Far & Wide
How it worksCase studyPricingHow we measure
Log inGet my free snapshot →
Legal
Terms of ServicePrivacy PolicyRefund PolicySub-processors

Operator: Far and Wide B.V.
Amsterdam, the Netherlands
(KvK / BTW registration in progress)

Privacy Policy · v1.0 · 29 June 2026

Privacy Policy

Far & Wide is built around one privacy principle: the audit processes public web content and AI engine outputs, not your customer data. We deliberately keep our GDPR surface small.

1. Who's the data controller

For account data and billing, Far and Wide B.V. (Amsterdam, NL — KvK registration in progress) is the controller. For data you supply about your own brand and customers (which we strongly recommend you don't send to us), you remain the controller and we are your processor — seethe Terms of Service §8 and the DPA available on request.

2. What personal data we collect

DataPurposeLawful basis
Account email + password hashAuthentication, billing, sending receiptsContract (GDPR Art. 6(1)(b))
Brand profile fields (name, domain, description)Configuring audits you triggeredContract
Payment informationProcessed by Stripe; we receive only the last 4 digits + brand of the cardContract
Server logs (IP, user-agent, route, response time)Security monitoring + abuse preventionLegitimate interest (Art. 6(1)(f))
Aggregated, de-identified analytics (Plausible)Improving the platformLegitimate interest — Plausible does not use cookies and does not collect PII

We do not collect: marketing-tracking cookies, third-party ad pixels, social plugins, behavioural profiling.

3. Where data is stored

  • Account data, brand profiles, runs, payments, audit log: Supabase, EU region (eu-central-1, Frankfurt).
  • Run artifacts (diagnostic HTML, screenshots, JSON): Supabase Storage, same EU region.
  • Audit pipeline computation: Hetzner GmbH server in the EU (Falkenstein or Nuremberg, Germany).
  • AI engine queries: sent to Anthropic, OpenAI, Google, Perplexity (all US) — only the query text + the brand profile metadata you configured. No PII enters these requests.

4. Sub-processors

Each sub-processor we use is listed at /legal/subprocessors, including their role, location, and the transfer mechanism (Standard Contractual Clauses, EU-US Data Privacy Framework) where personal data leaves the EEA. We notify enterprise account holders by email before adding a new sub-processor.

5. Retention

  • Account: while the account is active + 12 months after closure (for legal/tax reasons).
  • Run history + artifacts: 12 months after the run, then automatically deleted.
  • Audit log of platform events: 24 months (security / compliance).
  • Stripe payment records: 7 years (Dutch tax law).

6. Your rights under GDPR

You can exercise any of these by emailing privacy@farandwide.io from your account address:

  • Access (Art. 15) — a copy of the data we hold about you.
  • Rectification (Art. 16) — correct anything inaccurate.
  • Erasure (Art. 17) — delete your account and all associated data. Stripe records may be retained as required by Dutch tax law.
  • Restriction (Art. 18).
  • Portability (Art. 20) — your account data + audit history in JSON.
  • Object (Art. 21) — to processing based on legitimate interest.
  • Lodge a complaint with the Dutch Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).

7. Security

  • All connections HTTPS only.
  • Data encrypted at rest (Supabase + Hetzner disk encryption).
  • Database access scoped per-user via row-level security.
  • Service-role credentials kept in restricted env vars only on trusted servers.
  • Every meaningful platform event recorded in an append-only audit log.

Report a vulnerability to security@farandwide.io — we respond within 72 hours.

8. International transfers

Where personal data is transferred to a sub-processor outside the EEA (notably US-based AI providers), we rely on Standard Contractual Clauses (SCCs)per the European Commission's 2021 implementing decision, supplemented by the EU-US Data Privacy Framework (DPF) for certified providers. A Transfer Impact Assessment is available on request.

9. Children

Far & Wide is a B2B platform not intended for individuals under 16. We do not knowingly collect data from minors.

10. Changes to this policy

Material changes are emailed to account holders at least 14 days before they take effect.

Questions: privacy@farandwide.io.

Far & Wide

The AI visibility platform. Measure how ChatGPT, Gemini, Perplexity, Claude, and Google AI Overviews describe your brand, then ship the fixes that move them.

Product
How it worksPricingHow we measureCase study
Legal
TermsPrivacyRefundSub-processors
Contact
HelpStatushello@farandwide.iollms.txt
© 2026 Far and Wide B.V. · Amsterdam, NLThe AI visibility platform