Privacy Policy
Last updated: 2026-02-12
1. Introduction
Flyweight Development Oy ("we", "us", "our"), Business ID 3135270-3, is a Finnish company that operates the FWD Hub service ("Service"). FWD Hub is an embeddable customer support widget providing live chat, help center, feedback board, and changelog functionality.
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our Service, visit our website, or interact with our widget. We are committed to protecting your privacy and processing your data in accordance with the EU General Data Protection Regulation (GDPR), the Finnish Data Protection Act, and other applicable data protection legislation.
By using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please do not use the Service.
2. Data We Collect
We collect and process the following categories of personal data:
- Account Information: When you create an account, we collect your name, email address, and profile information through our authentication provider Clerk. This data is necessary to create and manage your account.
- Workspace Data: Information related to the workspaces you create, including workspace name, configuration settings, team member assignments, and custom domain settings.
- Support Content: Messages, conversations, help articles, feedback submissions, and changelog entries that you create or receive through the Service.
- Usage Data: Information about how you interact with the Service, including pages visited, features used, and interaction patterns. This may be collected through privacy-focused analytics.
- Technical Data: IP address, browser type and version, device information, operating system, and referring URLs. This data is collected automatically when you access the Service.
- Payment Data: When you subscribe to a paid plan, payment information is collected and processed by our Merchant of Record, Paddle. We do not directly collect or store credit card numbers or bank account details. We receive limited transaction information from Paddle for order fulfillment purposes.
- Communication Data: When you contact us via email or through the Service, we collect the content of your communications and any information you voluntarily provide.
3. How We Use Your Data
We use your personal data for the following purposes:
- Providing and operating the Service, including account management, workspace configuration, and widget functionality.
- Processing and managing your subscription, including trial periods, billing, and payment processing through Paddle.
- Communicating with you about your account, service updates, security alerts, and support inquiries.
- Sending transactional emails such as conversation notifications, email threading, and system alerts via our email provider Resend.
- Improving and developing the Service based on usage patterns and feedback.
- Analyzing Service usage through privacy-focused analytics to understand how the Service is used and to improve the user experience.
- Ensuring the security and integrity of the Service, including fraud prevention and abuse detection.
- Complying with legal obligations, including tax, accounting, and regulatory requirements.
We do not sell your personal data. We do not use your data for advertising purposes. We do not share your data with third parties for their marketing purposes.
4. Legal Basis for Processing
Under the GDPR, we process your personal data based on the following legal grounds:
- Contract performance (Article 6(1)(b)): Processing necessary to provide the Service you have subscribed to, including account creation, workspace management, and support functionality.
- Legitimate interest (Article 6(1)(f)): Processing necessary for our legitimate interests, including Service improvement, security, and fraud prevention, provided these interests are not overridden by your rights.
- Legal obligation (Article 6(1)(c)): Processing necessary to comply with legal requirements, such as tax and accounting obligations.
- Consent (Article 6(1)(a)): Where we rely on your consent for specific processing activities, such as optional analytics. You may withdraw consent at any time.
5. Data Storage and Processing
Your application data (workspaces, conversations, articles, feedback, and changelog entries) is stored in our backend database hosted by Convex in the European Union (AWS eu-west-1 region). Convex is SOC 2 Type II compliant, HIPAA compliant, and GDPR verified.
Authentication data is processed by Clerk, which is headquartered in the United States. Clerk is certified under the EU-US Data Privacy Framework and has appointed VeraSafe as its EU representative (Cork, Ireland). See Section 10 for details on international data transfers.
Our web application is served through Cloudflare Workers, which processes requests on its global edge network. Cloudflare processes only the minimum technical data necessary to deliver the Service.
Transactional emails are sent through Resend, which processes email addresses and message content necessary for email delivery.
We implement appropriate technical and organizational measures to protect your data, including encryption in transit (TLS) and at rest, access controls, and regular security assessments.
6. Third-Party Service Providers
We use the following third-party service providers to operate the Service. Each provider processes data only as necessary for their specific function:
- Convex — Backend database and real-time infrastructure. Hosted in the EU (AWS eu-west-1). Stores all application data including workspaces, conversations, help articles, feedback, and changelog entries. SOC 2 Type II, HIPAA compliant, GDPR verified.
- Clerk — Authentication and user management. US-based with EU-US Data Privacy Framework certification. Processes email addresses, names, device information, and IP addresses for authentication purposes. EU representative: VeraSafe (Ireland).
- Paddle — Merchant of Record for payment processing. Paddle acts as an independent data controller for buyer and payment data. SOC 1 & SOC 2, PCI-DSS, and GDPR compliant. We receive limited buyer data from Paddle under legitimate interest for product fulfillment and support.
- Cloudflare — Web hosting, CDN, and edge computing (Cloudflare Workers). Processes technical request data on its global network for content delivery and security.
- Resend — Transactional email delivery. Processes email addresses and message content for sending notification emails and supporting email threading.
- PostHog (EU) — Privacy-focused product analytics, hosted in the EU. May be used to collect anonymized usage data including page views and interaction patterns. No cross-site tracking. You can opt out of analytics tracking.
We ensure that all third-party providers offer appropriate data protection guarantees through Data Processing Agreements (DPAs) and, where applicable, Standard Contractual Clauses (SCCs) or Data Privacy Framework certification.
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy:
- Account data: Retained for as long as your account is active. Upon account deletion, your data is removed within 30 days, except where retention is required by law.
- Workspace data: Retained for the lifetime of the workspace. When a workspace is deleted, associated data is removed within 30 days.
- Support conversations and content: Retained for as long as the associated workspace exists.
- Payment records: Retained as required by Finnish tax and accounting regulations (generally 6 years after the end of the fiscal year).
- Technical logs: Retained for up to 90 days for security and debugging purposes, then automatically deleted.
- Analytics data: Anonymized and aggregated data may be retained indefinitely. Identifiable analytics data is retained for up to 12 months.
When data is no longer needed, we securely delete or anonymize it. You may request earlier deletion of your data at any time (see Section 9).
9. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights regarding your personal data:
- Right of access (Article 15): You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data.
- Right to rectification (Article 16): You have the right to request correction of inaccurate personal data or completion of incomplete data.
- Right to erasure (Article 17): You have the right to request deletion of your personal data when it is no longer necessary, you withdraw consent, or the data was unlawfully processed.
- Right to restriction (Article 18): You have the right to request that we restrict processing of your data in certain circumstances, such as when you contest its accuracy.
- Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
- Right to object (Article 21): You have the right to object to processing based on legitimate interests, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint: You have the right to lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi) or your local supervisory authority.
To exercise any of these rights, please contact us at hello@flyweight.dev. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.
10. International Data Transfers
Your data is primarily stored and processed within the European Union. However, some of our service providers are based outside the EU/EEA. We ensure that any international data transfers are protected by appropriate safeguards:
- Clerk (United States): Transfers are protected by Clerk's certification under the EU-US Data Privacy Framework, established following the European Commission's adequacy decision of July 10, 2023.
- Cloudflare (global): Cloudflare processes request data on its worldwide edge network. Transfers are governed by Standard Contractual Clauses and Cloudflare's data processing addendum.
- Paddle (international): As Merchant of Record, Paddle processes payment data as an independent controller with its own GDPR compliance mechanisms including Standard Contractual Clauses.
For services hosted within the EU (Convex, PostHog EU), no international transfer of your application data occurs. We regularly review the data protection practices of our service providers to ensure ongoing compliance.
11. Children's Privacy
The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at hello@flyweight.dev and we will promptly delete the data.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by email or through a prominent notice on the Service at least 30 days before the changes take effect.
We encourage you to review this Privacy Policy periodically. The "Last updated" date at the top of this page indicates when the policy was last revised. Your continued use of the Service after changes take effect constitutes your acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your data, please contact us:
- Flyweight Development Oy
- Business ID: 3135270-3
- Email: hello@flyweight.dev
For complaints regarding data protection, you may also contact the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) at tietosuoja.fi.