This policy explains what data FanSpeak collects, how it is used, and your rights under GDPR and applicable privacy laws.
1. Data Controller
The data controller for personal data processed by FanSpeak is the operator of fanspeak.io. Contact: privacy@fanspeak.io.
2. Data We Collect
2.1 Account data
- Email address (required for authentication)
- Name and profile picture (from Google OAuth, if you sign in with Google)
- Language preference and timezone
- Account creation and last login timestamps
2.2 External platform data
When you connect a third-party platform (e.g. YouTube), FanSpeak retrieves and stores:
- Channel/page identifiers and public metadata (name, avatar, subscriber count)
- Content items (video titles, descriptions, publication dates, thumbnails)
- Comments, replies, and related metadata (commenter username, text, timestamps, like counts) from your connected channels
- OAuth2 access and refresh tokens — stored encrypted in the database using Fernet symmetric encryption
This data is retrieved on your behalf and is used solely to power the FanSpeak inbox, search, reply tracking and analytics features.
2.3 Usage data
- IP address and User-Agent string at login (stored for security purposes)
- Reply actions and AI suggestion usage (to improve the service)
3. Legal Basis for Processing (GDPR)
- Contract performance — processing your account data and connected platform data is necessary to deliver the Service you have signed up for.
- Legitimate interest — security logging, fraud prevention and service improvement.
- Consent — marketing communications, if you opt in (you can withdraw at any time).
4. Data Retention
- Account data: retained for the lifetime of your account plus 30 days after deletion.
- External platform data (comments, content items): retained as long as the channel is connected. Deleted within 30 days of disconnecting the channel or closing your account.
- Security logs (IP, User-Agent): retained for 90 days.
- Contact form submissions: retained for 12 months.
5. Data Sharing
We do not sell your personal data. We may share data with:
- Infrastructure providers — hosting, database, email delivery (processors bound by data processing agreements).
- Anthropic — comment text is sent to the Anthropic API to generate AI reply suggestions. Anthropic processes this data subject to their privacy policy.
- Law enforcement — only when legally required and to the minimum extent necessary.
6. Your Rights (GDPR)
You have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data ("right to be forgotten")
- Object to or restrict certain processing
- Data portability — receive your data in a machine-readable format
- Withdraw consent at any time (where processing is based on consent)
- Lodge a complaint with your national data protection authority
To exercise any of these rights, email privacy@fanspeak.io. We will respond within 30 days.
7. Security
We use industry-standard security measures: HTTPS for all communication, encrypted token storage, HttpOnly cookies for session management, and database access restricted to application servers only. No system is perfectly secure; please report any vulnerabilities to security@fanspeak.io.
8. Cookies
FanSpeak uses only essential cookies: a session authentication cookie (HttpOnly, Secure, SameSite=Lax) and a refresh token cookie with the same attributes. We do not use advertising or tracking cookies.
9. International Transfers
Your data is processed within the European Union. If any processing occurs outside the EU (e.g. by Anthropic for AI suggestions), we ensure appropriate safeguards are in place (Standard Contractual Clauses).
10. Changes to this Policy
We will notify you by email of significant changes at least 14 days before they take effect. The current version is always available at this URL.
11. Contact
Privacy-related inquiries: privacy@fanspeak.io