Privacy Policy | FeedFusion

Last updated: 2026-05-09

§1. Who we are

FeedFusion is built and operated by one person. Joana Parente, sole trader based in Faro, Portugal, is the data controller for everything collected through this service.

Contact for privacy questions: privacy@feed-fusion.com

General contact: hello@feed-fusion.com

No Data Protection Officer has been appointed. FeedFusion does not meet the thresholds requiring one under Article 37 of the GDPR.

§2. What we collect and why

For each category below, we list the data, why we collect it, the legal basis under the GDPR, and how long we retain it.

Email address, name, password hash — account management and authentication. Legal basis: contract (Article 6(1)(b) GDPR). Retention: until account deletion, plus 30 days for backup rotation.
Billing information via Stripe — processing payments. Legal basis: contract (Article 6(1)(b) GDPR). Retention: 10 years (Portuguese tax law, Código Comercial Article 40).
Instagram access tokens (encrypted) — fetching your feed from the Instagram Graph API. Legal basis: contract (Article 6(1)(b) GDPR). Retention: until you disconnect your account or delete it.
Feed content (cached posts) — serving your feed via API and widget. Legal basis: contract (Article 6(1)(b) GDPR). Retention: while your account is active; 30 days after deletion.
API request logs (IP address, timestamp, endpoint) — rate limiting, abuse prevention, and troubleshooting. Legal basis: legitimate interest (Article 6(1)(f) GDPR) — service security. Retention: 90 days.
Google Analytics cookies — understanding how the product is used. Legal basis: consent (Article 6(1)(a) GDPR). Retention: 14 months (Google Analytics 4 maximum on the free tier).
Vercel Analytics (cookieless aggregate) — page performance monitoring. Legal basis: legitimate interest (Article 6(1)(f) GDPR). Retention: 30 days aggregated.
Sentry error data (URL, browser, error trace) — debugging crashes and service errors. Legal basis: legitimate interest (Article 6(1)(f) GDPR) — service stability. Retention: 90 days.
Support emails — responding to your requests. Legal basis: legitimate interest (Article 6(1)(f) GDPR). Retention: 2 years after last contact.

§3. Cookies and tracking

Essential (always on) — session, csrf, consent-state. Authentication, security, and your cookie preference. Provider: FeedFusion / Supabase.
Analytics (consent required) — _ga, _ga_*. Usage analytics. Provider: Google Analytics 4.
Analytics (consent required) — va_*. Page performance. Provider: Vercel Analytics.

You can change your cookie preferences at any time using the "Cookie preferences" link in the footer.

We use the following processors to run the Service. We have signed Data Processing Agreements with each. None of these processors sells your data.

Supabase (database and authentication): EU region. Some support access from the US is covered by Standard Contractual Clauses.
Vercel (hosting and edge network): EU plus global edge. US edge regions are covered by Standard Contractual Clauses.
Sanity (content management): EU region.
Stripe (payment processing): Stripe Payments Europe Ltd, Ireland; Stripe Inc., US (EU-US Data Privacy Framework certified).
Google Analytics 4: Google LLC, US (EU-US Data Privacy Framework certified). Only loaded after you accept analytics cookies.
Sentry (error tracking): US (Standard Contractual Clauses).
Resend (transactional email): US (Standard Contractual Clauses).

§5. International data transfers

When personal data is transferred outside the European Economic Area, we rely on one of the following safeguards:

EU-US Data Privacy Framework (Stripe, Google Analytics 4)
Standard Contractual Clauses (Vercel US edge, Sentry, Resend, Supabase support)

You can request a copy of the relevant safeguards by emailing privacy@feed-fusion.com.

§6. How long we keep your data

When you request deletion of your account, we erase your data from our active systems within 30 days. Encrypted backups continue to hold your data until they are overwritten in our standard rotation cycle, which happens within 90 days. During that window, backups are not accessed except for disaster recovery. If a backup is ever restored, your erasure request is re-applied.

Billing records are retained for 10 years under Portuguese tax law (Código Comercial, Article 40).

§7. Your rights

Under the GDPR, you have the right to:

Access the personal data we hold about you
Rectify inaccurate data
Erase your data (subject to legal retention obligations) — see Data Deletion for self-serve steps
Restrict or object to processing
Receive your data in a portable format
Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal

To exercise any of these rights, email privacy@feed-fusion.com. We respond within 30 days, with a possible extension of up to 90 days for complex requests.

You also have the right to lodge a complaint with the Portuguese supervisory authority:

Comissão Nacional de Protecção de Dados (CNPD), at www.cnpd.pt.

§8. Children's data

FeedFusion is not intended for use by children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided personal data through the Service, contact us at privacy@feed-fusion.com and we will delete it promptly.

§9. Security and data breaches

We use industry-standard security measures: encryption in transit (TLS), encryption at rest, role-based access controls, and audit logs. If a data breach is likely to put your rights and freedoms at high risk, we will notify you without undue delay. We will notify the CNPD within 72 hours of becoming aware of the breach.

Joana Parente, em nome individual

Faro, Portugal

Full registered details (NIF, registered address) are provided on invoices and on request.