Privacy Policy
Effective date: April 7, 2026
1. Who we are
Family Butler is operated by MXH Technologies, Inc., a New York S-Corporation (“we”, “us”, or “Family Butler”). You can reach us about anything in this policy at michaelhhuang@gmail.com.
2. What this policy covers
This Privacy Policy describes the data practices for the Family Butler service, which includes the web dashboard at ourbutler.ai and the per-family AI assistant (“Butler”) that runs in your iMessage or WhatsApp group on infrastructure we provision and operate on your behalf. It applies to anyone who creates a Family Butler account or interacts with Butler in a connected family chat.
3. Information we collect
Account information
When you sign up, we collect the email address you use to log in via magic link. We do not collect or store passwords.
Family profile
During onboarding you may provide:
- Family name
- Names of parents or primary adults in the household
- Optional first names and ages of children in the household (up to ten)
- Optional home address (street, city, state, ZIP)
- Time zone (auto-detected, adjustable)
Address is used to provide weather, travel time, and local recommendations relevant to where you live. Children’s names and ages are used only as context Butler needs to coordinate the household (see Section 10).
Calendar and email content (only when you grant access)
If you choose to connect Google Calendar, we request the scopes calendar.readonly and calendar.events so Butler can read your events and create new ones on your behalf. If you later ask Butler to monitor your email, you will be prompted to grant an additional gmail.readonly scope. We store the OAuth access and refresh tokens encrypted at rest. We never request the ability to send email from your account or to delete events.
Conversations and assistant memory
Butler stores the messages you exchange with it, the scheduled reminders and tasks you create, and the contextual notes it builds about your household over time (for example, “piano lessons are on Thursdays” or “Lily takes Vitamin D drops”). These live in a SQLite database on a storage volume that is dedicated to your family and not shared with any other family.
Billing information
Subscription billing is handled by Stripe. Stripe collects and stores your payment method directly; Family Butler never sees your card number. We retain Stripe customer and subscription identifiers, plan status, trial dates, and invoice history so we can show your billing page and enforce plan limits.
Operational logs
We log Butler’s actions (briefings sent, calendar events created, purchases proposed, billing events) so you can review activity in your dashboard and so we can investigate problems.
4. How we use your information
We use your data to:
- Operate Butler and answer your requests
- Send the briefings, reminders, and notifications you opt into
- Process subscription billing and prevent abuse
- Provide customer support and respond to your questions
- Diagnose and fix bugs and security issues
- Comply with applicable law and enforce our Terms of Service
We do not sell your data, share it with advertisers, or use it to train AI models. Family Butler has no advertising business.
5. Subprocessors
Family Butler is built on a small set of trusted infrastructure providers. Each one receives only the data necessary to perform its specific function:
| Subprocessor | Purpose | Data shared |
|---|---|---|
| Anthropic (Claude API) | The AI model that powers Butler’s reasoning | Conversation messages plus the family context Butler needs to answer. Used under Anthropic’s commercial API terms; Anthropic does not train models on this data. |
| Google (Calendar / Gmail APIs) | Calendar coordination and (optional) email triage | Only what your granted OAuth scopes permit |
| Stripe | Subscription billing and payments | Customer name, email, and Stripe-tokenized payment method |
| Supabase | Account database and authentication | Profile data, encrypted OAuth tokens, billing identifiers, activity logs |
| Railway | Hosting for the per-family Butler agent (your dedicated instance) | Everything Butler stores locally for your family: chat history, tasks, encrypted credentials |
| Vercel | Hosting for the web dashboard | HTTP request logs; no persistent user data |
| Resend | Magic-link login emails and operator notifications | Your email address and login token |
| Blooio | iMessage / WhatsApp message delivery | Message content and the handles of senders and recipients in your family group |
| Brave Search | Product research and local business search | Search query text only |
| OpenWeatherMap | Weather forecasts | Latitude and longitude derived from your address |
| Google Maps | Travel time and route calculations | Origin and destination addresses |
| LiveKit | Outbound voice calls (e.g., restaurant reservations) when you ask Butler to make one | The phone number to call, the call objective and context, and the call transcript |
We will update this list when we add or remove subprocessors and will post a notice in the dashboard at least 14 days before any material change takes effect.
6. AI processing
Butler is powered by Anthropic’s Claude. When you message Butler, the conversation and a summary of the household context Butler has built about your family are sent to the Claude API so the model can generate a response. This data is processed under Anthropic’s commercial API terms, which state that customer prompts are not retained for model training. We do not opt in to any data-sharing or model-training programs.
7. How we protect your data
Security is the foundation of how Family Butler is built. The protections below are not aspirations — they are present in the code today:
- Encryption in transit. All connections between you, our dashboard, your Butler instance, and our subprocessors use HTTPS/TLS.
- Encryption at rest for OAuth tokens. Google access and refresh tokens are encrypted with AES-256-GCM, using a unique random salt and initialization vector per token, before being written to our database.
- Per-family encryption keys. Each family’s dedicated Butler instance is provisioned with its own randomly generated 256-bit encryption key. Local secrets are encrypted with that key, so even in the unlikely event of unauthorized access to one family’s storage, no other family is exposed.
- Database row-level security. Our cloud database enforces row-level security policies on every table that contains family data, so an authenticated user can only ever read or write their own family’s rows.
- Signed webhooks. Inbound webhooks from Stripe are verified against an HMAC signature before any handler runs, so we will never act on a forged billing event.
- CSRF-protected OAuth. Google’s consent flow uses a cryptographically signed state token with a 10-minute expiry to prevent cross-site request forgery.
- Bring your own API key (BYOK). If you prefer to run Butler against your own Anthropic account, your API key is encrypted at rest using the same scheme as OAuth tokens and is accessible only to your dedicated instance.
No system can be guaranteed perfectly secure, but we treat any suspected vulnerability seriously. If you discover one, please email michaelhhuang@gmail.com.
8. Health information
Butler can help you keep track of family health logistics — appointment dates, doctor names, vaccination milestones, prescription names, and pharmacies. By design, Butler does not store clinical detail. We have a built-in guardrail that prevents Butler from recording diagnoses, medication dosages, symptoms, test results, or other protected health information. If you share clinical detail with Butler in a message, Butler will redirect you to your healthcare provider’s patient portal.
Family Butler is not a healthcare provider and is not subject to HIPAA. Do not use Butler as a substitute for medical advice or as a system of record for medical information.
9. Children’s privacy
Family Butler is designed for adults running households. Account creation is restricted to users aged 18 or older. Although you may provide your children’s first names and ages so Butler can coordinate the household calendar and reminders, we do not knowingly collect personal information directly from anyone under 13. Butler is configured with a sender allowlist that ignores messages from any family member who has not been registered as a parent, so children in your group chat cannot interact with Butler directly even if they are present.
If you believe a child has provided us personal information without appropriate parental involvement, please email michaelhhuang@gmail.com and we will delete the information promptly.
10. Your rights and choices
You can, at any time:
- Disconnect Google Calendar from your Connected Accounts page. This deletes the encrypted OAuth tokens for your family from our database.
- Update your family profile (names, ages, address) from the Settings page.
- Remove a BYOK API key from the Connected Accounts page.
- Cancel your subscription at any time via the Stripe Customer Portal linked from your Billing page.
- Opt out of optional notifications (morning briefings, evening briefings, purchase notifications) from the Settings page.
- Request full account deletion by emailing michaelhhuang@gmail.com. We will honor verified deletion requests within 30 days. Deletion removes your family’s database records, your dedicated Butler instance, and all data on its storage volume. We may retain minimal information required for legal, tax, or anti-fraud purposes.
Depending on where you live, you may have additional rights under laws like the California Consumer Privacy Act. To exercise any such right, email michaelhhuang@gmail.com and we will respond within the timeframe required by the applicable law.
11. Data retention
We retain your account data for as long as your account is active. When you cancel or request deletion, we remove your family’s records from our database and tear down your dedicated Butler instance within 30 days. Operational logs and billing records may be retained for a longer period as necessary to meet tax, accounting, and legal obligations.
12. International users
Family Butler is currently offered in the United States only. Our infrastructure providers operate primarily in the U.S. If you access the service from outside the U.S., you understand that your data will be processed in the U.S. We do not currently offer GDPR-specific guarantees and will update this policy when we expand internationally.
13. Changes to this policy
We will post any material changes to this policy on this page and notify you by email and in the dashboard at least 14 days before they take effect. Continuing to use Family Butler after changes take effect means you accept the updated policy.
14. Contact us
Questions, concerns, deletion requests, or anything else — email michaelhhuang@gmail.com and we will respond.