Privacy Policy
Last updated: 28 May 2026
1. Who We Are
Fantommind ("we", "us", "our") operates the website at fantommind.com and the Fantommind desktop application. This policy explains what personal data we collect, how we use it, and your rights.
2. What Data We Collect and Why
a) Email address — magic-link authentication
To access your license account at /account, you enter your email address. We use this address to send you a one-time magic-link via Resend (resend.com), our transactional email provider. The link expires in 5 minutes and is single-use. We do not store passwords. Your email is retained for the duration of your account to enable future logins and to contact you about your subscription.
b) Session cookies
After you verify a magic-link, we set an HMAC-signed session cookie in your browser. This cookie is HTTP-only, Secure, and SameSite=Strict. It contains your email and an expiry timestamp — no server-side session store is used. The cookie expires after 7 days of inactivity or immediately on logout.
c) Short-lived rate-limit and magic-link guard data
To prevent abuse, we store short-lived records in Cloudflare KV:
- A single-use token keyed to your email (TTL: 5 minutes) — ensures magic-links cannot be replayed.
- A rate-limit counter keyed to your email (TTL: 1 hour) — prevents magic-link spam.
These records contain no browsing data and expire automatically.
d) Billing and license data — handled by Polar
All payments and billing are processed by Polar (polar.sh), our Merchant of Record. Fantommind does not receive or store your payment card details. We receive from Polar: your email address, subscription status, and license key. Polar's privacy policy governs your payment data: polar.sh/legal/privacy.
e) Desktop app — local data
The desktop application stores browser profiles, run history, tasks, schedules, and LLM API keys locally on your device in an encrypted SQLite database. Fantommind has no access to this data. See the local-first section below and our Terms of Service for details.
f) Website analytics
We use Cloudflare Web Analytics — a cookie-free, privacy-preserving tool that measures page views without tracking individuals across sites. No personal data is collected by analytics. We do not use Google Analytics, Meta Pixel, or any other third-party tracking scripts.
3. Third Parties We Share Data With
- Polar (polar.sh) — subscription billing and license management (Merchant of Record).
- Resend (resend.com) — transactional email delivery for magic-links.
- Cloudflare — website hosting (Cloudflare Pages), KV storage, and Web Analytics. Cloudflare processes data as our infrastructure provider.
We do not sell, rent, or share your personal data with any other third parties for marketing, advertising, or data-broker purposes.
4. Data Retention
- Magic-link tokens: auto-deleted after 5 minutes.
- Rate-limit counters: auto-deleted after 1 hour.
- Session cookies: expire after 7 days; cleared on logout.
- Email / subscription records: retained for the duration of your subscription plus 90 days post-cancellation, then deleted unless required by law.
- Local desktop data: retained on your device until you uninstall the app.
5. Your Rights (GDPR / Data Subject Requests)
If you are in the European Economic Area or United Kingdom, you have the right to access, correct, restrict, port, and delete your personal data. To exercise these rights, email us at support@fantommind.com with subject line "Data Deletion Request". We will respond within 30 days.
What deletion involves: we will deactivate your Polar subscription and licenses, delete your Polar customer record, purge any active KV keys associated with your email, and confirm in writing. Local desktop data remains under your control — uninstall the app to remove it.
6. Cookies Summary
We use one first-party session cookie (set only when you log in) and one localStorage key (fmm-cookie-ack) to remember that you dismissed the cookie notice. We do not use advertising cookies or cross-site tracking cookies.
7. Children's Privacy
Fantommind is not directed at children under 16. We do not knowingly collect data from minors. Contact us immediately if you believe a minor has created an account.
8. Security
Session cookies are HMAC-signed and set with Secure + HttpOnly + SameSite=Strict flags. Magic-link tokens are single-use and short-TTL. All data in transit uses TLS. KV records contain no sensitive personal data beyond an email address. LLM API keys in the desktop app are AES-encrypted at rest.
9. Changes to This Policy
Material changes will be communicated via email to your address on file and by updating the "Last updated" date above. Continued use after the effective date constitutes acceptance.
10. Contact
Privacy questions or data requests: support@fantommind.com