Privacy Policy

Last updated: February 2026 | Effective: February 2026

1. Overview

FISM (operated from UK/EU) is committed to transparency in data handling. This Privacy Policy explains what personal data we collect, how we use it, your rights, and how we protect it. It applies to all users globally and complies with:

  • UK: UK GDPR + Data Protection Act 2018 + PECR (cookie consent)
  • EU: GDPR + ePrivacy Directive 2002/58/EC
  • US: CCPA (California), FTC regulations, CAN-SPAM Act

2. Data We Collect & How We Collect It

Information You Provide Directly:

  • Account signup: Name, email, phone, business type, company size, website URL
  • Payment info: Billing address, company name (card details processed by Stripe only)
  • Profile content: Social media handles, brand guidelines, business description
  • Newsletter/signup forms: Email, name, interests, referral codes
  • Contact form submissions: Message content, support category, attachments
  • Support tickets: Communications with our team regarding technical issues

Information Collected Automatically:

  • PostHog analytics: Page views, clicks, scroll depth, session duration, user journey (hosted on EU servers)
  • Session replays: Recordings of your interactions with our web app (reconstructed from page events rather than captured as video), with input fields masked
  • Browser/device data: IP address, browser type, OS, device type
  • Cookies: Authentication tokens, preferences, referral tracking
  • Campaign metrics: Posts created, emails sent, engagement rates, open rates
  • API usage: Calls made to third-party platforms (Facebook, Instagram, LinkedIn, TikTok, Gmail, SendGrid)

3. Legal Basis for Processing

Under UK GDPR & EU GDPR (Articles 6 & 9):

  • Contract performance (Article 6(1)(b)): Providing your subscription service, processing payments, platform functionality
  • Legitimate interests (Article 6(1)(f)): Service improvement based on aggregated usage data, fraud prevention, security monitoring
  • Consent (Article 6(1)(a)): Marketing emails, PostHog analytics and session replays, optional (non-essential) cookies
  • Legal obligations (Article 6(1)(c)): Tax records, accounting (3-year retention), anti-money laundering

Under CCPA (California): Business purposes including service provision, security, and internal analytics.

4. How We Use Your Data

  • Provide, maintain, and improve our social media and email automation services
  • Process subscription payments and manage billing (non-refundable monthly/annual subscriptions)
  • Send service announcements, security alerts, and account updates
  • Respond to support inquiries (24-hour response target)
  • Generate campaign performance analytics and reporting
  • Detect, prevent, and investigate fraud, abuse, unauthorized access, and security threats
  • Test new features and improve platform functionality (via aggregated PostHog data)
  • Send marketing communications (only with opt-in consent; unsubscribe included in every email)
  • Comply with legal obligations (tax, accounting, regulatory audits, law enforcement requests)
  • Process referral rewards and track attribution for affiliate commissions

5. Data Retention & Deletion Timelines

  • Active accounts: All data retained while subscription is active
  • After account deletion: Personal data removed from live systems immediately; campaign/content backups deleted after 30 days
  • Database backups: Copies of deleted data may persist in encrypted backups for up to 60 days before those backups age out
  • PostHog analytics: Retained for 12 months (then aggregated/anonymized)
  • Tax/accounting records: Retained 3 years for statutory compliance
  • Support tickets: Retained 2 years for dispute resolution
  • Newsletter list: Retained until unsubscribe or account deletion
  • Contact form inquiries: Retained 90 days unless you opt into marketing
  • Referral tracking: Retained for 12 months (for commission reconciliation), then deleted
  • Security logs: Retained 1 year for breach investigation

6. Your Rights Under GDPR (UK/EU)

If you are located in the UK or EU, you have the right to:

  • Right of access: Request a copy of all personal data we hold about you
  • Right to rectification: Correct inaccurate or incomplete data
  • Right to erasure ("right to be forgotten"): Request deletion (with limited exceptions for legal obligations)
  • Right to restrict processing: Limit how we use your data in certain circumstances, for example while you contest its accuracy or while an objection you have raised is being assessed
  • Right to data portability: Receive your data in a machine-readable format (CSV/JSON) and transfer to another service
  • Right to object: Object to direct marketing (which we will always stop) or to processing based on legitimate interests
  • Right to withdraw consent: Withdraw consent at any time where processing is based on it; this does not affect processing that already took place
  • Rights related to automated decision-making: You have the right not to be subject to automated decisions that produce legal or similarly significant effects

How to exercise your rights: Email privacy@fism.bot with your request and proof of identity. We respond within one month; for complex or numerous requests this may be extended by up to two further months, and we will tell you within the first month if an extension applies.

7. CCPA Rights (California Residents)

Under the California Consumer Privacy Act, California residents have the right to:

  • Know: What personal information we collect, use, and share
  • Delete: Request deletion of personal information we collected from you (with legal exceptions)
  • Opt-out: Opt out of the sale or sharing of personal information
  • Correct: Request correction of inaccurate personal information
  • Non-discrimination: We do not discriminate against you for exercising your rights (no price/service changes)
  • Appeal: Appeal our decision if we deny your request

To submit a CCPA request: Email privacy@fism.bot. We confirm receipt within 10 business days and respond within 45 days (extendable once by a further 45 days, with notice to you).

Note: We do not "sell" personal information for monetary value or share it for cross-context behavioral advertising. Stripe, PostHog, and SendGrid act as service providers under written contracts that limit their use of your data to providing services to us.

8. PostHog Analytics & Session Recording

We use PostHog (hosted on EU servers: eu.i.posthog.com) for product analytics and feature tracking.

PostHog Captures:

  • Page views, scroll depth, button clicks, form interactions
  • Session duration and user navigation flow
  • Session replays, with sensitive inputs masked (email, passwords, API keys)
  • Feature flags and A/B test participation

PostHog Compliance:

  • EU-hosted with GDPR standard contractual clauses in place
  • Personal data transferred only with appropriate safeguards
  • PostHog Data Processing Agreement restricts their use to our benefit

Your Control: PostHog analytics and session replay run only after you opt in via the cookie banner, and you can switch them off at any time in your account settings. This processing is based on your consent.

9. Cookies & Tracking Technologies

Essential Cookies (Always Enabled, No Consent Required):

  • Session authentication and login tokens
  • CSRF tokens that protect forms and API calls against cross-site request forgery
  • User interface preferences (theme, layout)

Analytics/Functional Cookies (Consent Required):

  • PostHog event tracking (opt-in via cookie banner)
  • A/B testing and feature flag assignment
  • Number of page visits since signup

Marketing/Referral Cookies (Consent Required):

  • Referral code tracking (utm_source, utm_campaign parameters)
  • Newsletter signup source tracking
  • Affiliate/attribution tracking for referral rewards

Cookie Duration: Session cookies expire when you close your browser. Persistent cookies expire in 12 months.

Manage Cookies: You can update preferences in account settings or your browser settings. Note: Disabling essential cookies will prevent login.

UK PECR Compliance: We obtain consent before storing non-essential cookies and provide an easy opt-out mechanism.

10. Referral Program & Affiliate Tracking

Our referral system allows users to share discount codes and earn commissions.

  • When you arrive via a referral link, we store the code in a cookie (set only with your consent, see Section 9) so that a subscription you later purchase can be attributed to the referrer
  • The referrer's email is recorded to process referral payments
  • Referral records are processed on a "legitimate interest" basis (benefit to both parties)
  • Referral records retained 12 months for commission reconciliation, then deleted

11. Newsletter & Contact Form Data

Newsletter Signups:

  • We store email, name, business info, and stated interests
  • You receive a welcome email confirming signup
  • Every email includes an unsubscribe link (CAN-SPAM + GDPR compliant)
  • We process this on "consent" basis (Article 6(1)(a))
  • Marketing emails sent only to opted-in users

Contact Forms:

  • Contact inquiries stored for 90 days for support follow-up
  • If you opt into marketing, data retained on newsletter list
  • Phone numbers used only to contact you regarding your inquiry

12. Third-Party Integrations & Data Sharing

We Do NOT Sell Personal Data. We only share data with essential service providers under Data Processing Agreements:

  • Stripe: Payment processing (US-hosted with SCCs in place, PCI-DSS compliant)
  • SendGrid / AWS SES: Email delivery for campaigns and transactional emails
  • PostHog: Analytics, EU-hosted, GDPR DPA in place
  • Third-party social platforms: We send your content to platforms you connect and authorize (Facebook, Instagram, LinkedIn, TikTok, Twitter/X). These platforms are independent controllers and handle that content under their own privacy policies
  • Law enforcement: When required by valid legal process (subpoena, court order, law enforcement request)
  • Fraud prevention: To third-party fraud detection services if necessary

We Never Share With: Marketing agencies, data brokers, non-service AI companies, or other unauthorized parties.

13. International Data Transfers

FISM serves users globally. Our primary data storage is located in the UK/EU.

When transferring data outside EU/UK:

  • We use the European Commission's Standard Contractual Clauses (SCCs), together with the ICO's International Data Transfer Addendum for data subject to UK GDPR
  • Stripe (US payment processor) has its own transfer mechanisms and DPA in place
  • PostHog EU hosting keeps analytics data in the EU
  • A transfer impact assessment is conducted for each transfer

Important Note: Some third-party services may process data in the US. You accept this by using FISM.

14. Data Security Measures

  • All data transmitted over HTTPS/TLS 1.3 (encrypted in transit)
  • Database encryption at rest (AES-256 encryption)
  • Role-based access controls (employees access only what they need)
  • Regular security audits and penetration testing (annual third-party audit)
  • Incident response team on-call 24/7
  • Employee data protection training required annually
  • Vendor security assessments for all third-party integrations

Breach Notification: If a personal data breach occurs, we notify the relevant supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to you (GDPR Article 33), and we notify affected users without undue delay where the breach is likely to result in a high risk to them (GDPR Article 34).

Disclaimer: No online service is 100% secure. You acknowledge inherent internet risks.

15. Contact & Exercise Your Rights

For Privacy Inquiries or to Exercise Rights:

  • Email: privacy@fism.bot
  • Form: Use the contact form on fism.bot
  • Response time: 24-48 hours initial acknowledgment, full response within one month (extendable for complex requests, see Section 6)

To Lodge a Complaint with Data Protection Authorities:

  • UK: Information Commissioner's Office (ico.org.uk) | Tel: 0303 123 1113
  • EU Member States: Your national data protection authority
  • US (CCPA violations): California Privacy Protection Agency (cppa.ca.gov) or the California Attorney General (oag.ca.gov); the Federal Trade Commission (ftc.gov) for unfair or deceptive practices

16. Children's Privacy

FISM is not intended for users under 18 (or local age of digital consent). We do not knowingly collect data from children. If we discover such data, we delete it immediately. Parents/guardians concerned should contact privacy@fism.bot.

17. Changes to This Policy

We may update this Privacy Policy. Material changes are notified 30 days before taking effect (via email or prominent website notice). Your continued use after the effective date indicates acceptance. Non-material changes take effect immediately.

18. Additional Information

Automated Decision-Making: We do not make decisions based solely on automated processing that produce legal or similarly significant effects on you, except for automated fraud and abuse detection that may restrict an account to protect its security. You have the right to request human review of such a decision (see Section 6).

Marketing Preferences: Update preferences in account settings or unsubscribe via any marketing email link.

Data Subject Access Requests (DSAR): Free of charge. Where a request is manifestly unfounded or excessive (for example, repetitive), we may charge a reasonable administrative fee or decline it, as GDPR permits.