Privacy Policy

This Privacy Policy explains how fangorn.tech (the "Company", "we", "us") collects, uses, shares, and safeguards personal data when you use viralcutoff (the "Service").

For the purposes of the EU/UK General Data Protection Regulation (GDPR), the Company is the data controller of personal data processed through the Service. For the purposes of India's Digital Personal Data Protection Act, 2023 (DPDP Act), the Company is the Data Fiduciary.

You give us directly

• Email address — used to create your account and deliver the digest.
• Keyword preferences — the keywords, sources (TikTok or Instagram), and per-keyword view thresholds you configure.
• Email pause state — whether you have paused delivery.

Generated automatically when you use the Service

• Authentication identifiers — an opaque user ID issued by our authentication provider (Supabase).
• Session and access logs — IP address, user agent, timestamps, and request paths, retained for security and abuse-prevention purposes.
• Delivery records — which posts have been emailed to you on which dates (to avoid duplicates and to tag repeats).
• Email engagement signals — opens and link clicks reported by our email provider, where supported.

Collected by our payment processor

• Billing details — your name, billing country, postal code, and payment instrument data are collected directly by Paddle (our Merchant of Record). We receive a limited summary (subscription status, last 4 digits, country, plan) and do not store full payment card numbers.

We do not collect

We do not collect government-issued identifiers, biometric data, health information, precise GPS location, or any "special categories" of personal data under the GDPR. We do not buy or ingest personal data from data brokers.

We use personal data for the following purposes:

• Provide the Service — authenticate you, store your keyword and threshold settings, and deliver the daily digest.
• Operate billing — issue, renew, suspend, and terminate paid subscriptions through Paddle, and respond to billing queries.
• Send transactional email — daily digests, account confirmations, billing receipts, and important service-level notices.
• Improve the Service — analyse aggregated usage patterns and engagement signals to improve ranking quality and product decisions.
• Protect the Service — detect, prevent, and respond to fraud, abuse, security incidents, and violations of the Terms.
• Comply with law — meet legal, regulatory, accounting, and tax obligations, and respond to lawful requests from authorities.

If you are in the EU, UK, or other jurisdiction that requires us to identify a legal basis for processing under the GDPR, we rely on:

• Performance of a contract — to provide the Service you have subscribed to.
• Legitimate interests — to secure the Service, prevent abuse, analyse aggregate usage, and operate our business, balanced against your rights and freedoms.
• Legal obligation — to comply with tax, accounting, and law-enforcement requirements.
• Consent — where consent is required and you have given it (and you may withdraw it at any time).

For users in India, we process personal data in accordance with the DPDP Act, based on consent or legitimate uses recognised under that Act.

We share personal data with the following sub-processors strictly for the purposes described in this Policy. Each is bound by contractual obligations to protect your data:

• Supabase (United States / EU) — authentication and user identity.
• Turso (United States) — managed libSQL database hosting for application data.
• Resend (United States) — transactional email delivery, including the daily digest.
• Apify (Czech Republic / EU) — scraping infrastructure used to collect public posts from TikTok and Instagram. Apify does not receive your personal data; it receives only the keyword queries we run on your behalf.
• Paddle.com Market Limited (United Kingdom / EU) — Merchant of Record for all subscriptions, including payment processing, tax calculation, and invoicing.
• Vercel (United States) — application hosting and edge runtime for the website and dashboard.

We do not sell your personal data, and we do not share it with advertising networks or data brokers for cross-context behavioural advertising.

We may disclose personal data if required by law, court order, or valid governmental request, or to protect the rights, property, and safety of the Company, our users, or the public.

Because our sub-processors operate globally, personal data may be transferred to and processed in countries outside your country of residence, including the United States, the European Union, and the United Kingdom. Where these transfers involve personal data of EU/UK residents, they are made under the European Commission's Standard Contractual Clauses or another lawful transfer mechanism recognised under the GDPR.

We retain personal data only as long as we need it:

• Account & subscription data — for the life of your account and for up to twenty-four (24) months after account closure, to handle disputes and comply with legal obligations.
• Delivery records — for up to thirteen (13) months from the date of delivery to support repeat-hit tagging and abuse investigations.
• Billing records — for the period required by applicable tax and accounting law (typically up to eight years).
• Security logs — for up to ninety (90) days, longer if required by an active investigation.

When retention obligations expire, we either delete the data or irreversibly anonymise it for aggregate analytics.

Subject to applicable law, you have the right to:

• Access the personal data we hold about you.
• Correct data that is inaccurate or incomplete.
• Delete ("right to be forgotten") your account and associated personal data.
• Object to or restrict processing based on legitimate interests.
• Withdraw consent at any time, where processing is based on consent.
• Receive a portable copy of your data in a structured, machine-readable format.
• Lodge a complaint with a supervisory authority (e.g. your local Data Protection Authority in the EU, the ICO in the UK, or the Data Protection Board of India).

To exercise any of these rights, write to phani@fangorn.tech. We respond within thirty (30) days, or sooner where the law requires. You may also unsubscribe from any digest via the one-click link at the bottom of every email, or pause delivery from your dashboard, without affecting your other rights.

We implement administrative, technical, and physical safeguards designed to protect personal data against unauthorised access, loss, misuse, or alteration. These include encrypted transport (TLS), encrypted storage at rest by our sub-processors, role-based access controls, and short-lived authentication tokens. No system is perfectly secure, however, and we cannot guarantee absolute security. If we become aware of a personal-data breach affecting you, we will notify you and applicable authorities as required by law.

We use a small number of strictly necessary cookies to:

• Maintain your authenticated session on the dashboard.
• Protect against cross-site request forgery and other security risks.
• Remember UI preferences you set in your browser (e.g. dismissed notices).

We do not use third-party advertising cookies or cross-context tracking pixels. Paddle's checkout may set its own cookies during payment; those are governed by Paddle's privacy policy.

The Service is not intended for, and we do not knowingly collect personal data from, individuals under the age of 18 (or the higher age of majority in your jurisdiction). If you believe a minor has provided personal data to us, please contact phani@fangorn.tech and we will take steps to delete it.

We may update this Policy from time to time. When we do, we will revise the "updated" date at the top of this page and, where the change is material, notify you by email or in-product before it takes effect.

For any privacy question or request: