Privacy Policy
Effective date: 22 April 2026 · Last updated: 22 April 2026
Fyreside is a creator platform operated by Fyreside ("Fyreside", "we", "us", or "our"), based in Bangalore, India. This policy explains what we collect, how we use it, who we share it with, and the rights you have over your data. We follow India's Digital Personal Data Protection Act, 2023 (DPDP Act), and, in reasonable spirit, the GDPR and CCPA where they apply.
If anything here is unclear, write to us at privacy@fyreside.in.
1. Who this policy applies to
Two kinds of people use Fyreside:
- Creators — people who sign up to host their courses, community, and subscriber list on Fyreside at yourname.fyreside.in.
- Subscribers — people who subscribe to a creator's newsletter, buy a course, register for a webinar, or otherwise engage with a creator on Fyreside.
We process data on behalf of creators (who are the primary Data Fiduciary for their subscribers under the DPDP Act), and directly for creators as our own customers.
2. What we collect
From creators
- Account: name, email, phone number, password (hashed with bcrypt), login method used (email+password, phone OTP, or Google).
- Profile: display name, tagline, bio, avatar, brand logo, slug (public).
- Connected accounts: access tokens for Instagram, Facebook, YouTube, WhatsApp (via WATI), Google, and similar services you choose to connect — stored encrypted at rest. We never store your third-party passwords.
- Business data: courses, lessons, pricing, subscribers (synced or imported), payment configuration.
- Usage: page views, clicks, and actions inside the Fyreside dashboard.
From subscribers
- Identifiers: name, email, phone number — collected when you sign up via a creator's landing page or microsite.
- Payment data: processed directly by our payment partners (Razorpay, Cashfree, Stripe). We receive transaction status and a payment reference, not your full card number.
- Interaction data: course progress, messages you send to the creator's AI assistant or WhatsApp inbox.
From Meta (Facebook / Instagram)
When a creator connects their Facebook Page or Instagram Business/Creator account, we receive, on an opt-in basis only:
- Page / account ID, name, handle, profile picture, cover image, bio, category.
- Aggregate follower counts and follow counts.
- Public posts published by the connected account — caption/message, media URL, thumbnail, permalink, timestamp, like/comment/share counts.
We do not request or store private messages (DMs), follower lists, audience demographics, or ad data. Specifically, the Meta permissions we use are: instagram_business_basic, pages_show_list, pages_read_engagement, and pages_read_user_content. These permissions do not let us publish, reply, or send messages on your behalf.
3. How we use your data
- To run the service — show you the dashboard, render your microsite, deliver emails, process payments.
- To sync external content you explicitly connect (Instagram posts, YouTube videos, Facebook Page stats) and display it on your microsite.
- To send transactional communication — account emails, receipts, password resets, webinar confirmations, etc. These are not marketing.
- To improve the product — aggregated, de-identified analytics on feature usage.
- To meet legal obligations and respond to lawful requests from Indian authorities.
We do not sell your personal data. We do not use your data to train AI models. We do not share data with advertisers.
4. Who we share data with
We use the following processors, each of whom is contractually bound to handle your data only on our instructions:
- Hosting & infrastructure: Hetzner Cloud (Germany/Finland), Cloudflare R2 (object storage).
- Payments: Razorpay, Cashfree, Stripe — for processing creator and subscriber payments.
- Email: Resend — transactional email delivery.
- SMS / OTP: MessageCentral (VerifyNow) — one-time codes for login.
- WhatsApp: WATI — Business API gateway for creator-to-subscriber messaging.
- Video: Bunny Stream — video hosting with DRM.
- AI: OpenRouter (proxy to Anthropic, Google, OpenAI models) — when a creator uses the AI inbox or assistant. AI providers do not retain conversation data beyond the minimum required for safety filtering.
- Authentication: Google OAuth — only if you choose Sign in with Google.
- Social APIs: Meta (Instagram Graph, Facebook Graph) — only for accounts you explicitly connect.
Some of these processors are located outside India. In each case, we take reasonable steps to ensure equivalent data protection.
5. Cookies and tracking
We set a first-party session cookie to keep you signed in. We do not use third-party advertising cookies. A small number of first-party cookies store UI preferences (theme, sidebar state). We do not use Google Analytics or similar trackers on creators' microsites.
6. Data retention
- Account data is retained while the account is active, and for up to 30 days after account deletion.
- Payment records are retained for 7 years as required by Indian tax law.
- Connected-account tokens (Instagram, Facebook, Google) are deleted immediately on disconnect.
- Aggregated analytics are retained indefinitely in de-identified form.
7. Your rights
Under the DPDP Act (and regardless of your jurisdiction), you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or outdated data. You can do most of this yourself from your Fyreside profile.
- Delete your account and the data attached to it. Instructions: fyreside.in/privacy/delete.
- Withdraw consent to specific processing — e.g., disconnect Instagram, stop WhatsApp outreach. Withdrawal doesn't affect processing that already happened.
- Data portability — export your subscriber list, courses, and settings.
- Grievance redressal — if you believe we've mishandled your data, write to our Grievance Officer at grievance@fyreside.in. We'll respond within 7 days and resolve within 30 days, per the DPDP Act.
8. Security
We take reasonable technical and organizational measures to protect your data, including TLS for all traffic, encryption at rest for sensitive fields (access tokens, passwords), principle-of-least-privilege access for our team, and regular dependency updates. No system is 100% secure, and we'll notify you and the Data Protection Board of India within 72 hours of becoming aware of any breach that's likely to harm you.
9. Children
Fyreside is not for children under 18. We do not knowingly collect data from anyone under 18. If a creator knowingly targets minors, they must obtain verifiable parental consent per the DPDP Act, and Fyreside may terminate their account.
10. Changes to this policy
If we change this policy, we'll update the "Last updated" date at the top and notify active creators by email at least 14 days before the change takes effect. Continued use of the service after the effective date constitutes acceptance of the updated policy.
11. Contact
General privacy questions: privacy@fyreside.in
Grievance Officer (DPDP Act): grievance@fyreside.in
Mailing address: Bangalore, India (exact address on request).