Privacy policy

1. Who we are

FuelMyArt is a creator monetization platform based in India that operates fuelmyart.com. This policy explains what information we collect, how we use it, and the rights you have over it. Effective date: 2026-05-05.

2. What we collect

• Account info - email, username, password (hashed with Argon2id; we never store plaintext).
• Profile info (creators) - display name, bio, avatar, cover image, location, website, social links, category, tags.
• Auth methods - which providers you've linked (Google, Apple, password, TOTP); for OAuth sign-in we store the provider's user ID and email.
• Two-factor - your TOTP secret (encrypted at rest) and 10 hashed backup codes.
• Activity - posts you create, comments you write, subscriptions you start or cancel, tips you send and receive, and content you view.
• Payment - handled by third-party gateways (Razorpay, Cashfree, Stripe). We store transaction IDs, status, amount, and tier. We never see card numbers, UPI VPAs, or net-banking credentials.
• Tax and compliance (creators) - PAN, GSTIN, and bank details (encrypted at rest), only when you provide them for payouts.
• Notification preferences - per-channel (email, push, SMS) and per-category toggles.
• Technical logs - IP address (truncated for retention), user-agent, timestamp of login and significant actions, and country derived from IP for fraud signals.
• Communications - emails you send to support@ or hello@, and replies we send you.

3. How we use it

• Run the platform - sign you in, host your posts, charge subscriptions, deliver notifications.
• Process payments through our gateway partners (Razorpay, Cashfree, Stripe).
• Comply with Indian tax law - issue GST invoices, withhold TDS under Section 194-O when applicable, and generate Form 26AS reports.
• Detect fraud and abuse - rate-limit, lock accounts after repeated failures, and surface suspicious activity to admin moderation.
• Send transactional email - renewal receipts, payout confirmations, password resets, and security alerts.
• Improve the product through aggregate analytics. We never sell aggregated or individual data to third parties.
• Respond to legal requests when required by law.

4. Cookies and similar technologies

• Essential - session cookies for authentication, CSRF tokens, and locale preference.
• Functional - theme preference and dismissed-banner state stored in localStorage.
• No third-party advertising cookies. No retargeting pixels. No analytics that identify individual users to outside systems.
• We use Cloudflare Turnstile for bot protection on signup, password reset, and login-after-failures. It is privacy-preserving and does not fingerprint you.

5. Who we share with

• Payment processors - Razorpay, Cashfree, and Stripe, to charge subscriptions and process payouts. We share only what's needed: amount, currency, your account email, and a transaction reference.
• Email and SMS providers - Brevo for transactional email; an SMS provider (TBD) for OTPs.
• Object storage - Cloudflare R2 (or your country's S3 region) for media you upload.
• Video hosting - Cloudflare Stream or Bunny Stream for long-form videos.
• Cloud infrastructure - Cloudflare (CDN, Tunnel) and our managed Postgres, Redis, and RabbitMQ on the same cloud account.
• Government and legal - only when compelled by valid legal process.
• We do not sell or rent your personal data to anyone, ever.

6. Where data lives and transfers

Primary processing happens in India (ap-south-1). Some processors - Stripe, Brevo, and Cloudflare - operate globally, so relevant data may transit to those providers' regions. We choose providers with appropriate safeguards in place.

7. How long we keep it

• Account data - until you delete your account, then 30 days for cancellation and dispute handling, then hard-deleted.
• Tax records - 8 years (Indian Income Tax Act minimum).
• Transaction records - 8 years (same).
• Login history and security logs - 90 days, then truncated to non-identifying aggregates.
• Soft-deleted content - 30 days, then hard-deleted with the account.
• Email signups (this landing page) - until you ask us to remove you, or 24 months after last contact, whichever comes first.

8. Your rights

Under India's DPDP Act 2023 and equivalent regulations, you can:

• Access - request a copy of what we have on you. Use the "Export my data" button in account settings; the archive arrives by email within 24 hours.
• Correct - fix anything wrong via your profile settings, or email us.
• Delete - wipe your account using "Delete account" in settings. We soft-delete immediately and hard-delete after 30 days.
• Portability - your export is a machine-readable JSON archive.
• Object or withdraw consent - opt out of any non-essential email or SMS via notification preferences. For marketing email, use the unsubscribe link in any message.
• Complaint - reach out to us first; we usually fix it. If we don't, you can escalate to the Data Protection Board of India.

9. Security

• Passwords are hashed with Argon2id. We never store them in plaintext.
• Secrets at rest are encrypted with AES-GCM.
• All transit is on TLS 1.2 or newer.
• Two-factor authentication is available; we strongly recommend it for creators.
• An audit log records every privileged action.

10. Children

FuelMyArt is not intended for users under 18, and we do not knowingly collect data from minors. If you believe we have data on a minor, email us and we'll delete it.

11. Changes

We'll update this page when material things change and notify users by email when the change affects them. The "Last updated" date at the top always reflects the most recent revision.

12. Contact

Questions, requests, or complaints: hello@fuelmyart.com.