Privacy Policy

This Privacy Policy explains how personal data is collected, used, and shared when you use feddi (the “Service”) available at feddi.dev.

1. Who we are

The Service is operated by feddi, Inc. (in formation, Delaware) (“feddi”, “we”, “us”, “our”). feddi, Inc. is currently in the process of being incorporated in the State of Delaware, USA. Upon completion of incorporation, this Policy will continue to apply to the incorporated entity without further action by you.

Contact for privacy inquiries: privacy@feddi.dev

2. What personal data we collect

We collect only what is necessary to operate the Service:

• Account data — email address, name, organization you belong to.
• Authentication data — personal access tokens, API keys you create.
• Product metadata — subgraph schemas, persisted documents, graph and variant configurations you upload.
• Usage data — field-level GraphQL usage statistics reported by your self-hosted gateway (operation names, field coordinates, client name/version, timing, error counts).
• Technical data — IP address, browser type, referrer URL, pages viewed, timestamps.
• Communications — messages you send us via contact forms or email.

We do not receive any GraphQL query payloads, query variables, or response data from your gateway. All GraphQL traffic stays within your infrastructure.

3. How we use your data

• To provide and operate the Service (create graphs, compose schemas, serve usage analytics).
• To authenticate you and secure your account.
• To communicate with you (transactional emails, Service announcements, responses to support requests).
• To detect and prevent abuse, fraud, and security incidents.
• To improve the Service, based on aggregated usage statistics.

4. Legal basis for processing (EEA/UK users)

Under the GDPR, we rely on:

• Contract performance — to provide the Service you have signed up for.
• Legitimate interests — to secure the Service, prevent abuse, and improve the product. We balance this against your privacy rights.
• Consent — for non-essential cookies and optional communications. You can withdraw consent at any time.
• Legal obligation — to comply with applicable law.

5. Data retention

• Account data: kept while your account exists; deleted within 30 days of account deletion.
• Usage data: aggregated and retained for 30 days.
• Contact form messages: retained up to 24 months unless earlier deletion is requested.
• Backups: up to 30 days after deletion from active systems.

6. Sharing and disclosure

We do not sell personal data. We share data only with:

• Service providers acting as processors on our behalf — e.g. cloud hosting (AWS, ap-southeast-2 / Sydney), email delivery, error tracking, and privacy-friendly analytics (Plausible Analytics, EU-hosted, cookieless, no personal data stored). Each is bound by a data processing agreement.
• Legal recipients — where we are required by law (e.g. court order), or to protect our rights and users.
• Successors — if ownership or operation of the Service transfers, including upon the formal incorporation of feddi, Inc. or any later corporate reorganization.

A current list of subprocessors is available on request.

7. International transfers

The Service is hosted on AWS in the ap-southeast-2 (Sydney, Australia) region. Australia is not subject to a current EU adequacy decision; for personal data of users in the EEA or UK, we rely on EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum as the legal transfer mechanism. Copies of these safeguards are available on request.

8. Your rights

GDPR (EEA/UK users)

You have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — correct inaccurate data.
• Erasure — request deletion of your data.
• Restriction — limit processing in certain circumstances.
• Portability — receive your data in a machine-readable format.
• Objection — object to processing based on legitimate interests.
• Withdraw consent — at any time, without affecting prior lawful processing.
• Lodge a complaint — with your local supervisory authority.

CCPA/CPRA (California residents)

You have the right to:

• Know what personal information we collect and how we use it.
• Delete personal information we have collected.
• Correct inaccurate personal information.
• Opt out of the sale or sharing of personal information (we do not sell or share).
• Non-discrimination for exercising your rights.

To exercise any right, email privacy@feddi.dev. We will respond within 30 days (GDPR) or 45 days (CCPA).

9. Cookies and analytics

We use only strictly necessary cookies for authentication, CSRF protection, and UI state. We do not use cookies for tracking or advertising.

For aggregate usage analytics we use Plausible Analytics (plausible.io), an EU-hosted, privacy-friendly service. Plausible is cookieless: it sets no cookies, uses no device identifiers, and stores no personal data on your device. Plausible processes IP addresses transiently to generate an anonymous, daily-rotating identifier, then discards them. Because no consent-requiring cookies are set, no cookie consent banner is shown.

For full details see our Cookie Notice.

10. Children

The Service is not directed to persons under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us and we will delete it.

11. Security

We use industry-standard measures including TLS encryption in transit, encryption at rest, access controls, and audit logging. No system is perfectly secure; you use the Service at your own risk.

12. Changes to this Policy

We may update this Policy from time to time. Material changes will be announced via email or in-app notice before taking effect. The “Last updated” date at the top reflects the current version.

13. Contact

feddi, Inc. (in formation, Delaware)
284 Dry Creek Rd
Aptos, CA 95003
privacy@feddi.dev