1. Data controller
The controller of your personal data is:
AGdev (French sole proprietorship)
SIRET: 822 262 531 00020
11 rue de la Présentation, 75011 Paris, France
Contact: contact@getfama.app
For any question relating to the processing of your data or to the exercise of your rights, please write to us at contact@getfama.app. We commit to responding within a maximum of 30 days.
2. Data collected and purposes
We only collect data strictly necessary for the service to work. No data is sold to third parties.
| Category | Data | Purpose | Legal basis |
|---|---|---|---|
| Identity | First name, last name, email, Google profile picture | Account creation and management | Performance of contract (art. 6.1.b GDPR) |
| Connection | Google OAuth access token (encrypted) | Syncing Google Business Profile reviews | Performance of contract (art. 6.1.b) |
| Location | Name, address, Google identifier of your profile | Display and management of locations | Performance of contract (art. 6.1.b) |
| Reviews | Google reviews retrieved, authors, ratings, published replies | Display, AI suggestions, statistics | Performance of contract (art. 6.1.b) |
| Payment | Subscription status, Stripe identifiers | Billing, subscription management | Performance of contract + legal obligation (art. 6.1.b and c) |
| Notifications | Push endpoint (anonymous VAPID token) | Sending review notifications | Consent (art. 6.1.a) |
| Technical connection | IP address, user-agent, error logs | Security, debugging, fraud prevention | Legitimate interest (art. 6.1.f) |
| Activity log | Actions performed (publishing, invitations, team changes), author, timestamp, IP address | Traceability of team actions, security audit, GDPR compliance | Legitimate interest (art. 6.1.f) — team transparency and auditability |
3. Retention periods
- Active account: as long as your subscription is active
- After cancellation: 30 days for possible reversal, then full deletion of user data
- Invoices: 10 years (legal accounting obligation)
- Technical logs: 12 months maximum
- Synced Google reviews: deleted at the same time as the account
- Activity log: kept for the entire duration of your account's use (this log lets you and the other members of your team with the appropriate rights trace who did what on your location). Anonymised on user account deletion — historical actions are kept but are no longer linked to an identifiable name.
4. Sub-processors
To run the service, we transmit certain data to carefully selected sub-processors. Each is bound by a sub-processing contract compliant with article 28 of the GDPR.
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Render | Application hosting | Frankfurt (EU) | DPA, EU hosting |
| Supabase | Database | Paris (EU) | DPA, EU hosting, encryption at rest |
| Stripe | Payment processing | Ireland + United States | EU-US Standard Contractual Clauses, DPF certification |
| Google (Business Profile API) | Fetching and publishing reviews | EU + United States | Standard Contractual Clauses, DPF certification |
| Anthropic (Claude) | Generating reply suggestions from the text content of reviews | United States | EU-US Standard Contractual Clauses, data not used to train models |
| Resend | Transactional email delivery | United States | EU-US Standard Contractual Clauses |
| Sentry | Error tracking (debugging) | United States | Standard Contractual Clauses, filtering of personal data |
5. Use of Google API data (Limited Use)
Fama uses the Google Business Profile API to sync the reviews of your business profile and publish the replies you approve. The use, storage and sharing of data obtained through Google APIs is governed by the Google API Services User Data Policy, including its Limited Use requirements. In concrete terms, we commit to:
- Only use data obtained through Google APIs to provide the user-facing features: display your reviews in Fama, notify you the moment a new review lands, suggest a reply, publish the reply you approved to your Google profile.
- Never sell Google data nor transfer it to third parties for commercial, advertising or profiling purposes.
- Never use Google data for advertising, whether personalised, contextual or retargeting.
- Never use Google data to train general-purpose AI models, whether our own or those of third parties.
- Restrict human access to Google data to cases where you give explicit consent (for example for a support request), where it is necessary for security, or where required by law.
Processing by our AI provider (Anthropic)
To generate reply suggestions, the text content of a Google review (the body of the review, the first name of the author as publicly displayed on Google, the rating given) is sent to Anthropic, which acts as a sub-processor. This transmission is necessary for the performance of the service. In accordance with Anthropic's current commercial terms, this data is not used to train the Claude models. No other data from the Google API (OAuth token, profile identifiers, account statistics, location address) is sent to Anthropic.
Revoking Google access
You can revoke Fama's access to your Google account at any time, independently of your Fama account, from myaccount.google.com/permissions. Once access is revoked, Fama can no longer sync new reviews or publish replies to your profile, and the associated OAuth token is invalidated automatically.
Retention of Google data after disconnection
If you disconnect a Google profile from Fama (Settings → Locations) or revoke access from your Google account, the reviews and replies associated with that profile are kept for up to 30 days to allow possible reconnection without losing your history, then permanently deleted from our servers. The OAuth token is deleted immediately.
6. Transfers outside the European Union
Some sub-processors (Anthropic, Sentry, and partially Stripe and Google) process data from the United States. These transfers are governed by:
- The Standard Contractual Clauses adopted by the European Commission
- The EU-US Data Privacy Framework for certified companies
- Contractual commitments to encryption in transit and at rest
7. Your rights
In accordance with the GDPR, you have the following rights at any time:
- Right of access — know what data we hold about you
- Right of rectification — correct inaccurate data
- Right of erasure ("right to be forgotten") — delete your data
- Right to restriction — temporarily freeze processing
- Right to portability — retrieve your data in a readable format
- Right to object — refuse certain processing
- Right to withdraw consent — at any time, without justification
- Right to set post-mortem directives on the fate of your data
To exercise these rights, write to us at contact@getfama.app stating your request and, if necessary, attaching a copy of proof of identity. We respond within a maximum of 30 days.
You also have the right to lodge a complaint with the French data protection authority (CNIL) — or with your own national data protection authority within the EU/UK — if you believe the processing of your data is not compliant: cnil.fr/fr/plaintes (France), or for UK residents the Information Commissioner's Office (ICO).
8. Security
We implement the following technical and organisational measures:
- Mandatory HTTPS connection on all pages
- Passwords stored with a modern hashing algorithm (bcrypt)
- Google OAuth tokens encrypted in the database via the Lockbox library
- Daily encrypted backups at Supabase
- Two-factor authentication available on all admin accounts
- Logs filtered so as never to expose sensitive user data
- Access to data restricted to what is strictly necessary
In the event of a data breach likely to give rise to a risk to your rights and freedoms, we commit to notifying the CNIL within 72 hours and to informing you as quickly as possible, in accordance with articles 33 and 34 of the GDPR.
9. Cookies
Fama only uses strictly necessary cookies (authentication session, anti-fraud CSRF token). No advertising cookies, no third-party analytics cookies, no profiling cookies. In accordance with CNIL deliberation 2020-091, these essential cookies do not require prior consent.
10. Changes
This policy may evolve in line with legal developments and changes to our service. Any substantial change will be announced by email to active users at least 30 days before it takes effect. The current version is always accessible at this address.