Privacy.
Information on processing of personal data in the context of the FanClaw service, pursuant to Regulation (EU) 2016/679 of 27 April 2016 (“GDPR”) and French Law No. 78-17 of 6 January 1978 as amended. This policy complements the Legal notice and Terms.
Identity and contact.
The controller, within the meaning of Article 4(7) of the GDPR, is Thomas Berthou, trading under the commercial name “FanClaw”, registered in the French SIRENE registry under SIRET 938 157 062 00010 (the “Controller”).
The FanClaw service uses a local-first architecture: content, conversations and audience data processed by the user are stored in an encrypted local store on the user's device. These elements are not hosted by the Controller. The processing operations described herein only cover the data of which the Controller has control.
Data Protection Officer. The Controller has not designated a Data Protection Officer, considering that it does not fall within the mandatory designation cases under Article 37 GDPR. Requests are sent to legal@fanclaw.ai.
Article 28 GDPR qualification. Where a professional user makes use of the service to process personal data of its own audience or customers, the user acts as controller within the meaning of Article 4(7) GDPR. To the extent the service performs, on the user's device, processing operations on the user's behalf, the Controller acts as processor within the meaning of Article 4(8) GDPR. The sub-processing relationship is governed by these Terms, which serve as an agreement under Article 28(3) GDPR. A dedicated sub-processing addendum may be agreed for tailored offerings (e.g. agencies operating third-party creator accounts).
Data protection by design (Article 25 GDPR). The local-first architecture of the service, which limits transfers to what is strictly necessary and keeps content within an encrypted local store on the user's device, constitutes a data-protection-by-design and by-default measure within the meaning of Article 25 GDPR. The associated security measures are summarised in Article 10 and detailed in the Security commitments.
Framework. This policy satisfies the information obligation set out in Articles 12 to 14 GDPR.
Who is covered.
Users. Natural persons holding an account or acting on behalf of a legal entity holding an account.
Prospects and applicants. Natural persons interacting with the Controller through contact, application or subscription forms.
Visitors. Natural persons accessing fanclaw.ai without holding an account.
Sub-processor / partner contacts. Natural-person contacts of sub-processors, partners or suppliers.
User audience (out of scope). The natural persons composing the user's audience on third-party platforms, and the content processed by the user, are not subject to processing by the Controller. Such processing falls under the user's responsibility, as controller in relation to their audience.
Strictly necessary. Nothing else.
Article 3
Categories of data collected.
Account. Email address, password (hashed), licence identifier, technical identifiers of authorised devices. Mandatory. Without them, the account cannot be created.
Billing. Name and billing address, tokenised payment identifiers issued by the payment processor, transaction history, VAT number where applicable, invoices. Mandatory. Without them, the subscription cannot be entered into.
Technical data. IP address at licence-server requests, application version, operating-system identifier, anonymised event signatures. Automatically collected.
Optional telemetry. Where the user expressly authorises, aggregated and pseudonymised usage indicators (within the meaning of Article 4(5) GDPR) excluding user content and directly identifying information. Optional. Refusal has no effect on service access.
Communications. Content of support or commercial communications, provided at the data subject's initiative.
Visitor data. Strictly necessary technical identifiers and, where consent is obtained, audience measurement (see Article 5).
Source. Data are, as a rule, collected directly from the data subject. Technical data are collected automatically when using the service. No data is acquired from data brokers.
Data not collected. The content processed by the user via the service, the conversations exchanged on third-party platforms, the media and the audience data are not transmitted to the Controller. Third-party platform identifiers are not transmitted either.
Why and on what basis.
Contract performance (Art. 6.1.b). Account creation and management, licence activation, billing, support, transactional communications.
Legitimate interests (Art. 6.1.f). Fraud and abuse prevention, licence-server security, anonymous stability statistics, internal management, defence of rights. The user may object on grounds relating to their particular situation under Article 21 GDPR.
Legal obligation (Art. 6.1.c). Accounting record-keeping, tax and social-security filings, responses to lawful requests from competent authorities.
Consent (Art. 6.1.a). Optional telemetry, non-strictly-necessary trackers, marketing communications. Consent can be withdrawn at any time; withdrawal does not affect prior processing lawfulness.
No special-category data. The Controller does not knowingly process data of categories listed at Article 9 GDPR. The user shall not transmit such data via the service without an appropriate legal basis.
No automated decision-making within the meaning of Article 22 GDPR. The service implements algorithmic processing (task prioritisation, strategy recommendations, pricing suggestions, audience scoring, content classification). These processing operations do not, of themselves, produce any legal or similarly significant effect on the data subject: any external action resulting therefrom is subject to the user's prior decision and validation in the user's capacity as controller of their audience. Accordingly, the Controller does not subject any data subject to a decision based solely on automated processing within the meaning of Article 22 GDPR. The user, as controller of their audience, is solely responsible for the implementation of the safeguards required by Article 22 where the configuration retained by the user would lead to a fully automated decision without effective human intervention.
Trackers on the website.
Strictly necessary trackers. Deposited without prior consent: session, authentication, presentation preferences, security.
Trackers subject to consent. Deposited after free, informed, specific and unambiguous consent: audience measurement outside the exemption scope, non-essential personalisation, communication-performance trackers.
Audience measurement. Where implemented within the CNIL exemption framework, audience measurement may be deposited without consent. Otherwise, prior consent is collected.
Refusal. Refusal of consent-based trackers has no impact on website availability or service access. Consent withdrawal is as easy as collection and can occur at any time from the preferences-management panel.
Detailed information. The list of trackers, their purpose, duration and emitters is accessible in the preferences-management panel.
Collection and conservation of choices. Consent collection, choice storage and retention duration are aligned with current CNIL guidelines, in particular Deliberation No. 2020-091 and the recommendation of 17 September 2020. In line with that recommendation, consent to trackers is retained for a maximum of thirteen (13) months and refusal for a maximum of six (6) months from its expression. Choices may be modified at any time from the preferences-management panel.
No minors' data processed.
Principle. The service is not designed for, nor likely to be used by, minors. The Controller does not knowingly collect minors' personal data.
Discovery of collection. If the Controller becomes aware that a minor's data has been transmitted without appropriate legal basis, it deletes such data without delay.
User obligations. The user shall not process, via the service, personal data of minors in their jurisdiction. This prohibition is recalled in the Acceptable Use Policy.
Technical service providers.
Payment. Stripe Payments Europe Ltd. (Ireland), processing of subscription payments.
Transactional emails. Resend Inc. (United States), technical emails related to the account.
Website & licence-server hosting. Vercel Inc. (United States), hosting of fanclaw.ai and operation of the licence server.
Cloud inference. OpenRouter LLC (United States), routing of inference requests issued by the application at the user's request.
Optional telemetry. PostHog Inc. (United States), when telemetry is activated by the user.
Onward sub-processors (Article 28(4) GDPR). Certain sub-processors engage onward sub-processors. In particular, for cloud inference, OpenRouter LLC may, at the request issued by the application on the user's instruction, transmit the request to a third-party AI-model provider, in particular Anthropic Inc., OpenAI Inc., Mistral AI SAS, Google LLC or any equivalent provider. The precise list applicable at a given date may be obtained on request to legal@fanclaw.ai. Inference requests are governed by the relevant sub-processor's terms, in particular its no-retention and no-training-reuse commitments.
Right of objection to new sub-processors (Article 28(2) GDPR). The Controller informs the user of any substantial change to the sub-processor list by electronic means, with thirty (30) days' notice before the change takes effect. During this period, the user may object to the change by terminating the contract under Article 9 of the Terms.
Updates. The applicable version of the sub-processor list is the one published at this URL. Details of responsibility allocation are available on request.
Rights granted by the GDPR.
Right of access. Confirmation of processing and access to data, with related information.
Right of rectification. Correction of inaccurate or incomplete data.
Right of erasure. Deletion in the cases of Article 17 GDPR, subject to legal retention obligations.
Restriction. Restriction of processing under Article 18 GDPR.
Portability. Receipt of data in a structured, commonly used, machine-readable format, and transmission to another controller, under Article 20 GDPR.
Objection. Objection, on grounds relating to their particular situation, to processing based on legitimate interests; objection at any time to direct-marketing processing.
Withdrawal of consent. Withdrawal at any time for consent-based processing, without affecting prior lawfulness.
Post-mortem directives. Pursuant to Article 85 of French Law No. 78-17, directives may be given for the fate of data after death.
Exercise. Requests are sent to legal@fanclaw.ai. The Controller replies within the one-month period of Article 12 GDPR, extendable under that article. Proof of identity may be sought in case of reasonable doubt.
Complaint. A complaint may be filed with the CNIL, 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, or via www.cnil.fr. Users habitually resident in another Member State of the European Union may also seise their own national supervisory authority, in accordance with Article 77 GDPR.
Right to compensation (Article 82 GDPR). Any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to obtain compensation from the controller or the processor for the damage suffered, under the conditions set out in Article 82 of that Regulation. The controller's general liability framework and the limitations stipulated by the Terms apply within the limits authorised by mandatory law.
Durations proportionate to purposes.
Account. Retained for the contractual duration, then deleted within a reasonable period after termination, save legal obligations or defence of rights.
Accounting and tax records. Retained for the durations provided by applicable French law, notably Article L. 123-22 of the Commercial Code and the Tax Procedures Code.
Technical and security logs. Retained for the period necessary for security and traceability, in accordance with applicable regulation.
Optional telemetry. Retained in aggregated and pseudonymised form within the meaning of Article 4(5) GDPR; linking to an identifiable person is technically prevented at collection.
Marketing. Retained until withdrawal of consent or the applicable prospecting expiry.
Support communications. Retained for handling and archived within applicable prescription periods.
Intermediate archiving. After the period of administrative use, data may be archived for the applicable prescription duration in a restricted-access system for defence of rights or response to legal obligations.
Framework for non-EU transfers.
Transfer framework. Where a transfer outside the EU is necessary, it is based on: (i) a Commission adequacy decision where available, including the EU-US Data Privacy Framework adopted by Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 for sub-processors established in the United States that have certified to that framework; (ii) failing that, the Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914 of 4 June 2021), complemented where appropriate by additional measures consistent with EDPB recommendations 01/2020; (iii) or any other appropriate-safeguards mechanism recognised by Chapter V GDPR.
Locations of main sub-processors. By way of illustration on the date of publication: Stripe Payments Europe Ltd (Ireland, European Union); Resend (United States, DPF); PostHog (United States and European Union); OpenRouter LLC (United States, DPF); cloud-storage providers (European Union as a priority). This list is indicative and supplements the sub-processor list referred to in Article 7.
Information. A copy of the transfer safeguards (Standard Contractual Clauses, DPF certificates) may be obtained, subject to confidentiality, by request to legal@fanclaw.ai.
Security measures (Article 32 GDPR). The controller implements technical and organisational measures appropriate to the risk, including in particular: local-first architecture with encrypted storage on the user's device; encryption of transmissions; restricted access on a need-to-know basis to the limited data hosted by the controller; logging of administrative actions; periodic review of the security posture; incident-management procedure including, where applicable, notification under Articles 33 and 34 GDPR. The detail of these measures and the related practices is presented in the Security commitments.
Modification of this policy. This policy may be amended to reflect legal, regulatory, jurisprudential or technical changes. The applicable version is the one published at this URL. The controller will inform users of any material change by electronic means, with reasonable notice before its entry into force, save for changes imposed by mandatory regulation requiring immediate application.
Authoritative version. In case of conflict between this English version and the French version available at /privacy, the French version prevails.
Any data-related request can be sent to legal@fanclaw.ai.


