Legal
GDPR & DPDP Act Compliance
Last updated: April 2026
FavPik is committed to protecting the personal data of all users in compliance with the General Data Protection Regulation (GDPR) for users within the European Economic Area (EEA), the United Kingdom GDPR for UK users, and the Digital Personal Data Protection Act, 2023 (DPDP Act) for users in India. This Data Protection Policy outlines our approach to data protection and the rights of our users.
FavPik acts as the data controller for personal data collected through the Platform. For all data protection inquiries, the designated point of contact is:
FavPik — Data Protection
Email: hello [at] favpik [dot] com
We adhere to the following principles in all data processing activities:
Lawfulness, fairness, and transparency: We process data lawfully, fairly, and in a transparent manner. This policy and our Privacy Policy explain what data we collect and why.
Purpose limitation: We collect data only for specified, explicit, and legitimate purposes and do not process it in a manner incompatible with those purposes.
Data minimisation: We collect only the data that is necessary for the purposes for which it is processed. We do not collect unnecessary personal information.
Accuracy: We take reasonable steps to ensure personal data is accurate and up to date. Users can update their information through their account settings.
Storage limitation: We retain personal data only for as long as necessary for the purposes for which it was collected, as detailed in our Privacy Policy.
Integrity and confidentiality: We implement appropriate security measures to protect data against unauthorised access, alteration, disclosure, or destruction.
Accountability: We are responsible for and able to demonstrate compliance with these principles.
Category 1 — Account data: email address, name, account creation date, last login date. Purpose: authentication, account management, communication. Retention: until account deletion + 30 days.
Category 2 — Poll data: poll titles, descriptions, options created by users. Purpose: service delivery. Retention: indefinitely (may be anonymised after account deletion).
Category 3 — Voting data: browser fingerprint hash, IP address, user agent, timestamp. Purpose: duplicate prevention, fraud detection, security. Retention: 12 months for IP and user agent; fingerprint hash retained with the vote.
Category 4 — Technical data: server logs, error logs, performance metrics. Purpose: platform operation and improvement. Retention: 90 days.
If you are located in the EEA or UK, you have the following rights under GDPR:
Right of access (Article 15): You have the right to obtain confirmation of whether we process your personal data and to access that data.
Right to rectification (Article 16): You have the right to request correction of inaccurate personal data.
Right to erasure (Article 17): You have the right to request deletion of your personal data ("right to be forgotten") under certain circumstances.
Right to restriction (Article 18): You have the right to request restriction of processing in certain situations.
Right to data portability (Article 20): You have the right to receive your data in a structured, commonly used, machine-readable format.
Right to object (Article 21): You have the right to object to processing based on legitimate interests or direct marketing.
Right to withdraw consent (Article 7): Where processing is based on consent, you may withdraw consent at any time.
Right to lodge a complaint: You have the right to lodge a complaint with your local supervisory authority.
If you are located in India, you have the following rights under the Digital Personal Data Protection Act, 2023:
Right to access: You can request information about the personal data we process about you.
Right to correction and erasure: You can request correction of inaccurate data or erasure of data that is no longer necessary.
Right to grievance redressal: You can raise grievances about data processing with our designated contact.
Right to nominate: You can nominate another individual to exercise your rights in case of your death or incapacity.
Your data may be transferred to and processed in countries outside your country of residence. Our primary infrastructure providers are located in the United States (Vercel, Anthropic, Resend) and Singapore (Neon database). For EEA and UK users, we ensure appropriate safeguards through Standard Contractual Clauses (SCCs) or adequacy decisions. For Indian users, cross-border transfers comply with the provisions of the DPDP Act and any rules notified by the Indian government.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will: notify the relevant supervisory authority within 72 hours (GDPR) or as required under the DPDP Act, notify affected users without undue delay if the breach is likely to result in a high risk, and document the breach, its effects, and remedial actions taken.
We conduct Data Protection Impact Assessments (DPIAs) before implementing any new processing activity that is likely to result in a high risk to individuals' rights and freedoms. This includes new features involving large-scale data collection, automated decision-making, or processing of sensitive data.
We use the following sub-processors to deliver our services:
Vercel Inc. (USA) — hosting and deployment.
Neon Inc. (Singapore region) — PostgreSQL database.
Resend Inc. (USA) — transactional email delivery.
Anthropic PBC (USA) — AI-powered content moderation.
Google LLC (USA) — reCAPTCHA bot protection.
Cloudflare Inc. (USA) — DNS and CDN services.
All sub-processors are bound by data processing agreements that require them to protect your data to standards at least equivalent to those in this policy.
To exercise any of the rights described in this policy, contact us at hello [at] favpik [dot] com. We will verify your identity before processing your request. We will respond within 30 days. If we need additional time (up to 60 additional days for complex requests), we will inform you within the initial 30-day period. There is no fee for exercising your rights, except in cases of manifestly unfounded or excessive requests.
For any data protection questions, concerns, or to exercise your rights:
FavPik — Data Protection
Email: hello [at] favpik [dot] com
Website: favpik.com