacy Directive) as transposed by the Belgian Act of 13 June 2005.
Strictly necessary cookies (exempt from consent): session cookie (PHPSESSID), language preferences (12 months), CSRF token (session), theme preference (12 months).
Non-essential cookies: no advertising, tracking or behavioural analysis cookies without your explicit prior consent.
You can manage your cookie preferences through your browser settings.
12 Data Security
MOLDEREZ-CONSULT SRL implements appropriate technical and organisational measures under Article 32 GDPR:
Technical: TLS 1.2+ encryption, AES-256 encryption for sensitive data, bcrypt password hashing, CSRF protection, HTTP security headers, WAF and 24/7 monitoring.
Organisational: need-to-know access, personal data access logging, staff training, documented incident response procedures, regular security testing.
13 Data Breach Notification
Under Articles 33 and 34 GDPR:
Authority notification (Art. 33): within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.
Individual notification (Art. 34): where the breach is likely to result in a high risk, we will inform you without undue delay by email and/or platform notification.
MOLDEREZ-CONSULT SRL maintains a register of all data breaches (Art. 33.5 GDPR).
14 Changes to This Policy
Minor changes: editorial updates — effective upon publication.
Substantial changes: notification by email and/or platform notification at least 30 days before taking effect. If you disagree, you may delete your account before the changes take effect.
The current version is always available at /legal/privacy.php.