1. Our role: processor, not controller
Follow.fun (the “Service”, “we”, “us”) provides software that lets you connect your X account and direct follow-related activity and Credit transactions. For that activity, you decide why and how your data is used — so under data protection laws such as the GDPR and UK GDPR, you are the controller and we act as your processor, handling data only on your documented instructions, which these terms and your use of the Service constitute.
- We process the data you submit and the follow/credit actions you initiate solely to carry out the functions you ask the Service to perform.
- We do not use your data to build advertising profiles, and we do not sell or rent personal data to anyone.
- Third parties we rely on (such as X, payment processors, and our verification provider) act as independent controllers or processors in their own right for the data you give them directly; this policy does not govern their processing.
- We act as an independent controller only for the narrow operational matters described in Section 6 (for example, our own security logs and legally required billing records).
2. Key terms
- “Controller” means the party that determines the purposes and means of processing personal data — for the core Service, that is you.
- “Processor” means the party that processes personal data on behalf of the controller — for the core Service, that is us.
- “Sub-processor” means a third party we engage to help process data on your behalf.
- “Personal data” means information relating to an identified or identifiable person.
3. Data we process on your behalf
We deliberately keep data collection lean. When you connect X via OAuth we receive basic public profile information, and we generate the records needed to operate Credits and follows.
- X profile basics: your handle, display name, numeric user ID, avatar URL, follower/following counts, and verification status.
- An OAuth access token that lets us verify follows on your behalf. We never receive your X password.
- Account data you create on the Service: your follow price, categories, listing settings, bio, and Credit balance.
- Transaction records: Credit purchases, signup bonus, rewards earned, and Claims — including amounts and timestamps.
- Limited technical data: IP address, device and browser type, and basic logs used for security and abuse prevention.
4. How we process it (on your instructions)
As your processor, we process personal data only to deliver the Service you ask for and as permitted by these terms. We will not use it for our own unrelated purposes.
- To authenticate you and confirm you control the connected X account.
- To verify, through a third-party relationship API, that a follow is genuine before releasing any Credits.
- To operate the credit economy you participate in: balances, purchases, rewards, leaderboards, categories, and the Explore feed.
- To detect and prevent bots, automation, fake engagement, fraud, and chargeback abuse.
- To provide support and send essential service notices about your account.
5. Your responsibilities as controller
Because you are the controller for the core Service, you are responsible for having a lawful basis for the processing you direct and for meeting any obligations you owe to the people whose data is involved (for example, the X accounts you interact with). We will assist you in meeting those obligations to the extent reasonable, and we will:
- Process personal data only on your instructions and as needed to provide the Service or to comply with law (in which case we will inform you where permitted).
- Ensure people authorized to process the data are bound by confidentiality.
- Implement appropriate technical and organizational security measures (see Section 9).
- Assist you, so far as reasonable, with data-subject requests and with your own security, breach-notification, and impact-assessment duties.
- On termination, delete or return the personal data we process for you, except where law requires us to retain it.
6. Where we act as a controller
For a limited set of matters, we determine the purpose of processing ourselves and therefore act as an independent controller. This is confined to what we need to run a safe, lawful business:
- Security, fraud-prevention, and abuse-detection logs.
- Billing and transaction records we are legally required to keep for tax and accounting.
- Aggregated or de-identified statistics that no longer identify any individual.
- Responding to lawful requests from authorities and enforcing our terms.
7. Sub-processors and third parties
We engage vendors to help deliver the Service, each bound by contract to protect data and use it only as needed. We remain responsible to you for their performance as sub-processors. They include:
- X (via OAuth) for sign-in and authorization — X is an independent controller for its own platform data.
- Our follow-verification API (twitterapi.io) for confirming relationships between accounts; for that check we share the two X handles or user IDs involved.
- Stripe for card payments. Stripe receives the payment details you enter and acts as an independent controller for them; we receive only a confirmation and limited metadata.
- Our crypto payment provider for on-chain purchases (for example USDC, SOL, and ETH), which processes wallet and transaction data.
- Google Firebase and other hosting, database, and infrastructure providers used to deliver and secure the Service.
8. International transfers
Our providers may process data in countries other than yours. Where we transfer personal data internationally, we rely on appropriate safeguards (such as Standard Contractual Clauses or an equivalent mechanism) so that it remains protected to the standard required by applicable law.
9. Security
We use encryption in transit, scoped access tokens, and access controls to protect data. We never store your X password or full card numbers. No system is perfectly secure, but we work to minimize what we collect and store and to limit who can access it. If a breach affects you, we will assist the relevant controller with any notification required by law.
10. Data retention
We keep personal data only as long as your account is active or as long as needed to provide the Service, and afterwards only as required to comply with legal, tax, and anti-fraud obligations. When you delete your account, we remove or anonymize your profile data while retaining the minimum transaction records the law requires.
11. Your rights and choices
Depending on where you live, you may have rights to access, correct, export, delete, or restrict the processing of your personal data, and to object to certain processing. Because we usually act as a processor, where a request concerns data we process on someone's behalf we may direct it to, or fulfill it in coordination with, the relevant controller.
- Access, correct, export, or delete your account data by contacting us.
- Revoke our X authorization at any time from your X settings; this disables follow verification for your account.
- Object to or restrict certain processing, where applicable law gives you that right.
- Opt out of non-essential communications; essential service notices may still be sent.
To exercise any of these rights, email team@follow.fun. You may also have the right to complain to your local data-protection authority.
12. No sale of data; no third-party ads
We do not sell or rent personal data, and we do not share it for third-party advertising or cross-context behavioral advertising. We share data only with the sub-processors and for the purposes described in this policy, or where required by law.
13. Children
Follow.fun is not intended for anyone under 18. We do not knowingly process data from children. If you believe a child has provided data, contact us and we will delete it.
14. Changes and contact
We may update this policy and will revise the “Last updated” date above when we do. For any privacy question or request, contact team@follow.fun.