Data Processing Addendum

Last updated: 21 March 2026 — GDPR Article 28 compliant

1. Parties & Roles

This Data Processing Addendum (“DPA”) forms part of the FansChat Terms of Service between:

  • Data Controller: You, the creator using FansChat (“Creator”).
  • Data Processor: FansChat (“we”, “FansChat”).

As a Creator, you are the controller of personal data belonging to your subscribers (“fans”). FansChat processes this data solely on your behalf and under your instructions.

2. Processing Purposes

FansChat processes fan data for the following purposes only:

  • Receiving inbound messages from fans via connected platform APIs.
  • Generating AI-powered responses on your behalf.
  • Storing masked fan analytics to power engagement recommendations.
  • Operating churn prevention and re-engagement features.

We will not process fan data for any purpose outside the scope of providing the Service to you.

3. Fan Data Anonymisation

FansChat applies a one-way SHA-256 hash to all fan identifiers received from connected platforms. We never store real fan names, usernames, or platform IDs in a recoverable form. This anonymisation is applied at the point of ingestion and cannot be reversed.

4. Security Measures

FansChat implements the following technical and organisational security measures:

  • Encryption at rest and in transit (TLS 1.2+) for all data.
  • Row-level security (RLS) ensuring creators can only access their own data.
  • API credentials stored encrypted using environment-level secrets.
  • Access controls limiting staff access to personal data on a need-to-know basis.
  • Automated error monitoring (Sentry) with PII scrubbing where possible.
  • Regular security reviews of third-party sub-processor agreements.

5. Sub-Processors

We engage the following sub-processors to deliver the Service:

Sub-Processor    Purpose                  Location
Anthropic        AI message generation    USA
Supabase         Database & auth          USA / AWS
Stripe           Payment processing       USA
Resend           Transactional email      USA
Sentry           Error monitoring         USA
Vercel           Application hosting      USA / Global

All sub-processors are contractually bound to process data only as instructed and to implement adequate security measures. We will notify you of any material changes to our sub-processor list with at least 14 days' notice.

6. Data Deletion on Termination

Upon termination or expiry of your FansChat subscription, we will delete all personal data processed on your behalf within 30 days, unless we are required to retain it by applicable law. You may request a certificate of deletion by contacting privacy@fanschat.app.

7. Data Breach Notification

In the event of a personal data breach affecting data we process on your behalf, we will notify you without undue delay and within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, categories of data affected, and the measures taken or proposed.

8. GDPR Article 28 Compliance

This DPA is intended to satisfy the requirements of Article 28 of the EU General Data Protection Regulation. By using FansChat you acknowledge and agree to the terms of this DPA as part of the overall Terms of Service.

9. Contact

For DPA enquiries: privacy@fanschat.app