Privacy Policy — RightsDesk
> Draft v1 — Phoenix (Fondera legal), 2026-06-12. Internal draft — Charlie approves before it goes live at rights.fondera.ai/privacy. Web-page copy for Angel to wire into the `/privacy` route.
Last updated: [DATE ON PUBLICATION]
RightsDesk is a rights-management platform operated by Fondera ([legal entity / Charlie Somerville, auto-entrepreneur, Hermonville, France]) ("we", "us"). This policy explains how we handle personal data when you use RightsDesk at rights.fondera.ai.
We act in two different roles depending on the data:
- As controller — for the data we need to run RightsDesk as a business: your account and login details, and how you use the Service.
- As processor — for the rights, contract, contact and royalty records you and your agency put into RightsDesk. For that content, your agency is the controller and we process it only on your agency's instructions. How we handle it is governed by our Data Processing Agreement, not this policy. If you are an author, publisher contact or co-agent whose details appear in an agency's RightsDesk account, please contact that agency to exercise your rights.
1. Data we collect as controller
| Category | Examples | Why |
|---|---|---|
| Account data | Name, work email, hashed password, tenant/agency, role | To create and secure your account |
| Authentication & security logs | Login times, IP address, failed-login and password-reset events | Security, fraud/abuse prevention, audit |
| Usage data | Pages used, features used, technical/device data | To operate, secure and improve the Service |
| Communications | Support messages you send us | To respond and keep records |
We do not use third-party advertising or tracking cookies. We use only strictly necessary cookies (secure, httpOnly session cookies and CSRF tokens) to keep you logged in and the Service secure.
2. Lawful bases (UK/EU GDPR Art. 6)
- Contract (Art. 6(1)(b)) — to provide RightsDesk to you and your agency.
- Legitimate interests (Art. 6(1)(f)) — to secure the Service, prevent abuse, keep audit logs, and improve the product. You may object (section 6).
- Legal obligation (Art. 6(1)(c)) — where we must retain or disclose data by law.
3. How we use your data
To provide, secure, maintain and improve RightsDesk; to authenticate you and protect accounts; to communicate about the Service; and to comply with legal obligations. We do not sell personal data and do not use your account data for advertising.
4. Sub-processors and sharing
We share account data only with service providers acting on our behalf, under contract: Hetzner (hosting, Germany/EEA), Anthropic (AI features, where used), and Xero (invoicing, where connected). We may disclose data where required by law. We do not otherwise share your data.
5. Where your data is held
RightsDesk is hosted in the European Economic Area (Germany). If you are in the UK, the transfer of your data to the EEA relies on the UK's adequacy regulations for the EEA. We will not transfer your data outside the UK/EEA without an appropriate safeguard.
6. Your rights
Under UK/EU GDPR you have the right to access, rectify, erase, restrict, port and object to processing of your personal data, and not to be subject to solely automated decisions with legal/significant effect. To exercise these rights for your account data, contact us (section 9). For content data held in your agency's account, contact your agency (the controller). You also have the right to complain to a supervisory authority — in the UK the Information Commissioner's Office (ICO); in France the CNIL.
7. Retention
We keep account data for as long as your account is active and for a reasonable period afterwards to meet legal, security and accounting obligations, then delete or anonymise it. Authentication/security logs are kept for a limited period for security purposes. Content data is retained and deleted per the Data Processing Agreement and your agency's instructions.
8. Security
We protect your data with measures including argon2id password hashing, encryption in transit (HTTPS/TLS), per-tenant isolation, role-based access control, rate-limiting, audit logging, and EEA hosting. See the Data Processing Agreement, Annex 2, for detail.
9. Contact
Questions or rights requests: [privacy contact email]. Controller: [legal entity / Charlie Somerville, Hermonville, France].
10. Changes
We will update this policy as the Service evolves and will post the new version here with a revised "Last updated" date.
---
> Open items for Phoenix before publication: confirm (1) the legal-entity name + a dedicated privacy contact address; (2) final cookie list once the app is built; (3) Anthropic processing terms for section 4; (4) whether any analytics are added (none assumed here — keep it that way to stay strictly-necessary-cookies-only and avoid a cookie-consent banner requirement).
