Privacy Policy

1. Information We Collect

1.1 Information You Provide

• Account data: name, email address, profile photo (from your authentication provider)
• Billing data: subscription tier, transaction history (payment card details are handled by Stripe and not stored by us)
• Prompts and generated content: text prompts you submit and applications the Service generates
• Communications: support emails and feedback you send us
• Linked integrations: GitHub account information if you connect GitHub sync

1.2 Information Collected Automatically

• Usage data: features used, generation history, credit consumption, session duration
• Log data: IP address, browser type, operating system, referring URLs, error logs
• Device data: device type, screen resolution, timezone
• Cookies and similar technologies: see Section 5

1.3 Information from Third Parties

When you sign in via a third-party provider (e.g., Google, GitHub via Clerk), we receive basic profile information such as your name and email. We do not receive your passwords.

2. How We Use Your Information

We use the information we collect to:

• Create and manage your account and authenticate you
• Provide, operate, and improve the Service
• Process payments and manage subscriptions
• Track credit usage and enforce plan limits
• Send transactional emails (account creation, billing receipts, password reset)
• Send lifecycle emails to help you get value from the Service (you may opt out)
• Detect, investigate, and prevent fraud, security incidents, and abuse
• Comply with legal obligations
• Analyze aggregate usage trends to improve the product

We do not use your prompts or generated content to train AI models or sell your data to third parties for advertising.

3. Legal Bases for Processing (EEA/UK)

If you are in the EEA or UK, we process your personal data under the following legal bases:

• Contract performance: Processing necessary to provide the Service, manage your account, process payments, and deliver generated applications.
• Legitimate interests: Fraud prevention, security, improving our services, sending lifecycle emails to active users (you may opt out), and analytics for product development.
• Legal obligation: Processing required by applicable law (e.g., financial record-keeping, responding to lawful requests).
• Consent: Analytics cookies, marketing pixels, and session-recording tools are only activated after you provide consent via our cookie banner. You may withdraw consent at any time.

4. Who We Share Data With

We share personal data only with vendors and partners necessary to operate the Service ("sub-processors") and as required by law. We do not sell your personal data.

We may also disclose data: (a) to comply with legal obligations or respond to lawful requests from public authorities; (b) to protect our rights, property, or safety or that of our users; or (c) in connection with a merger, acquisition, or sale of all or a portion of our assets, in which case we will notify you before your data is transferred to a new entity.

5. Cookies and Tracking

We use the following categories of cookies and similar technologies:

• Necessary: Essential for authentication, security, and core functionality. Cannot be disabled.
• Analytics: PostHog and Google Analytics collect aggregated usage statistics to help us improve the product. Activated only with your consent.
• Functional: The Crisp support chat widget uses cookies to maintain conversation state. Activated only with your consent.
• Advertising: The Meta Pixel tracks conversion events (e.g., signups) for advertising measurement. Activated only with your consent.

You can manage cookie preferences through our cookie banner or your browser settings. Withdrawing consent for non-essential cookies does not affect the lawfulness of prior processing. For more details, see our Cookie Policy.

6. Data Retention

We retain personal data for as long as necessary to provide the Service and comply with legal obligations:

• Account data: Retained for the lifetime of your account plus 30 days after deletion to enable account recovery.
• Billing records: Retained for 7 years to comply with financial and tax regulations.
• Prompt and generation data: Retained while your account is active. You may delete individual projects at any time.
• Log data: Retained for up to 90 days for security and debugging purposes.
• Analytics data: Retained in aggregated or anonymized form for up to 2 years.
• Email logs: Retained for up to 1 year for deliverability and compliance verification.

After account deletion, we will delete or anonymize your personal data within 30 days except where longer retention is required by law.

7. International Data Transfers

We are based in the United States. If you access the Service from the EEA, UK, or Switzerland, your personal data will be transferred to and processed in the USA and other countries that may not have equivalent data protection laws.

We rely on the following transfer mechanisms to ensure adequate protection:

• Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to the USA
• UK International Data Transfer Agreements (IDTAs) for transfers from the UK
• The EU-U.S. Data Privacy Framework for vendors certified thereunder

You may request a copy of the applicable transfer safeguards by contacting us at support@fabricate.build.

8. Security

We implement administrative, technical, and organizational safeguards appropriate to the risk, including encryption in transit (TLS), access controls, and security monitoring. No security system is perfect; we cannot guarantee absolute security. If we become aware of a security breach affecting your personal data, we will notify you and relevant authorities as required by applicable law.

9. Children's Privacy (COPPA)

The Service is not directed to children under 13 years of age, and we do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us at support@fabricate.build and we will promptly delete it. Users between 13 and 17 years old may use the Service with parental or legal guardian consent, as described in our Terms of Service.

10. Your Privacy Rights

10.1 General Rights (All Users)

Regardless of your location, you may:

• Access and download your account data
• Correct inaccurate information in your account
• Delete your account and associated data
• Opt out of lifecycle emails using the unsubscribe link in any email
• Manage cookie preferences via our cookie banner

10.2 EEA, UK, and Switzerland (GDPR)

If you are located in the EEA, UK, or Switzerland, you have additional rights under the GDPR and equivalent laws:

• Access: Obtain a copy of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your data ("right to be forgotten")
• Restriction: Request that we limit processing of your data
• Portability: Receive your data in a structured, machine-readable format
• Objection: Object to processing based on legitimate interests
• Withdraw consent: Withdraw consent at any time for consent-based processing
• Lodge a complaint: File a complaint with your local supervisory authority. For EU residents, this is the Data Protection Authority in your member state. For UK residents, this is the Information Commissioner's Office (ICO) at ico.org.uk.

To exercise these rights, contact us at support@fabricate.build. We will respond within 30 days (extendable by an additional 60 days for complex requests). We may ask you to verify your identity before fulfilling certain requests.

10.3 California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) gives you additional rights:

• Know: Request disclosure of the categories and specific pieces of personal information we have collected about you
• Delete: Request deletion of personal information we have collected
• Correct: Request correction of inaccurate personal information
• Opt-out of sale or sharing: We do not sell or share your personal information for cross-context behavioral advertising
• Limit sensitive personal information use: We use sensitive information only as necessary to provide the Service
• Non-discrimination: We will not discriminate against you for exercising these rights

To submit a CCPA request, contact us at support@fabricate.build or use the unsubscribe link in any email we send. We will respond within 45 days (extendable to 90 days with notice).

Categories of personal information collected in the past 12 months: Identifiers (name, email, IP address); commercial information (subscription and billing history); internet activity (usage logs, session data); professional information (generated applications and prompts); and inferences drawn from the above. We collected this information for the business purposes described in Section 2.

11. Do Not Track

We currently do not respond to "Do Not Track" browser signals because no industry standard for such signals has been established. You can control analytics tracking via our cookie banner.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the Service at least 30 days before the changes take effect. We encourage you to review this policy periodically. Continued use of the Service after the effective date of the updated policy constitutes acceptance.

13. Contact Us

For privacy questions, requests, or complaints, contact us at support@fabricate.build.

EEA/UK residents may also contact our representative or lodge a complaint with your local data protection authority.