Privacy Policy
How Factrail handles your data — written plainly, not to obscure.
Last updated: 16 April 2026
1. Introduction
Factrail (“we”, “us”, “our”) is operated by [LEGAL_OPERATOR_NAME]. This Privacy Policy explains what personal data we collect, why we collect it, who we share it with, and how you can exercise your rights.
By using Factrail, you acknowledge that you have read and understood this policy. If you do not agree with our practices, please do not use the service.
2. Data We Collect
We collect only the data necessary to provide and improve the service. The categories below describe what we collect and under what circumstances.
Account Data
When you create an account, we collect your name, email address, and a password (stored using bcrypt hashing with 12 rounds — we never store or have access to your plaintext password). If you sign in with a social provider (Google, Apple, or X/Twitter), we receive your display name, email address, and profile image URL from that provider. Guest users are assigned an anonymous database record with no personal information attached.
Usage Data
We collect the investigation queries you submit, the entities you explore, and basic interaction events (page views, feature usage). Investigation queries and related text are processed by third-party AI and search providers as described in the AI Provider Data Sharing section below.
Technical Data
Our servers automatically log standard request data including IP addresses, browser type, referring pages, and timestamps. We do not collect geolocation coordinates, device fingerprints, or phone numbers.
Payment Data
Payments are handled entirely by our merchant of record, Paddle. We share your email address with Paddle to initiate billing. All payment card details are collected directly by Paddle through their PCI-compliant overlay — we never receive, process, or store your card numbers.
3. How We Use Your Data
- Providing the service: Processing your investigation queries, generating analyses, and displaying results.
- Authentication: Verifying your identity and managing your session.
- Billing: Passing your email to Paddle to manage subscriptions and process payments.
- Product improvement: When analytics is enabled, aggregated and anonymised usage events help us understand how the product is used so we can improve it.
- Security: Detecting and preventing fraud, abuse, and unauthorised access.
- Legal obligations: Complying with applicable laws, regulations, and legal processes.
4. Legal Basis for Processing
We process personal data on the following legal grounds, depending on the context:
- Contract performance: Processing necessary to provide the service you signed up for (account management, query processing, billing).
- Legitimate interests: Improving the product, maintaining security, and preventing abuse, where those interests are not overridden by your rights.
- Consent: Where we rely on your consent (for example, optional analytics), you may withdraw it at any time without affecting the lawfulness of prior processing.
- Legal obligation: Processing required to comply with applicable law.
5. Third-Party Processors
We share data with vetted service providers who process it on our behalf. We do not sell personal data. The categories of processors we use, along with the data shared and purpose, are listed below.
| Category | Purpose | Data Shared |
|---|---|---|
| AI / Language Model Providers | Analytical processing and evidence synthesis | Search queries, entity names, evidence text for analysis |
| Web Search Providers | Source retrieval and evidence discovery | Search queries derived from investigation topics |
| Payment Processor | Subscription billing and payment processing | Email address, payment information (handled by processor directly) |
| Analytics Providers | Product improvement and performance monitoring (when enabled) | Anonymised usage events, page views, performance metrics |
| Authentication Providers | Social sign-in (when configured) | Email address, display name, profile image URL |
| Translation Providers | Content localisation (when enabled) | Analytical text for translation |
Not all processors are active at all times. Analytics providers are disabled by default and only active when explicitly enabled. Translation and social authentication providers are only engaged when those features are used.
6. AI Provider Data Sharing
Factrail's core functionality depends on third-party AI language model providers. When you submit an investigation query, the following data may be sent to one or more AI providers for processing:
- Your search query and topic description
- Entity names and identifiers relevant to the investigation
- Evidence text retrieved from public sources during the analysis pipeline
- Structured prompts constructed by our system (which may include the above data)
This data is sent to AI providers solely for the purpose of generating analytical output. We do not send your email address, password, payment information, or other account credentials to AI providers.
Similarly, web search providers receive search queries derived from your investigation topics in order to retrieve relevant public sources.
Each provider operates under its own privacy policy and data processing terms. We select providers that offer commercial API terms prohibiting the use of API inputs for model training, but we cannot guarantee the internal practices of third-party services.
8. Data Retention
We retain your account data for as long as your account is active. Investigation data (queries, results, dossiers) is retained while your account exists unless you request deletion.
If you delete your account, we will remove your personal data within 30 days, except where we are required by law to retain certain records (for example, billing records for tax compliance).
Anonymised, aggregated data that cannot be used to identify you may be retained indefinitely for product improvement purposes.
9. Your Rights
Depending on your jurisdiction, you may have some or all of the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request that we correct inaccurate or incomplete personal data.
- Deletion: Request that we delete your personal data, subject to legal retention requirements.
- Portability: Request your data in a structured, commonly used, machine-readable format.
- Objection: Object to processing based on legitimate interests. Where you object, we will stop processing unless we demonstrate compelling legitimate grounds.
- Withdraw consent: Where processing is based on consent, withdraw that consent at any time.
To exercise any of these rights, contact us at [PRIVACY_CONTACT_EMAIL]. We will respond within 30 days (or sooner where required by applicable law). We may need to verify your identity before fulfilling your request.
10. International Transfers
Your data may be processed by third-party providers located outside your country of residence, including in the United States. Where data is transferred internationally, we rely on appropriate safeguards such as the provider's compliance with recognised data protection frameworks, standard contractual clauses, or other legally approved transfer mechanisms.
11. Data Security
We implement technical and organisational measures designed to protect your personal data, including:
- Passwords hashed with bcrypt (12 rounds) — we never store plaintext passwords
- Session management via httpOnly, secure cookies (JWT strategy)
- Security headers applied via middleware on all responses
- HMAC-based webhook verification for payment provider communications
- Email addresses are never sent to analytics — only a boolean flag indicating whether an account exists
No system is perfectly secure. While we strive to protect your data, we cannot guarantee absolute security against every possible threat. If we become aware of a breach affecting your personal data, we will notify you and any applicable regulators as required by law.
12. Children
Factrail is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at [PRIVACY_CONTACT_EMAIL] and we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the service (for example, via a banner or notification). The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the service after a change constitutes acceptance of the updated policy.
14. Contact
For privacy-related questions, data requests, or complaints, contact us at:
- Privacy enquiries: [PRIVACY_CONTACT_EMAIL]
- General support: [SUPPORT_CONTACT_EMAIL]
- Post: [CORRESPONDENCE_ADDRESS]
If you are unsatisfied with our response, you may have the right to lodge a complaint with your local data protection authority.