Data Protection Notice
Last updated: 16 June 2026
This page explains how FrootAI (“we”, “us”) processes personal data when you visit frootai.dev. We are committed to the EU General Data Protection Regulation (GDPR, Regulation 2016/679), the German Telecommunications-Telemedia Data Protection Act (TTDSG / TDDDG, §25), and the ePrivacy Directive (2002/58/EC).
1. Controller
The data controller within the meaning of Art. 4(7) GDPR is named in the Impressum. Contact: [email protected].
2. What we collect and why
2.1 Server logs (essential, no consent required)
Our hosting provider (Cloudflare Pages, EU/global edge) automatically records technical access data whenever you load a page: IP address, user agent, referrer, requested URL, timestamp, HTTP status, bytes transferred. Logs are kept for at most 30 days for security and abuse prevention.
- Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a secure, stable service).
- Retention: up to 30 days, then deleted or anonymised.
2.2 Cookies & local storage
We use the minimum necessary set. You control optional categories via the cookie banner. Your choice is stored in localStorage under fai-cookie-consent-v2 for 12 months, after which we ask again.
| Category | Purpose | Legal basis | Lifetime |
|---|---|---|---|
| Strictly necessary | Session, CSRF protection, this consent choice. | Art. 6(1)(f) GDPR · TTDSG §25(2) | Session – 12 months |
| Analytics (opt-in) | Plausible Analytics — cookieless, EU-hosted, aggregate page views. | Art. 6(1)(a) GDPR · TTDSG §25(1) | No cookies; in-memory only |
| Marketing (opt-in) | Microsoft Clarity heatmaps (only if you opt in and we have wired it). | Art. 6(1)(a) GDPR · TTDSG §25(1) | Up to 12 months |
2.3 Analytics — Plausible
We use Plausible Analytics, a privacy-first analytics service hosted in the EU (Germany / Netherlands). Plausible does not use cookies, does not collect personal data, does not create user profiles or track you across sites. Even though Plausible is widely considered consent-exempt in the EU, we still load it only after explicit opt-in to give you maximum transparency.
- Processor: Plausible Insights OÜ (Estonia).
- Data transferred: URL, referrer, viewport, anonymised device hash (rotated daily).
- No personal data, no cookies, no cross-site tracking.
2.4 Heatmaps — Microsoft Clarity (only with marketing consent)
If, and only if, you opt into the “Marketing” category, we load Microsoft Clarity to capture anonymised heatmaps and session replays that help us improve the UI. Microsoft is the controller for Clarity data. Sub-processor and transfer details: clarity.microsoft.com/terms.
2.5 Voice search (microphone)
Several search bars on this site (Search FAI, Solution Accelerator, Solution Plays, Primitives, Marketplace, Agent FAI, and others) expose an optional microphone button. Activating it asks your browser for microphone access and then uses your browser’s built-in Web Speech API to transcribe what you say into the search input. We do not record, store, transmit, or retain the audio. The audio stream stays inside your browser; only the text transcript reaches our search code, exactly as if you had typed it. You can revoke microphone permission at any time in your browser settings; the mic button auto-hides on browsers that don’t expose the API.
3. Third-party services
- Cloudflare Pages — hosting / CDN. Standard Contractual Clauses in place. Data Processing Addendum: Cloudflare DPA.
- GitHub — links to public repositories; loading a repo page is governed by GitHub’s privacy statement.
- Plausible Analytics — see §2.3.
- Microsoft Clarity — see §2.4 (only with consent).
3.5 Authentication providers (planned for user accounts)
FrootAI is currently an open-source project served as a static site; user accounts are not yet live. When we activate user sign-up, billing, and enterprise SSO, the following processors will handle identity and payment data on our behalf. Each is governed by Standard Contractual Clauses (SCCs) and a signed Data Processing Agreement before activation. Our internal scoping document with the full sub-processor register is in our planning repo (compliance-scoping.md).
| Processor | Role & data categories | EU residency | Notice |
|---|---|---|---|
| Cloudflare Access (Zero Trust) | Admin-tier authentication. Processes founder/operator email, OAuth identifiers (GitHub / Google), MFA factors, session JWTs, IP address, user-agent. No customer data flows through Access. | Configurable; we choose EU edge. | Cloudflare DPA |
| Clerk | User-tier authentication. Processes email address, password hash (bcrypt; we never see it), social-login identifiers, MFA factors, session JWT, profile metadata, organisation membership. Source of truth for the “who is signed in” question. | EU region available; we will select EU-west. | Clerk DPA · Privacy |
| Stripe | Billing and payments. Processes email address, name, payment-method tokens (cards/SEPA), invoice history, tax ID. Card numbers never touch our origin — they go directly from your browser to Stripe Checkout. We hold only the Stripe customer ID. PCI-DSS Level 1 certified. Stripe Connect (for marketplace authors) additionally processes KYC documents; we never see them. | EU entity (Stripe Payments Europe Ltd, Ireland). | Stripe DPA · Privacy |
| WorkOS (deferred) | Enterprise SSO (SAML / OIDC) and directory sync (SCIM). Processes enterprise-customer employee email, group memberships, directory attributes. Activated only when an enterprise customer signs an SSO contract; until then, no data is sent. | EU regions available. | WorkOS DPA · Privacy |
Tier isolation: the three identity tiers (admin via Cloudflare Access, user via Clerk, enterprise via WorkOS) use independent session mechanisms and never blend — a compromise of one tier does not cascade to another.
Lock-in mitigation: every quarter we export a portable JSON snapshot of all user records (bcrypt-compatible password hashes included) to an encrypted Cloudflare R2 bucket. If we ever need to migrate to Microsoft Entra External ID, Supabase Auth, or another OIDC-standards-compliant provider, users keep their passwords and the migration takes about one week of engineering plus one week of user communication.
Opt-out posture: when monetisation is enabled, the /pricing page and /account/billing surfaces appear. While we remain in open-source mode (our current state), Stripe is not contacted at all and no billing data is created. The toggle is one environment variable; flipping it triggers a clear notice to existing free-tier users 30 days before paid tiers go live.
4. Your rights under GDPR
You always have the right to:
- Access (Art. 15) — request a copy of personal data we hold about you.
- Rectification (Art. 16) — have inaccurate data corrected.
- Erasure / “right to be forgotten” (Art. 17).
- Restriction (Art. 18) of processing.
- Data portability (Art. 20).
- Object (Art. 21) to processing based on legitimate interest.
- Withdraw consent at any time (Art. 7(3)) — clearing your cookie choice re-opens the banner.
- Lodge a complaint with a supervisory authority (Art. 77). For Germany, the federal authority is the BfDI (bfdi.bund.de); a list of EU state authorities is at edpb.europa.eu.
To exercise any right, email [email protected].
5. International data transfers
Wherever feasible we use EU-hosted services. Where transfer outside the EU/EEA is unavoidable (e.g. parts of Cloudflare’s global edge), the transfer is covered by Standard Contractual Clauses (SCCs, Commission Decision 2021/914) and supplementary technical measures (TLS in transit, encryption at rest).
6. Security
The site is served exclusively over TLS 1.3. We apply HSTS, a strict Content-Security-Policy, Subresource-Integrity for third-party scripts, and the principle of data minimisation.
7. Children
This site is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16.
8. Changes to this notice
We may update this notice as our processing evolves. Material changes are highlighted with a new “Last updated” date and, where significant, re-trigger the consent banner.
9. Cancellation and refunds
Paid plans (Pro and Team) carry a 30-day money-back guarantee from the date of the first successful charge. To request a refund within the 30-day window, email [email protected] with your account email. Refunds are issued in full to the original payment method within 5 business days. No justification is required.
Subscriptions can be cancelled at any time via /account/billing (Stripe Customer Portal). Cancellation takes effect at the end of the current paid period; service continues until then. Partial refunds for unused time outside the 30-day window are at our discretion and considered case-by-case.
Cross-references: the same policy appears at /security; the operator runbook with payment-currency mechanics + Stripe Customer Portal flow lives in our internal docs/auth/stripe-refunds.md.
This document is provided in good faith and reflects our processing on the “Last updated” date. It is not legal advice. See also the Impressum.