Privacy Policy

Effective date: 15 March 2026 · Last updated: 15 March 2026

1. Who We Are

This Privacy Policy applies to FanWake, operated by Nord Ecom Oy, a Finnish limited liability company with Business ID 3319424-3, registered in Finland ("we", "us", "our").

Nord Ecom Oy is the data controller for the personal data of creators who register and use the FanWake platform. For fan personal data processed on behalf of creators, Nord Ecom Oy acts as a data processor — see Section 4 for the distinction.

Privacy contact: hello@fanwake.app

2. Scope of This Policy

This Policy covers how we collect, use, store, and protect personal data relating to:

  • Creators — individuals who register a FanWake account (direct relationship).
  • Fans — third-party individuals whose data is accessed indirectly via a creator's Fanvue OAuth connection (we act as processor for this data).
  • Website visitors — individuals who visit fanwake.app without registering.

3. Data We Collect

3.1 Creator Account Data

  • Email address and password (stored as a hash via Supabase Auth — we never store plaintext passwords).
  • Subscription plan, billing status, and payment history (managed via Stripe — we do not store card numbers).
  • IP address and device metadata collected by Cloudflare at the edge layer.
  • CAPTCHA interaction data (Cloudflare Turnstile) for bot protection.

3.2 Creator Configuration Data

  • AI persona settings (character name, tone/vibe, biography).
  • Autopilot settings: approval mode, strategy, conversation rules, custom prompts.
  • Re-engage settings: targeting thresholds, message approaches, batch and timing configuration.
  • PPV templates: media references, pricing, descriptions, performance metrics.
  • AI model preferences and language settings.
  • Telegram user ID (if Telegram notifications are enabled — optional).
  • Fanvue OAuth access token and refresh token.

3.3 Fan Data (Processed on Creator's Behalf)

This data is sourced from the creator's Fanvue account via OAuth. We process it solely to provide the Service. The creator is the data controller for this data.

  • Fanvue fan identifiers and display names.
  • Fan subscription status and lifetime spend history.
  • Complete message history (fan-sent messages and AI-generated replies).
  • Fan language detection results.
  • Fan lifecycle status, engagement scores, and re-engagement state.
  • Draft message content and its approval, rejection, or delivery history.

3.4 Operational and Technical Data

  • AI model usage counts and message delivery status.
  • Error logs and diagnostic information (no personally identifiable content).
  • Session tokens (stored in browser cookies — see Section 10).

4. Our Role: Controller vs. Processor

Data Category | Our Role | Controller
Creator account & billing data | Data Controller | Nord Ecom Oy
Creator configuration data | Data Controller | Nord Ecom Oy
Fan personal data | Data Processor | The Creator

The Data Processing Agreement governing fan data processing is embedded in Section 16 of our Terms of Service.

5. Legal Basis for Processing (GDPR Article 6)

Performance of a contract (Art. 6(1)(b))

Creator account data, configuration data, and fan data — all necessary to provide the Service you have subscribed to.

Legal obligation (Art. 6(1)(c))

Billing and financial records — retained to comply with the Finnish Accounting Act (Kirjanpitolaki) and tax law.

Legitimate interests (Art. 6(1)(f))

Security logs, fraud prevention, and service improvement analytics. Our interest: maintaining a secure, functional platform. Your interest: protecting your account.

Consent (Art. 6(1)(a))

Marketing communications and optional integrations (e.g., Telegram). You may withdraw consent at any time.

6. How We Use Your Data

  • To provide, operate, and maintain the FanWake platform and all its features.
  • To generate AI-driven messages on your behalf using your configured persona and settings.
  • To process your subscription payments and manage billing.
  • To send you service notifications, account updates, and (with consent) product news.
  • To detect and prevent fraud, abuse, and Terms violations.
  • To comply with applicable legal obligations.
  • To improve the reliability and performance of the Service through aggregated, anonymised analytics.

We do not sell your personal data or fan data to third parties. We do not use fan message content for AI model training.

7. Sub-processors and Third-Party Services

We share data with the following sub-processors to operate the Service. Each is bound by data processing agreements consistent with GDPR requirements.

Sub-processor | Location | Purpose
Supabase Inc. | USA (AWS) | Database, authentication, and edge functions hosting
Stripe Inc. | USA | Payment processing and subscription management
Cloudflare Inc. | USA (global CDN) | CDN, bot protection (Turnstile), and edge hosting
AI Model Providers* | USA / EU | Language model inference for message generation
Telegram Messenger Inc. | UAE / global | Optional draft approval notifications (creator opt-in only)

* AI Model Providers include, depending on your selected model: Google LLC (Gemini), OpenAI LLC (GPT), Meta Platforms Inc. (Llama), DeepSeek AI, xAI Corp. (Grok), and Mistral AI SAS. When generating a message, the relevant portion of the fan conversation is transmitted to the selected provider. We select providers that offer appropriate data processing terms and do not use submitted prompts for model training by default.

8. International Data Transfers

Several of our sub-processors are based in the United States or other non-EEA countries. When we transfer personal data outside the European Economic Area, we ensure appropriate safeguards are in place in accordance with GDPR Chapter V, including:

  • Standard Contractual Clauses (SCCs) — EU Commission-approved model clauses incorporated into our agreements with US-based sub-processors.
  • Adequacy decisions — where the European Commission has determined a country provides adequate protection.

9. Data Retention

Data Category | Retention Period
Creator account & settings data | Active account + 30 days after deletion
Fan personal data | Active account + 30 days after creator account deletion
Message history & drafts | Active account + 30 days after creator account deletion
Billing and payment records | 7 years (Finnish Accounting Act)
Security and access logs | Up to 90 days
Database backups | Up to 90 days (rolling)

10. Cookies and Tracking

We use a minimal cookie footprint consistent with our service-only operation model.

Session cookie (Essential)

Maintains your authenticated session. Set by Supabase Auth. Expires at session end or after 7 days.

Turnstile cookie (Essential)

Cloudflare bot protection on login and signup forms. No advertising profile is built.

We do not use advertising cookies, cross-site tracking cookies, or third-party analytics cookies. We do not use Google Analytics or equivalent tracking tools.

11. Your Rights Under GDPR

If you are based in the European Economic Area, you have the following rights:

Right of access: Request a copy of the personal data we hold about you.
Right to rectification: Request correction of inaccurate or incomplete data.
Right to erasure: Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
Right to restriction: Request that we limit processing of your data in certain circumstances.
Right to data portability: Receive your data in a structured, machine-readable format.
Right to object: Object to processing based on legitimate interests.
Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at hello@fanwake.app. We will respond within 30 days. We may ask you to verify your identity before processing your request.

Fan Data Subject Requests

Fans whose data is processed by FanWake are the data subjects of the creator (data controller), not of Nord Ecom Oy directly. Fans wishing to exercise their GDPR rights in respect of data held by a creator should contact the creator directly. We will assist creators in fulfilling such requests upon written request.

12. Data Security

We implement industry-standard security measures to protect personal data, including:

  • Encryption of all data in transit (TLS 1.2+) and at rest (AES-256 via Supabase).
  • Row-level security policies enforcing strict multi-tenant data isolation.
  • OAuth token storage using server-side encryption with restricted access.
  • Access controls limiting data access to authorised personnel only.
  • Cloudflare edge security for DDoS protection and bot mitigation.

Despite these measures, no system is completely secure. In the event of a personal data breach affecting your data, we will notify you and, where required, the relevant supervisory authority within the legally required timeframe.

13. Adult Content and Age Verification

FanWake is designed exclusively for creators operating on Fanvue, which is a platform restricted to adults aged 18 or over. By using FanWake, you confirm that you are at least 18 years of age and that your Fanvue account is in compliance with Fanvue's own age verification and content policies.

We do not knowingly collect personal data from individuals under 18. If we become aware that a person under 18 has created an account, we will terminate the account and delete all associated data.

14. AI and Automated Decision-Making

FanWake uses AI models to generate message content on behalf of creators. This constitutes automated processing within the meaning of GDPR Article 22; however:

  • Messages generated by the AI are directed at fans as part of the creator's commercial activity — they are not used to make decisions that produce legal or similarly significant effects on fans.
  • Creators retain full control: in Manual and Threshold modes, every message requires human review before sending. Auto-send mode is an explicit creator choice.
  • AI-generated content does not determine or affect fan subscription status, pricing, or account access.

Regarding the EU AI Act (Regulation 2024/1689): FanWake is a provider and distributor of an AI system. Creators who deploy the system to interact with fans are the "deployers" within the meaning of the Act and bear primary responsibility for compliance with transparency and disclosure obligations toward fans.

15. Supervisory Authority and Complaints

You have the right to lodge a complaint with the competent data protection supervisory authority. In Finland, this is:

Office of the Data Protection Ombudsman

Tietosuojavaltuutetun toimisto

tietosuoja.fi

We encourage you to contact us directly first at hello@fanwake.app — we aim to resolve privacy concerns promptly.

16. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email at least 30 days before the changes take effect. The updated date at the top of this page will always reflect the most recent revision. Continued use of the Service after the effective date constitutes your acceptance of the updated Policy.

17. Contact

Nord Ecom Oy — Privacy

Business ID: 3319424-3

Finland

hello@fanwake.app

This Privacy Policy was prepared with AI assistance and reviewed by the operator. It is intended to reflect our actual data practices and applicable EU/Finnish law. For matters of significant legal consequence, consult a qualified Finnish or EU data protection attorney.