FatLoon Corporation

Privacy Policy

FatLoon Corporation  ·  Last updated: May 29, 2026

Plain-English summary: We collect the minimum data needed to run Beaver Dash. We don’t sell your data. You can request a full export or deletion at any time at beaver-dash.fatloon.com/data-request or by emailing privacy@fatloon.com.

1. Introduction

Beaver Dash ("Beaver Dash", "we", "us", "our") is a software-as-a-service product operated by FatLoon Corporation ("FatLoon"), reachable at www.fatloon.com. Beaver Dash is available at beaver-dash.fatloon.com and helps businesses manage comments, ads, and engagement data from Meta Platforms, Inc. ("Meta" — Facebook and Instagram). This Privacy Policy explains what personal data we collect, why we collect it, how we use and store it, and the rights you have over it.

We comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Meta Platform Terms, and applicable Meta Developer Data Use policies.

2. Data Controller

The data controller for personal data processed through Beaver Dash is FatLoon Corporation. For any questions about this policy, to exercise your rights, or to request data deletion, contact us at privacy@fatloon.com.

3. Data We Collect

3.1 Account Data

When you create a Beaver Dash workspace, we collect:

  • Email address
  • Company or organization name
  • Password (stored hashed and salted via Supabase Auth — we never see or store plaintext passwords)

3.2 Meta Platform Data

When you connect your Meta Business account via the official Meta OAuth flow, we request only the scopes needed to operate Beaver Dash’s features. With your explicit consent, Meta returns an access token and permission for us to read and, where you enable it, act on the following data on your behalf:

  • Facebook Pages and Instagram Business accounts you administer (name, ID, profile picture, follower count)
  • Advertising accounts, campaigns, ad sets, and ads (name, status, creative, targeting summary)
  • Ad performance metrics (spend, impressions, reach, clicks, CTR, CPC, CPM, conversions, ROAS)
  • Comments on ads and organic posts (text, author name, timestamp, reactions)
  • Direct message conversations when you explicitly enable the Messaging feature (message text, sender name, timestamp)
  • Instagram media metadata (post ID, media type, caption, engagement counts)
  • Page-level insights (reach, impressions, engaged users) where required to calculate performance summaries

We request only the Meta permissions that correspond to features you actively use. We do not collect personal data of end-users beyond what is necessary to display comments and public engagement events; we do not receive or store Meta passwords.

3.3 Usage Data

For security and product improvement, we automatically log:

  • Log-in events (timestamp, IP address, user-agent) for security auditing
  • Actions within Beaver Dash (synchronizations triggered, comments moderated, settings changed)
  • Aggregate, non-identifying performance metrics (request latency, error rate)

3.4 Billing Data

When you purchase a paid plan, Stripe, Inc. processes payment on our behalf and stores your card details. We receive only a Stripe customer ID, subscription status, and billing metadata (plan, amount, renewal date); we never see or store your full card number.

4. How We Use Your Data

We use personal data strictly for the purposes below:

  • Operate the Beaver Dash Service you signed up for
  • Authenticate your sign-in and keep your session secure
  • Read your Meta data and display it inside Beaver Dash
  • Perform actions you trigger, such as replying to or hiding a comment
  • Bill you for paid plans and email receipts and renewal notices
  • Send critical operational email (token expiry, security, service availability)
  • Detect and prevent abuse, fraud, and unauthorized access

We do not sell your data, nor do we use data obtained through the Meta Platform to train machine-learning models, build advertising profiles, or monetize outside the scope of the Service you signed up for.

5. How We Store and Protect Your Data

  • OAuth access tokens from Meta are encrypted at rest using AES-256-GCM before being written to the database.
  • The database is hosted by Supabase on managed PostgreSQL with encryption at rest and in transit.
  • All HTTP traffic between your browser and Beaver Dash is protected by TLS 1.2 or higher.
  • Your workspace data is logically isolated from every other workspace via a tenant ID on every record; our code enforces this isolation on every query.
  • Only authorized FatLoon personnel can access production systems, and all access is audit-logged.

6. Data Retention

We retain your personal data for as long as your Beaver Dash workspace is active. When you delete your account or revoke Beaver Dash’s access inside Meta, we delete all of your workspace data — including Meta tokens, synced ads and comments, and billing metadata not required for tax recordkeeping — within 30 days. Financial records required by law may be retained for up to seven years in accordance with applicable tax regulations.

We retain different categories of data for different periods:

  • Ad comments and engagement data: retained while the parent ad is active in your Meta account, plus 24 months after the ad is archived.
  • Operational logs: 30 days. No personal data is included in log payloads — only structured event codes and identifiers.
  • Account data (your email, company, billing info): retained for the life of your account, plus 90 days after deletion, then permanently removed.
  • Data request audit trail: retained for 6 years to demonstrate GDPR / PIPEDA / CCPA compliance.

7. Data Deletion Instructions

You can request deletion of your Beaver Dash data in any of three ways:

  • From inside Beaver Dash: Open Settings → Delete account. Confirm the action. Your workspace, Meta tokens, and all synced data are purged within 30 days.
  • From Meta (Facebook): Go to Facebook → Settings & Privacy → Settings → Apps and Websites → find "Beaver Dash" → Remove. Meta notifies us via a Data Deletion callback and we purge your data within 30 days.
  • By email: Write to privacy@fatloon.com from the email address on your workspace. We respond within 5 business days and complete deletion within 30 days.

8. Sub-processors

Beaver Dash relies on the following sub-processors. Each is bound by a written data-processing agreement no less protective than ours.

Sub-processor | Purpose | Region
Supabase | Managed PostgreSQL database, authentication | Canada (ca-central-1)
Fly.io | Application hosting | Canada (yyz / Toronto)
Stripe, Inc. | Payment processing for paid plans | United States
Resend | Transactional email delivery | United States
Meta Platforms, Inc. | Source of advertising and social data you authorize | United States
Anthropic | LLM-driven analytics (insight generation, sentiment classification) — only when a customer uses those features | United States
Sentry | Error and performance tracking. No comment content is logged. | United States
Telegram Messenger LLP | Operational notifications to administrators who opt in — only event metadata, never raw user content. | UK / UAE
Cloudflare | DNS and edge routing | Global

For US sub-processors, transfers from EU / EEA / UK / Swiss data subjects rely on the European Commission’s Standard Contractual Clauses (Module 2) and the UK International Data Transfer Addendum, as documented in our DPA.

9. Government and Law Enforcement Requests

From time to time a government body, court, or other public authority may request access to personal data we process. We disclose personal data to public authorities only where we are legally compelled to do so, and we handle every such request with the following safeguards:

  • Legality review — we review each request for its legal validity, jurisdiction, and scope before taking any action, and we do not comply with requests that are not legally valid.
  • Challenging unlawful requests — where a request is overbroad, improperly served, or otherwise unlawful, we challenge it or seek to narrow it through the appropriate legal channels before any disclosure.
  • Data minimization — where disclosure is legally required, we disclose only the minimum personal data necessary to satisfy that specific, valid obligation, and nothing more.
  • Documentation — we document each request, our response, the legal reasoning applied, and the personnel involved, and we retain that record as part of our compliance audit trail.

Where we are legally permitted to do so, we notify the affected customer before disclosing their data so they may seek to protect their interests. We do not provide any government with direct, unfettered, or bulk access to personal data, and we do not weaken our security measures to facilitate such access.

10. Your Rights

Under GDPR, CCPA, and similar regimes, you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data (see Section 7)
  • Object to or restrict processing in certain cases
  • Receive a copy of your data in a portable format
  • Withdraw consent at any time by disconnecting your Meta account or deleting your workspace
  • Lodge a complaint with a supervisory authority in your jurisdiction

To exercise any of these rights, submit our data request form (preferred — we route it directly to the privacy team and assign a tracking ID) or email privacy@fatloon.com. We respond within 30 days, in line with GDPR Article 12.3.

11. International Transfers

We process data in Canada and the United States. Where data originates in the European Economic Area, we rely on the European Commission’s Standard Contractual Clauses with our sub-processors. You may request a copy by writing to privacy@fatloon.com.

12. Children

Beaver Dash is a business tool and is not directed at anyone under the age of 13 (or 16 in the EU). We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact privacy@fatloon.com and we will delete it.

13. Use of the Meta Platform

Your use of Beaver Dash is additionally governed by the Meta Platform Terms and the Meta Developer Policies. Beaver Dash uses the Meta Graph API strictly for the features you authorize and in accordance with those policies. We do not share data obtained through the Meta Platform with third parties beyond the sub-processors listed above.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced via email to your workspace owner at least 14 days before they take effect. The latest version will always be available at beaver-dash.fatloon.com/privacy.

15. Contact

FatLoon Corporation

Privacy inquiries: privacy@fatloon.com

Support: support@fatloon.com

Corporate site: www.fatloon.com
