FM2Y

Privacy Policy

Last updated: July 4, 2026. Effective immediately.

FM2Y ("we," "our," or "us") is a private family memory platform operated by Trimble Digital LLC. This Privacy Policy explains in full detail what information we collect, why we collect it, how we use and protect it, who we share it with, and what rights you have over it. We believe in complete transparency because you are trusting us with some of the most personal moments of your family's life.

1. Who this policy covers

This policy applies to all users of FM2Y, including timeline owners (the person who creates and administers a timeline), contributors (people invited to add memories), beneficiaries (the future recipient of a timeline), custodians (people designated to receive a timeline on handoff), and visitors to our marketing pages who have not created an account.

2. Information we collect

2.1 Account information

  • Email address — required for account creation, login, and communications. Stored in Supabase Auth.
  • Display name — the name you choose to display on the platform. You control this.
  • Password — stored as a one-way bcrypt hash. We never store or transmit your plaintext password.
  • Profile photo — optional. Stored in Cloudflare R2 private storage.

2.2 Timeline and subject information

  • Subject name — the first name (and optionally last name) of the person the timeline is for.
  • Date of birth — used to calculate the child's age, determine design era (baby years vs. teen years), compute Fund It Fully pricing proration, and trigger the age-18 contribution lock and the post-funding download window (through age 21 for Fund It Fully timelines). This is a sensitive field and is never exposed publicly.
  • Timeline username — a unique identifier you choose, used in the URL (e.g., fm2y.com/t/username). This is the only piece of timeline data that is semi-public (it appears in invite links).
  • Subject profile photo — optional. Stored in Cloudflare R2 private storage. Never publicly accessible.

2.3 Content you upload

  • Photos and images — stored in Cloudflare R2 private object storage. No public URLs are ever generated. Every access requires a valid signed URL issued by our server after authentication verification.
  • Videos — stored the same way as photos. Large video files are handled with chunked upload directly to R2 to avoid our server becoming a bottleneck.
  • Voice notes and audio recordings — stored in Cloudflare R2. Same access controls as photos.
  • Written posts and letters — stored in our Supabase PostgreSQL database, encrypted at rest.
  • Sealed letters — stored with an unlock date. The content is not readable by anyone (including FM2Y staff) until the unlock date arrives. The unlock is triggered by our server-side cron job, not by any human action.
  • Milestones — structured data (text, date, optional photo) stored in our database.
  • Memory metadata — date of the memory, who posted it, when it was posted, visibility settings, and whether it has been approved (for moderated timelines).

2.4 Billing and payment information

We use Stripe to process all payments. We do not store your credit card number, CVV, or full card details on our servers at any point. What we store is:

  • Your Stripe customer ID (a reference token, not financial data)
  • Subscription status, plan tier, and billing interval
  • The date through which your timeline is paid ("paid_through_at")
  • Payment amounts in cents (for internal accounting and Founding 100 tracking)
  • Stripe checkout session IDs (for idempotency, so a webhook that fires twice doesn't charge you twice)

Stripe's privacy policy governs how Stripe handles your card data. Stripe is PCI-DSS Level 1 certified.

2.5 Contributor and invite data

  • Invite tokens — a one-time token stored temporarily when you are invited to a timeline. It expires after 7 days.
  • Contributor permissions — a structured record of what each contributor is allowed to do on each timeline (view, post, upload, approve, manage).
  • Contributor email — stored when you invite someone, used to send them an invite email and to match their account when they sign up.

2.6 Usage and technical data

  • IP address — logged on every media access event (see Section 6, Media Security). Also logged by Cloudflare at the network level as standard infrastructure practice.
  • User agent string — the browser or app identifier logged on media access events.
  • Push notification tokens — if you enable push notifications in our mobile app, your device's Expo push token is stored in your profile. This is used only to send you notifications from FM2Y.
  • Session data — Supabase Auth manages session tokens (JWTs) stored in httpOnly cookies or secure local storage. Sessions expire automatically.
  • PostHog analytics — we use PostHog to track anonymous product usage events (which features are used, how often, where users drop off). PostHog does not receive your name, email, or any timeline content. Events are pseudonymous and keyed to a randomly generated user ID.
  • Sentry error tracking — we use Sentry to capture application errors. Error reports include stack traces and may include the URL you were on when the error occurred. They do not include your timeline content or media files.

2.7 Waitlist data

  • Email address, name, and optionally a child's name provided when joining the waitlist.
  • Your position in the queue, referral code, and referral source.
  • Whether you were approved, when, and by which admin.

3. How we use your data

  • To operate the service — providing timelines, managing contributor access, delivering sealed letters on unlock dates, handling subscription billing, and sending service notifications.
  • To improve the product — anonymous usage analytics help us understand which features matter and which are broken.
  • To contact you about your account — billing reminders, grace period warnings, waitlist updates, and invite notifications. We do not send marketing emails without your explicit opt-in.
  • To enforce our Terms of Service — if abuse is reported or detected.
  • To calculate pricing — the subject's date of birth is used to calculate Fund It Fully pricing proration. Fund It Fully is priced at $100 for every year remaining until the child turns 18, so older children cost less.
  • To trigger automated workflows — age-based events (age-18 contribution lock, the end of the download window at age 21, Transfer to custodian) are triggered by comparing the subject's date of birth to the current date in our nightly cron job.

4. Legal basis for processing (GDPR)

For users in the European Economic Area or United Kingdom, our legal bases for processing are:

  • Contract performance — processing necessary to provide the service you signed up for (account data, timeline content, billing).
  • Legitimate interests — fraud prevention, abuse detection, error tracking, and anonymous product analytics.
  • Legal obligation — compliance with applicable laws, including responding to valid legal requests.
  • Consent — push notification tokens, where required by platform rules.

5. Third-party processors

We share your data only with the service providers necessary to operate FM2Y. Every processor is contractually bound to use your data only for the purposes we specify.

  • Supabase — database (PostgreSQL), authentication, and row-level security. Data is hosted on AWS us-east-1. Supabase is SOC 2 Type II certified.
  • Cloudflare R2 — object storage for all media files (photos, video, audio). Data is stored in Cloudflare's US data centers. Cloudflare is ISO 27001 and SOC 2 certified. R2 does not expose public URLs for our bucket.
  • Stripe — payment processing. PCI-DSS Level 1 certified. Stripe stores card data; we do not.
  • Postmark — transactional email delivery (invites, waitlist confirmations, billing alerts). Email content is transmitted securely. Postmark does not use your emails for advertising.
  • Expo (notifications) — mobile push notification delivery. We send push tokens and notification payloads to Expo's push service, which delivers them to Apple APNs and Google FCM. Expo does not store notification content.
  • PostHog — anonymous product analytics. PostHog is GDPR-compliant and offers data residency in the EU on request.
  • Sentry — application error monitoring. Error reports do not contain timeline content or media files.
  • Vercel — web hosting and edge network. Our Next.js application runs on Vercel's infrastructure. Vercel processes request logs in the US.
  • RevenueCat — mobile in-app purchase management for iOS and Android subscriptions. RevenueCat receives your app store receipt and purchase metadata but not your financial card data.

We do not sell your data to any third party. We do not use your data for advertising.

6. Media security and access control

Media security is the most critical part of our infrastructure. Here is exactly how it works:

  • No public URLs. Every media file stored in Cloudflare R2 uses our private bucket. The bucket has no public access policy. There is no URL you could guess or share that would open a file directly. Every file access goes through our authenticated server.
  • Signed URLs with expiry. When you view a photo or play a voice note, our server generates a temporary signed URL that is valid for one hour. After one hour, the URL stops working. A screenshot of that URL is useless after expiry.
  • Access control on every request. Before generating a signed URL, our server checks that the requesting user is the timeline owner or an active contributor with permission to view that specific post. Non-members receive a 403 error. This check happens server-side on every request, not just at login.
  • Audit logging. Every media access event is recorded in our database with: the user's ID, their display name, the timeline ID, the specific media key accessed, the timestamp, the requesting IP address, and the user agent string. Timeline owners can review this log at any time in the admin panel. This log is retained for as long as the timeline is retained.
  • Private Memory Shield (paid plans). On paid timelines with Shield enabled, every photo passes through our image proxy (/api/img) before being served. The proxy burns a server-side watermark into the image pixels. The watermark includes the viewer's display name and a timestamp. This happens server-side before the image reaches the browser or app, so it cannot be circumvented by disabling JavaScript or using a modified app. The watermark is designed to deter unauthorized distribution: if a watermarked image appears somewhere it should not, the watermark identifies who accessed it and when.
  • View history. Paid timelines record every post view event. The timeline owner can see who opened a specific photo, letter, or voice note, and when. This is distinct from the media access log (which records raw file fetches) and provides a higher-level view of engagement.
  • Encryption in transit. All data is transmitted over TLS 1.2 or higher. We enforce HTTPS everywhere. HTTP requests are redirected to HTTPS.
  • Encryption at rest. Supabase (PostgreSQL) and Cloudflare R2 both encrypt data at rest using AES-256 encryption managed by their respective infrastructure providers.
  • What we cannot prevent. We cannot prevent a device-level screenshot (someone pressing the screenshot button on their phone or computer). This is an OS-level capability that no web or app platform can block. The Memory Shield watermark is our deterrence mechanism: it makes screenshots attributable and therefore far less likely to be shared maliciously.

7. Children's privacy (COPPA)

FM2Y timelines are created to capture memories about children, not to collect personal information from children. Children do not create FM2Y accounts. Children do not interact with the platform until the handoff at age 18.

The data we store about a child is limited to: their first name, their date of birth, and the content their parents and loved ones have chosen to upload on their behalf. This data is provided by the adult who created the timeline, with explicit acknowledgment that they are the parent or legal guardian.

We do not knowingly collect personal information directly from children under 13. If you believe we have inadvertently received information from a child under 13 without verifiable parental consent, please contact us immediately at hi@shmo.me and we will delete that information promptly.

At age 18, the timeline ownership can be transferred to the child (now a legal adult) by the original timeline owner or designated custodian. At that point, the person becomes a full adult account holder under this Privacy Policy.

8. Data retention

  • Active timelines — retained indefinitely while the account is active and in good standing.
  • Suspended timelines — timelines whose funding has lapsed are moved to download-only mode and retained for a grace period of three (3) years from the lapse date. Owners may export their data at any time throughout the grace period. After the grace period ends, content may be permanently deleted, with at least 30 days' prior notice to the owner's registered email.
  • Fund It Fully timelines — retained through the coverage period (funded to age 18, held through age 21) and the subsequent download window. After the download window closes, we will contact the account holder before taking any action on the data.
  • Deleted accounts — if you request account deletion, we will delete your profile data, contributor records, and associated content within 30 days, subject to legal holds and billing record retention requirements (we retain Stripe billing metadata for 7 years per financial record-keeping requirements).
  • Waitlist data — retained until your spot is approved, you request removal, or 24 months after your last activity, whichever comes first.
  • Media access logs — retained indefinitely as a security and audit record.
  • Error logs (Sentry) — retained for 90 days.

9. Your rights

You have the following rights over your data:

  • Access — you can request a copy of all personal data we hold about you.
  • Correction — you can update your profile, display name, and timeline information at any time from your account settings.
  • Portability — timeline owners can export their full timeline (all posts, photos, audio, video, and letters) as a ZIP archive from the timeline settings page.
  • Deletion — you can request deletion of your account and associated data by contacting us at hi@shmo.me. Note that deleting your account does not delete a timeline you own unless you explicitly request that; contributors you have invited may have their own copies of content they created.
  • Restriction — you can remove contributors, revoke invite permissions, or switch a timeline to view-only mode at any time from the timeline settings.
  • Objection (GDPR) — you may object to processing based on legitimate interests. Contact us to discuss.
  • Withdraw consent — you can disable push notifications in your device or app settings at any time.

To exercise any of these rights, contact us at hi@shmo.me. We will respond within 30 days.

10. Cookies and tracking

We use the following cookies and local storage mechanisms:

  • Authentication session cookie — an httpOnly, secure cookie that stores your Supabase session token. This is strictly necessary for you to be logged in. It expires when your session expires (typically 1 week) or when you log out.
  • PostHog analytics cookie — a pseudonymous identifier used to count unique users in our product analytics. You can opt out by enabling "Do Not Track" in your browser, which PostHog respects.
  • No advertising cookies. We do not use cookies from Facebook, Google Ads, or any advertising network.

11. International data transfers

FM2Y is operated from the United States. Our infrastructure providers (Supabase on AWS us-east-1, Cloudflare R2 US data centers, Vercel US edge) process data in the United States. If you are accessing FM2Y from outside the United States, your data will be transferred to and processed in the United States. By using FM2Y, you consent to this transfer.

For EEA/UK users, we rely on Standard Contractual Clauses (SCCs) in our agreements with US-based sub-processors where required.

12. Security practices

In addition to the media security measures described in Section 6, we employ the following security practices across the platform:

  • Row-level security (RLS) on all database tables, enforced by Supabase. No query can return data from a timeline you are not authorized to access, even if our application code had a bug.
  • SECURITY DEFINER database functions for sensitive operations (invite claiming, beneficiary designation) that require elevated privileges without exposing the service role key to the client.
  • HMAC-signed image proxy URLs for Private Memory Shield. The signature is verified server-side before any image is served through the proxy, preventing URL tampering.
  • Cron job authentication via a CRON_SECRET bearer token. The cron endpoint is not publicly accessible without this secret.
  • Stripe webhook signature verification on every incoming webhook event. We reject any webhook that does not carry a valid Stripe signature.
  • Service role key isolation. The Supabase service role key (which bypasses RLS) is only available in server-side code and never exposed to the browser or mobile app.
  • Regular dependency updates via automated tooling.

No system is perfectly secure. If you discover a security vulnerability in FM2Y, please report it responsibly to hi@shmo.me before disclosing it publicly.

13. Governing law and disputes

This Privacy Policy is governed by the laws of the State of Texas, United States, without regard to its conflict of law provisions. Any disputes arising under this policy shall be resolved in the courts of Travis County, Texas, unless you are a consumer in a jurisdiction with mandatory local court rules that override this.

14. Limitation of liability

To the maximum extent permitted by applicable law, FM2Y and its affiliates, officers, employees, and contractors shall not be liable for any indirect, incidental, special, consequential, or punitive damages arising from your use of the service or any breach of this policy, including but not limited to loss of data, loss of profits, or any other intangible losses, even if we have been advised of the possibility of such damages.

15. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email (to the address on your account) at least 14 days before the change takes effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of FM2Y after a policy update constitutes acceptance of the updated policy.

16. Contact us

If you have any questions about this Privacy Policy, want to exercise your data rights, or need to report a privacy concern, please contact us:

  • Email: hi@shmo.me
  • Mailing address: Trimble Digital LLC, Austin, Texas, United States

Terms of Service