Privacy Policy
Version 1.0.0 — Effective 2026-03-28 — Last updated 2026-03-28
1. Introduction
Welcome to Fabrika42 ("we", "us", "our"). We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, and share your information when you use our service.
This policy applies to all visitors and registered users of our platform.
2. Information We Collect
2.1 Information You Provide
- Account information: name, email address, and password when you register.
- Profile information: any additional details you add to your profile (e.g., avatar).
- Payment information: processed by our merchant of record (see Section 7). We never receive or store your payment card details.
- Communications: messages you send to our support team.
2.2 Information Collected Automatically
- Usage data: pages viewed, features used, session duration.
- Device information: browser type, operating system, screen resolution.
- IP address: used for security, fraud prevention, and approximate location.
- Cookies: see our Cookie Policy for details.
2.3 Information From Third Parties
- Social login providers: if you sign in via Google, GitHub, or Microsoft, we receive your name, email, and profile picture from the provider.
3. How We Use Your Information
We use your personal data to:
- Provide, maintain, and improve our service.
- Process transactions and manage your subscription.
- Send transactional emails (account verification, password resets, security alerts).
- Send marketing communications (only with your consent; you can opt out at any time).
- Monitor and prevent fraud, abuse, and security incidents.
- Comply with legal obligations.
4. Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases:
| Legal Basis | Purpose |
|---|---|
| Contract performance | Providing the service, managing your account, processing payments |
| Legitimate interests | Security monitoring, fraud prevention, service improvement |
| Consent | Marketing emails, analytics cookies |
| Legal obligation | Tax records, responding to lawful requests |
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Lifetime of account + 30-day deletion cooling-off period |
| Session data | Deleted immediately upon expiry or revocation |
| Security audit logs | 90 days |
| Credit transactions | Lifetime of the organization |
| Webhook events | 90 days |
| Data export files | 24 hours after generation |
| Broadcast email records | 1 year (recipients); indefinite (summary records) |
6. Your Rights
Under GDPR and applicable data protection laws, you have the right to:
- Access your personal data (via the "Export Data" feature in Settings).
- Rectification — correct inaccurate data (via your Profile settings).
- Erasure — request permanent deletion of your account and data (via Settings > Delete Account). Deletion has a 30-day cooling-off period.
- Data portability — download your data in a machine-readable format (JSON).
- Withdraw consent — for marketing emails and analytics cookies at any time.
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, visit your account settings or contact us at [email protected].
7. Third-Party Data Processors
We use the following third-party services to operate our platform:
| Processor | Purpose | Data Shared | Data Location | DPA |
|---|---|---|---|---|
| Resend | Transactional & marketing email delivery | Email address, user name | US/EU | Resend DPA |
| Lemonsqueezy | Payment processing (merchant of record) | Email address, organization ID | US/EU | Lemonsqueezy DPA |
| Sentry | Error monitoring & performance tracking | IP address, browser info, anonymized user ID, page URL | US/EU | Sentry DPA |
| Google Analytics | Website analytics (via GTM, with consent) | Anonymized usage data, device info, approximate location | US/EU | Google DPA |
All processors are required to comply with GDPR. We maintain Data Processing Agreements (DPAs) with each processor.
8. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption in transit (HTTPS/TLS) and at rest.
- Password hashing using industry-standard algorithms.
- API key secrets are stored as SHA-256 hashes; raw keys are never retained.
- Session tokens are invalidated on logout and password change.
- Rate limiting and brute-force protection on authentication endpoints.
- Regular security monitoring and audit logging.
9. International Data Transfers
Your data may be processed in countries outside of your residence. Where transfers occur outside the EEA, we ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses).
10. Children's Privacy
Our service is not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at [email protected].
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or an in-app notification and ask for your renewed consent where required. The "Last updated" date at the top reflects the most recent revision.
12. Contact Us
If you have questions about this Privacy Policy or your personal data, contact us:
- Email: [email protected]
- Company: Fabrika42
- Address: [Address]