Privacy Policy
TODO: Replace with the date this policy is reviewed and published.
1. Who we are
TODO: Trading entity name, ABN/ACN, registered address, contact email.
2. What this policy covers
TODO: Scope — fastpa.ge marketing site, the admin app at admin.fastpa.ge, and customer-facing sites we host on subdomains/paths. Note any third-party services this policy does not cover.
3. Information we collect
TODO: Account info (email, password hash via Supabase Auth), site content you create, billing info handled by Stripe (we never see card numbers), Google Business Profile data you import, contact form submissions, support emails. Clarify which fields are required vs optional.
4. Analytics — visitor data on your site
TODO: First-party analytics (see ANALYTICS.md). Cookie-less. We collect: page views, click events, country, and a hashed anonymous ID derived from IP + UA + date + site (the raw inputs are never stored as columns). 90-day raw retention. Daily rollup kept indefinitely. No cross-site tracking. No third-party trackers shipped to visitors of your site.
5. Cookies and similar technologies
TODO: Marketing site uses no analytics cookies. Admin app uses Supabase auth cookies (required to sign in) and an `active-site-id` cookie to remember which site you're working on. List each cookie and its purpose.
6. How we use your information
TODO: Provide the service, send transactional email, handle billing, respond to support, prevent abuse. We do not sell personal information. We do not use your or your customers' data to train AI models.
7. Third parties we share data with
TODO: Supabase (database + auth), Stripe (billing), Vercel (hosting), Cloudflare (CDN + bot protection), Anthropic (AI copy generation in onboarding — only the prompts we generate, not your account data), Google Places (read-only, you initiate). Note jurisdictions for each.
8. International transfers
TODO: Where data is stored (likely AU + US), what safeguards apply.
9. Data retention
TODO: Account lifetime + grace period after cancellation. Site analytics: 90 days raw, daily rollups indefinitely. Dormant site data retention (90 days per STRIPE.md).
10. Your rights
TODO: Access, correction, deletion, export. How to make a request. Reference applicable framework — Australian Privacy Principles / GDPR if relevant.
11. Security
TODO: TLS everywhere, password hashing via Supabase, role-segregated DB access, no PAN storage (Stripe handles it). Breach notification commitment.
12. Children
TODO: Service is not directed at under-16s, etc.
13. Changes to this policy
TODO: We post material changes and notify active users by email at least N days before they take effect.
14. Contact us
TODO: Privacy contact email + postal address.
This document is a working skeleton. Each section above is a placeholder for the final policy text and must not be shipped to production in its current form.