1. Data Controller
The controller responsible for the processing of your personal data within the meaning of the General Data Protection Regulation (GDPR) is:
Davida Online
Liechtenstein
Email: privacy@fautor.li
"Fautor" is a brand operated by Davida Online. When we refer to "Fautor," "we," "us," or "our" in this policy, we mean Davida Online.
2. What This Policy Covers
This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use the Fautor platform at fautor.li (the "Platform"), whether as a supporter ("Fautor"), an athlete, or a visitor.
By using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this policy, please do not use the Platform.
3. Personal Data We Collect
3.1 Data You Provide Directly
- Account registration: email address, password (stored in hashed form), age confirmation, and the timestamp of your consent to our Terms of Service.
- Athlete application: display name, email address, sport, country, competition level, competitive goal, athletic story, and proposed support tiers (names and prices).
- Athlete profile: display name, biography, headline, welcome messages, personal bests, profile photo, hero image, and any posts you publish (text, images up to 5 MB, videos up to 100 MB).
- Payment information: when you subscribe to support an athlete, your payment details (card number, expiration, CVC) are collected and processed directly by Stripe Inc. We do not store your payment card details on our servers. We store only your Stripe customer ID, subscription ID, and tier selection.
- Payout information (athletes): bank account details provided during Stripe Connect onboarding are collected and stored by Stripe. We store only your Stripe Connect account ID and onboarding status.
3.2 Data Collected Automatically
- Session cookies: we use strictly necessary cookies to maintain your authenticated session. These are secure, HTTP-only cookies managed by our authentication provider. We do not use advertising, analytics, or tracking cookies.
- Functional cookies: we store minimal UI preferences (e.g., sidebar state) in cookies to improve your experience.
We do not use any third-party analytics, tracking pixels, fingerprinting, or behavioural profiling technologies.
4. Legal Bases for Processing (Art. 6 GDPR)
We process your personal data on the following legal bases:
- Performance of a contract (Art. 6(1)(b) GDPR): processing necessary to provide the Platform services you requested — account creation, athlete profile management, subscription processing, and payouts.
- Consent (Art. 6(1)(a) GDPR): where you have given explicit consent, such as confirming your age (18+) and accepting our Terms of Service at registration.
- Legitimate interest (Art. 6(1)(f) GDPR): sending transactional emails (subscription confirmations, payout notifications, application status updates), preventing fraud and abuse (rate limiting), and ensuring platform security.
- Legal obligation (Art. 6(1)(c) GDPR): retaining financial transaction records as required by applicable tax and commercial law.
5. How We Use Your Data
- Provide, operate, and maintain the Platform and your account.
- Process athlete applications and communicate decisions.
- Process recurring subscription payments and athlete payouts.
- Send transactional emails: application confirmations, payment receipts, new-backer notifications, payout confirmations, and cancellation notices.
- Enforce our Terms of Service and prevent misuse (rate limiting, CSRF protection).
- Comply with legal obligations (financial record-keeping, fraud prevention).
We do not use your data for automated decision-making or profiling. We do not sell, rent, or trade your personal data.
6. Third-Party Service Providers (Data Processors)
We share personal data only with the following service providers, each of which processes data on our behalf under a Data Processing Agreement (DPA) in compliance with Art. 28 GDPR:
Supabase Inc. — Infrastructure & Authentication
Hosts our database, authentication system, and file storage. Processes: email, hashed password, account metadata, athlete profiles, posts, and uploaded media. Servers located in the EU (Frankfurt region). Privacy policy: supabase.com/privacy
Stripe Inc. — Payment Processing
Handles all payment card processing, subscription billing, athlete payouts (via Stripe Connect), and KYC/AML verification for athletes. Stripe is a certified PCI-DSS Level 1 service provider. We do not store card details. Data transfers to the US are covered by Stripe's Data Processing Agreement and Standard Contractual Clauses. Privacy policy: stripe.com/privacy
Resend Inc. — Transactional Email
Delivers transactional emails on our behalf. Processes: recipient email address and email content (names, amounts, dates). Privacy policy: resend.com/legal/privacy-policy
Vercel Inc. — Hosting & Deployment
Hosts and serves the Platform. May process IP addresses and request metadata in server logs for a limited period. Privacy policy: vercel.com/legal/privacy-policy
We do not share your personal data with any other third parties, unless required by law or a court order.
7. International Data Transfers
Our primary database is hosted in the EU (Frankfurt). Some of our service providers (Stripe, Resend, Vercel) are based in the United States. Where personal data is transferred outside the EEA/Liechtenstein, we ensure appropriate safeguards are in place through:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- The EU–U.S. Data Privacy Framework, where applicable.
- Data Processing Agreements with each provider.
8. Data Retention
- Account data: retained for as long as your account is active. Upon account deletion, your personal data is deleted, except where retention is required by law.
- Athlete application data: retained for the duration of the application review process and, if approved, for as long as the athlete profile is active. Rejected applications are retained for 12 months to prevent duplicate submissions, then deleted.
- Financial records: transaction data (amounts, dates, subscription IDs) is retained for 10 years after the calendar year in which the transaction occurred, as required by Liechtenstein commercial law.
- Uploaded media: deleted when you remove the content or when your account is deleted.
- Consent records: timestamps of your age confirmation and Terms of Service acceptance are retained for the lifetime of your account plus 3 years, to demonstrate GDPR compliance.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS/HTTPS) and at rest for all stored data.
- Passwords are hashed using industry-standard algorithms and never stored in plain text.
- Row-Level Security (RLS) on all database tables, ensuring users can only access their own data.
- CSRF protection, rate limiting, and security headers (HSTS, X-Frame-Options, Content-Security-Policy).
- Private storage buckets with signed URLs for media access.
- Payment data processed exclusively by PCI-DSS Level 1 certified Stripe.
Despite these measures, no method of transmission or storage is 100% secure. If you become aware of a security vulnerability, please contact us immediately at privacy@fautor.li.
10. Your Rights Under the GDPR
Under the GDPR (and the Liechtenstein Data Protection Act), you have the following rights regarding your personal data:
- Right of access (Art. 15): obtain confirmation of whether we process your data and request a copy.
- Right to rectification (Art. 16): correct inaccurate data or complete incomplete data.
- Right to erasure (Art. 17): request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
- Right to restriction (Art. 18): restrict processing under certain circumstances.
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format (JSON).
- Right to object (Art. 21): object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3)): withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
To exercise any of these rights, contact us at privacy@fautor.li. We will respond within 30 days. If your request is complex or we receive a high number of requests, we may extend this period by a further 60 days, and we will inform you of any such extension.
11. Cookies
We use only strictly necessary cookies and functional cookies. We do not use any advertising, analytics, or third-party tracking cookies. Because we use only strictly necessary cookies, no cookie consent banner is required under GDPR/ePrivacy Directive.
| Cookie | Purpose | Duration |
|---|---|---|
| Supabase auth cookies | Maintain your authenticated session (strictly necessary) | Session |
| Sidebar state | Remember your sidebar open/closed preference (functional) | Persistent |
12. Children's Privacy
The Platform is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. Age confirmation is required at registration. If we learn that we have collected personal data from a person under 18, we will delete that data promptly.
13. Right to Lodge a Complaint
If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. The competent authority for Liechtenstein is:
Datenschutzstelle Fürstentum Liechtenstein
Städtle 38, Postfach 684
9490 Vaduz, Liechtenstein
www.datenschutzstelle.li
You may also lodge a complaint with the supervisory authority in the EU/EEA member state of your habitual residence, place of work, or the place of the alleged infringement.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. If we make material changes, we will notify you by email or by posting a prominent notice on the Platform at least 14 days before the changes take effect. Your continued use of the Platform after such changes constitutes acceptance of the updated policy.
15. Contact
For any questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us at:
Davida Online
Email: privacy@fautor.li
This privacy policy applies to all services provided via fautor.li. Governing law: Liechtenstein, subject to mandatory GDPR provisions.