Beaver Dash Privacy Policy

1. Introduction

Beaver Dash ("Beaver Dash", "we", "us", "our") is a software-as-a-service product operated by FatLoon Corporation ("FatLoon"), reachable at www.fatloon.com. Beaver Dash is available at beaver-dash.fatloon.com and helps businesses manage comments, ads, and engagement data from Meta Platforms, Inc. ("Meta" — Facebook and Instagram). This Privacy Policy explains what personal data we collect, why we collect it, how we use and store it, and the rights you have over it.

We comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Meta Platform Terms, and applicable Meta Developer Data Use policies.

2. Data Controller

The data controller for personal data processed through Beaver Dash is FatLoon Corporation. For any questions about this policy, to exercise your rights, or to request data deletion, contact us at privacy@fatloon.com.

3. Data We Collect

3.1 Account Data

When you create a Beaver Dash workspace, we collect:

• Email address
• Company or organization name
• Password (stored hashed and salted via Supabase Auth — we never see or store plaintext passwords)

3.2 Meta Platform Data

When you connect your Meta Business account via the official Meta OAuth flow, we request only the scopes needed to operate Beaver Dash’s features. With your explicit consent, Meta returns an access token and permission for us to read and, where you enable it, act on the following data on your behalf:

• Facebook Pages and Instagram Business accounts you administer (name, ID, profile picture, follower count)
• Advertising accounts, campaigns, ad sets, and ads (name, status, creative, targeting summary)
• Ad performance metrics (spend, impressions, reach, clicks, CTR, CPC, CPM, conversions, ROAS)
• Comments on ads and organic posts (text, author name, timestamp, reactions)
• Direct message conversations when you explicitly enable the Messaging feature (message text, sender name, timestamp)
• Instagram media metadata (post ID, media type, caption, engagement counts)
• Page-level insights (reach, impressions, engaged users) where required to calculate performance summaries

We request only the Meta permissions that correspond to features you actively use. We do not collect personal data of end-users beyond what is necessary to display comments and public engagement events; we do not receive or store Meta passwords.

3.3 Usage Data

For security and product improvement, we automatically log:

• Log-in events (timestamp, IP address, user-agent) for security auditing
• Actions within Beaver Dash (synchronizations triggered, comments moderated, settings changed)
• Aggregate, non-identifying performance metrics (request latency, error rate)

3.4 Billing Data

When you purchase a paid plan, Stripe, Inc. processes payment on our behalf and stores your card details. We receive only a Stripe customer ID, subscription status, and billing metadata (plan, amount, renewal date); we never see or store your full card number.

4. How We Use Your Data

We use personal data strictly for the purposes below:

• Operate the Beaver Dash Service you signed up for
• Authenticate your sign-in and keep your session secure
• Read your Meta data and display it inside Beaver Dash
• Perform actions you trigger, such as replying to or hiding a comment
• Bill you for paid plans and email receipts and renewal notices
• Send critical operational email (token expiry, security, service availability)
• Detect and prevent abuse, fraud, and unauthorized access

We do not sell your data, nor do we use data obtained through the Meta Platform to train machine-learning models, build advertising profiles, or monetize outside the scope of the Service you signed up for. We comply with Meta’s Platform Terms and Developer Policies.

5. How We Store and Protect Your Data

• OAuth access tokens from Meta are encrypted at rest using AES-256-GCM before being written to the database.
• The database is hosted by Supabase on managed PostgreSQL with encryption at rest and in transit.
• All HTTP traffic between your browser and Beaver Dash is protected by TLS 1.2 or higher.
• Your workspace data is logically isolated from every other workspace via a tenant ID on every record; our code enforces this isolation on every query.
• Only authorized FatLoon personnel can access production systems, and all access is audit-logged.

6. Data Retention

We retain your personal data for as long as your Beaver Dash workspace is active. When you delete your account or revoke Beaver Dash’s access inside Meta, we delete all of your workspace data — including Meta tokens, synced ads and comments, and billing metadata not required for tax recordkeeping — within 30 days. Financial records required by law may be retained for up to seven years in accordance with applicable tax regulations.

7. Data Deletion Instructions

You can request deletion of your Beaver Dash data in either of two ways:

• From inside Beaver Dash: Open Settings → Delete account. Confirm the action. Your workspace, Meta tokens, and all synced data are purged within 30 days.
• From Meta (Facebook): Go to Facebook → Settings & Privacy → Settings → Apps and Websites → find “Beaver Dash” → Remove. Meta notifies us via a Data Deletion callback at https://beaver-dash.fatloon.com/api/meta/deletion, and we purge your data within 30 days and return a confirmation URL.
• By email: Write to privacy@fatloon.com from the email address on your workspace. We respond within 5 business days and complete deletion within 30 days.

8. Third-Party Processors

Beaver Dash relies on the following sub-processors, each subject to their own privacy policies:

• Supabase — database and authentication (PostgreSQL, hosted in the US/EU)
• Fly.io — application hosting (primary region: Toronto, Canada)
• Meta Platforms, Inc. — source of the advertising and social data you authorize
• Stripe, Inc. — payment processing for paid plans
• Resend — transactional email delivery
• Sentry — error and performance tracking (no comment content is logged)
• Cloudflare — DNS and edge routing

9. Your Rights

Under GDPR, CCPA, and similar regimes, you have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data (see Section 7)
• Object to or restrict processing in certain cases
• Receive a copy of your data in a portable format
• Withdraw consent at any time by disconnecting your Meta account or deleting your workspace
• Lodge a complaint with a supervisory authority in your jurisdiction

To exercise any of these rights, email privacy@fatloon.com. We respond within 30 days.

10. International Transfers

We process data in Canada and the United States. Where data originates in the European Economic Area, we rely on the European Commission’s Standard Contractual Clauses with our sub-processors. You may request a copy by writing to privacy@fatloon.com.

11. Children

Beaver Dash is a business tool and is not directed at anyone under the age of 13 (or 16 in the European Union). We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact privacy@fatloon.com and we will delete it.

12. Use of the Meta Platform

Your use of Beaver Dash is additionally governed by the Meta Platform Termsand the Meta Developer Policies. Beaver Dash uses the Meta Graph API strictly for the features you authorize and in accordance with those policies. We do not share data obtained through the Meta Platform with third parties beyond the sub-processors listed above, and only for the purposes described in this policy.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced via email to your workspace owner at least 14 days before they take effect. The latest version will always be available at beaver-dash.fatloon.com/privacy.

14. Contact