Privacy policy
This privacy policy explains what personal data we collect, the lawful bases on which we process it, who we share it with, how long we keep it, and the rights you have over it. It applies to all visitors and customers of follownow.io. Where mandatory data-protection law in your country of residence gives you a greater right, that right applies.
1. Data controller
The data controller is NEX BRIDGE - FZCO, trading as FollowNow (Freezone Company (FZCO)), registered in Dubai Silicon Oasis (DSO), Dubai Integrated Economic Zones Authority (DIEZ), Dubai, United Arab Emirates.
- Registration: 65437
- License: 67479
- Privacy contact: contact@follownow.io
2. EU and UK representatives (GDPR Article 27)
Because the controller is established outside the EU and UK and offers Services to data subjects in those regions, we are appointing designated representatives in both. Until appointment is complete, the controller contact above serves as the contact of record for EU and UK data subjects and supervisory authorities. Once appointed, the representatives' legal names, postal addresses, and email contacts will appear here.
- EU representative (GDPR Art. 27): appointment in progress.
- UK representative (UK GDPR Art. 27): appointment in progress.
3. What we collect and the lawful basis for it
Order data
Order email (required for confirmation), the public username / URL / post identifier you supply as the delivery target, order metadata (platform, service, tier, quantity, currency, amount). Payment information is handled by our payment processor; we never see or store card numbers.
Lawful basis (GDPR Article 6): performance of a contract (Art. 6(1)(b)) and legitimate interest in providing the service (Art. 6(1)(f)).
Usage and product-analytics data
Page views, clicks, device type, browser, and aggregate funnel metrics, via PostHog (anonymised after 90 days) and Google Analytics 4 (server-side, IP-anonymised). Event payloads are sanitised on the client so emails, raw handles, raw URLs, and supplier identifiers never reach the dataLayer.
Lawful basis: consent (Art. 6(1)(a)) and ePrivacy Directive Art. 5(3). Analytics is off by default; it loads only once you accept the analytics tier in the cookie banner.
Support communication
When you email contact@follownow.io or message us through Intercom, we retain the conversation transcript and your contact details so we can respond and maintain context across follow-ups.
Lawful basis: legitimate interest in providing support and resolving disputes (Art. 6(1)(f)); performance of contract where the support relates to an order.
Target-profile data (third-party public identifiers)
When a customer enters a public profile, post URL, channel, or handle belonging to a third party, we process that public identifier to verify and fulfil the order. Where we cannot provide individual notice to the third party without disproportionate effort, this section serves as the notice required by GDPR Article 14(5)(b). We use target identifiers only to fulfil the order and we do not use them for marketing, profiling, or enrichment.
What we do NOT collect
- Passwords or credentials for any third-party social account.
- Social-platform access tokens, OAuth tokens, or session cookies.
- Biometric data or any special-category personal data under GDPR Article 9.
- Precise location data (we only see country, derived from IP).
- Government-issued identification documents.
4. Purposes of processing
- To create, fulfil, and monitor your order.
- To send transactional email: order confirmation, delivery updates, refund notices, refill notifications.
- To respond to support requests and disputes.
- To improve the product (anonymised analytics).
- To detect and prevent fraud, abuse, and chargebacks.
- To comply with legal obligations (financial-records retention, tax filings, regulatory requests, sanctions screening).
5. Sub-processors and recipients
We share data only with the following processors, only for the purposes set out above, and only under a written data-processing agreement (GDPR Art. 28) that limits processing to order fulfilment, prohibits independent use, requires confidentiality and security, controls onward sub-processors, and provides audit and termination rights.
- Stripe Payments Europe, Limited (Ireland) — payment processing, fraud detection, refund disbursement. Stripe receives card data directly from your browser (we never see it); we receive only a payment-intent ID, last-4 digits, and outcome.
- NowPayments OÜ (Estonia) — crypto payment processing, when you select that method. Receives wallet identifier, amount, currency.
- SMMGlow Ltd — upstream delivery network we route metric orders to. Receives only the public username / URL / post identifier and ordered quantity. Never receives your email, payment data, or other customer-identifying field.
- Supabase, Inc. (US-headquartered, EU-hosted Postgres instance for our project) — order database.
- Resend, Inc. — transactional email delivery.
- Intercom, Inc. — live chat support and Help Center hosting.
- Vercel, Inc. — hosting, CDN, edge routing.
- PostHog Inc. — consent-gated product analytics (EU instance).
- Sentry (Functional Software, Inc.) — consent-gated error monitoring with client-side PII scrubber.
- Google Analytics (Google LLC) — consent-gated aggregated analytics via Google Tag Manager with Consent Mode V2 and IP-anonymisation.
We do not sell, rent, or trade your personal data to third parties for their own marketing. We do not enrich your data with third-party data sets. Whether a recipient acts as a processor or an independent controller is determined by the applicable processing context; we identify controllers (e.g. payment processors for their own fraud-screening obligations) as such when consulting their own privacy policies.
6. International transfers
Where personal data is transferred outside the EEA, UK, Switzerland, Brazil, Turkey, or the UAE to a jurisdiction without an adequacy decision, we rely on appropriate safeguards:
- EU/EEA transfers: European Commission-approved Standard Contractual Clauses (SCCs) per Implementing Decision (EU) 2021/914, with a transfer-impact assessment recorded.
- UK transfers: UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs as published by the ICO.
- US-headquartered sub-processors: rely on the EU-US Data Privacy Framework where certified, plus SCCs and supplementary measures.
- Brazil: ANPD-approved standard clauses or other Art. 33 LGPD mechanism.
7. Retention
- Order records: up to 7 years from order date (financial-records retention).
- Email + support communication: 2 years from last contact, then archived in encrypted cold storage for 3 years (dispute-defence window), then deleted.
- Product analytics (PostHog): 90 days row-level, then aggregated and row-level data purged.
- Google Analytics: 14 months default retention; aggregated metrics retained longer.
- Sentry error events: 90 days, then purged.
- Consent logs: 5 years from withdrawal/expiry to evidence lawful basis.
8. Your rights
Subject to applicable law, you have the following rights. To exercise any of them, email contact@follownow.io. We respond within 30 days (GDPR / UK GDPR / LGPD / KVKK) or 45 days (CCPA), with the possibility of a 30-day extension where required by complexity. Where we cannot verify your identity, we may ask for a minimum of additional information to do so.
- Access (GDPR Art. 15 / CCPA Right to Know): a copy of your data.
- Rectification (Art. 16): correct inaccurate data.
- Erasure / Right to Delete (Art. 17 / CCPA): subject to legal-retention exceptions.
- Restrict processing (Art. 18).
- Data portability (Art. 20): JSON export.
- Object (Art. 21): including objection to direct marketing at any time.
- Withdraw consent (Art. 7(3)): the withdrawal does not affect the lawfulness of processing already carried out.
- Non-discrimination (CCPA): we do not offer different prices, products, or services based on whether you exercise your privacy rights.
- Complain to your supervisory authority (EU national DPA, UK ICO, California CPPA, Brazil ANPD, Turkey KVKK Board, or applicable equivalent).
9. California privacy notice (CCPA / CPRA)
We have collected the following categories of personal information from California residents in the past 12 months. For each, we list the sources, business or commercial purpose, and whether we sell or share it for cross-context behavioural advertising. We do not sell personal information for monetary consideration.
- Identifiers (email, IP, device ID): from you directly when you order or contact us, and from device automatically. Purpose: order fulfilment, fraud prevention, support. Not sold. Not shared for cross-context behavioural advertising unless you opt in to marketing cookies.
- Commercial information (order history): from you at the time of order. Purpose: order fulfilment, refunds, accounting. Not sold or shared.
- Internet activity (page visits, clicks): collected with your consent via PostHog and Google Analytics. Purpose: product improvement. Not sold. Shared for cross-context behavioural advertising only with marketing-cookie consent.
- Geolocation (country-level only, derived from IP): from IP. Purpose: pricing, currency, fraud screening. Not sold.
- Customer-records information (support transcripts): from you when you contact us. Purpose: support and dispute resolution. Not sold.
We do not knowingly collect sensitive personal information as defined by the CCPA. We honour the Global Privacy Control (GPC) signal as a valid opt-out request for sale and sharing where applicable. Your “Do Not Sell or Share” choice is reflected via our cookie banner and any GPC signal received in your browser.
10. Brazil (LGPD) and Turkey (KVKK) overlays
Brazil (LGPD): we process personal data under Articles 7 (legal bases: contract performance, legitimate interest, consent) and 11 (sensitive data, which we do not knowingly process). Data subjects have the rights set out in Article 18 (access, correction, anonymisation, portability, deletion, information on sharing, revocation of consent). International transfers from Brazil rely on the mechanisms in LGPD Article 33 (adequacy, SCCs as approved by ANPD Resolution 19/2024, or other lawful mechanism).
Turkey (KVKK): we process personal data under Article 5 (legal bases including explicit consent and necessity for the establishment or performance of a contract). Data subjects have the rights listed in Article 11 (information, access, correction, deletion, objection, compensation). Cross-border transfers from Turkey follow the framework introduced by the March 2024 amendment to Article 9, including adequacy, contractual commitments, or explicit consent for one-off transfers.
11. Automated decision-making
We use automated checks for fraud and abuse to refuse or hold orders. Inputs include payment-risk signals, velocity, device and session signals, target-mismatch, sanctions and geography risk, and prior dispute indicators. Where a decision is made solely by automated means and materially affects you, you have the right under GDPR Article 22 to request human review, to contest the decision, and to submit additional information. Email contact@follownow.io with your order ID; a human reviewer will respond within 5 business days.
12. Children
The Services are not intended for users under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided personal data to us, email contact@follownow.io and we will delete the data and close the account.
13. Security
We apply technical and organisational measures appropriate to the risk, including TLS for transport, encryption at rest for the order database, role-based access control for our admin tooling, audit logging for sensitive operations, and a documented incident-response procedure. If you believe your account has been compromised, email contact@follownow.io immediately.
14. Breach notification
In the event of a personal-data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority within 72 hours of becoming aware (GDPR Art. 33), and notify affected data subjects without undue delay where the breach is likely to result in a high risk (Art. 34). Equivalent timelines apply under UK GDPR, LGPD, and KVKK.
15. Cookies
Cookie usage is detailed in our cookie policy. Essential cookies are always on; analytics and marketing cookies require your explicit consent through the cookie banner.
16. Changes
We may update this policy. Material changes will be emailed to known customers and the “Last updated” date at the top will reflect the most recent change. A material change is one that meaningfully reduces your rights or expands our processing in ways you would not reasonably expect.
17. Contact
For privacy questions or to exercise any right above, email contact@follownow.io.