Privacy Policy

Last updated: February 7, 2026

1) Controller

The controller within the meaning of Art. 4(7) GDPR is the provider listed in the Imprint (Impressum) page of this website.

2) Scope

This Privacy Policy applies to the Fastry / fast3.app website, web application, and our Chrome extension (together the “Service”).

3) Data We Process, Purposes, Legal Bases, Retention

We process the following categories of personal data:

3.1 Account & Authentication Data

Data: email address, Google account identifier (uid), name, profile picture (if provided by Google), login metadata (timestamps, IP address in server logs where applicable).

Purpose: account creation, login, session management, security, fraud prevention.

Legal basis: Art. 6(1)(b) GDPR (contract/performance of service), Art. 6(1)(f) GDPR (security and abuse prevention).

Retention: for the lifetime of the account and a limited period after termination to defend against claims and prevent abuse (reasonable retention; then deletion/anonymization).

3.2 Service Data (Settings, Preferences, Usage within the App)

Data: configuration settings, preferences, feature usage signals, generation-related metadata (e.g., request timestamp, platform context, plan/limit counters).

Purpose: provide and operate the Service, enforce limits, debugging and stability.

Legal basis: Art. 6(1)(b) GDPR, Art. 6(1)(f) GDPR.

Retention: as long as necessary to operate the Service; deleted or anonymized after account deletion unless legally required.

3.3 Content Processed for AI Generation (Transient Processing)

When you generate a reply/post, the Service processes the content you choose to use for generation (e.g., text of a post or the last messages of a conversation) and your selected settings (tone, preferences, instructions).

Purpose: generate the requested output.

Legal basis: Art. 6(1)(b) GDPR.

Storage: by default, we do not store the full source content used for generation in our database. The content is processed transiently to fulfill your request. We may store minimal technical metadata (e.g., timestamp, success/error logs, usage counters) for security and billing integrity. If in the future we add optional “history” or “save prompts/replies” features, we will clearly disclose this and, where required, obtain consent.

Important: You remain responsible for how you use generated content and for complying with third-party platform rules and applicable law.

3.3.1 Chrome Extension Access

Our Chrome extension accesses page content only when you actively trigger a generation action (e.g., by clicking a generate/reply button). The extension does not automatically post content, does not run background scraping, and does not persistently store the content of posts or private messages. Access is limited to what is technically necessary to generate the requested output.

3.4 Payments & Subscriptions (Stripe)

Data: customer email, billing status, subscription identifiers, invoices/receipts, payment status and timestamps. Full payment details (e.g., card number) are processed by Stripe and are not stored by us.

Purpose: contract performance, billing, accounting, fraud prevention.

Legal basis: Art. 6(1)(b) GDPR, Art. 6(1)(c) GDPR (legal obligations), Art. 6(1)(f) GDPR (fraud prevention).

Retention: according to German commercial and tax law retention obligations for accounting documents.

3.5 Support Communications

Data: information you provide when contacting support (e.g., email, message content, attachments).

Purpose: respond to inquiries, troubleshoot, handle abuse/security reports.

Legal basis: Art. 6(1)(b) GDPR, Art. 6(1)(f) GDPR.

Retention: until request completion plus a reasonable follow-up period; then deletion/anonymization unless legally required.

3.6 Technical Logs (Server & Security)

Data: IP address, user agent, timestamps, request identifiers, error/security events.

Purpose: IT security, rate limiting, abuse prevention, incident analysis.

Legal basis: Art. 6(1)(f) GDPR.

Retention: security and server logs are stored for up to 30 days and are then deleted or anonymized, unless a longer retention is required to investigate security incidents or comply with legal obligations.

3.7 Analytics (Google Analytics 4) - Only with Consent

Data: usage events, page views, aggregated performance metrics; identifiers set via cookies/local storage may be used by Google Analytics depending on configuration.

Purpose: measure and improve reach/performance and product usability.

Legal basis: Art. 6(1)(a) GDPR (consent) and § 25(1) TDDDG (consent for storing/accessing information on your device).

Activation: Google Analytics is activated only after you explicitly opt in via our cookie banner. If you reject optional cookies, analytics remains disabled.

Technical implementation: Google Analytics scripts and related storage are not loaded or accessed before consent is given. Analytics is initialized only after an explicit opt-in via the cookie banner. If consent is rejected or withdrawn, analytics remains disabled and no analytics identifiers are stored or accessed.

Withdrawal: you can change or withdraw consent at any time via “Cookie settings” on the website.

4) Cookies / Local Storage and Consent (TDDDG)

4.1 Necessary Storage

We use necessary storage (cookies/local storage) to provide the Service, maintain sessions, security features, and essential preferences (e.g., theme). This is based on § 25(2) TDDDG (necessary storage) and Art. 6(1)(b) / Art. 6(1)(f) GDPR.

4.2 Optional Analytics Storage

Analytics storage is used only after your explicit opt-in consent (Art. 6(1)(a) GDPR; § 25(1) TDDDG). No pre-selected checkboxes are used.

5) Recipients / Processors

We use the following processors/service providers:

  • Google Firebase (hosting, authentication, database): Google Ireland Limited and/or affiliates depending on the service.
  • Stripe (billing and payment processing).
  • Google Analytics (only if consented).
  • OpenAI (AI generation API processing).

We may also use email providers or support tooling if needed for customer support; such providers will be listed here once used.

6) International Transfers

Where personal data is transferred to countries outside the EEA/UK, transfers are based on adequacy decisions and/or Standard Contractual Clauses (SCCs) with supplementary safeguards where required.

This may include processing by providers such as Google (Firebase, Analytics), Stripe, and OpenAI. Where required, transfers are safeguarded by adequacy decisions and/or Standard Contractual Clauses (SCCs) with supplementary measures.

7) Email Communications

We may send service-related emails necessary for account operation, security, and billing (e.g., payment confirmations, invoices/receipts, account notifications). We do not send marketing emails without your separate explicit opt-in. You can withdraw marketing consent at any time if such marketing is introduced.

No promotional or marketing emails are sent without a separate explicit opt-in. Service-related emails are strictly limited to what is necessary to operate the Service.

8) Your Rights (GDPR)

You have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), and to withdraw consent at any time with effect for the future (Art. 7(3)).

You also have the right to lodge a complaint with a supervisory authority (Art. 77), especially in your place of residence or where the alleged infringement occurred.

For privacy and data subject requests (Art. 15–21 GDPR), you may contact us at: kurshalow@gmail.com. Further legal contact details are available in the Imprint.

9) Account Deletion

You can request deletion via the account settings (if available) or by contacting us via the contact details in the Imprint. We will delete or anonymize personal data unless retention is required by law (e.g., accounting).

10) Security

We use appropriate technical and organizational measures to protect personal data. No method of transmission is 100% secure.

11) Changes

We may update this policy due to legal, technical, or business changes. The current version date is shown at the top.

Information only; not legal advice. For formal legal validation, consult a qualified lawyer in Germany.