Privacy Policy
Last updated: 27 May 2026
This Privacy Policy describes how FantoClient ("FantoClient", "we", "us") collects, uses, stores, and shares the personal data you provide when you use fantoclient.com and the FantoClient web application. We comply with the EU General Data Protection Regulation (GDPR) and applicable national laws.
1. Who is the data controller?
FantoClient is operated by FantoClient. Contact for privacy matters: contact@fantoclient.com.
If you are an EU resident and we cannot resolve your concern, you may lodge a complaint with your national supervisory authority (in France: the CNIL — cnil.fr).
2. What data we collect
2.1 Account data
- Name and email address (provided at signup or via OAuth)
- Authentication identifiers (hashed password or OAuth tokens from Google / GitHub when you sign in via social login)
- Preferred locale (FR / EN / ES / IT / DE)
- Organization slug + member roles
2.2 X (Twitter) data we read on your behalf
When you connect an X account, we receive — through X's official OAuth 2.0 flow with your explicit consent — the following:
- Your X user ID, handle, display name, profile image URL, bio, follower count
- Your most recent 50 tweets (used to train your voice profile)
- Engagement signatures on your last 7 days of tweets (who liked, retweeted, quoted, or replied — used by Phantom Lead Scoring™)
- For Auto-DMs: the recipient X user IDs of leads above your score threshold
We encrypt your X OAuth tokens at rest using AES-256-GCM before storing them in our database.
2.3 Content you create
- Generated posts (drafts and published), scheduled queue, DM templates and history
- Custom notes you write on individual leads
- Files and images uploaded for posts
2.4 Billing data
- Subscription plan, billing period, payment status
- We never see your credit card number. Payment is processed by Stripe, who returns to us only a customer ID and a charge status (see § 4 Sub-processors).
2.5 Usage telemetry
- Pages visited inside the app, feature usage counts (for product analytics)
- Error reports (if you opt in)
- We do not use third-party tracking cookies for advertising. See our Cookies Policy.
3. Why we use your data (legal basis)
| Purpose | Legal basis |
|---|---|
| Provide the FantoClient service (read tweets, score leads, generate content, send DMs) | Performance of contract (Art. 6(1)(b) GDPR) |
| Process payments and manage subscriptions | Performance of contract (Art. 6(1)(b) GDPR) |
| Send transactional emails (sign-in OTP, password reset, billing) | Performance of contract (Art. 6(1)(b) GDPR) |
| Improve the product through aggregated analytics | Legitimate interest (Art. 6(1)(f) GDPR) |
| Send marketing emails (newsletter, product updates) | Consent (Art. 6(1)(a) GDPR) — opt-out from any email |
| Comply with legal obligations (tax records, fraud detection) | Legal obligation (Art. 6(1)(c) GDPR) |
4. Who processes your data on our behalf (sub-processors)
We use the following sub-processors to operate FantoClient. All have signed Data Processing Agreements ensuring GDPR-equivalent protections:
| Sub-processor | Purpose | Hosting region |
|---|---|---|
| Convex (convex.dev) | Database + serverless backend | United States, with EU read replicas |
| Vercel (vercel.com) | Web hosting (Edge runtime) | Global edge network |
| Stripe (stripe.com) | Payment processing, invoicing | United States + EU |
| Resend (resend.com) | Transactional email | United States |
| OpenAI (openai.com) | AI inference for content generation + DM personalization | United States — note: prompts are processed without training the underlying models per OpenAI's API terms |
| X / Twitter (x.com) | Source of your follower and engagement data via official OAuth 2.0 API | United States |
| Cloudflare R2 (cloudflare.com) | Object storage for uploaded images | Global, S3-compatible |
| Better Auth (better-auth.com) | Authentication library — runs inside Convex, not a separate processor |
We do not sell your data. We do not share it with advertisers.
5. International transfers
Some sub-processors are based in the United States. We rely on the EU-US Data Privacy Framework and Standard Contractual Clauses for these transfers, per Art. 46 GDPR.
6. How long we keep your data
| Data | Retention |
|---|---|
| Account data | Until you delete the account (Settings → Danger Zone) |
| X OAuth tokens | Until you disconnect the X account or delete the org |
| Tweets used for voice profiling | Last 50 only; refreshed on demand |
| Lead engagement signatures | Rolling 7-day window per scan |
| DM history | Until you delete the org |
| Billing records | 10 years (legal requirement, French Commercial Code) |
| Aggregated analytics | Indefinitely, in non-identifying form |
One-click deletion: Settings → Danger Zone wipes every record associated with your organization (account, X tokens, tweets, leads, DMs, generated posts, voice profile). Billing records are retained per legal obligation.
7. Your rights
Under GDPR you have the right to:
- Access the personal data we hold about you
- Rectify any inaccurate or incomplete data
- Delete your data ("right to be forgotten")
- Restrict or object to certain processing
- Portability — export your data in a machine-readable format (JSON)
- Withdraw consent at any time (does not affect prior lawful processing)
- Lodge a complaint with a supervisory authority
To exercise any right, contact us at contact@fantoclient.com. We reply within 30 days.
8. Security
- All traffic is TLS 1.3 encrypted in transit.
- X OAuth tokens are AES-256-GCM encrypted at rest.
- Passwords (when used) are hashed via Better Auth using industry-standard algorithms.
- Stripe customer IDs are stored, not card data.
- Internal access is role-gated; only platform admins can access org data, and only for support tasks you initiate.
9. Children
FantoClient is not intended for users under 18. We do not knowingly collect data from minors.
10. Changes to this policy
We will notify you by email and post a banner inside the app if we materially change this policy. The "Last updated" date at the top reflects the latest revision.
11. Contact
For any question about this policy or to exercise your rights, write to contact@fantoclient.com.