Privacy Policy
Far & Wide is built around one privacy principle: the audit processes public web content and AI engine outputs, not your customer data. We deliberately keep our GDPR surface small.
1. Who's the data controller
For account data and billing, Far and Wide B.V. (Amsterdam, NL — KvK registration in progress) is the controller. For data you supply about your own brand and customers (which we strongly recommend you don't send to us), you remain the controller and we are your processor — seethe Terms of Service §8 and the DPA available on request.
2. What personal data we collect
| Data | Purpose | Lawful basis |
|---|---|---|
| Account email + password hash | Authentication, billing, sending receipts | Contract (GDPR Art. 6(1)(b)) |
| Brand profile fields (name, domain, description) | Configuring audits you triggered | Contract |
| Payment information | Processed by Stripe; we receive only the last 4 digits + brand of the card | Contract |
| Server logs (IP, user-agent, route, response time) | Security monitoring + abuse prevention | Legitimate interest (Art. 6(1)(f)) |
| Aggregated, de-identified analytics (Plausible) | Improving the platform | Legitimate interest — Plausible does not use cookies and does not collect PII |
We do not collect: marketing-tracking cookies, third-party ad pixels, social plugins, behavioural profiling.
3. Where data is stored
- Account data, brand profiles, runs, payments, audit log: Supabase, EU region (eu-central-1, Frankfurt).
- Run artifacts (diagnostic HTML, screenshots, JSON): Supabase Storage, same EU region.
- Audit pipeline computation: Hetzner GmbH server in the EU (Falkenstein or Nuremberg, Germany).
- AI engine queries: sent to Anthropic, OpenAI, Google, Perplexity (all US) — only the query text + the brand profile metadata you configured. No PII enters these requests.
4. Sub-processors
Each sub-processor we use is listed at /legal/subprocessors, including their role, location, and the transfer mechanism (Standard Contractual Clauses, EU-US Data Privacy Framework) where personal data leaves the EEA. We notify enterprise account holders by email before adding a new sub-processor.
5. Retention
- Account: while the account is active + 12 months after closure (for legal/tax reasons).
- Run history + artifacts: 12 months after the run, then automatically deleted.
- Audit log of platform events: 24 months (security / compliance).
- Stripe payment records: 7 years (Dutch tax law).
6. Your rights under GDPR
You can exercise any of these by emailing privacy@farandwide.io from your account address:
- Access (Art. 15) — a copy of the data we hold about you.
- Rectification (Art. 16) — correct anything inaccurate.
- Erasure (Art. 17) — delete your account and all associated data. Stripe records may be retained as required by Dutch tax law.
- Restriction (Art. 18).
- Portability (Art. 20) — your account data + audit history in JSON.
- Object (Art. 21) — to processing based on legitimate interest.
- Lodge a complaint with the Dutch Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
7. Security
- All connections HTTPS only.
- Data encrypted at rest (Supabase + Hetzner disk encryption).
- Database access scoped per-user via row-level security.
- Service-role credentials kept in restricted env vars only on trusted servers.
- Every meaningful platform event recorded in an append-only audit log.
Report a vulnerability to security@farandwide.io — we respond within 72 hours.
8. International transfers
Where personal data is transferred to a sub-processor outside the EEA (notably US-based AI providers), we rely on Standard Contractual Clauses (SCCs)per the European Commission's 2021 implementing decision, supplemented by the EU-US Data Privacy Framework (DPF) for certified providers. A Transfer Impact Assessment is available on request.
9. Children
Far & Wide is a B2B platform not intended for individuals under 16. We do not knowingly collect data from minors.
10. Changes to this policy
Material changes are emailed to account holders at least 14 days before they take effect.
Questions: privacy@farandwide.io.