Privacy Policy

Faivv Limited ("Faivv", "we", "us", or "our"), a company incorporated in Hong Kong, operates the Intellpost service — including the website at intellpost.ai, the browser extension, and the mobile application (collectively, the "Service").

This Privacy Policy explains how we collect, use, store, and share your personal data, and your rights under the Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong ("PDPO"). By using the Service, you acknowledge that you have read and understood this Privacy Policy.

The Service is operated from Hong Kong and is not specifically directed at users in any particular foreign jurisdiction. If you choose to access the Service from outside Hong Kong, you do so on your own initiative and are responsible for compliance with any applicable local laws.

We collect the following categories of data:

• Account data: You may create an account using an email address and password, by signing in with Google, or by signing in with Apple (on iOS). For email/password accounts, we collect your email address. Passwords are managed entirely by Google Firebase Authentication; Faivv never stores, sees, or has access to your password. For Google sign-in, Firebase provides us with your email address, Google display name, and profile photo URL; we do not receive your Google account password or any OAuth tokens. For Apple sign-in, Firebase provides us with your Apple ID email address (or a private relay email if you choose to hide your real email) and your full name if shared during the initial authorization; we do not receive your Apple account password or any OAuth tokens. Firebase Authentication also sends transactional emails on our behalf, including email verification messages and password-reset links.
• Usage data: For each draft generation or regeneration request we process operational usage signals for reliability, abuse prevention, and service improvement. Product telemetry is written as anonymized analytics events (without user ID, guest ID, request ID, or full article URL) and may include event type, client platform, tone/length settings, request duration, coarse geographic information (country and timezone only), and an error code when applicable.
• Product analytics and diagnostics: We record product analytics events to understand feature usage, reliability, and conversion flows across website and mobile. This includes event name (for example: account actions, draft generation, regeneration, sharing, and voice-input usage), client platform, coarse device/browser context, and non-sensitive event parameters such as tone and length choices. We do not use analytics data for ad personalization or advertising profiling.
• Share history data (signed-in mobile users): If you share a draft from the mobile app while signed in, we store a History item in Firestore for that share action. Each History item may include the share timestamp, the source webpage URL, your original thoughts, the tweak text used for regeneration (if any), the exact AI-generated draft you selected to share, and the share target/app when the operating system exposes that information. Repeated shares create repeated History items.
• Content data: Article URLs and article text you submit, your reaction text, and the full text of the AI-generated drafts produced for you. Draft records — including your inputs, the AI-generated output, your original thoughts for initial generation requests, and your tweak text for regeneration requests — are stored in Firestore under your user ID or guest ID. We also cache structured article analysis (article insights) in Redis with a short time-to-live to avoid redundant processing during regeneration. On mobile, when a publisher blocks server-side retrieval, the app may perform on-device content extraction from the URL you provided (for example, via in-app WebView rendering or device-side fetch and parsing) solely to complete your generation request.
• History controls: Signed-in mobile users may delete individual History items from the in-app History screen. Deleting a History item removes that entry from the user-visible History list, but does not retroactively alter separate usage, analytics, or abuse-prevention records created for the underlying generation or share request.
• Guest identity: If you use the Service without an account, we assign a randomly generated guest ID (UUID) stored on your device. This ID is used for rate limiting and session continuity and is not linked to your real-world identity.
• Rate limiting data: We store rate limit counters in Redis keyed to your user ID, guest ID, or IP address. These counters — including any IP address used as a key — reset automatically after a rolling one-hour window and are not retained beyond that window or stored long-term.
• Preferences:Your language preference is stored in your browser's local storage (website) or on-device storage (mobile app) and is not transmitted to our servers.
• Voice input (mobile app, signed-in users only): When you use the microphone button, your voice is recorded locally on your device as a short audio clip (up to 30 seconds). That audio clip is encoded and transmitted to an AI inference provider (see Section 4) solely to generate a draft social-media post. The audio is processed in real time; it is not stored by Faivv beyond what is operationally necessary to complete the request. Voice input is available to signed-in users only and is subject to the same content handling described above.

We use the data we collect to:

• provide, operate, and maintain the Service;
• authenticate your identity and manage your account;
• generate AI-assisted draft posts in response to your requests;
• enforce rate limits and prevent abuse of the Service;
• diagnose technical problems and improve service reliability;
• monitor aggregate service usage patterns and improve product quality, performance, and cost efficiency; and
• comply with our legal and regulatory obligations.

We do not use your personal data for advertising purposes and do not sell your personal data to third parties.

We share data with the following third-party service providers who act as data processors on our behalf:

• Google Firebase (Google LLC):Authentication, Firestore database, and cloud infrastructure. Your account data and content data are stored on Firebase/Google Cloud servers. Google's privacy policy applies: policies.google.com/privacy.
• AI inference providers: We use one or more third-party AI model providers to generate draft posts from your text inputs and voice recordings. Depending on the feature used, your content (article text, reaction text, or encoded audio clip) is transmitted to the relevant provider solely to fulfil your generation request; it is not used to train models or retained beyond completing the request. Current providers include OpenRouter, DeepSeek (primary), and Alibaba Cloud DashScope. We may add, replace, or remove AI providers as the Service evolves; we will update this policy to reflect any material change in the providers used. Each provider is bound by its own data processing terms.
• Railway (Railway Corp.):Hosting and infrastructure for our backend server and Redis database. Server-side request data (including IP addresses) is processed on Railway's infrastructure.

The specific providers and platform integrations we use may change over time. We will update this policy if a material change affects how your personal data is processed.

We do not share your personal data with any other third parties except as required by applicable law or a lawful court order.

Our service providers operate outside Hong Kong, including in the United States, mainland China, Singapore, and other jurisdictions. AI inference providers in particular may process your content on infrastructure located outside Hong Kong. By using the Service, you consent to your personal data being transferred to and processed in these jurisdictions, which may have different data protection laws than Hong Kong. We take reasonable contractual and technical steps to ensure that our service providers maintain appropriate safeguards for your data.

We retain your account data and associated content data for as long as your account remains active. Guest draft records are configured to auto-delete after 30 days via Firestore TTL. User draft records are retained until you request account deletion; after you request deletion we retain your data for a fixed 30-day retention window to allow for operational processing. Following that 30-day period, all user data associated with your account (Firestore documents, subcollections, and files in Cloud Storage) will be permanently deleted automatically. During this 30-day retention window the account will not be reinstated — deletion is final after the retention period.

You may request deletion of your account and all associated personal data at any time through theAccount page, through the mobile app (Settings → Delete account), or by contacting us at contact@intellpost.ai. The deletion process is automatic: a scheduled server job runs daily and permanently removes user data once the 30-day retention period has elapsed. You do not need to take further action for the deletion to complete.

Under the Personal Data (Privacy) Ordinance (Cap. 486), you have the right to:

• Access: request a copy of the personal data we hold about you; and
• Correction: request that we correct any inaccurate personal data we hold about you.

To exercise these rights, submit a written request to contact@intellpost.ai. We will respond within the timeframes required by the PDPO. We may charge a reasonable fee for data access requests as permitted by the PDPO.

We implement reasonable technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These measures include TLS encryption for data in transit, Firebase security rules for data at rest, and access controls on our backend systems. However, no internet-based service can guarantee absolute security, and we cannot warrant that unauthorised access will never occur.

The Service is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have inadvertently collected personal data from a child under 13 without verifiable parental consent, we will take prompt steps to delete that data.

We do not use advertising or analytics cookies. The Service uses only essential client-side storage and strictly necessary security mechanisms as described below. No non-essential cookies or third-party tracking scripts are loaded on any page of the Service.

Website: We store your language preference in browser localStorage. Firebase Authentication persists your sign-in session using browser-managed storage (IndexedDB and/or local storage, depending on your browser); this keeps you signed in between visits unless you sign out or clear site data.

Firebase App Check (reCAPTCHA Enterprise): The website uses Firebase App Check, powered by Google reCAPTCHA Enterprise, as a strictly necessary security control. Its sole purpose is to verify that requests to our backend originate from genuine users of our app and to protect the Service against automated abuse, bots, and API misuse. To perform this verification, reCAPTCHA Enterprise may read and set browser-managed state (including cookies or similar identifiers) on the intellpost.aidomain. This data is used exclusively for fraud prevention and service integrity — it is not used for advertising, ad personalization, analytics, or cross-site tracking. Because this control is strictly necessary for the security of the Service, it does not require your prior consent. For more information see Google's Privacy Policy.

Browser extension: We use chrome.storage.local (survives browser restarts) to store your guest identity UUID. We use chrome.storage.session (wiped when the browser closes; falls back to chrome.storage.local on browsers that do not support session storage) to store: your Firebase Authentication session tokens, the composer state for each tab you have open (article URL, reaction text in progress, and any generated draft), and a cached rate-limit status (the rate-limit reset timestamp). None of this session data is transmitted to our servers; it exists solely to restore your in-progress work when you reopen the extension popup.

Mobile application: We use on-device storage (AsyncStorage) for: your language preference, your guest identity UUID, Firebase Authentication session tokens (so you stay signed in between app launches), and your last-used tone and post-length preferences. Draft content and article URLs are not persisted on-device between app launches.

We do not use website or mobile analytics SDKs for advertising, ad personalization, or cross-app ad tracking.

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Updated versions will be posted at intellpost.ai/privacy with a revised effective date. Your continued use of the Service after any changes constitutes acceptance of the updated Privacy Policy.

If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us at: contact@intellpost.ai

If you are not satisfied with our response, you may lodge a complaint with the Office of the Privacy Commissioner for Personal Data (Hong Kong) at www.pcpd.org.hk.