
Privacy Policy

Last updated: April 28, 2026

Publisher: Fabrik. Service concerned: https://www.fabrik.so, https://app.fabrik.so and their subdomains. Document no.: 5/10 of the Fabrik contractual corpus. Version: 2.0. Effective date: April 28, 2026. Last update: April 28, 2026. The French version is the authoritative one — translations are provided for information only.

DETAILED TABLE OF CONTENTS

Part I — Common base

Preamble

Article 1 — Definitions

Article 2 — Identity and contact details of the data controller

Article 3 — Data Protection Officer (DPO)

Article 4 — Scope and articulation with other documents

Article 5 — Categories of data processed

Article 6 — Sources of data

Article 7 — Purposes of processing and legal bases

Article 8 — Recipients and processors

Article 9 — Transfers outside the European Union

Article 10 — Retention periods

Article 11 — Security measures

Article 12 — Personal data breaches

Article 13 — Profiling and automated decisions

Article 14 — Artificial intelligence and related processing

Article 15 — Minors

Article 16 — Cookies and trackers — reference

Article 17 — Updating this Policy

Part II — Data subjects' rights by jurisdiction

Article 18 — Rights correspondence table

Article 19 — Rights under the GDPR (European Union)

Article 20 — Rights under the UK GDPR (United Kingdom)

Article 21 — Rights under the nFADP (Switzerland)

Article 22 — Rights under the CCPA / CPRA (California)

Article 23 — Rights in other US states (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Delaware, Tennessee, Indiana, New Jersey, New Hampshire, Minnesota, Maryland, Kentucky, Rhode Island, and others)

Article 24 — Rights under PIPEDA (federal Canada) and Law 25 (Quebec)

Article 25 — Rights under the LGPD (Brazil)

Article 26 — Rights under the APPI (Japan)

Article 27 — Rights under the PIPL (China)

Article 28 — Rights under the DPDP Act (India)

Article 29 — Rights under POPIA (South Africa)

Article 30 — Rights under the PDPA (Singapore)

Article 31 — Rights under the Privacy Act (Australia)

Article 32 — Rights under PIPA (South Korea)

Article 33 — Rights under KVKK (Turkey)

Article 34 — Rights under the PDPA (Thailand)

Article 35 — Rights under the UAE PDPL (United Arab Emirates)

Article 36 — Rights under the SDAIA PDPL (Saudi Arabia)

Part III — Procedures for exercising rights

Article 37 — Procedures for exercising rights

Article 38 — Complaints to supervisory authorities

Article 39 — Region-specific contacts

Annexes

Annex A — Detailed table: purpose / legal basis / data / duration

Annex B — Table of processors and recipients

Annex C — Table of international transfers

Annex D — Plain language summary

PART I — COMMON BASE

PREAMBLE

Fabrik (hereinafter "Fabrik", "we", "our" or the "Publisher") attaches the utmost importance to the protection of personal data of all natural persons who use the Fabrik Service, visit its Site, enter into a commercial relationship with it, or whose data is processed in connection with that relationship.

This Privacy Policy (the "Policy") is intended to inform, in a concise, transparent, intelligible and easily accessible form, in clear and plain language, any data subject of the personal-data processing activities carried out by Fabrik, in accordance in particular with Articles 12, 13 and 14 of Regulation (EU) 2016/679 (the "GDPR") and, for data subjects from other jurisdictions, with the equivalent applicable provisions.

This Policy is drafted in such a way as to enable each data subject, regardless of their residence or location, to understand how Fabrik collects, uses, retains, shares and protects their data, and to exercise their rights in practice.

This Policy covers:

processing carried out by Fabrik as data controller (in particular: data of Site visitors, data of Service Users, data of professional prospects and customers, billing data);

by reference, processing carried out by Fabrik as a processor on behalf of its Professional customers (in particular: personal data appearing on plans uploaded by the Customer), which is governed by the Data Processing Agreement (DPA) appearing in document 7/10 of the Fabrik corpus.

ARTICLE 1 — DEFINITIONS

1.1. Capitalised terms used in this Policy have the meaning attributed to them in the ToS, the GTCS and the DPA, or, failing that, the following meaning:

1.2. "Personal Data": any information relating to an identified or identifiable natural person, within the meaning of Article 4(1) of the GDPR.

1.3. "Data subject": the natural person whose Personal Data is processed.

1.4. "Processing": any operation or set of operations performed on Personal Data, within the meaning of Article 4(2) of the GDPR.

1.5. "Data controller": the natural or legal person who, alone or jointly with others, determines the purposes and means of processing, within the meaning of Article 4(7) of the GDPR.

1.6. "Processor": the natural or legal person who processes Personal Data on behalf of the data controller, within the meaning of Article 4(8) of the GDPR.

1.7. "Supervisory Authority": the independent public authority competent to oversee the application of data-protection law in the relevant jurisdiction (CNIL in France, EDPB at EU level, ICO in the UK, FDPIC in Switzerland, CPPA/California Attorney General in California, etc.).

1.8. "Transfer": any communication, copy, consultation or making available of Personal Data to a recipient located in a country outside the European Economic Area (EEA) or to any international organisation.

1.9. "Cookies": see the Cookies and Trackers Policy (document 6/10 of the Fabrik corpus).

ARTICLE 2 — IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLER

2.1. Data controller:

Name: Fabrik

Legal form:

Share capital:

RCS:

SIRET:

Registered office address: 4 rue du Four, 55500 Cousances-lès-Triconville, France

Intra-Community VAT number:

General email: contact@fabrik.so

Dedicated data-protection email: legal@fabrik.so

Website: https://www.fabrik.so

2.2. EU representative. Fabrik being established in the European Union (France), the obligation to designate an EU representative under Article 27 of the GDPR does not apply.

2.3. UK representative. Fabrik not being established in the United Kingdom and possibly falling within the scope of UK GDPR due to monitoring of the behaviour of data subjects in the UK, a UK representative will be designated as soon as the thresholds of Article 27 of UK GDPR are met. The UK representative's contact details will appear in Article 39 below.

2.4. Non-EU/UK representatives. Depending on the jurisdictions in which Fabrik processes data of data subjects (in particular California, Brazil, South Korea, Turkey), a local representative or point of contact may be designated or may become mandatory depending on the applicable thresholds.

ARTICLE 3 — DATA PROTECTION OFFICER (DPO)

3.1. Designation. As of the drafting of this Policy, the designation of a DPO within the meaning of Article 37 of the GDPR is not mandatory for Fabrik, whose core activity does not consist of large-scale processing of special categories of data or large-scale, regular and systematic monitoring of data subjects.

3.2. Dedicated point of contact. Fabrik has nevertheless designated a dedicated point of contact for any question relating to the protection of Personal Data: legal@fabrik.so.

3.3. Future designation. If the evolution of the Service makes the designation of a DPO mandatory, or if Fabrik chooses to voluntarily designate one, this Policy will be updated to indicate their full contact details.

ARTICLE 4 — SCOPE AND ARTICULATION WITH OTHER DOCUMENTS

4.1. Scope. This Policy applies to any processing of Personal Data carried out by Fabrik as data controller in the context of:

visits to the Site and the Service by Visitors;

the creation and management of an Account by a User;

the use of the Service's features by a User;

subscription to and billing of a Subscription;

communications with support, sales or legal teams;

newsletter sign-up or sign-up to a communication channel;

participation in surveys, beta phases or events organised by Fabrik;

prospecting and customer-relationship operations;

recruitment (for candidates), within the limits of any separate applicable policy.

4.2. Processing as a processor. Processing carried out by Fabrik as a processor on behalf of its Professional Customers (in particular concerning Personal Data appearing in Plans or documents uploaded by the Customer) is governed by the DPA. This Policy mentions them for information but does not constitute the contractual framework applicable to such processing.

4.3. Articulation. This Policy combines with the ToS, the GTCS, the Cookies Policy, the DPA and the Security Policy. In the event of divergence, the provisions concerning the protection of Personal Data appearing in this Policy prevail, subject to the precedence of the DPA for processing carried out as a processor.

ARTICLE 5 — CATEGORIES OF DATA PROCESSED

5.1. Fabrik processes the following categories of Personal Data, depending on the context and the nature of the relationship with the Data subject:

5.1.1. Identification and Account data

Last name, first name

Email address

Password (in hashed and salted form, non-reversible)

Account identifiers, internal identification numbers

Preferred language, time zone, notification preferences

5.1.2. Professional data

Corporate name, legal form

Function, job title

Professional address

SIRET number, intra-Community VAT number, NAF/APE number

Sector of activity (ERP, fire-safety company, design office, etc.)

5.1.3. Contact data

Postal address

Email address

Telephone number

5.1.4. Billing and payment data

Billing address

Payment methods (bank-card data is not stored by Fabrik but by Stripe in a PCI-DSS environment)

History of invoices, payments, any unpaid amounts

History of Subscriptions

5.1.5. Service-usage data

Connection logs (date, time, IP address, user agent)

Pages visited, features used, session duration

Plans created, edited, exported (as metadata, without exploitation of Plan content beyond what is necessary for the Service)

Actions performed in the Service (clicks, navigations, exports)

Interactions with AI features

5.1.6. Technical data

IP address

User agent (browser, operating system, version)

Session identifiers, authentication tokens

Cookie and tracker identifiers

Error telemetry data (via Sentry)

5.1.7. Communication data

Content of emails exchanged with support or Fabrik teams

Support tickets, history of exchanges

Possible recordings of videoconferences (subject to prior consent)

5.1.8. Commercial-prospecting data

Information on prospects (source, date of collection, expressed interest)

History of commercial interactions

5.1.9. Data contained in Plans (as processor)

For Professional Customers, Plans may contain staff names, contact details of emergency responders, functions or positions held, signatures

Fabrik acts as a processor for such data; the data controller is the Customer

The DPA governs such processing

5.2. Special categories (sensitive data). In principle, Fabrik does not process any special categories of Personal Data within the meaning of Article 9 of the GDPR (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic, biometric or health data, data concerning sex life or sexual orientation).

5.3. Data relating to offences. Fabrik also does not process data relating to criminal convictions and offences within the meaning of Article 10 of the GDPR, except in the strictly limited context of dispute management or internal investigation, and within the limits of the applicable legal framework.

ARTICLE 6 — SOURCES OF DATA

6.1. Fabrik collects Personal Data:

directly from the Data subject, when they create an Account, subscribe, use the Service, contact support, sign up for the newsletter, fill in a form or communicate with Fabrik by any means;

indirectly, when they are invited to join an organisational Account by an Administrator (the identification and contact data of the invited person is then communicated by the Administrator);

indirectly, in uploaded Plans, when a Professional Customer uploads a Plan containing Personal Data of third parties (for example: name of the safety officer displayed on the Plan) — such processing is then governed by the DPA;

from third parties, when a prospect is identified by the sales team via legitimate sources (in particular LinkedIn, public databases of professional information, sector directories), in compliance with the provisions applicable to prospecting and Articles 13 and 14 of the GDPR;

from our technical processors, in particular for analytics (PostHog), error logging (Sentry), and payment processing (Stripe);

through browsing the Site and Service, via cookies, pixels, tags and other trackers, under the conditions of the Cookies Policy.

6.2. When Data is not collected directly from the Data subject, Fabrik provides the information required by Article 14 of the GDPR within a reasonable period and at the latest within one month of collection, except for legally provided exceptions.

ARTICLE 7 — PURPOSES OF PROCESSING AND LEGAL BASES

7.1. The purposes of processing carried out by Fabrik as data controller, and the corresponding legal bases under Article 6 of the GDPR, are summarised below. A detailed table appears in Annex A.

7.1.1. Provision of the Service

Purpose: creation and management of Accounts, access to features, technical support

Legal basis: performance of a contract (Art. 6(1)(b) GDPR)

7.1.2. Billing and accounting

Purpose: issuance of invoices, collection of payments, possible recovery, accounting obligations

Legal bases: performance of a contract (Art. 6(1)(b)) and compliance with legal obligations (Art. 6(1)(c) — in particular bookkeeping, tax obligations)

7.1.3. Compliance with legal and regulatory obligations

Purpose: response to judicial and administrative requests, AML-CFT obligations, international sanctions, accounting

Legal basis: compliance with legal obligations (Art. 6(1)(c))

7.1.4. Commercial relations and prospecting

Purpose: commercial canvassing, newsletter, promotional communications

Legal bases: legitimate interest (Art. 6(1)(f)) for B2B prospecting addressed to professionals, in compliance with Article L. 34-5 of the French Postal and Electronic Communications Code; consent (Art. 6(1)(a)) where required (in particular for B2C prospecting or for certain channels such as SMS)

7.1.5. Improvement of the Service and audience measurement

Purpose: statistical analyses, usage detection, feature improvement

Legal bases: legitimate interest (Art. 6(1)(f)) for aggregated statistics; consent (Art. 6(1)(a)) for fine-grained audience measurement via PostHog, under the conditions of the Cookies Policy

7.1.6. Security and fraud prevention

Purpose: detection of suspicious behaviour, prevention of account takeovers, payment fraud and IT attacks

Legal basis: legitimate interest (Art. 6(1)(f)), this interest being qualified in accordance with recital 49 of the GDPR

7.1.7. Management of complaints, litigation and exercise of rights

Purpose: handling of complaints, defence in court, evidentiary archiving

Legal bases: performance of a contract (Art. 6(1)(b)), legitimate interest (Art. 6(1)(f)), legal obligations (Art. 6(1)(c))

7.1.8. Management of relations with prospects and candidates

Purpose: interviews, exchanges, recruitment process

Legal basis: legitimate interest (Art. 6(1)(f)) or pre-contractual measures (Art. 6(1)(b))

7.1.9. Handling of requests relating to data subjects' rights

Purpose: investigation and response to requests (access, rectification, deletion, portability, objection, restriction)

Legal basis: compliance with legal obligations (Art. 6(1)(c))

7.1.10. Cookies and trackers

Purpose: see Cookies Policy

Legal bases: consent (Art. 6(1)(a)) for non-strictly-necessary cookies; legitimate interest / performance of the service (Art. 6(1)(b) and (f)) for strictly necessary cookies

ARTICLE 8 — RECIPIENTS AND PROCESSORS

8.1. Internal recipients. Personal Data is accessible, on a need-to-know basis, to Fabrik's staff, independent contractors and consultants involved in their missions (product, engineering, support, sales, finance, legal, security teams).

8.2. Technical processors. Fabrik uses technical processors to provide the Service and manage its activity. The list of main processors appears in Annex B and is also accessible in the DPA. The main ones are:

Vercel Inc. (United States) — application hosting (frontend, serverless runtime, edge network). Safeguards: Vercel Data Processing Addendum, Standard Contractual Clauses of the European Commission (SCCs), Data Privacy Framework (DPF) certification.

Supabase (United States, with hosting in EU region — Frankfurt preferred) — database and file hosting. Safeguards: Supabase DPA, SCCs, additional contractual and technical measures.

Stripe Inc. (United States) and Stripe Payments Europe, Ltd (Ireland) — payment processing. Safeguards: Stripe is PCI-DSS Level 1 certified, Stripe DPA, SCCs for transfers to Stripe US, DPF certification.

Resend (United States) — sending of transactional emails. Safeguards: Resend DPA, SCCs, technical measures.

Sentry (United States) — error logging and telemetry. Safeguards: Sentry DPA, SCCs, DPF.

(Google Analytics is no longer used by the Service.)

PostHog — product analytics, session replay, feature flags with consent. Safeguards: PostHog DPA, SCCs, EU-region deployment option preferred when available.

Any other processors listed in Annex B and in the latest version of the DPA.

8.3. Other recipients. The following may also be recipients, within the strict limits of the purposes pursued and Applicable Law:

Fabrik's external legal, accounting, tax counsel and auditors, in the context of their respective missions;

competent courts and authorities, upon duly formed request;

possible assignees or acquirers, in the context of a transfer of activity or a restructuring (with information of Data subjects under legal conditions);

partners or third-party providers expressly authorised by the Data subject or by the Customer under the DPA.

8.4. No sale of data. Fabrik does not sell Personal Data to third parties. Fabrik does not transfer Personal Data to third parties for commercial or advertising purposes on behalf of those third parties, unless with the express, prior and informed consent of the Data subject.

ARTICLE 9 — TRANSFERS OUTSIDE THE EUROPEAN UNION

9.1. Principle. Some processors referred to in Article 8 being established outside the European Economic Area (EEA), Personal Data may be transferred to third countries, in particular the United States.

9.2. Legal framework for transfers. Fabrik frames such transfers using one or more of the following instruments, provided for in Chapter V of the GDPR:

Adequacy decisions (Art. 45 GDPR), where the recipient country benefits from a European Commission adequacy decision (for example: EU-US Data Privacy Framework ("DPF") adequacy decision of 10 July 2023 for DPF-certified US processors; adequacy decisions for the United Kingdom, Switzerland, Canada, Japan, South Korea, Israel, Argentina, New Zealand, Uruguay, Guernsey, Jersey, Isle of Man, Faroe Islands, Andorra);

Standard Contractual Clauses (SCCs) adopted by the European Commission by Implementing Decision (EU) 2021/914 of 4 June 2021 (Art. 46(2)(c) and (d) GDPR), in their relevant modular configuration (Module 1 controller-to-controller, Module 2 controller-to-processor, Module 3 processor-to-processor, Module 4 processor-to-controller), supplemented where applicable by:

for transfers to the United Kingdom: IDTA addendum (International Data Transfer Addendum) or standalone IDTA depending on configuration;

for transfers to Switzerland: Swiss FDPIC addendum;

for transfers to China (if applicable): CAC Standard Contract;

Binding Corporate Rules (BCR), where applicable (Art. 47 GDPR);

Derogations for specific situations (Art. 49 GDPR), exceptionally and under the strict conditions provided for in that article (in particular explicit consent, performance of the contract concluded with the Data subject, important public interest, establishment of legal claims).

9.3. Additional measures post-Schrems II. In accordance with the Schrems II ruling of the Court of Justice of the European Union (CJEU, 16 July 2020, C-311/18), Fabrik carries out, for each transfer to a third country not benefiting from an adequacy decision, a Transfer Impact Assessment (TIA) to verify that the destination country offers a level of protection essentially equivalent to that of the EU. When this analysis identifies a risk, Fabrik implements technical, organisational and/or contractual additional measures, in accordance with EDPB Recommendations 01/2020, in particular:

Technical measures: encryption in transit (TLS 1.2 minimum, 1.3 recommended) and at rest (AES-256), minimisation of transferred data, pseudonymisation, minimal retention configuration, logical compartmentalisation, tokenisation of sensitive data;

Organisational measures: access-management policy, strong authentication, access traceability, staff training, procedures for responding to requests from foreign authorities;

Contractual measures: additional provisions to the SCCs, transparency clauses on government requests, legal-challenge clauses, notification clauses, commitments to resist excessive requests, in particular regarding Section 702 FISA and Executive Order 12333 for transfers to the United States.

9.4. Transfer table. A table summarising the main transfers (destination country, processor concerned, purpose, transfer instrument) appears in Annex C.

9.5. Additional information. Any Data subject may obtain, upon written request to legal@fabrik.so, a copy of the safeguards implemented or an indication of where they can be consulted, in accordance with Article 46(1) of the GDPR.

ARTICLE 10 — RETENTION PERIODS

10.1. Personal Data is kept only for the period strictly necessary to achieve the purposes for which it was collected, subject to legal archiving and limitation periods.

10.2. Indicative table of retention periods. The periods below are indicative and subject to adjustment depending on the specific purpose.

Category of data / purpose | Active duration | Archiving duration

Active Account (User) | Duration of contractual relationship | 3 years from last activity, then deletion

Inactive Account (no login) | 3 years of inactivity, with prior deletion notification | Deletion after 3 years

Billing data | Duration of relationship | 10 years (Art. L. 123-22 French Commercial Code)

Invoices | Issuance | 10 years (Art. L. 123-22 French Commercial Code, Art. L. 102 B LPF)

Payment data (Stripe, tokens) | Duration of relationship | According to Stripe policy (PCI-DSS)

B2B prospects (non-Users) | 3 years from last active contact | Deletion

Newsletters (subscribers) | Until consent withdrawal | Immediate deletion upon withdrawal

Cookies and trackers | See Cookies Policy | Max 13 months for audience-measurement cookies, unless renewed consent

Connection and technical logs | 12 rolling months | Anonymisation or deletion

Security and access logs | 12 rolling months; 6 years in case of confirmed incident | Depending on purpose

Support tickets | Duration of relationship | 3 years after closure

Disputes and complaints | Duration of proceedings | 5 years after final outcome (five-year ordinary limitation period under French law)

Unsuccessful applications | 2 years from last interaction | Deletion

Judicial requests | Duration necessary for response | Depending on legal framework

Data contained in Plans (as processor) | According to Customer instructions and duration of Contract | 90 days post-termination for portability, then deletion; backups max 180 days

10.3. Criteria used to determine the duration. The criteria used to determine the retention period include: the purpose of the processing, the nature and sensitivity of the data, the potential risks of unauthorised processing, legal archiving obligations, applicable limitation periods for any disputes.

10.4. Intermediate archiving. At the end of the active duration, Data may be archived in a restricted-access intermediate archiving database, solely for the purposes of evidence and legal obligations, before final deletion or anonymisation.

ARTICLE 11 — SECURITY MEASURES

11.1. In accordance with Articles 5(1)(f) and 32 of the GDPR, Fabrik implements appropriate technical and organisational measures with regard to the nature, scope, context and purposes of processing, as well as the risks to data subjects' rights and freedoms.

11.2. Main measures (non-exhaustive list, detailed in the Security Policy — document 10/10):

encryption of Data in transit via TLS 1.2 / 1.3;

encryption of Data at rest via AES-256 (database and object-storage level);

strict access control, with the principle of least privilege;

strong authentication for teams with access to production systems;

logging and access traceability;

segmentation of environments (production, pre-production, development);

regular, tested backups, stored separately and securely;

vulnerability and patch-management procedures;

regular tests (vulnerability scans, pentests according to maturity);

staff awareness and training;

documented security policies;

breach-management procedure (notification within 72 hours to the Supervisory Authority, information to Data subjects when required).

11.3. Processors. Fabrik selects its processors on the basis of sufficient security guarantees and frames them contractually with a DPA compliant with Article 28 of the GDPR.

ARTICLE 12 — PERSONAL DATA BREACHES

12.1. Detection and qualification. Fabrik has an internal breach-management procedure allowing breaches to be detected, qualified and processed.

12.2. Notification to the Supervisory Authority. In the event of a breach likely to give rise to a risk to data subjects' rights and freedoms, Fabrik notifies the breach to the CNIL (or competent Supervisory Authority) within 72 hours of becoming aware of it, in accordance with Article 33 of the GDPR.

12.3. Information to Data subjects. Where the breach is likely to give rise to a high risk, Fabrik informs Data subjects as soon as possible, in accordance with Article 34 of the GDPR, unless the conditions for exemption are met (in particular implementation of measures making the data unintelligible to third parties, adoption of subsequent measures eliminating the risk).

12.4. Breach register. Fabrik maintains an internal breach register, in accordance with Article 33(5) of the GDPR.

ARTICLE 13 — PROFILING AND AUTOMATED DECISIONS

13.1. No significant automated decision. Fabrik does not implement decisions based solely on automated processing, including profiling, producing legal effects concerning the Data subject or significantly affecting them in a similar way, within the meaning of Article 22 of the GDPR.

13.2. Automated processing without significant effect. The Service may implement automated processing without significant effect within the meaning of Article 22, in particular:

automated detection of fraudulent behaviour (suspicious login, abnormal usage) leading to human review;

content personalisation in the Service interface;

algorithmic suggestions to improve Plans by AI, without decisions replacing human validation.

13.3. Associated rights. Should Fabrik come to implement an automated decision within the meaning of Article 22, the Data subject would have the associated rights (right to obtain human intervention, to express their point of view, to contest the decision).

ARTICLE 14 — ARTIFICIAL INTELLIGENCE AND RELATED PROCESSING

14.1. AI features of the Service. The Service integrates AI features for certain tasks (in particular recognition of safety devices on an architect plan, suggestion of pictogram placement, detection of inconsistencies).

14.2. Processing implemented. These features may involve the processing of User Content, which may, for Professional Customers, contain Personal Data of third parties (names appearing on plans). Such processing is governed by the DPA when Fabrik acts as a processor.

14.3. Third-party AI providers. Fabrik may use third-party AI providers (language-model APIs, vision APIs, etc.). When such providers process Personal Data on behalf of Fabrik or its Customers, they are integrated into the list of processors and governed by a DPA.

14.4. No use for training without agreement. Fabrik prohibits using the User Content of its Customers to train AI models used for other customers, without express agreement. Anonymised and aggregated processing may be carried out for the purposes of Service improvement, fraud detection and security.

14.5. Regulation (EU) 2024/1689 — AI Act. Fabrik undertakes to comply, within the periods of progressive entry into application (from February 2025 to August 2027 depending on the provisions), with the obligations of the AI Act applicable to it, in particular as a provider or deployer of AI systems, depending on the qualification that will be retained.

14.6. Transparency. Fabrik endeavours to provide the User with clear information on processing involving AI, its purposes and limits, in particular the need for human verification of the results produced.

ARTICLE 15 — MINORS

15.1. The Service is not intended for minors. Fabrik does not knowingly accept the creation of an Account by a person under sixteen (16) years of age (threshold lowered to fifteen (15) for France pursuant to Article 7-1 of the French Data Protection Act; thresholds vary in other jurisdictions — 13 for the US COPPA, in particular).

15.2. If Fabrik becomes aware that an Account has been created by a minor in breach of these terms, the Data will be deleted as soon as possible, except for legal retention obligations. Holders of parental authority may send a request to that effect to legal@fabrik.so.

ARTICLE 16 — COOKIES AND TRACKERS — REFERENCE

16.1. The use of cookies and trackers on the Site and the Service is governed by the Cookies and Trackers Policy (document 6/10 of the Fabrik corpus), to which express reference is made for detailed information.

ARTICLE 17 — UPDATING THIS POLICY

17.1. Fabrik reserves the right to modify this Policy to take account of legislative, jurisprudential, technical or organisational changes.

17.2. Any material modification is notified to Data subjects (notification by email for Users, prominent display on the Site for Visitors), with an effective date respecting reasonable notice.

17.3. The version applicable at any given time is the one published on the Site at that date, with mention of the date of last update.

PART II — DATA SUBJECTS' RIGHTS BY JURISDICTION

ARTICLE 18 — RIGHTS CORRESPONDENCE TABLE

18.1. The table below summarises, for guidance, the main rights recognised according to jurisdiction. The procedures for exercise and exceptions vary according to the applicable text; Articles 19 et seq. specify the specifics.

Rights compared (one row each): Access; Rectification; Deletion; Restriction; Portability; Objection; Consent withdrawal; Non-discrimination; Automation; Authority recourse.

Jurisdictions compared (one column each): GDPR (EU); UK GDPR; nFADP CH; CCPA/CPRA (CA); PIPEDA (Canada); LGPD (BR); APPI (JP); PIPL (CN); DPDP (IN); POPIA (ZA); PDPA (SG); Privacy Act (AU); PIPA (KR); KVKK (TR); PDPA (TH); UAE PDPL; PDPL KSA.

The cell-by-cell markings of the original table are not reproduced on this page; the only two annotated cells that survive read "✓ (sale/sharing opt-out)" in the Objection row and "✓ (sensitive)" in the Consent withdrawal row.

Legend: ✓ expressly provided; ○ partially or contextually; — not explicitly provided or limited

ARTICLE 19 — RIGHTS UNDER THE GDPR (EUROPEAN UNION)

19.1. Any Data subject residing in the European Union, or whose Data is processed by Fabrik within the territorial scope of the GDPR, has the following rights, under the conditions and limits set by the GDPR and the French Data Protection Act (Law No. 78-17 of 6 January 1978 as amended):

19.1.1. Right of access (Art. 15 GDPR) Obtain confirmation as to whether or not Data concerning them is being processed and, where applicable, obtain communication of such Data, of the purposes of processing, of the categories of Data, of recipients, of the retention period, of associated rights, of the origin of the Data and, where applicable, of information relating to automated decisions and transfers.

19.1.2. Right of rectification (Art. 16 GDPR) Obtain the rectification of inaccurate Data and the completion of incomplete Data, including by means of a supplementary statement.

19.1.3. Right to erasure / right to be forgotten (Art. 17 GDPR) Obtain the erasure of Data concerning them in the cases provided for in Article 17, in particular when the Data is no longer necessary, when consent is withdrawn and there is no other legal basis, in case of objection, in case of unlawful processing, or in application of a legal obligation. Exceptions apply, in particular for the exercise of freedom of expression and information, compliance with a legal obligation, public-interest grounds, or the establishment of legal claims.

19.1.4. Right to restriction of processing (Art. 18 GDPR) Obtain restriction of processing in cases of contested accuracy, unlawful processing with objection to erasure, necessity of the Data to establish legal claims, or pending objection.

19.1.5. Right to portability (Art. 20 GDPR) Receive the Data provided by the Data subject, in a structured, commonly used and machine-readable format, and transmit it to another data controller, when processing is based on consent or contract and carried out by automated means.

19.1.6. Right to object (Art. 21 GDPR) Object, at any time, on grounds relating to the Data subject's particular situation, to processing based on legitimate interest or public interest. Object without justification to processing for commercial-prospecting purposes, including associated profiling.

19.1.7. Right to withdraw consent (Art. 7(3) GDPR) Withdraw, at any time, consent given, without such withdrawal calling into question the lawfulness of prior processing.

19.1.8. Right not to be subject to an automated decision (Art. 22 GDPR) See Article 13.

19.1.9. Right to define post-mortem directives (Art. 85 LIL) Define, at any time, directives concerning the fate of Data after death, in accordance with Article 85 of the French Data Protection Act.

19.1.10. Right to lodge a complaint with a Supervisory Authority (Art. 77 GDPR) Lodge a complaint with the CNIL (in France) or any other competent Supervisory Authority in the EU. In France: CNIL, 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, www.cnil.fr, tel. 01 53 73 22 22.

19.2. Procedures. See Article 37.

ARTICLE 20 — RIGHTS UNDER THE UK GDPR (UNITED KINGDOM)

20.1. Data subjects residing in the United Kingdom or whose Data is processed within the scope of UK GDPR (post-Brexit) have rights substantially equivalent to those of the GDPR, as set out in UK GDPR and the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025 or any equivalent legislation then in force).

20.2. Complaint to the ICO. Any Data subject may lodge a complaint with the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom, www.ico.org.uk.

20.3. UK Representative: see Article 2.3 (designation when thresholds are met).

ARTICLE 21 — RIGHTS UNDER THE NFADP (SWITZERLAND)

21.1. Data subjects residing in Switzerland have the rights provided for by the revised Federal Act on Data Protection (nFADP), which entered into force on 1 September 2023, and its implementing ordinance (the Data Protection Ordinance, DPO), in particular:

right to be informed when Data is collected (Art. 19 nFADP);

right of access (Art. 25-26 nFADP);

right of rectification (Art. 32(1) nFADP);

right to erasure and objection (Art. 32(2) nFADP);

right to portability (Art. 28-29 nFADP);

right in case of individual automated decision (Art. 21 nFADP).

21.2. Complaint to the FDPIC. Data subjects may send a communication to the Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, Switzerland, www.edoeb.admin.ch.

ARTICLE 22 — RIGHTS UNDER THE CCPA / CPRA (CALIFORNIA)

22.1. Residents of California have, under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) and its implementing regulations by the California Privacy Protection Agency (CPPA), the following rights:

Right to Know / Access: know the categories and specific elements of Personal Information (PI) collected, sources, business purposes, categories of third parties to whom the PI is disclosed, and categories of PI sold or shared in the last 12 months.

Right to Delete: request the deletion of their PI, subject to legal exceptions.

Right to Correct: correct inaccurate PI.

Right to Opt-Out of Sale / Sharing: refuse the "sale" and "sharing" of their PI, in particular for cross-context targeted advertising. Fabrik makes available a "Do Not Sell or Share My Personal Information" mechanism and honours Global Privacy Control (GPC).

Right to Limit Use and Disclosure of Sensitive Personal Information (SPI): limit the use of Sensitive PI to strictly necessary purposes.

Right to Non-Discrimination: not be discriminated against (refusal of service, different pricing, degraded service level) for having exercised their rights.

Right to Data Portability: receive their PI in a portable format.

Right Regarding Automated Decision-Making Technology: specific rights related to significant automated decisions, under the conditions specified by the CPPA regulations.

22.2. Verification. Fabrik carries out reasonable verification of the requester's identity before responding.

22.3. Deadline. Response within 45 days of receipt of a verifiable request, extendable once by a further 45 days where reasonably necessary, with notice to the requester.

22.4. Minors under 16. Opt-in required for "sale" or "sharing" (parental opt-in for those under 13).

22.5. Statement of no sale. Fabrik does not "sell" PI within the meaning of CCPA for monetary purposes. However, certain analytics or advertising activities could be qualified as "sharing" for cross-context targeted advertising; in this case, Fabrik provides a compliant opt-out mechanism and honours the GPC signal.

22.6. Complaint. California Privacy Protection Agency (CPPA), 2101 Arena Boulevard, Sacramento, CA 95834, cppa.ca.gov. California Attorney General, oag.ca.gov/privacy.

ARTICLE 23 — RIGHTS IN OTHER US STATES

23.1. States concerned and applicable texts (evolving list):

Virginia — Virginia Consumer Data Protection Act (VCDPA), effective 1 January 2023;

Colorado — Colorado Privacy Act (CPA), 1 July 2023;

Connecticut — Connecticut Data Privacy Act (CTDPA), 1 July 2023;

Utah — Utah Consumer Privacy Act (UCPA), 31 December 2023;

Texas — Texas Data Privacy and Security Act (TDPSA), 1 July 2024;

Oregon — Oregon Consumer Privacy Act (OCPA), 1 July 2024;

Montana — Montana Consumer Data Privacy Act (MCDPA), 1 October 2024;

Iowa — Iowa Consumer Data Protection Act (ICDPA), 1 January 2025;

Delaware — Delaware Personal Data Privacy Act, 1 January 2025;

Tennessee — Tennessee Information Protection Act (TIPA), 1 July 2025;

Indiana — Indiana Consumer Data Protection Act, 1 January 2026;

New Jersey — New Jersey Data Privacy Act, 15 January 2025;

New Hampshire — New Hampshire Data Privacy Act, 1 January 2025;

Minnesota — Minnesota Consumer Data Privacy Act, 31 July 2025;

Maryland — Maryland Online Data Privacy Act, 1 October 2025;

Kentucky — Kentucky Consumer Data Protection Act, 1 January 2026;

Rhode Island — Rhode Island Data Transparency and Privacy Protection Act, 1 January 2026;

and any other State that adopts or brings into force equivalent legislation after the drafting of these terms.

23.2. Common rights. Subject to the specifics of each text and its applicability thresholds (turnover, number of consumers whose data is processed, etc.), residents of these States generally have the following rights, the exact scope of which varies by statute:

right of access / confirmation;

right of correction (except Utah and Iowa — not required);

right of deletion;

right of portability;

right of opt-out of sale, targeted advertising and profiling producing legal or significantly similar effects;

right of appeal in case of refusal.

23.3. Universal Opt-Out Mechanisms (UOOM). In States providing for it (Colorado, Connecticut, Texas, Oregon, etc.), Fabrik honours universal opt-out signals (in particular Global Privacy Control — GPC).
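Articles 22.1, 22.5 and 23.3 commit Fabrik to honouring the Global Privacy Control (GPC) signal. The following is an added example, not Fabrik's code, of what "honouring GPC" means in practice on the server. The GPC specification (https://privacycg.github.io/gpc-spec/) defines three things: a request header whose only valid opt-out value is Sec-GPC: 1, a browser property navigator.globalPrivacyControl, and a machine-readable statement at /.well-known/gpc.json. The request and consent-record shapes, the function names and the sample requests are assumptions made for the example; the precedence rule (a GPC signal overrides any earlier opt-in to sharing) is what CCPA-style opt-out statutes require.

```javascript
// Added example (not Fabrik's code): honouring the Global Privacy Control
// (GPC) opt-out signal described in Articles 22.1, 22.5 and 23.3.
// Spec: https://privacycg.github.io/gpc-spec/ (request header "Sec-GPC: 1").
// Runs under Node.js; request/consent shapes are assumptions for the example.

// Header lookup tolerant of both Node's lowercased header objects and
// mixed-case keys from other runtimes. Node joins repeated headers with ", ",
// so a "1, 1" value is deliberately NOT accepted below.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) {
      return Array.isArray(value) ? value[0] : value;
    }
  }
  return undefined;
}

// True only when the request carries a valid GPC opt-out. The spec defines a
// single valid field value, "1"; anything else (absent, "0", "true", "yes")
// is not a signal and must not be treated as one.
function hasGpcSignal(headers) {
  return getHeader(headers, 'sec-gpc') === '1';
}

// Decide whether cross-context sharing (advertising/analytics tags that
// "share" personal information) may run for this request.
// `storedConsent` is the visitor's recorded cookie choice; assumed shape:
//   { analytics: boolean, shared: boolean } or null when nothing is recorded.
// Precedence, from most to least restrictive:
//   1. A GPC signal is an opt-out of sale/sharing and overrides a prior opt-in.
//   2. Otherwise, no sharing without an affirmative stored consent.
function resolveSharing(headers, storedConsent) {
  if (hasGpcSignal(headers)) {
    return { share: false, reason: 'gpc-opt-out' };
  }
  if (storedConsent && storedConsent.shared === true) {
    return { share: true, reason: 'stored-consent' };
  }
  return { share: false, reason: 'no-consent' };
}

// Response body for GET /.well-known/gpc.json, the spec's machine-readable
// statement that the site honours GPC. `lastUpdate` is an ISO date YYYY-MM-DD.
function gpcWellKnown(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Browser-side counterpart: the same signal is exposed to page scripts as
// navigator.globalPrivacyControl (true when set). Guarded so this function
// also runs under Node, where `navigator` may be absent or lack the property.
function browserGpcEnabled(nav = typeof navigator === 'undefined' ? undefined : navigator) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Constructed sample requests (not captured traffic) showing each branch:
// a signal overriding an opt-in, an invalid "0", no signal with an opt-in,
// and an invalid "true".
const SAMPLE_REQUESTS = [
  { headers: { 'sec-gpc': '1', 'user-agent': 'Mozilla/5.0 (example)' },
    consent: { analytics: true, shared: true } },
  { headers: { 'Sec-GPC': '0' }, consent: null },
  { headers: {}, consent: { analytics: true, shared: true } },
  { headers: { 'sec-gpc': 'true' }, consent: null },
];

// Returns the decision reason for each sample request, in order.
function demo() {
  return SAMPLE_REQUESTS.map((r) => resolveSharing(r.headers, r.consent).reason);
}
// → ['gpc-opt-out', 'no-consent', 'stored-consent', 'no-consent']
```

The decision must be taken before any sharing tag is emitted, i.e. in the server handler or edge middleware that renders the page, not in the tag itself; once a third-party script has loaded, the disclosure has already happened.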

23.4. Minors. Protective rules for minors (in particular the Florida Digital Bill of Rights, and more generally parental consent for those under 13 under federal COPPA) are applied where relevant.

23.5. Complaints. Complaints should be addressed to the State Attorney General concerned or to the dedicated competent authority.

ARTICLE 24 — RIGHTS UNDER PIPEDA (FEDERAL CANADA) AND LAW 25 (QUEBEC)

24.1. PIPEDA (Personal Information Protection and Electronic Documents Act). Data subjects in Canada have rights of access, rectification, objection, withdrawal of consent, and complaint to the Office of the Privacy Commissioner of Canada (OPC), www.priv.gc.ca.

24.2. Law 25 (Quebec) — Act to modernise legislative provisions on the protection of personal information, which came into force progressively from 2022 to 2024. Specific rights: right of access, rectification, de-indexing, portability (since September 2024), cessation of dissemination, information on the use of automated decisions. Complaint: Commission d'accès à l'information du Québec (CAI), www.cai.gouv.qc.ca.

24.3. Breach notification. Fabrik notifies confidentiality breaches to the CAI and Data subjects under the conditions provided for in Law 25.

ARTICLE 25 — RIGHTS UNDER THE LGPD (BRAZIL)

25.1. The Lei Geral de Proteção de Dados Pessoais (LGPD, Law No. 13.709/2018) recognises the following rights for data holders (titulares) (Art. 18 LGPD): confirmation of the existence of processing; access; correction; anonymisation, blocking or deletion of unnecessary or excessive data; portability; deletion of data processed on the basis of consent; information on sharing; information on the possibility of refusing consent; revocation of consent; review of automated decisions.

25.2. Complaint: Autoridade Nacional de Proteção de Dados (ANPD), www.gov.br/anpd.

25.3. Representative in Brazil. Fabrik assesses the need for a local representative according to applicable thresholds.

ARTICLE 26 — RIGHTS UNDER THE APPI (JAPAN)

26.1. The Act on the Protection of Personal Information (APPI) recognises rights of access, rectification, suspension of use, deletion and disclosure of records of transfers to third parties.

26.2. Complaint: Personal Information Protection Commission (PPC), www.ppc.go.jp.

ARTICLE 27 — RIGHTS UNDER THE PIPL (CHINA)

27.1. The Personal Information Protection Law (PIPL), which entered into force on 1 November 2021, recognises for Data subjects: right to information and consent; right of access and copy; right of rectification; right of deletion; right of portability; right of restriction; right of withdrawal of consent; right of recourse.

27.2. Transfers outside China. Subject to a security assessment, certification or use of the CAC Standard Contract (Cyberspace Administration of China), depending on thresholds and the nature of the data.

27.3. Complaint: CAC, www.cac.gov.cn.

ARTICLE 28 — RIGHTS UNDER THE DPDP ACT (INDIA)

28.1. The Digital Personal Data Protection Act (DPDP Act) of 2023, whose implementing rules (DPDP Rules) were finalised in 2025, recognises for Data Principals: right of access to information on data and its processing; right of correction, completeness, updating and deletion; right of nomination (to designate a person to exercise rights in case of incapacity or death); right of recourse.

28.2. Complaint: Data Protection Board of India.

ARTICLE 29 — RIGHTS UNDER POPIA (SOUTH AFRICA)

29.1. The Protection of Personal Information Act (POPIA) recognises rights of access, correction or deletion, objection to processing, refusal of unsolicited electronic communications, refusal of automated decisions, and complaint to the Information Regulator (www.inforegulator.org.za).

ARTICLE 30 — RIGHTS UNDER THE PDPA (SINGAPORE)

30.1. The Personal Data Protection Act 2012 (PDPA) recognises rights of access, correction, withdrawal of consent, portability (effective subject to entry into force of the corresponding provisions) and complaint to the PDPC (www.pdpc.gov.sg).

ARTICLE 31 — RIGHTS UNDER THE PRIVACY ACT (AUSTRALIA)

31.1. The Privacy Act 1988 (Cth), as amended, and the Australian Privacy Principles (APPs), recognise rights of access, correction, objection to direct marketing, and complaint to the OAIC (Office of the Australian Information Commissioner), www.oaic.gov.au.

ARTICLE 32 — RIGHTS UNDER PIPA (SOUTH KOREA)

32.1. The Personal Information Protection Act (PIPA) recognises rights of access, correction, deletion, suspension of processing, portability, transparency on automated decisions, withdrawal of consent, and complaint to the PIPC (Personal Information Protection Commission).

ARTICLE 33 — RIGHTS UNDER KVKK (TURKEY)

33.1. The Kişisel Verileri Koruma Kanunu (Law No. 6698) recognises rights of information, access, correction, deletion, objection, compensation and complaint to the KVKK (Kişisel Verileri Koruma Kurumu), www.kvkk.gov.tr.

33.2. VERBIS register. Fabrik assesses any obligation to register with the VERBIS register according to the thresholds applicable to foreign data controllers.

ARTICLE 34 — RIGHTS UNDER THE PDPA (THAILAND)

34.1. The Personal Data Protection Act (PDPA) B.E. 2562 (2019) recognises rights of access, rectification, deletion, portability, objection, restriction, withdrawal of consent, and complaint to the Thai PDPC.

ARTICLE 35 — RIGHTS UNDER THE UAE PDPL (UNITED ARAB EMIRATES)

35.1. Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL) recognises rights of access, rectification, deletion, restriction, portability, objection, refusal of automated decisions, and complaint to the UAE Data Office.

ARTICLE 36 — RIGHTS UNDER THE SDAIA PDPL (SAUDI ARABIA)

36.1. The Saudi Personal Data Protection Law (PDPL), under the authority of SDAIA (Saudi Data & AI Authority), recognises rights of information, access, request for correction, request for destruction, and complaint to SDAIA.

PART III — PROCEDURES FOR EXERCISING RIGHTS

ARTICLE 37 — PROCEDURES FOR EXERCISING RIGHTS

37.1. Channel of exercise. Any request to exercise rights may be addressed to:

Email: legal@fabrik.so;

Postal address: Fabrik — Data Protection, 4 rue du Four, 55500 Cousances-lès-Triconville, France.

37.2. Information to be provided. To enable the request to be processed, the Data subject indicates:

nature of the request (access, rectification, deletion, etc.);

identity (last name, first name, email of the Account);

elements allowing identity verification (in case of doubt, supporting documents may be requested);

in case of representation by a third party, written mandate or power of attorney.

37.3. Deadline. Fabrik undertakes to respond within one (1) month of receipt of the request, extendable by two months in the event of complexity or multiplicity of requests, in accordance with Article 12(3) of the GDPR and the equivalent provisions of other texts. The Data subject is informed.

37.4. Free of charge. The exercise of rights is in principle free of charge. However, in the event of manifestly unfounded or excessive requests (in particular by their repetitive nature), Fabrik may require payment of reasonable fees or refuse to follow up, in accordance with Article 12(5) of the GDPR.

37.5. Reasoned refusal. Any refusal is reasoned and indicates the available remedies, in particular the right to lodge a complaint with the Supervisory Authority.

37.6. Follow-up. The Data subject receives an acknowledgement of receipt as soon as possible and follow-up of the processing of their request.

ARTICLE 38 — COMPLAINTS TO SUPERVISORY AUTHORITIES

38.1. Without prejudice to any other remedy, the Data subject may lodge a complaint with the competent Supervisory Authority in their jurisdiction. The main authorities are recalled in Articles 19 to 36.

38.2. EU one-stop-shop. Data subjects residing in the EU may lodge their complaint with the Supervisory Authority of the Member State of their habitual residence, place of work or place of the alleged infringement (Art. 77 GDPR); under the one-stop-shop mechanism the complaint may then be handled in cooperation with the lead Supervisory Authority of the controller.

ARTICLE 39 — REGION-SPECIFIC CONTACTS

Fabrik contact for every region: legal@fabrik.so. Competent Supervisory Authority by region:

EU / France: CNIL — www.cnil.fr

EU / other Member States: national authority or lead authority

United Kingdom: ICO — www.ico.org.uk

Switzerland: FDPIC — www.edoeb.admin.ch

California: CPPA — cppa.ca.gov

Other US States: State Attorney General

Canada (PIPEDA): OPC — www.priv.gc.ca

Quebec: CAI — www.cai.gouv.qc.ca

Brazil: ANPD — www.gov.br/anpd

Japan: PPC — www.ppc.go.jp

China: CAC — www.cac.gov.cn

India: Data Protection Board of India

South Africa: Information Regulator — www.inforegulator.org.za

Singapore: PDPC — www.pdpc.gov.sg

Australia: OAIC — www.oaic.gov.au

South Korea: PIPC

Turkey: KVKK — www.kvkk.gov.tr

Thailand: PDPC (Thailand)

United Arab Emirates: UAE Data Office

Saudi Arabia: SDAIA

ANNEX A — DETAILED TABLE: PURPOSE / LEGAL BASIS / DATA / DURATION

Purpose | Legal basis | Categories of data | Retention period

Account management | Performance of the contract | Identification, contact, Account | Duration of relationship + 3 years

Provision of the Service | Performance of the contract | Identification, usage, technical | Duration of relationship

Billing | Performance of the contract + legal obligation | Identification, billing, payment | 10 years

B2B prospecting | Legitimate interest | Professional identification, contact | 3 years from last contact

B2C prospecting | Consent | Identification, contact | Until withdrawal

Newsletter | Consent | Email address | Until withdrawal

— (removed) | Consent | Cookie identifiers, IP, usage | 13 months max

Product analytics (PostHog) | Consent | Cookie identifiers, usage | 13 months max

Security / anti-fraud | Legitimate interest | Logs, technical | 12 months + 6 years if incident

Complaints management | Performance / obligation / legitimate interest | Communication, identification | 5 years

Litigation | Legitimate interest | Depending on case | 5 years after outcome

AML-CFT obligations (where applicable) | Legal obligation | Identification | 5 years

ANNEX B — TABLE OF PROCESSORS AND RECIPIENTS

Processor | Purpose | Processing location | Transfer instrument

Vercel Inc. | Application hosting | United States + global edge | SCCs + additional measures + DPF (if certified)

Supabase | Database + storage | EU region (Frankfurt) preferred, possible fallback | DPA + SCCs

Stripe | Payment | United States / Ireland | SCCs + DPF

Resend | Transactional emails | United States | SCCs + DPF

Sentry | Error logging | United States | SCCs + DPF

— (removed) | — (removed) | — (removed) | — (removed)

PostHog | Product analytics | EU preferred depending on offering | SCCs if outside EU


ANNEX C — TABLE OF INTERNATIONAL TRANSFERS

Destination country | Processor | Data concerned | Transfer instrument | Additional measures

United States | Vercel, Stripe, Resend, Sentry, Google | Identification, usage, technical | 2021 SCCs + DPF (if certified) | Encryption in transit/at rest, minimisation, TIA

Ireland | Stripe Payments Europe | Payment | EU/EEA, no transfer | N/A

Germany | Supabase (Frankfurt region) | DB + storage | EU/EEA, no transfer | N/A

Other regions (fallback) | Supabase | DB + storage | 2021 SCCs depending on region | Encryption, TIA

ANNEX D — PLAIN LANGUAGE SUMMARY

Who processes your data? Fabrik, 4 rue du Four, 55500 Cousances-lès-Triconville.

What data? Your account identifier, your email, info related to your subscription, technical logs, and what you put in the Service. No sensitive data (health, religion, etc.) in principle.

Why? To provide you with the Service, bill you, respond to you, improve Fabrik, protect ourselves against fraud, and comply with our legal obligations.

Who handles it? Processors such as Vercel (hosting), Supabase (database, in EU), Stripe (payment), Resend (emails), Sentry (errors) and PostHog (analytics, with your consent).

Does it go to the US? Yes, for some processors. We frame this with the European Commission's Standard Contractual Clauses, the Data Privacy Framework where applicable, plus technical measures (encryption, minimisation) and a post-Schrems II Transfer Impact Assessment (TIA).

How long do we keep it? As long as you are a customer, plus 3 years in general. 10 years for accounting. See the table in Annex A.

What rights? Access, rectification, deletion, portability, objection, withdrawal of consent. By email to legal@fabrik.so. Response within 1 month.

Do we sell to third parties? No. Fabrik does not sell your data.

Are you outside the EU? You also have rights (CCPA in California, LGPD in Brazil, APPI in Japan, etc. — see Part II).

Not happy? You can refer to your supervisory authority (CNIL for France).

End of Document 5/10 — Privacy Policy — Fabrik

Fabrik Legal Corpus — Version 2.0 — April 28, 2026