Privacy Policy

Last updated: June 2026

1. Who we are

Fawz is the data controller for personal data processed through this service. Fawz is an independent software product. Payments are processed by Paddle.com Market Limited, who act as our authorized reseller (Merchant of Record). Contact for privacy matters: support@fawzapp.com

2. Two distinct roles: your data and your customers' data

Fawz handles two separate categories of data, under two different roles:

- Your account data (you are the data subject): your name, email address, organization details, and subscription information. We are the data controller for this.
- Your customers' support emails (your customers are the data subjects): the content of emails forwarded through Fawz. For this data, you — the Fawz customer — are the data controller, and Fawz acts as your data processor.

You are responsible for having a lawful basis to process your customers' emails and for informing them that their requests are handled by an automated system.

3. What data Fawz receives

When you configure a forwarding rule from your support inbox to your unique Fawz address (inbox-[your-id]@mail.fawzapp.com), every email forwarded to that address is received by Fawz. This includes:

- Sender email address and display name
- Subject line
- Full message body (plain text)
- Any content the sender included in their email

Important: Fawz receives whatever your forwarding rule sends us. We strongly recommend forwarding only from your dedicated support inbox address, not from a general-purpose inbox that may also receive unrelated sensitive communications (such as internal team emails, password reset links, or financial notifications). You are responsible for scoping your forwarding rule appropriately.

We also collect:

- Contact memory: to provide context across separate emails, we group messages from the same sender email address within your organization and maintain a history of their previous requests together with an AI-generated summary.
- Asana OAuth credentials: encrypted at rest using AES-256 for your connected Asana workspace.
- Sender identity configuration (optional): if you choose to send replies from your own domain, we store the support email address and sender name you provide, and the DNS verification records generated for your domain. Adding those DNS records to your own domain is how you prove ownership; we never gain access to your email account or mailbox.
- Account data: your name, email address, organization name, and subscription plan.
- Billing data: name and email for checkout. Payment card details are handled exclusively by Paddle and are never accessible to us.
- Usage metadata: request counts, qualification status, attempt counts, and timestamps.
- Account passwords: your Fawz account password is hashed using bcrypt via Supabase Auth. We never store or have access to your plaintext password.

4. How we use your data

We use data solely to provide the Fawz service:

- Read and parse forwarded support emails to extract the sender, subject, and body.
- Send forwarded emails to Google Gemini AI for qualification (completeness classification).
- Maintain contact memory per sender to recognize follow-ups and avoid re-asking for information already provided.
- Send automated follow-up emails to your customers when information is missing. By default, these are sent from a Fawz sending address (hello@fawzapp.com) showing the sender name you choose, with the Reply-To set to your Fawz inbox address so replies route back to you. If you verify your own sending domain (by adding the DNS records we provide — see below), follow-ups and resolution confirmations are instead sent directly from your real support address.
- Create structured tasks in your connected Asana project once a request is complete.
- Send a resolution confirmation to the customer when the task is marked complete.
- Process subscription billing via Paddle.
- Diagnose service issues and improve reliability.

We do not use your data or your customers' data for advertising, for training AI models, or for any purpose outside of providing the Fawz service. We do not sell data.

5. Who can see email content

Email content processed through Fawz is accessible to:

- Automated systems only (our servers, the Gemini AI API, Asana): this covers the normal operation of the service — qualification, task creation, and reply sending.
- Fawz operator: the Fawz team has technical access to all organization data stored in the database for the purposes of operating, debugging, and securing the service. This access is not used to read individual customer support conversations for commercial purposes. It is used only when necessary for security incident response, bug investigation, or legal compliance.
- You and your team members: through your Fawz dashboard, which shows request content, AI analysis, and conversation threads.

No other third parties have access to email content except as described in section 6 (sub-processors).

6. Third-party sub-processors

To operate Fawz, data is shared with the following services:

- Postmark (Wildbit, LLC): all inbound emails arrive via Postmark's inbound email infrastructure. Outbound replies (follow-up questions and resolution confirmations) are sent via the Postmark API. Email content passes through Postmark's servers in transit. If you verify your own sending domain, that domain is registered with Postmark on your behalf so it can be authenticated (DKIM) for sending.
- Google AI Studio / Gemini: the subject, body, and thread history of support emails are sent to Google's Gemini API for AI-powered qualification. No account credentials or customer identity data beyond what appears in the email are shared with Gemini.
- Asana: we create and update tasks in your connected Asana workspace on your behalf, using your OAuth credentials. Task content includes the email subject, an AI-generated summary, and relevant details.
- Supabase: all application data (requests, contact memory, organization records) is stored on Supabase-hosted infrastructure.
- Vercel: the application is hosted on Vercel's infrastructure.
- Paddle: your name and email address are shared with Paddle for billing and tax compliance.
- Resend: used for system notification emails (e.g. account confirmation).

Each service operates under its own privacy policy and data processing terms.

7. Data retention

- Active accounts: all request data, contact memory, qualification history, and audit logs are retained while your account is active.
- Connector disconnection: encrypted OAuth credentials for a disconnected Asana connector are deleted immediately.
- Account deletion: all your data, including contact memory and request history, is permanently deleted within 30 days of an account deletion request.
- Backup data: encrypted backups are cycled within 90 days.

To request deletion of your data, email support@fawzapp.com.

8. Your rights (GDPR and applicable law)

You have the right to:

- Access: request a full export of your data at any time.
- Correction: update your profile and organization information from the dashboard.
- Deletion: request permanent deletion of your account and all associated data.
- Portability: request your data in a structured format.
- Objection: object to specific processing activities.

To exercise any of these rights, email support@fawzapp.com. We respond within 72 hours.

For your customers' data (which you control as data controller), you are responsible for responding to their data subject requests. Contact us if you need assistance fulfilling those requests against data stored in Fawz.

9. Security

We implement the following security measures:

- Asana OAuth tokens are encrypted at rest using AES-256-CBC before being stored. No plaintext tokens are ever persisted.
- Account passwords are hashed using bcrypt via Supabase Auth. We cannot access or recover your password.
- All data is encrypted in transit using TLS 1.2 or higher.
- Database access is isolated per organization using Row Level Security (RLS) at the database level.
- Inbound email webhook requests are authenticated with a secret token to prevent spoofed submissions.
- Access to production infrastructure is restricted to the Fawz team only.

10. Cookies

We use only essential cookies required for authentication and session management. We do not use tracking, advertising, or third-party analytics cookies.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you by email when material changes take effect. Continued use of Fawz after that date constitutes acceptance of the updated policy.

12. Contact

For any privacy questions or data requests:

Email: support@fawzapp.com
Response time: within 72 hours