1. Data we collect
Account data. Name, email, organization, role, and authentication credentials.
Usage data. Log entries, device identifiers, IP address (hashed for long-term storage), product events, approval decisions, and operator actions — used to operate the service, prevent abuse, and generate auditable records.
Customer content. Conversation transcripts, knowledge base content, attachments, and any data you submit for processing. This data belongs to you; we process it only to deliver the service.
Payment data. Billing address and purchase history. Card numbers are handled exclusively by our payments provider (Stripe) and never stored on our servers.
2. How we use data
- Operate, maintain, and secure the service
- Provide customer support and respond to inquiries
- Generate audit records for approvals, policy decisions, and operator actions
- Detect and prevent abuse, fraud, and security incidents
- Comply with legal obligations and enforce our Terms
- Send operational notices and, when you opt in, product updates
3. Legal bases (GDPR)
We rely on the following lawful bases: performance of a contract (to deliver the service), legitimate interests (to secure and improve the service), consent (for optional marketing), and legal obligation (for regulatory requirements).
4. Sharing data
We do not sell personal data. We share data only with: (a) service providers under confidentiality and data-processing obligations (managed Postgres, object storage, email delivery, payments, analytics); (b) AI model providers, scoped to the minimum input required and only when the request is authorized by the customer's squad configuration; (c) authorities, when legally required; (d) acquirers, in the event of a merger or acquisition, with prior notice.
5. AI model providers
When agents use third-party AI models, we send the minimum content required to generate a response. A redaction layer scrubs common PII patterns (emails, phones, card-like strings) before the call unless the customer explicitly allows raw content. We do not use customer content to train third-party or first-party models without explicit opt-in.
6. International transfers
Where data crosses borders, we rely on Standard Contractual Clauses and equivalent safeguards. Enterprise customers may request regional storage preferences (EU or US).
7. Retention
We retain account and usage data for the life of the account and for a period after closure consistent with our backup cycles (up to 30 days on Pro, up to 90 days on Enterprise), unless longer retention is required by law or contract. Audit logs are retained for a minimum of 12 months.
8. Your rights
Depending on your jurisdiction, you may have the right to access, correct, delete, or export your personal data, object to or restrict processing, and withdraw consent. To exercise these rights, email legal@fanfusionhub.com. We verify identity before acting on a request.
9. Security
Our controls are described on the Security page: row-level security tenant isolation, encryption at rest, secrets rotation, approvals, audit logs, and incident-response tooling. We align with SOC 2 and ISO 27001 principles; formal certification is on our roadmap but not yet completed.
10. Children
Fanfusion Hub is not directed at children under 16. If you believe we have collected data from a child, contact us and we will delete it.
11. Changes
We may update this Policy. Material changes take effect 30 days after notice. The "Last updated" date at the top reflects the most recent version.
12. Contact
For privacy questions, data subject requests, or DPA requests, email legal@fanfusionhub.com. For security disclosures, email security@fanfusionhub.com.