Privacy Policy

Last updated: April 30, 2026

This Privacy Policy explains how Samla ("we", "us", "our"), developed by Holmeide Labs, collects, uses, shares and protects your personal data when you use the Samla app and related services.

In short: We only collect what's needed for the app to work. We never sell your data. We never show ads. Children's data has extra protection. All data is stored in the EU.

1. Data Controller

Holmeide Labs
Org. no: 937 102 445
Ludvig Karstens vei 12
1064 Oslo, Norway
Email: support@familiensamla.no

2. What data do we collect?

2.1 Account data

When you create an account, we collect:

  • Email address — for login and account-related communication
  • Name — for display in the app
  • Apple ID token — if you choose Apple Sign In (we never receive your Apple password)

2.2 Profile data

Information you enter in the app:

  • Person profiles — name, emoji, color code and birth year for family members
  • Home data — home name, emoji, QR invitation
  • Roles and membership — who belongs to which home, with what role

2.3 Module data

Content you and your family members create: calendar entries, tasks, shopping lists, chat messages, meal plans, routines, wishlists, budget data, packing lists, storage overview, countdowns, and data related to cabins, vehicles and pets.

2.4 Children's data

Samla has a minimum age of 13 for family membership. Younger children can participate in family logistics through their parent's profile (tasks, calendar, etc.), but do not have their own access to the app.

For children aged 13 and older, we store the following:

Children 13–15:

  • Same data as above, plus email (if they create their own account)
  • A separate Supabase account is created only after explicit guardian consent via push approval
  • Guardian receives push notification when the child requests account creation. Guardian must actively approve in the Samla app.
  • The request automatically expires after 24 hours
  • Denial or approval is logged with timestamp and guardian ID for audit trail

Children 16+: Can create their own account directly without additional guardian consent (in line with Norwegian legislation).

Visibility settings: Parents configure what each child sees in each module per home (full access, own content only, or hidden).

Birthdays: If a birth date is provided, Samla automatically creates a yearly birthday event in the family calendar and sends a push notification to family members at 7–8 AM local time on the day. This feature can be disabled in settings.

2.5 Logged guardian consents

To ensure an audit trail in line with GDPR Art. 7, we log the following consents when you create a child profile:

  • child_data_processing — general processing of child's data
  • privacy_accepted — acceptance of this privacy policy on behalf of the child
  • parental_consent_for_account — for 13–15: guardian approves account creation
  • data_minimization_acknowledged — confirmation that we only store what is necessary

Each consent is logged with policy version, app version and timestamp.

2.6 Family invitations

When you invite family members, we generate a personal invitation token containing pre-filled name, role and color code. The token is cryptographically signed (HMAC-SHA256) to prevent tampering. Invitations automatically expire after 7 days. Invitation data is deleted 30 days after expiry or use.

We do NOT collect phone numbers or email addresses for invitees. As the inviter, you receive a personal link (e.g., https://familiensamla.no/i/...) and distribute it yourself via SMS, iMessage, email, AirDrop or any other channel you prefer. Samla never learns where the link was sent or who received it, until the recipient themselves chooses to accept the invitation.

5. Transfer to third countries

The main database is located in the EU (Supabase, Stockholm). Some processors are located in the USA. Transfers are based on EU Standard Contractual Clauses (SCC) and data processing agreements. We only transfer data strictly necessary for the specific service to function.

6. Your rights

Under the GDPR, you have the right to: access, rectification, erasure ("right to be forgotten"), data portability, restriction of processing, objection, and withdrawal of consent at any time.

To exercise your rights, contact us at support@familiensamla.no. You can also delete your account directly in the app under Settings → Delete account. We respond within 30 days.

You also have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet): datatilsynet.no.

7. Images and Profile Photos

Samla allows users to upload profile photos for family members and pets. Here's how we handle images:

  • Storage: Images are stored in Supabase Storage (EU, Stockholm). Only your family has access.
  • Purpose: Profile photos are displayed in the app for identification in chat, calendar, and task lists.
  • Deletion: Images can be removed at any time via settings. When an account is deleted, all images are permanently removed.
  • Children's images: Only parents can upload photos for child profiles. Images are never shared outside the family.
  • No facial recognition: We never use images for facial recognition, AI training, or analysis.

9. Children and privacy

Samla takes children's privacy very seriously:

  • Samla has a minimum age of 13. We do not support accounts for children under 13. This matches the industry standard (Apple ID, Google, Instagram, etc.) and minimizes legal exposure.
  • Parents give explicit consent for processing of children's data when creating the profile. The consent is logged with version, timestamp and guardian ID.
  • In two-home families, both parents control the child's visibility settings via the child_visibility system.
  • Parents can configure exactly which modules the child sees in each home (full access, own content only, or hidden).
  • Children's chat messages in family chat can be filtered by parents.
  • Minors (under 16) cannot invite others to the family or approve parental consent requests. This is enforced both in the app and at the database level (RLS).

For children 13–15: A separate account can be created with parental consent through a push-based approval flow. When the child initiates account creation, all parents in the home receive a push notification. The child only gets access to their own account when a parent explicitly approves. The request expires after 24 hours.

For children over 15: Can create their own accounts. This is in line with Norwegian legislation, which sets the age of independent consent at 13; we as a company choose 16 as an additional precautionary measure.

Guardian rights: The guardian can at any time export everything we have about the child (Settings → Export data) or delete the child profile (Settings → Family → child profile → Delete). Deletion permanently removes all data about the child within 30 days.

Apple compatibility: Samla complies with Apple's guidelines for apps targeting children (App Store 5.1.4 and Family Sharing). We have no tracking, no advertising, no third-party data analysis, and no sharing of children's data with third parties.

9. The two-home model and data sharing

Samla supports families where children belong to two homes. Home data (calendar, shopping list, tasks, etc.) is private to each home.

11. Cookies and tracking

The Samla app does not use cookies or tracking tools. We have no third-party analytics, no ad tracking, and no social media data sharing. The website familiensamla.no does not use cookies.

12. Security

All data transfer uses HTTPS/TLS. The database is protected with Row Level Security (RLS). Authentication uses Supabase Auth with bcrypt-hashed passwords and JWT tokens. API keys are stored as server-side secrets.

13. Data breach

In the event of a data breach, we will notify the Norwegian Data Protection Authority within 72 hours if the breach poses a risk to your rights, and notify you directly if the risk is high.

14. Storage and deletion

Data is stored while your account is active. Upon account deletion, all personal data is deleted within 30 days. After subscription cancellation, data is retained for 90 days.

15. Automated decisions

Samla does not use automated decisions with legal effects.

16. Changes

We may update this policy as needed. For significant changes, we will notify you via push notification or email.

17. Contact

Holmeide Labs
Email: support@familiensamla.no
Address: Ludvig Karstens vei 12, 1064 Oslo, Norway