Privacy Policy

Last Updated: April 1, 2026

1. Introduction

Fervae LLC (“we,” “us,” or “our”) operates the web application available at fervae.com (the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use the Service.

Our legal bases for processing your personal information vary by purpose: we process data necessary to perform our contract with you (Art. 6(1)(b) GDPR); to comply with legal obligations (Art. 6(1)(c)); or where we have a legitimate interest in operating and improving the Service that is not overridden by your rights (Art. 6(1)(f)). Where we rely on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing. If you do not agree with this Privacy Policy, please do not use the Service.

2. Information We Collect

2.1 Information from Account Sign-In

When you create an account, you sign in through our authentication provider, WorkOS AuthKit, which supports Google Sign-In and email-based authentication. We receive the following information:

• Your name
• Your email address
• Your profile picture (if provided by your sign-in method)

We do not receive or store your password. Authentication is handled entirely by WorkOS and Google’s OAuth 2.0 protocol.

2.2 Information from Connected Social Media Platforms

When you connect third-party social media platforms (such as Bluesky, Instagram, Threads, Facebook, TikTok, or YouTube) to the Service, we receive and store:

• Authentication tokens (OAuth tokens) that allow the Service to interact with your accounts on those platforms
• Profile information from those platforms (such as account name and profile data) as necessary to provide the Service
• Post-level analytics and engagement metrics (likes, comments, shares, views) for posts you manage through Fervae

We do not access or store your private messages, direct messages, follower or following lists, contact lists, or any content not published through the Service from your connected platforms. Data collected from connected platforms is limited to public profile information and engagement metrics for posts you manage through Fervae. We do not store your passwords for any connected platform. Access is managed through secure authentication tokens provided by each platform.

2.3 Content You Create

When you use the Service, we store the content you create, including:

• Drafts, posts, and scheduled content
• Sources, citations, and links you add through the Source Verify and Citations features
• Notes, templates, and workflow data from the Content Pipeline
• Brand Kit assets you upload (logos, color palettes, font preferences)

2.4 Usage Information

We collect limited technical information necessary to operate and maintain the Service:

• Log data such as your IP address, browser type, and access times
• Device information such as operating system and screen resolution
• General usage patterns within the Service (features used, pages visited)

We do not use third-party behavioral analytics, advertising analytics, or user-tracking services such as Google Analytics. We do not use tracking cookies for advertising purposes. We do use Sentry for technical error monitoring and performance diagnostics (see Section 4.2); this is limited to detecting and fixing bugs, not tracking user behavior.

2.5 Merchandise Order Information

When you purchase merchandise through the Service, we collect:

• Your name and shipping address (street address, city, state, ZIP code)
• Your email address (for order confirmations and shipping notifications)
• Order details (items purchased, sizes, quantities, order total, and order status)

Shipping address and order information are shared with our fulfillment partner (Printful) and shipping carriers solely for the purpose of producing and delivering your order. We do not use this information for marketing purposes.

2.6 Information We Do Not Collect

We want to be transparent about what we do not collect:

• We do not collect payment card numbers or bank account information directly. Payment processing for subscriptions and merchandise purchases is handled entirely by our third-party payment processor (see Section 5).
• We do not collect biometric data.
• We do not collect precise geolocation data.
• We do not knowingly collect personal information from children under 13 (see Section 9).

3. How We Use Your Information

3.1 Providing the Service

• To create and manage your account
• To authenticate you when you sign in
• To connect and interact with your third-party social media accounts
• To store and manage your content, drafts, schedules, and workflow data
• To provide source verification and citation generation features
• To display analytics and performance data for your connected platforms
• To provide business tracking and management tools
• To process, fulfill, and deliver merchandise orders
• To handle defect claims and customer service inquiries related to merchandise

3.2 Improving the Service

• To understand how the Service is used and identify areas for improvement
• To diagnose technical issues and maintain the security of the Service
• To develop new features and functionality

3.3 Communication

• To send you important notices about the Service (such as changes to this Privacy Policy, security alerts, or account-related communications)
• To respond to your inquiries and support requests

We do not send marketing emails unless you have opted in to receive them, and you may opt out at any time.

4. How We Share Your Information

We do not sell, rent, or trade your personal information to third parties. We share your information only in the following limited circumstances:

4.1 Third-Party Social Media Platforms

When you publish or schedule content through the Service, your content is transmitted to the third-party platforms you have connected. This sharing is initiated by you and governed by the privacy policies of those platforms.

4.2 Service Providers (Sub-Processors)

We use the following third-party service providers to help us operate the Service. Each provider processes data only as necessary for their stated function:

• Vercel — hosting, infrastructure, and edge network (SOC 2 Type II)
• WorkOS — authentication and user management (SOC 2 Type II)
• Google — authentication (Google Sign-In via WorkOS)
• Stripe — processing payments for subscriptions and merchandise purchases (PCI DSS Level 1)
• Neon — PostgreSQL database hosting and storage (SOC 2 Type II)
• Cloudflare — media file storage (R2) and content delivery (SOC 2 Type II)
• Resend — transactional email delivery (SOC 2 Type II)
• Sentry — error monitoring and performance tracking (SOC 2 Type II). Text and form inputs in session replays are masked.
• Groq — AI-powered coaching and content evaluation via API. Groq is contractually prohibited from using your data for model training or fine-tuning. Request data may be retained for up to 30 days for service reliability purposes. (SOC 2 Type II)
• Giphy — GIF search and selection for content creation. Only search queries are transmitted; no personal data is shared.
• Printful — print-on-demand merchandise fulfillment (US shipping only). Receives customer name, shipping address, and order details for the sole purpose of producing and shipping merchandise within the United States. Printful may share shipping information with carriers (such as USPS, UPS, or FedEx) for delivery.

These service providers have access to your information only to the extent necessary to perform their functions and are contractually obligated to protect your information. We will provide at least 30 days’ notice before adding or materially changing a sub-processor by updating this page and notifying affected users by email, consistent with our Data Processing Addendum.

4.3 Legal Requirements

We may disclose your information if required to do so by law, or if we believe in good faith that such action is necessary to:

• Comply with a legal obligation, court order, or legal process
• Protect and defend our rights or property
• Prevent or investigate possible wrongdoing in connection with the Service
• Protect the personal safety of users of the Service or the public

4.4 Business Transfers

If Fervae LLC is involved in a merger, acquisition, or sale of substantially all of its assets, your information may be transferred as part of that transaction. We will provide at least 30 days’ advance notice via email before your information is transferred and becomes subject to a materially different privacy policy. Following notice, you may request deletion of your account and associated data before the transfer takes effect by contacting us at legal@fervae.com.

5. Payment Processing

Payments for paid subscription plans and merchandise purchases are processed by Stripe, Inc. (“Stripe”), our third-party payment processor. When you subscribe to a paid plan or purchase merchandise:

• Your payment information (such as credit card number) is collected and processed directly by the payment processor.
• We do not receive, access, or store your full payment card details.
• We may receive limited transaction information (such as the last four digits of your card, transaction amount, and billing status) for account management purposes.
• The payment processor’s use of your information is governed by their own privacy policy.

6. Data Storage and Security

6.1 Storage

Your data is stored across our infrastructure providers: application servers and edge compute (Vercel), relational database (Neon), and media files (Cloudflare R2). Data may be stored and processed in the United States or other countries where these providers maintain facilities.

6.2 Security Measures

We implement reasonable technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of all data in transit using HTTPS/TLS with HSTS preload
• AES-256-GCM encryption of platform authentication tokens at rest
• Secure authentication through OAuth 2.0 (no passwords stored)
• Automatic token revocation when platforms are disconnected
• Rate limiting and CSRF protection on all API endpoints
• Content Security Policy (CSP) headers to prevent code injection
• Access controls limiting data access to authorized workspace members

6.3 No Absolute Security

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee the absolute security of your information.

7. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Specifically:

• Account information is retained until you delete your account.
• User Content (drafts, posts, citations, business data) is retained until you delete it or your account.
• Authentication tokens for connected platforms are retained until you disconnect the platform or delete your account.
• Log and usage data is retained for a reasonable period for operational and security purposes, typically no longer than 12 months.
• Merchandise order records (including shipping addresses, order details, and transaction amounts) are retained for up to 7 years after the transaction date as required for tax, accounting, and legal compliance purposes.

Upon account deletion, we will delete or anonymize your personal information within 30 days, except where we are required by law to retain it for a longer period (such as merchandise order records retained for tax and accounting obligations). Encrypted backup copies may persist for up to 90 days after active deletion before being permanently purged. Shipping and order information previously shared with our fulfillment partner and shipping carriers cannot be recalled after fulfillment.

8. Your Rights and Choices

8.1 Access and Portability

You have the right to request a copy of the personal information we hold about you. You may also request that we export your User Content in a structured, commonly used, machine-readable format (such as JSON or CSV). We will fulfill data portability requests within 30 days.

8.2 Correction

You have the right to request correction of inaccurate personal information we hold about you.

8.3 Deletion

You have the right to request deletion of your account and personal information. You can initiate this by contacting us at the email address below. We will process deletion requests within 30 days. If we are unable to complete your request within 30 days due to technical or legal complexity, we will notify you of the reason for the delay and the expected completion date, which shall not exceed an additional 60 days. If you believe your request has not been handled in accordance with applicable law, you may file a complaint with your local data protection authority (see Section 8.8). Please note that merchandise order records may be retained after account deletion as required for tax, accounting, and legal compliance (see Section 7).

8.4 Disconnecting Platforms

You may disconnect any third-party social media platform from the Service at any time. When you disconnect a platform, we revoke the authentication token with the platform and delete it from our systems.

8.5 Authentication Revocation

If you revoke access through your authentication provider (for example, removing Fervae from your Google account permissions), this does not delete your Fervae account or the data associated with it. To delete your account and associated data, you must use the account deletion feature within the Service or contact us directly.

8.6 Opt-Out of Communications

You may opt out of non-essential communications from us at any time by following the unsubscribe instructions in the communication or by contacting us directly.

8.7 California and Other U.S. State Residents

If you are a California resident, you have rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), including: the right to know what personal information we collect and how it is used; the right to request deletion; the right to correct inaccurate information; the right to opt out of the sale or sharing of personal information for cross-context behavioral advertising; and the right to non-discrimination for exercising these rights. We do not sell or share personal information with third parties for advertising purposes. Residents of Virginia (VCDPA), Colorado (CPA), and Connecticut (CTDPA) have similar rights under their respective state laws. To exercise any of these rights, contact us using the information in Section 13.

8.8 European Economic Area and United Kingdom Residents

If you are located in the EEA or the United Kingdom, you have rights under the GDPR and UK GDPR respectively, including: the right of access; the right to rectification; the right to erasure (“right to be forgotten”); the right to restriction of processing; the right to data portability; the right to object to processing; and rights in relation to automated decision-making. Our legal bases for processing are performance of our contract with you (Art. 6(1)(b)), compliance with legal obligations (Art. 6(1)(c)), and our legitimate interests in operating and securing the Service where not overridden by your interests or fundamental rights (Art. 6(1)(f)). Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing. You also have the right to lodge a complaint with your local supervisory authority — in the EU, the data protection authority in your member state; in the UK, the Information Commissioner’s Office (ICO). To exercise your rights, contact us using the information in Section 13.

8.9 International Data Transfers

We are based in the United States. If you are located in the EEA, the UK, or another jurisdiction with restrictions on international data transfers, please be aware that your personal information is transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission, and where applicable the UK International Data Transfer Agreement (IDTA), as the transfer mechanism for EEA and UK personal data sent to our US-based sub-processors. You may request a copy of the applicable transfer mechanism by contacting us at the address in Section 13.

9. Children’s Privacy

The Service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe that your child under 13 has provided us with personal information, please contact us immediately at the email address below. If we become aware that we have collected personal information from a child under 13 without verification of parental consent, we will take steps to delete that information promptly.

Users between the ages of 13 and 18 may use the Service with the consent of a parent or legal guardian. If you are located in the EEA, the minimum age for digital services may be higher in your member state (up to 16 years under GDPR Article 8). If you are under the applicable digital age of consent in your jurisdiction, you may not use the Service without verifiable parental consent.

10. AI and Automated Processing

10.1 How We Use AI

The Service uses AI-powered features (such as communication coaching and content evaluation) provided by third-party large language model APIs. When you use these features:

• Your content is sent to the AI provider via API for processing. Request data is not retained beyond what is required for service reliability and abuse prevention (up to 30 days), and may be deleted sooner.
• The AI provider is contractually prohibited from using your data for model training or fine-tuning.
• No cross-user data sharing occurs — each request is processed independently.
• AI outputs are advisory only. No automated decisions are made without your initiation and confirmation.

10.2 AI Data Minimization

We send only the minimum data necessary for each AI feature to function. Personal identifiers are not included in AI requests unless required for the specific feature you are using.

11. Cookies and Similar Technologies

11.1 Essential Cookies

We use only essential cookies that are strictly necessary for the operation of the Service, such as authentication session cookies that keep you signed in. These cookies do not track you across other websites. For a full list of cookies, their purposes, and expiration durations, see our Cookie Policy.

11.2 No Advertising or Tracking Cookies

We do not use advertising cookies, tracking pixels, or similar technologies. We do not participate in ad networks or serve targeted advertising. We do not share cookie data with third parties for advertising purposes.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and by posting the updated Privacy Policy on the Site, updating the “Last Updated” date at the top of this page. Material changes will take effect no sooner than 30 days after notification, giving you time to review and, if you do not agree, to request deletion of your account before the new policy takes effect.

For non-material changes (such as corrections, clarifications, or adding new sub-processors with equivalent protections), the updated policy takes effect immediately upon posting. Your continued use of the Service following such non-material changes constitutes acceptance.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Fervae LLC
Email: legal@fervae.com

We will respond to all privacy-related inquiries within 30 days.