Data Storage
Where Your Data Lives
Fanaura stores all data in a secure PostgreSQL database, hosted in Frankfurt, Germany (EU, eu-central-1). This means:
- Your fan database, campaign history, flow data, and account information are stored in the European Union.
- EU data residency provides a strong privacy foundation, as EU data protection laws are among the strictest in the world.
- All data in transit is encrypted via TLS/SSL.
- Database backups are maintained for disaster recovery.
What Data Is Stored
| Data Type | Examples | Where Stored |
|---|---|---|
| Fan profiles | Name, email, phone, location, birthday | EU (Frankfurt) |
| Engagement history | Presaves, email opens, clicks, purchases, RSVPs | EU (Frankfurt) |
| Campaign data | Blast content, send history, delivery stats | EU (Frankfurt) |
| Flow data | Flow configurations, execution logs | EU (Frankfurt) |
| Integration credentials | API keys, OAuth tokens | EU (Frankfurt), encrypted |
| Artist profiles | Account details, settings, preferences | EU (Frankfurt) |
| Asset data | Music, tour, merch, extra metadata | EU (Frankfurt) |
GDPR Compliance
The General Data Protection Regulation (GDPR) is the EU’s comprehensive data protection law. Fanaura is designed with GDPR compliance at its core:
EU Data Residency
All personal data is stored within the EU (Frankfurt, Germany), satisfying GDPR’s data residency preferences and avoiding complex cross-border data transfer issues.
Lawful Basis for Processing
Fanaura processes fan data based on explicit consent:
- Fans actively submit their information through smart link data wrappers.
- Consent is collected at the point of data entry, not assumed or buried in terms of service.
- Each data collection point clearly explains what data is being collected and why.
Right to Access
Fans have the right to know what data you hold about them. Fan profiles in Fanaura contain a complete record of all data associated with each fan, making it straightforward to fulfill access requests.
Right to Deletion
Fans have the right to request deletion of their personal data. Fanaura supports data deletion:
- Fan records can be deleted from your database.
- Associated engagement history, tokens, and activity logs are removed.
- Deletion is permanent and cannot be undone.
Consent Tracking
Every piece of data collected through Fanaura tracks:
- When consent was given (timestamp).
- How consent was given (which smart link, which form).
- What was consented to (email marketing, SMS marketing, data collection).
Data Minimization
Fanaura’s smart link data wrappers are configurable. You can collect only the data you actually need:
- Required: Email address (minimum for communication).
- Optional: First name, last name, phone number, birthday, location.
CCPA Compliance
The California Consumer Privacy Act (CCPA) gives California residents specific rights over their personal data. Fanaura supports CCPA requirements:
Right to Know
California fans can request a copy of all personal data collected about them. Fanaura’s fan profiles provide a comprehensive view of all stored data.
Right to Delete
California fans can request deletion of their personal data, which Fanaura supports through fan record deletion.
Right to Opt-Out of Sale
Fanaura does not sell fan data to third parties. Your fan data belongs to you and is never shared, sold, or monetized by Fanaura.
Non-Discrimination
Fans who exercise their privacy rights are not treated differently. Opting out of data collection does not result in degraded service or retaliation.
Fan Consent
Smart Link Data Wrappers
Every smart link in Fanaura includes a data wrapper, a privacy-compliant consent screen that fans see before accessing your content:
- Fan visits your smart link.
- The data wrapper appears, explaining:
  - What data is being collected (email, name, etc.)
  - Why it is being collected (to receive updates from the artist)
  - How it will be used (marketing emails, SMS, etc.)
- Fan enters their information and submits.
- Consent is recorded with a timestamp.
- Fan proceeds to the content (presave, streaming links, merch, etc.).
Email Opt-In
When fans provide their email through a smart link:
- They are opting in to receive marketing emails from you.
- The consent is logged and timestamped.
- You can include an explicit consent checkbox for additional clarity.
SMS Opt-In
SMS consent requires a separate, explicit opt-in:
- Fans must actively check an SMS consent box (it is not pre-checked).
- The consent message explains that they will receive text messages.
- The `sms_opt_in` field in the fan record tracks this consent.
Opt-Out Mechanisms
Email Unsubscribe
Every marketing email sent through Fanaura includes a one-click unsubscribe link in the footer:
- Fans click the link and are immediately unsubscribed.
- Their email opt-in status is updated in real time.
- They will no longer receive marketing emails from you.
- This complies with CAN-SPAM, GDPR, and CCPA requirements.
SMS Opt-Out
Fans can opt out of SMS by texting STOP to your Telnyx number:
- Fanaura automatically processes STOP messages.
- The fan’s `sms_opt_in` field is set to false.
- They will no longer receive SMS from you.
- This complies with TCPA regulations.
No Manual Re-Opt-In
When a fan opts out, you cannot manually re-add them to your mailing or SMS list. They must re-subscribe themselves. This protects fans from unwanted re-enrollment and protects you from legal liability.
Row Level Security (RLS)
Fanaura uses Row Level Security at the database level to ensure data isolation between artists:
- Each artist can only access their own fans, assets, campaigns, and settings.
- Database queries are automatically filtered by the authenticated artist’s ID.
- Even if two artists share a fan (the same person presaved music from both artists), each artist only sees their own interaction data.
- This prevents any possibility of one artist accessing another artist’s fan data.
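The isolation described above, expressed as PostgreSQL row-level security policies. This is an added example, not Fanaura's schema or code: the table `fan_interactions`, the role `app_user`, the session setting `app.artist_id` and the sample rows are assumptions, and the script is meant to be run from an administrative session in a scratch database.

```sql
-- Constructed schema: table, column, role and setting names are assumptions.
CREATE TABLE fan_interactions (
    id         bigserial PRIMARY KEY,
    artist_id  uuid NOT NULL,
    fan_email  text NOT NULL,
    event_type text NOT NULL
);

-- ENABLE turns policies on; FORCE also applies them to the table owner.
-- Superusers and BYPASSRLS roles still skip RLS, so the app must not use one.
ALTER TABLE fan_interactions ENABLE ROW LEVEL SECURITY;
ALTER TABLE fan_interactions FORCE ROW LEVEL SECURITY;

CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON fan_interactions TO app_user;
GRANT USAGE ON SEQUENCE fan_interactions_id_seq TO app_user;

-- USING filters rows read, updated or deleted; WITH CHECK validates rows written.
-- An unset or empty app.artist_id becomes NULL, so the comparison matches nothing.
CREATE POLICY artist_isolation ON fan_interactions
    USING      (artist_id = NULLIF(current_setting('app.artist_id', true), '')::uuid)
    WITH CHECK (artist_id = NULLIF(current_setting('app.artist_id', true), '')::uuid);

-- Artist A's request: the backend sets the ID from the authenticated session.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.artist_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO fan_interactions (artist_id, fan_email, event_type)
VALUES ('11111111-1111-1111-1111-111111111111', 'fan@example.com', 'presave');
COMMIT;

-- Artist B records the same fan, then lists interactions.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.artist_id = '22222222-2222-2222-2222-222222222222';
INSERT INTO fan_interactions (artist_id, fan_email, event_type)
VALUES ('22222222-2222-2222-2222-222222222222', 'fan@example.com', 'rsvp');
-- No WHERE clause, yet the policy hides artist A's row for the shared fan.
SELECT artist_id, event_type FROM fan_interactions;
COMMIT;

-- Still acting as artist B: a row written under artist A's ID fails WITH CHECK.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.artist_id = '22222222-2222-2222-2222-222222222222';
INSERT INTO fan_interactions (artist_id, fan_email, event_type)
VALUES ('11111111-1111-1111-1111-111111111111', 'fan@example.com', 'click');
ROLLBACK;
```

The policy is only as trustworthy as the value in `app.artist_id`: it has to be set server-side from the authenticated session, never from a request parameter, and the application role must not be able to run arbitrary SQL that resets it.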
Encryption
Data at Rest
Sensitive data stored in the database is encrypted:
- API keys: Telnyx, Shopify, and other integration credentials are encrypted before storage.
- OAuth tokens: Spotify and Instagram access tokens are encrypted.
- Passwords: User passwords are hashed using industry-standard algorithms (never stored in plain text).
Data in Transit
All communication between your browser and Fanaura’s servers is encrypted:
- HTTPS/TLS: Every request uses encrypted connections.
- API calls: All calls to third-party services (Telnyx, Shopify, Spotify, etc.) use encrypted connections.
Session Management
Fanaura’s security model includes active session management:
- Active session tracking: See which devices are logged into your account.
- Device identification: Each session shows the browser, operating system, and approximate location.
- Session revocation: Revoke individual sessions or all sessions at once.
- Session heartbeat: Sessions periodically refresh to stay active and provide accurate “last active” timestamps.
Data Export
On the Complete plan, you can export your complete fan database and engagement data:
- Fan profiles with all fields.
- Engagement history (presaves, opens, clicks, purchases).
- Campaign results and delivery stats.
- Export in standard formats (CSV) for use in external tools.
Third-Party Data Handling
When Fanaura connects with third-party services, data flows in both directions. Here is how each integration handles data:
| Integration | Data Sent | Data Received | Data Stored |
|---|---|---|---|
| Telnyx | SMS content, phone numbers | Inbound SMS, delivery status | Message logs, phone numbers |
| Resend | Email content, fan emails | Delivery status, opens, clicks | Email logs, engagement data |
| Shopify | None (read-only) | Products, orders | Product data, purchase history |
| | DM content | DM messages, comments, mentions | Message logs, trigger data |
| Spotify | Presave commands | Authorization tokens, metadata | Tokens, song metadata |
| Apple Music | Library additions | Authorization tokens | Tokens |
| Stripe | Subscription data | Payment status, invoices | Subscription state |

