Privacy Policy

Last updated:

Faye (“we”, “us”, or “our”) is an AI-powered social media coach built in the United States. We take your privacy seriously. This policy explains exactly what data we collect, why we collect it, who we share it with, and what rights you have, in plain language, without the legalese.

Zero photo-retention guarantee. Faye never stores your photos. When you ask Faye to score or analyse a photo, the image bytes are sent to Google’s Gemini API for scoring and then immediately discarded. They are never written to our database, our servers, or any third-party storage. Only the numeric score and metadata (composition tags, mood label) are saved.

1. Who we are

Faye is an early-stage US-based company operating at fayesocial.app. For privacy inquiries, contact us at privacy@fayesocial.app.

2. Data we collect

We collect only what is necessary to provide Faye’s coaching features. Here is a full breakdown.

Account data

  • Email address: used to identify your account and send transactional emails.
  • Display name: shown inside the app.
  • Authentication is handled by Supabase Auth. We never see or store your password.

Connected platform tokens

When you connect Google Photos, Spotify, YouTube, Instagram, Facebook, or TikTok, we receive an OAuth access token for that platform. Every token is encrypted at rest with AES-256-GCM using a unique key per user. Tokens are used only to fetch data on your behalf and are never shared.

Photo analysis data

  • What we save: numeric quality score, composition tags (e.g., rule-of-thirds, lighting quality), mood label, and the photo’s Google Photos ID.
  • What we never save: the actual image bytes. Photos are processed entirely in memory and discarded immediately after scoring.

Content DNA

We build an aggregated preference profile from your scoring history: preferred moods, scene types, aesthetic styles, and posting goals. This is what powers personalised recommendations. It contains no photos and no personally identifying information beyond your user ID.

Social engagement data

With your permission, we fetch likes, comments, shares, and reach metrics from your connected social accounts via their official APIs. This data helps Faye learn what content resonates with your audience. For the free analyzer, we use a third-party service (Apify) to fetch publicly visible profile data (follower count, post count, biography). Connected accounts use official platform APIs only.

Onboarding data

  • Posting goals you set during onboarding (e.g., grow audience, document memories).
  • Preferred platforms and posting frequency.
  • Answers to the conversational onboarding chat.

Feedback signals

When you save or dismiss a recommendation, we record that signal (not the full post content) to improve future suggestions.

Payment data

Billing and subscription management are handled entirely by Stripe. We never receive or store your credit card number, CVV, or full payment details. We store only a Stripe customer ID and your current subscription tier.

Usage data

  • Feature interactions (which screens you visit, which actions you take).
  • Level progression within the app.
  • Request logs retained by Vercel with IP addresses hashed. No plain-text IPs stored.

Auto-posting (Creator tier)

Creator tier subscribers may enable auto-posting, which allows Faye to publish scheduled content to connected social platforms on your behalf. Auto-posting requires explicit opt-in per post and uses your existing OAuth tokens. You can cancel any scheduled post before it goes live. We log each auto-posted action (timestamp, platform, post ID) for your records.

Data we do not collect

We do not collect: raw photos • passwords • credit card numbers • location data • device fingerprints. If a feature would require any of these, we will update this policy and ask for your explicit consent first.

3. How we use your data

  • Provide and personalise Faye's recommendations.
  • Score your photos and generate AI captions (processed then discarded).
  • Sync engagement data to improve your Content DNA.
  • Send transactional emails (account confirmation, billing receipts).
  • Detect and prevent abuse via rate-limit checks (hashed IPs only).
  • Improve the product through aggregated, anonymised usage analytics.

We do not use your data to train AI models, sell to advertisers, or share with data brokers.

3b. Legal basis for processing

If you are located in the European Economic Area, we process your personal data under the following legal bases:

  • Contract: processing necessary to provide the Service you signed up for (account data, Content DNA, recommendations).
  • Consent: connecting optional third-party accounts (Google Photos, Spotify, Instagram, etc.). You can withdraw consent at any time by disconnecting the account.
  • Legitimate interest: aggregated, anonymised usage analytics to improve the product; fraud and abuse prevention via hashed IP rate-limit checks.

4. Third-party services

The following services receive a subset of your data to operate Faye Social. Each is bound by its own privacy policy and, where applicable, a Data Processing Agreement with us.

Service | Purpose | Data received
Google (Gemini AI) | Photo quality scoring | Photo bytes: sent for scoring only, not stored by us
Anthropic (Claude AI) | Caption generation | Text prompts containing caption context (no photos)
Supabase | Database hosting | Encrypted OAuth tokens, metadata, Content DNA (no raw photos)
Vercel | App hosting & edge functions | Request logs with hashed IPs (no PII)
Stripe | Payment processing | Billing details: we never see card numbers (PCI compliant)
Resend | Transactional email | Email address only
Upstash (Redis) | Rate limiting & caching | Hashed IPs (no PII)
Apify | Public profile data fetching (free analyzer) | Instagram username only (returns publicly visible profile stats)
Sentry | Error monitoring & performance | Error context, stack traces, hashed user IDs (no PII)

5. Data retention

  • Active accounts: data retained for as long as your account is active.
  • Deleted accounts: all personal data cascade-deleted within 30 days of deletion.
  • Audit logs: retained for 90 days for security and fraud detection, then auto-purged.
  • Photo data: never retained. In-memory processing only, discarded immediately after scoring.
  • Stripe billing records: subject to Stripe's own retention requirements for financial compliance.

6. International data transfers

Faye Social processes and stores data in the United States (Vercel US East, Supabase US East). If you access Faye Social from outside the US, your data will be transferred to and processed in the US. By using Faye Social, you consent to this transfer. EU users have additional rights under GDPR, described in Section 8.

Our third-party sub-processors (Google, Anthropic, Stripe, Resend, Sentry) may also process data in the United States. Each sub-processor maintains appropriate safeguards. Where required under GDPR, transfers are covered by Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework.

7. Your rights under CCPA (California)

If you are a California resident, the California Consumer Privacy Act gives you the following rights.

  • Right to Know: Request a full copy of the personal information we hold about you, including the categories of data collected, the sources, the business purpose, and the third parties we share it with.
  • Right to Delete: Request deletion of your personal information. We cascade-delete all records within 30 days.
  • Right to Correct: Request correction of inaccurate personal information we hold about you.
  • Right to Opt-Out: Opt out of the sale or sharing of your personal information. Faye does not sell or share your data with third parties for cross-context behavioral advertising.
  • Right to Limit: Limit the use and disclosure of sensitive personal information. Faye does not collect sensitive PI categories (SSN, financial account numbers, precise geolocation, etc.).
  • Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

To submit a CCPA request, email privacy@fayesocial.app or use the in-app privacy controls. We will verify your identity and respond within 45 days as required by law. You may also designate an authorized agent to make a request on your behalf.

8. Your rights under GDPR (EU users)

If you are located in the European Economic Area, you have the following rights under the General Data Protection Regulation.

  • Access: Obtain a copy of the personal data we hold about you.
  • Rectification: Correct inaccurate or incomplete personal data.
  • Erasure: Have your personal data deleted (“right to be forgotten”).
  • Portability: Receive your data in a machine-readable format to transfer to another service.
  • Restriction: Ask us to limit how we process your data in certain circumstances.
  • Object: Object to processing based on our legitimate interests.
  • Withdraw Consent: Withdraw consent at any time for processing based on consent (e.g., disconnect a social account).
  • Lodge a Complaint: Lodge a complaint with your local data protection supervisory authority if you believe your rights have been violated.

To exercise your GDPR rights, email privacy@fayesocial.app. We will respond within 30 days. Faye does not have an EU establishment, but we honour all GDPR rights for EU users as described above.

8b. Do Not Sell or Share My Personal Information

Faye does not sell your personal information. We do not share your personal information with third parties for cross-context behavioral advertising. There is nothing to opt out of, but if California law changes or our practices change, we will add an opt-out mechanism here and honour all Global Privacy Control (GPC) signals in your browser.

9. How to exercise your rights

You have three ways to exercise any of the rights above.

  • In the app: Settings → Privacy → Export Data or Delete Account.
  • API: GET /api/privacy/export to download your data, DELETE /api/privacy/delete to permanently delete your account.
  • Email: privacy@fayesocial.app and we will respond within 30 days.

10. Cookies

Faye uses a minimal cookie footprint. The only cookie we set is a short-lived session cookie required for authentication (via Supabase Auth). We do not use advertising cookies, tracking pixels, or third-party analytics cookies. For full details, see our Cookie Policy.

11. Children’s privacy

Faye is not directed at children under the age of 13. We do not knowingly collect personal information from anyone under 13. If you believe a child has provided us with personal data, please contact us at privacy@fayesocial.app and we will delete it promptly.

12. Security

  • OAuth tokens are encrypted at rest with AES-256-GCM using a unique key per user.
  • All data in transit is encrypted with TLS 1.2+.
  • Row-Level Security (RLS) is enforced on every database table. You can only access your own data.
  • We do not log PII. IP addresses are hashed before storage.
  • No raw photos are ever written to disk or database.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and notify you via email or an in-app banner at least 14 days before the changes take effect. Your continued use of Faye after that date constitutes acceptance of the revised policy.

14. Contact us

For any questions, concerns, or rights requests, reach us at privacy@fayesocial.app. We aim to respond to all privacy inquiries within 30 days.