Effective April 18, 2026

Privacy Policy for Mum’s Attic

1. Introduction

Welcome to Mum’s Attic, a service provided by Mouthbreather LLC (“we,” “our,” or “us”). We respect your privacy and are committed to protecting the memories and data you share with us. This policy explains how we collect, use, share, and protect your information when you use the Mum’s Attic app and website.

2. Information We Collect

Account Information: When you register, we collect your name and email address through Firebase Authentication.

Inventory Data: We store the photos, descriptions, voice notes, and audio stories you create and upload to your private library. This data is hosted securely in Google Firebase/Firestore and Google Cloud Storage.

Family Connections: If you invite heirs or family members, we collect their email addresses solely to facilitate the invitation and sharing process.

Device Permissions: The app requests access to your device camera (to photograph items), microphone and speech-to-text (to record audio stories and voice notes), and notification delivery (to alert you of family activity). We use these only for the features you actively choose to use.

Purchase and Subscription Information: If you subscribe to a premium plan, our payment processor RevenueCat records your subscription status, purchase history, and a pseudonymous subscriber identifier. We do not store your payment card details.

Analytics and Crash Data: We collect anonymous usage data and crash reports via Firebase Analytics and Firebase Crashlytics to improve app stability and performance. This includes device model, OS version, session duration, and feature interaction events. This data is not linked to your name or email address.

Push Notification Tokens: If you allow notifications, we store a device token to deliver alerts about family invitations and collection activity.

3. How We Use Your Information

  • To provide the core service of inventorying and sharing your items.
  • To send account notifications, password resets, and family invitations via Postmark.
  • To process and manage your premium subscription via RevenueCat.
  • To synchronize your data across your web, iOS, and Android devices.
  • To diagnose crashes and improve app performance using anonymized analytics.
  • To deliver push notifications you have opted into.

We do not sell your data. Your family stories and item inventories are private to you and the people you explicitly invite.

4. Data Sharing and Third Parties

We only share your data with the technical infrastructure required to run the app. Each third party is bound by their own privacy policies and, where required, data processing agreements with us:

  • Google Firebase / Google Cloud — Database, file storage, authentication, analytics, and crash reporting. Google Privacy Policy
  • RevenueCat — Subscription and purchase management. RevenueCat Privacy Policy
  • Postmark (Wildbit) — Transactional email delivery. Postmark Privacy Policy
  • Family Members — Your inventory and stories are shared only with the specific individuals you choose to invite to your attic. You control this list at all times.

We do not use advertising networks or sell data to data brokers.

5. Device Permissions

PermissionWhy We Need It
CameraPhotograph items to add to your inventory
MicrophoneRecord audio stories and voice notes attached to items
Speech-to-TextTranscribe voice input when creating item descriptions
NotificationsNotify you of family invitations and collection activity

You can revoke any permission at any time in your device settings. Revoking a permission disables the associated feature but does not affect the rest of the app.

6. Data Retention

  • Account and inventory data is retained for as long as your account is active.
  • Deleted items are removed from active databases within 30 days of deletion.
  • Deleted accounts result in permanent removal of all personal data and inventory records from active databases within 30 days. Encrypted backups are purged within 90 days.
  • Analytics and crash data is retained by Firebase for up to 14 months per Google’s standard retention policy.
  • Subscription records are retained by RevenueCat as required by applicable financial regulations.

7. Data Security

We use industry-standard encryption (AES-256) at rest and TLS encryption in transit. Our infrastructure is built on Google Cloud’s secure backbone. Access to production data is restricted to authorized personnel only.

8. Account Deletion

You can delete your account and all associated data directly from within the app: go to Settings → Account → Delete Account. You may also request deletion by emailing support@mumsattic.com. We will complete the deletion within 30 days and confirm by email.

9. Your Rights

All Users

  • Access: You may request a copy of the personal data we hold about you.
  • Correction: You may update your name or email at any time in Settings.
  • Deletion: See Section 8 above.
  • Portability: You may request an export of your inventory data in a standard format.

California Residents (CCPA / CPRA)

California law grants you the following additional rights:

  • Right to Know: You may request details about the categories and specific pieces of personal information we have collected about you and the purposes for which we use it.
  • Right to Delete: You may request that we delete your personal information, subject to limited exceptions.
  • Right to Correct: You may request that we correct inaccurate personal information.
  • Right to Opt Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.

To exercise these rights, contact us at support@mumsattic.com or via the address in Section 12. We will respond within 45 days.

European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR)

If you are located in the EEA, UK, or Switzerland, you have the following rights under applicable data protection law:

  • Lawful Basis: We process your data on the basis of contract performance (to provide the service you signed up for) and legitimate interests (analytics and security). Where we rely on consent (e.g., optional notifications), you may withdraw it at any time.
  • Right of Access, Rectification, and Erasure
  • Right to Restrict Processing
  • Right to Data Portability
  • Right to Object to processing based on legitimate interests
  • Right to Lodge a Complaint with your local supervisory authority

International Transfers: Our infrastructure is hosted in the United States. If you are located outside the US, your data is transferred to and processed in the US. For EEA/UK users, these transfers are covered by Google’s Standard Contractual Clauses with the European Commission. You may request a copy of these safeguards by contacting us.

To exercise your GDPR rights, contact us at support@mumsattic.com. We will respond within 30 days.

10. Children’s Privacy

Mum’s Attic is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information without parental consent, please contact us immediately at support@mumsattic.com and we will delete it promptly.

11. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by email and by posting a notice in the app. The effective date at the top of this page reflects the date of the latest revision.

12. Contact Us

If you have questions about this policy or your data, please contact us at:

Mouthbreather LLC
1659 Branham Ln #F150
San Jose, CA 95118
Email: support@mumsattic.com