Privacy Policy
Effective: May 6, 2026 · Last reviewed: May 6, 2026 · v3.0
Plain-language summary
We sell audience-intelligence reports built on publicly available information from social platforms. To produce them we collect a small amount of information about you (account, billing, your scans) and analyze publicly available profile data about the people who follow the accounts you scan. We do not collect private posts, DMs, or anything behind a login wall. Under California law that scanned-profile data is "publicly available" and falls outside the CCPA definition of personal information; under GDPR we treat it as personal data and rely on legitimate interest. Either way, you and any individual who appears in a scan can ask us to delete that data.
If you skim only one section, read §3 (data about scanned profiles), §9 (rights), and §10 (removal for scanned individuals).
1. Definitions
- "Customer" — a signed-in user of the Service who has paid for one or more scans or maintains a subscription.
- "Scanned individual" — a natural person whose publicly visible profile data appears in a report. Scanned individuals are also data subjects under this policy and have specific rights described in §10.
- "Personal data" / "personal information" — used interchangeably; any information relating to an identified or identifiable natural person, as defined by GDPR Art. 4(1) and analogous U.S. state laws including CCPA/CPRA Cal. Civ. Code §1798.140(v).
- "Process" — any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
- "Sub-processor" — a third-party service we engage to process personal data on our behalf under a written data-processing agreement.
- "You" — context-dependent. In §2, §5–§9, and §11–§16 it means the Customer. In §3 and §10 it means the scanned individual.
2. Personal data we collect about Customers
We collect and process the following categories of personal data about Customers. For each category we list the purpose, legal basis (GDPR), retention, and recipients.
2.1 Identity and account
- Data: email address, display name, profile photo URL, OAuth subject ID.
- Source: Clerk (our authentication provider) or directly from you.
- Purpose: authenticate you, send transactional email, identify you in support correspondence.
- Legal basis (GDPR Art. 6): (b) contract.
- Retention: until you delete your account; backups for ≤30 additional days.
- Recipients: Clerk (auth), Resend (email), Convex (database).
2.2 Billing
- Data: Stripe customer ID, subscription IDs, invoice metadata, currency, country, last four digits of payment card if returned by Stripe. We do not receive full PAN, CVV, or expiry.
- Purpose: process payments, handle refunds, comply with tax and accounting obligations.
- Legal basis: (b) contract; (c) legal obligation.
- Retention: 7 years from the end of the relevant fiscal year (US tax / EU VAT minimum).
- Recipients: Stripe, Convex, our accounting providers.
2.3 Service usage
- Data: scans you have run, share tokens you have minted, credit ledger, monitor subscriptions and their settings (target handle, brand variant, alert frequency).
- Purpose: deliver the Service.
- Legal basis: (b) contract.
- Retention: until you delete your account.
- Recipients: Convex.
2.4 Communications
- Data: content of support emails you send us, replies to transactional email.
- Purpose: answer support questions, audit complaint resolution.
- Legal basis: (f) legitimate interest in providing support.
- Retention: 24 months.
- Recipients: our internal email; not shared.
2.5 Security and abuse-prevention logs
- Data: IP address, user agent, requested route, response code, timestamp, request ID.
- Purpose: detect and block fraud, abuse, brute-force authentication, and scraping of our service.
- Legal basis: (f) legitimate interest in protecting the Service and other users; legitimate-interest assessment (LIA) on file. (c) legal obligation if requested by lawful process.
- Retention: ≤90 days for routine logs; longer only for active security investigations, with documented justification.
- Recipients: Vercel, Cloudflare (where deployed), our internal team.
2.6 Product analytics
- Data: PostHog events (page views, button clicks, scan-completion outcomes), browser metadata. Session replay is disabled globally on this Service; we do not record screen sessions.
- Purpose: understand product usage in aggregate and improve the Service.
- Legal basis: (f) legitimate interest for non-EU/UK/Swiss users; (a) consent for users in jurisdictions requiring opt-in (we honor GPC and Do-Not-Track signals where the law treats them as opt-out signals — see §13).
- Retention: 13 months at event level; longer only at aggregated, non-identifying level.
- Recipients: PostHog.
We do not knowingly collect special-category data under GDPR Art. 9. California-specific treatment of "sensitive personal information" is in §17.A.
3. Data about scanned individuals
Operating the Service requires us to retrieve and store a limited set of publicly available information about people who follow the accounts our Customers scan. The data is what the source platform makes visible without login on accounts that have been voluntarily made public.
Under California law (CCPA/CPRA, Cal. Civ. Code §1798.140(v)(2)), "publicly available" information — including information lawfully made available from social-media profiles where the data subject has not restricted it — is excluded from the definition of "personal information." The data we process about scanned individuals falls within that carve-out, so California’s rules for "personal information" do not apply to it. We nonetheless honor scanned-individual deletion and opt-out requests as a matter of policy (§10, §17.A.4).
Under GDPR / UK GDPR, there is no equivalent carve-out and we treat scanned-individual data as personal data. We process it as a controller on the legal basis described in §3.4.
3.1 Categories collected
For each follower we sample, we retrieve the following fields, each of which the source platform makes publicly visible without login:
- handle (username), display name, biography text, biography link;
- profile photo URL (proxied through our CDN; not stored beyond cache TTL);
- public follower count, following count, post count;
- platform-supplied verification status;
- platform-supplied business-category label (when the account is a public business profile);
- publicly listed contact methods (e.g., an email or phone number the user voluntarily put in their bio).
3.2 What we do NOT access
- private accounts, private posts, ephemeral content (stories/reels), or any login-gated content;
- direct messages or any private communication;
- email or phone numbers not listed in the public bio;
- platform-internal identifiers other than the platform user ID needed to deduplicate cache rows;
- location, device, advertising, or behavioural data of any kind.
3.3 Cross-Customer cache and report sharing
To reduce cost and latency, classifications produced for a scanned individual are cached and may be served to a later scan run by a different Customer when the same individual appears as a follower. This means that once a scanned individual’s data is processed for any Customer, derived classifications may appear in later reports run by other Customers until the data subject exercises removal under §10 or a Customer deletes their account. The cache is keyed on (platform, platform_user_id) and its propagation is fully addressed by §10. When a Customer mints a public share link or PDF, that link is accessible to anyone the Customer chooses to share it with, until the Customer revokes the link.
3.4 Why we process scanned-individual data
- Purpose: produce the report the Customer paid for; cross-Customer cache as described in §3.3; non-identifying aggregation.
- Legal basis (GDPR Art. 6): Article 6(1)(f) legitimate interest in operating an audience-analytics service over publicly available information.
Our balancing test recognizes that creators and other public-account holders have made their accounts visible without login for the purpose of being discovered for business and creator-economy purposes. Our processing supports that purpose by surfacing the composition of those accounts’ audiences to the account owner (our Customer). The data is not enriched with private signals, not used for advertising, not sold, and not used to make significant decisions about the data subject. We provide a self-service opt-out (§10) that removes the data subject from the cache and adds them to a no-fetch list. The full legitimate-interest assessment (LIA) — covering the necessity test, balancing of interests, and the cross-Customer cache use — is documented internally and reviewed at least annually.
3.5 Article 14 / Article 13 transparency
Because we receive scanned-individual data from a third party (the source platform via the Customer’s scan request), we owe Article 14 GDPR notice to data subjects in the EEA, UK, and Switzerland. We satisfy this obligation through a layered approach:
- This Privacy Policy is the primary disclosure, indexed and discoverable on the open web.
- The §10 self-service removal mechanism is offered prominently to anyone who arrives at the Service’s domains, with no requirement to create an account.
- A no-fetch list is maintained (§10) so that once a scanned individual has objected, our system stops re-fetching their data on future scans.
We rely in part on the Art. 14(5)(b) "disproportionate effort" exception for proactive, individualized notification, given the volume of scanned individuals and the fact that we have no contact channel for them other than via the source platform. We have documented this assessment and the appropriate safeguards we apply, consistent with EDPB guidance (WP260). We acknowledge the exception is narrow and the analysis is fact-dependent; we update the assessment annually.
3.6 Automated classification and large-language-model use
To label a follower with a category (e.g., "founder," "investor," "creator"), we send the public bio and display name to a large-language-model API. Our default provider is Anthropic, PBC. For data subjects whose data we identify as originating in the EEA, UK, or Switzerland, classification is routed exclusively to Anthropic, which is enrolled under the EU-U.S. Data Privacy Framework. Other classification providers (including Moonshot AI Ltd., based in China) may be used for non-EEA data only where contractually agreed and documented, and never for EEA/UK/Swiss data subjects. Current contracts with Anthropic prohibit training use on our data. We re-verify these contractual positions at least annually.
3.7 Special categories
People sometimes voluntarily include in a public bio information that would be a special category under Art. 9 (e.g., political affiliation, religion, sexual orientation). We do not target or rank by these categories and our LLM rubric does not output them as labels. If such data appears incidentally in cached fields, we treat the row under §10 on request and, in California, under the SPI right-to-limit framework in §17.A.
3.8 Minors as scanned individuals
Some social-platform users are minors aged 13–17. We do not target accounts that the source platform indicates are operated by minors, and we will remove such accounts on request under §10 even when the request comes from a parent or guardian. If we have actual knowledge that a scanned-individual record relates to a child under 13, we will delete it consistent with COPPA without requiring further verification.
3.9 Retention
- Cached scanned-individual rows are kept until the Customer’s account is deleted or until removal under §10, whichever comes first.
- LLM-classification cache rows are keyed on platform + platform user ID across Customers and persist until removal under §10.
- Backups: ≤30 days after live deletion.
4. How we use personal data
We use the data above strictly for the purposes listed per category in §2 and §3. Specifically:
- delivering scans, reports, and the dashboard;
- transactional email tied to your account (scan ready, weekly digest, daily alert), no unsolicited marketing;
- caching classifications across Customers to reduce cost on subsequent scans (see §3.3);
- aggregating anonymized usage statistics;
- detecting and preventing fraud, abuse, and Terms violations;
- complying with legal obligations and responding to lawful requests.
We do not run behavioural retargeting against you on our Service. We do not enrich your record with third-party data brokers. We do not engage in solely automated decision-making with legal or similarly significant effects on you (see §11).
Conversion measurement. When you accept our cookie consent banner, we send hashed customer data (email, name, phone, and country/postal code where you provided them at checkout) to Meta’s Conversions API and TikTok’s Events API after you complete a Purchase. This is industry-standard ad attribution — Meta and TikTok use the hashed values to confirm whether their ads led to your conversion and to optimize delivery to similar people. We never send your scanned-follower lists or report data to ad networks. If you reject the cookie banner, no pixel events are sent for your session. You can withdraw at any time via the banner toggle or by emailing privacy@whofollowsme.app to request suppression in our future fires.
5. Sub-processors
We rely on the sub-processors listed at /legal/subprocessors. Each operates under a written DPA. We will provide at least 30 days’ written notice of any new sub-processor. Customers on a paid plan may object to a new sub-processor by emailing privacy@whofollowsme.app within those 30 days; if we cannot resolve the objection we will give the Customer the opportunity to terminate without penalty for the unused portion of the term.
6. International transfers
Most sub-processors are based in the United States. For transfers from the EEA, UK, or Switzerland to the U.S., our primary transfer mechanism is the EU-U.S. Data Privacy Framework (and the UK Extension and Swiss-U.S. Framework) where the receiving sub-processor is DPF-certified. Where DPF is unavailable, we rely on the European Commission’s Standard Contractual Clauses (Decision 2021/914), Module 2 (controller-to-processor), supplemented by Schrems II–style transfer impact assessments. For UK transfers, we use the UK International Data Transfer Addendum to the SCCs. For Swiss transfers, we apply the SCCs as adapted by the Swiss FDPIC under the revFADP.
We do not transfer Customer or scanned-individual data to Moonshot AI when the data subject is in the EEA, UK, or Switzerland. For data subjects elsewhere, when Moonshot is in the routing path, we apply the SCCs and a documented risk acceptance for transfers to mainland China. We do not actively market the Service in mainland China.
7. Sharing and disclosure
We share personal data only:
- with sub-processors listed at /legal/subprocessors, for the purposes listed there;
- with public-share-link viewers, when a Customer mints a share link or PDF;
- with law enforcement or regulators in response to a legally valid request; we apply standard process review and require proper legal authority before disclosure;
- in connection with a corporate transaction, in which case we will give 30 days’ notice on this page.
7.1 "Sale" and "sharing" under U.S. state laws
We do not sell personal data. The scanned-individual data we process is "publicly available" information under Cal. Civ. Code §1798.140(v)(2) and is therefore excluded from the statutory definition of "personal information," so CCPA/CPRA "sale" and "share" rules do not attach to it.
Cross-context behavioural advertising disclosure. Sending hashed customer identifiers to Meta and TikTok for conversion measurement (described in §4 above) may qualify as "sharing" for cross-context behavioural advertising under California, Colorado, Connecticut, and Virginia law because Meta and TikTok use those identifiers to optimize ad delivery to their own audiences. We only do this after you affirmatively accept our cookie consent banner, and we honor opt-out and Global Privacy Control as described below. To opt out specifically of this measurement-driven sharing, reject the cookie banner, click /legal/do-not-sell, or email privacy@whofollowsme.app with subject "Opt out of ad-pixel sharing."
We honor opt-out requests as a matter of policy, regardless of the statutory characterization. Submit at /legal/do-not-sell or by emailing privacy@whofollowsme.app. We honor GPC signals as the equivalent opt-out from cookie-based browser sessions on our domains.
8. Retention
| Category | Retention |
|---|---|
| Account data, scans, follower rows, reports | Until account deletion |
| Server-side request logs | ≤90 days |
| LLM-classification cache rows | Until removal under §10 |
| Stripe invoices, tax records | 7 years from end of fiscal year |
| Support-email content | 24 months |
| Analytics events (PostHog) | 13 months at event-level |
| Backups | ≤30 days after live deletion |
We maintain a record of processing activities (ROPA) under GDPR Art. 30 covering each processing purpose and category above, and review it at least annually.
9. Your rights as a Customer
Where the law gives you these rights — including under GDPR / UK GDPR Articles 12–22, the CCPA/CPRA, and the Colorado, Virginia, Connecticut, Utah, Texas, Oregon, Montana, Florida, Delaware, New Jersey, New Hampshire, Iowa, Indiana, Tennessee, Maryland, and Minnesota laws as in force — you can:
- Access the personal data we hold about you and obtain a copy.
- Correct inaccurate personal data.
- Delete your personal data, subject to limited legal-retention exceptions (e.g., Stripe invoices).
- Restrict or object to certain processing, including objection to processing based on legitimate interest under Art. 21 GDPR.
- Port your data to another service in a structured, machine-readable format.
- Opt out of "sale," "sharing," "targeted advertising," or "profiling for significant decisions." We honor GPC as a valid opt-out signal where recognized.
- Limit use of sensitive personal information under CCPA/CPRA — see §17.A.
- Withdraw consent at any time where our processing is based on consent.
- Designate an authorized agent under CCPA/CPRA. We will verify the agent’s authority before acting.
- Lodge a complaint with your supervisory authority — see §16.
9.1 How to exercise your rights and our response time
The fastest path is the "Request my data" link in the site footer, which opens your email client with a prefilled DSAR template covering access, correction, deletion, restriction, and portability — submit from the address on your account. You can also email privacy@whofollowsme.app directly. We may need to verify your identity before acting on a request and we will not ask for more information than is necessary.
| Jurisdiction | Substantive response | Possible extension | Appeal period |
|---|---|---|---|
| GDPR / UK GDPR | 1 month | +2 months on notice (Art. 12(3)) | per supervisory authority |
| California (CCPA/CPRA) | 45 days | +45 days on notice | none statutory |
| Colorado (CPA) | 45 days | +45 days on notice | 45 days |
| Virginia (CDPA) | 45 days | +45 days on notice | 60 days |
| Connecticut (CTDPA) | 45 days | +45 days on notice | 60 days |
| Texas (TDPSA) | 45 days | +45 days on notice | 60 days |
| Other state laws | per applicable law | per applicable law | per applicable law |
We do not discriminate against Customers for exercising any of these rights. To appeal a denial of a rights request in a state that provides an appeal right, email privacy@whofollowsme.app with the subject line "Appeal — [state]".
10. Removal requests for scanned individuals
If you are a person whose handle appears in a Service report and you would like your data removed, email privacy@whofollowsme.app with your handle and source platform. You do not need a Customer account to make this request.
We will, within the time required by applicable law (and as an internal target, within 7 business days):
- Delete cached profile data and follower rows for that handle across all Customers’ scans in our system.
- Delete the LLM-classification cache row keyed on (platform, platform_user_id).
- Add the (platform, handle) pair to a no-fetch list so future scans of unrelated accounts skip you.
- Confirm in writing.
Limitations. Reports already downloaded by a Customer (PDFs or saved share-link copies) are outside our technical control once exfiltrated; we cannot recall those. We will, however, revoke any active share token immediately and instruct the Customer to delete local copies.
11. Profiling and automated processing
The Service performs profiling within the meaning of GDPR Art. 4(4): automated processing of personal data to evaluate personal aspects (e.g., professional category, follower count, audience reach) relating to a natural person. Whether that profiling rises to "solely automated decision-making with legal or similarly significant effects" under Art. 22 depends on how a Customer uses the report. The Customer is the meaningful decision-maker for any downstream use of the report.
To reduce risk that our outputs are misused for adverse decisions:
- our Terms prohibit using outputs to make adverse decisions about a person without independent human verification;
- our reports include warnings that classifications are estimates, not facts;
- a scanned individual who believes our classification has been used against them may contact us under §10 — we will delete the classification and add the handle to the no-fetch list;
- in jurisdictions where Art. 22 (or analogous state laws on profiling for significant decisions) apply directly to a Customer’s use of our outputs, the Customer is responsible for the human-review and contestability obligations.
12. Lawfulness of public-data collection
We collect publicly available data in a manner we believe is consistent with applicable law. We do not bypass authentication, rate limits, or technical access controls. We do not represent that our collection complies with the terms of service of any source platform; platform terms of service are private contracts between the platform and its users, and we are not party to them. To the extent any source platform asserts that our use violates its terms, that is a contractual matter between us and the platform; it does not, by itself, render the data subject’s underlying data unlawfully held. We monitor case-law and regulatory developments in this area and adjust our practices as needed.
13. Cookies, GPC, and tracking
| Provider | Purpose | Type |
|---|---|---|
| Clerk | Authentication session, CSRF | Strictly necessary |
| Cloudflare | Bot management, DDoS protection | Strictly necessary |
| Stripe Checkout | Payment session | Strictly necessary |
| Vercel | Routing, locale | Functional |
| Brand variant cookie | Tabloid vs Wrapped UI preference | Functional |
| PostHog | Product analytics (no session replay) | Analytics — opt-in or opt-out per jurisdiction |
| Meta Pixel (_fbp, _fbc) | Conversion measurement and ad attribution; matched against the Conversions API server fires described in §4 | Marketing — opt-in only (cookie banner Accept) |
| TikTok Pixel (_ttp) | Conversion measurement and ad attribution; matched against the TikTok Events API server fires described in §4 | Marketing — opt-in only (cookie banner Accept) |
Marketing cookies are off until you Accept on the first-visit banner. We do not use third-party advertising cookies for behavioural retargeting; the Meta and TikTok pixels listed above are used solely for conversion measurement of paid advertising we run.
On first visit, a cookie consent banner appears at the bottom of the page where you can Accept or Reject. Your choice persists in localStorage and the banner does not re-prompt. If you Accept, the Meta and TikTok marketing pixels listed above load and fire alongside our server-side conversion events. If you Reject, no marketing pixel scripts load and our server-side conversion events also do not fire for your session. Your stored choice is the record we rely on if asked.
We honor Global Privacy Control as a valid opt-out signal for analytics and "sale"/"share" in every jurisdiction whose law recognizes it as such, including California, Colorado, Connecticut, Texas (effective Jan 1, 2025), Oregon (effective 2026), Delaware, New Jersey, New Hampshire, Minnesota, and Maryland. We will update this list as new state laws come into force.
14. Children
The Service is not directed to children. Use of the Service requires being at least 18 years old (see Terms of Service). We do not knowingly collect personal information from anyone under 18 as a Customer. For scanned individuals who may be minors aged 13–17, see §3.8. For data we may inadvertently process about a child under 13 (in either capacity), we will delete it on actual notice consistent with COPPA. Parents or guardians with concerns may email privacy@whofollowsme.app.
15. Security
- In transit: TLS 1.3 minimum, with TLS 1.2 fallback only where strictly required for legacy interoperability.
- At rest: encrypted at the storage layer by Vercel, Convex, Stripe, Clerk per their respective practices.
- Authentication: Clerk-managed; payment data never touches our servers.
- Access control: production access requires hardware-backed multi-factor authentication; access is logged.
- Vulnerability management: dependencies are patched on a rolling cadence; we monitor advisories for our sub-processors.
- Incident response:
  - To regulators: notification within 72 hours of becoming aware of a personal-data breach where required (GDPR Art. 33 and analogous state laws).
  - To affected individuals: without undue delay, consistent with GDPR Art. 34 and the outer time limits set by applicable state breach-notification statutes.
If you believe you have found a vulnerability, email security@whofollowsme.app.
16. Changes, contact, and supervisory authorities
16.1 Changes to this policy
Material changes will be announced on this page with a new effective date, notified to active Customers by email at least 14 days before they take effect when reasonably practicable, and reflected in our change log at /legal/privacy-changes. Continued use of the Service after the effective date constitutes acceptance.
16.2 Contact
- Privacy questions and rights requests: privacy@whofollowsme.app
- Security disclosures: security@whofollowsme.app
- DMCA / takedowns: dmca@whofollowsme.app
- General support: support@whofollowsme.app
16.3 Internal complaint timeline
We acknowledge any privacy complaint within 5 business days of receipt and provide a substantive response within the timeframe set out in §9.1 for the requester’s jurisdiction.
16.4 Data Protection Officer
We have not designated a Data Protection Officer because we do not currently meet the GDPR Art. 37 thresholds. We will appoint a DPO if our processing crosses those thresholds and update this policy accordingly. Privacy questions in the meantime go to the privacy email above.
16.5 Supervisory authorities
EU/EEA data subjects may complain to their local supervisory authority. UK residents may complain to the Information Commissioner’s Office (ICO). Swiss residents may complain to the FDPIC. California residents may complain to the California Privacy Protection Agency. Texas residents may complain to the Office of the Texas Attorney General. Other state residents may complain to their state Attorney General.
17. State-specific notices
17.A California (CCPA / CPRA)
17.A.1 Scope and the "publicly available" carve-out. Most of the data we process about scanned individuals is publicly available information under Cal. Civ. Code §1798.140(v)(2) and is therefore outside the statutory definition of "personal information." The CCPA disclosures below apply to Customer personal information (§2) and to any scanned-individual data that does not fall within the carve-out. We voluntarily extend the rights below to all scanned individuals as a matter of policy (§10).
17.A.2 Categories of personal information collected. In the prior 12 months we have collected the categories described in §2 and §3. Mapped to CCPA categories in Cal. Civ. Code §1798.140(v): identifiers; commercial information; internet or other electronic network activity; geolocation (coarse, derived from IP); professional information (where present in a public bio); and inferences (the LLM classification).
17.A.3 Sources, purposes, retention, third parties. Sources: directly from the Customer (account, billing); from the source platform’s public surface (scanned-individual data); from sub-processors listed in §5. Business purposes are listed in §4. Retention by category is in §8. Third-party recipients are in §5 and /legal/subprocessors. These tables double as the §1798.100(a) and §1798.110(c) disclosures.
17.A.4 Sale and share status. We do not sell personal information and we do not share personal information for cross-context behavioural advertising — see §7.1 for the analysis and §17.A.6 for the opt-out path. We do not knowingly sell or share the personal information of any consumer under 16 years of age.
17.A.5 Sensitive personal information. We do not collect SPI as defined by Cal. Civ. Code §1798.140(ae) for the purposes of inferring characteristics about you, except to the extent a Customer’s own communications or a scanned individual’s voluntary public bio incidentally include such data. We do not use SPI for the purposes that would trigger a "right to limit use" under §1798.121. You nonetheless have the right to limit use of SPI by emailing privacy@whofollowsme.app; we will honor the request and confirm in writing.
17.A.6 "Do Not Sell or Share My Personal Information." Submit an opt-out at /legal/do-not-sell or by emailing privacy@whofollowsme.app with the subject line "Do Not Sell or Share — [handle/email]". We honor Global Privacy Control signals as the equivalent opt-out from cookie-based browser sessions on our domains.
17.A.7 Rights, response time, and non-discrimination. California residents have the rights to know, delete, correct, opt out of sale/share, and limit use of SPI, exercisable per §9.1. We do not discriminate against Californians for exercising their rights and you may designate an authorized agent under §1798.135(c) by submitting written authorization that we may verify with you. We will publish annual rights-request metrics under Cal. Civ. Code §1798.130(a)(5) once we cross the applicable threshold.
17.B Other US states with comprehensive privacy laws
Residents of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, Florida, Delaware, New Hampshire, New Jersey, Maryland, Minnesota, Rhode Island, Kentucky, and Nebraska have the rights described in §9 — to access, correct, delete, port (where provided), opt out of sale/share or of targeted advertising, and limit profiling for significant decisions — exercisable per §9.1. To exercise any right, email privacy@whofollowsme.app from the address on your account or use the "Request my data" link in the site footer. Appeals: subject line "Appeal — [state]". Where state law requires consent for sensitive data processing (Colorado, Connecticut, Virginia, and others), we do not knowingly process sensitive data of those residents and will seek consent before any new processing of such data.
Texas-specific disclosure. Texas Bus. & Com. Code §541.103 requires the following verbatim notices when applicable: We may sell your sensitive personal data — we do not currently sell sensitive personal data. We may sell your biometric data — we do not collect biometric data and therefore do not sell it. If our practices change we will update this section before any such processing.
Nevada. Nevada residents may opt out of any future "sale" of personal information by emailing privacy@whofollowsme.app. We do not currently sell personal information.
18. Data-broker status
We do not consider ourselves a "data broker" under California (Cal. Civ. Code §§1798.99.80–88, as amended by the DELETE Act / SB 362), Texas (Tex. Bus. & Com. Code Ch. 509), Vermont (9 V.S.A. §§2446–2447), or Oregon (ORS 646A.500 series) law. The Service provides content and audience analytics on publicly available information about accounts that have voluntarily made their profiles public for the purpose of being discovered. We are not selling the personal information of consumers with whom we have no direct relationship in the manner those statutes target.
Our position, the rights of individuals who appear in scans (§10), and the California-specific framework (§17.A) together describe how we handle scanned-individual data. Any updates to our data-broker analysis are published at /legal/data-broker.