Privacy Policy

Last updated: Loading...

Introduction

fav.ing is operated by Faving, Inc. ("fav.ing," "we," "our," or "us"). This Privacy Policy explains what information we collect when you use the fav.ing website, mobile apps, and related services (collectively, the "Service"), how we use and share that information, and the choices and rights you have.

fav.ing is a for-profit service. We are transparent about that here so the rest of this document reads as it should: we collect and use data to operate, improve, and monetize the Service, while honoring the privacy rights you have under applicable law (including the GDPR for users in the EU/UK and the CCPA/CPRA for California residents).

By using the Service, you acknowledge this Policy. If you don't agree with it, please don't use the Service.

Information We Collect

Account & Profile

  • Email address and authentication identifiers (e.g., Google or Apple sign-in IDs)
  • Display name, username, bio, profile picture, optional location
  • Optional contacts you choose to sync (used on-device to find friends; we store hashed identifiers, not raw phone numbers)

Content You Create

  • Lists, items, descriptions, current favorites, and bookmarks
  • Comments, reactions, follows, messages, and other social interactions
  • Reports of objectionable content you submit

Device & Usage Data

  • IP address, device model, OS, app version, language, and time-zone
  • Screens viewed, taps, scrolls, errors, and performance metrics (via PostHog)
  • Push-notification tokens (via Firebase Cloud Messaging / Apple Push Notification Service)
  • Cookies and similar identifiers (see Cookie Policy)

Payment Data (when applicable)

  • Payment processing is handled by our PCI-compliant processors (e.g., Stripe). We don't store full card numbers on our servers.

How We Use Your Information

  • Provide, maintain, and improve the Service
  • Create and manage your account, authenticate you, and recover access
  • Power social features (following, messaging, contact sync, recommendations)
  • Personalize your feed and surface lists, creators, and items we think you'll like
  • Send transactional notifications (replies, follows, password resets) and, where permitted, product updates
  • Measure and improve performance, debug crashes, and analyze usage
  • Operate, measure, and improve advertising, affiliate, and creator-monetization programs (now or in the future)
  • Detect, prevent, and respond to fraud, abuse, and Terms violations
  • Comply with legal obligations and enforce our Terms

Legal Bases for Processing (EU/UK Users)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data under one or more of the following GDPR legal bases:

  • Performance of a contract (Art. 6(1)(b)) — to provide the account, lists, messaging, and core features you've signed up for.
  • Legitimate interests (Art. 6(1)(f)) — to keep the Service secure, prevent fraud, debug, run analytics, and operate measurement for our advertising, affiliate, and creator programs. You can object to processing based on legitimate interests at any time.
  • Consent (Art. 6(1)(a)) — for non-essential cookies and similar technologies, marketing communications, optional contact sync, and any processing where consent is required by law. You can withdraw consent at any time without affecting prior processing.
  • Legal obligation (Art. 6(1)(c)) — to comply with applicable laws, court orders, and lawful requests from authorities.

How We Share Information

We share information with the following categories of recipients. Some of these arrangements may qualify as a "sale" or "sharing" of personal information under California law (CCPA/CPRA) or similar state laws — see "California Privacy Rights" below for your opt-out.

Service Providers ("Processors")

Vendors that operate the Service on our behalf under written data-processing agreements:

  • Hosting, database, and authentication: Supabase / AWS
  • Product analytics and crash reporting: PostHog
  • Push notifications: Firebase Cloud Messaging, Apple Push Notification Service
  • Email and transactional messaging: Supabase Auth / our email providers
  • Payments (when applicable): Stripe and other PCI-compliant processors

Other Users

Profiles, public lists, comments, reactions, and other content you choose to make public are visible to other users and the general internet. Bookmarks default to private and can be made public by you.

Advertising, Affiliate, and Measurement Partners

We may share data — including device identifiers, app interactions, and content engagement — with advertising networks, affiliate networks, and measurement partners to operate, evaluate, and personalize promotional or affiliate offers. These activities may be considered "sale" or "sharing" of personal information under U.S. state privacy laws.

Business Transfers

In a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, user information may be transferred or disclosed as part of that transaction. We will give notice in this Policy if your information becomes subject to a different privacy policy.

Legal & Safety

We may disclose information when required by law, subpoena, or legal process, or when we believe in good faith that disclosure is necessary to protect rights, property, safety, prevent fraud or abuse, or enforce our Terms.

California Privacy Rights (CCPA / CPRA)

California residents have specific rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act. We honor these rights for California residents and offer the same controls to all users globally where feasible.

Categories of personal information collected (last 12 months)

  • Identifiers: name, email, account ID, device identifiers, IP address
  • Customer records: profile fields, payment-processor tokens (when applicable)
  • Commercial information: products viewed, lists created, items bookmarked, affiliate clicks
  • Internet/network activity: pages and screens viewed, taps, search terms, referrers
  • Geolocation: approximate (from IP) and, with permission, precise location
  • Inferences: preferences and interests derived from your activity

Categories of personal information sold or shared

We may "sell" or "share" (as those terms are defined under CCPA/CPRA) the following categories with advertising, affiliate, and measurement partners: identifiers, internet/network activity, commercial information, and inferences. We do not knowingly sell or share the personal information of consumers under 16 years of age.

Your California rights

  • Right to know what personal information we collect, use, and disclose
  • Right to delete personal information
  • Right to correct inaccurate personal information
  • Right to opt out of the sale or sharing of personal information
  • Right to limit use of sensitive personal information
  • Right to non-discrimination for exercising these rights

Exercise these rights via the User Rights Portal (look for "Do Not Sell or Share My Personal Information" and "Export"/"Delete" controls), or email privacy@fav.ing.

Data Security

We implement administrative, technical, and physical safeguards appropriate to the sensitivity of the information we process. These include:

  • TLS encryption in transit and at-rest encryption for our primary databases
  • Row-level access controls and least-privilege service credentials
  • Security review of code changes and dependency monitoring
  • OAuth and password-based authentication delegated to Supabase Auth
  • Logging and monitoring for suspicious access patterns

No system is perfectly secure, and we can't guarantee absolute security. We will notify affected users and regulators of confirmed personal-data breaches as required by applicable law.

Your Rights

Depending on where you live, you have one or more of the following rights:

  • Access: get a copy of personal data we hold about you
  • Rectification: correct inaccurate or incomplete data
  • Erasure ("right to be forgotten"): request deletion of your account and personal data
  • Portability: receive your data in a machine-readable format
  • Restriction: ask us to limit how we use your data
  • Objection: object to processing based on legitimate interests, including for direct marketing
  • Withdraw consent: where processing is based on consent
  • Lodge a complaint: with your local data-protection authority

Exercise these rights via the User Rights Portal or email privacy@fav.ing. We respond within the timeframes required by law (generally 30 days; extendable when permitted).

Cookies and Tracking

We use cookies and similar technologies (SDKs, mobile advertising identifiers, local storage) for authentication, security, performance, analytics, and personalization. You can control these via your browser settings, your device's mobile-OS controls, and our Cookie Policy.

On iOS, we ask for your permission before tracking activity across other companies' apps and websites (Apple's App Tracking Transparency framework). You can change this at any time in iOS Settings.

Data Retention

We retain personal information only as long as needed for the purposes described in this Policy. Specific retention periods include:

  • Account data (email, profile, lists, items, comments): for the lifetime of the account, plus up to 30 days after deletion to handle deletion processing and reversal of accidental deletions, after which data is purged or anonymized.
  • Backup snapshots: up to 35 days, after which deleted records are removed in normal rotation.
  • Analytics events (PostHog): up to 7 years in aggregated form; identifiable event data is purged when the account is deleted.
  • Server logs and security events: up to 90 days, except where retention is required for incident investigation or legal obligations.
  • Reports and abuse records: retained as long as needed for safety enforcement and to defend legal claims.
  • Legal/compliance records (e.g., consent records, tax records): retained for the period required by applicable law.

After a retention period ends, we delete or anonymize the data so it can no longer be associated with you.

International Transfers

fav.ing is operated from the United States, and our service providers may process data in the U.S. or other countries. Where personal data is transferred from the EU/UK or other regions with cross-border transfer rules, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, supplemented by our service providers' technical and organizational measures.

Children's Privacy

fav.ing is not directed to children under 13 (or the equivalent minimum age in your jurisdiction), and we do not knowingly collect personal information from them. If we learn that we have collected such information, we will delete it. If you believe a child has provided us with personal information, contact privacy@fav.ing.

Changes to This Policy

We may update this Policy. When we make material changes, we'll update the "Last updated" date and, where required by law, give you additional notice (in-app banner, email, or both). Continued use of the Service after the effective date means you accept the updated Policy.

Contact Us

Questions about this Policy or your personal data? Reach us at:

EU/UK users may also contact their local data-protection authority. California residents may contact the California Attorney General's office.