Privacy Policy
Privacy Policy for metaFox.online
Effective date: 25.04.2026
Your privacy matters to us. This Privacy Policy explains in clear and simple terms how we process your personal data when you use our web app.
Who is responsible?
metaFox GmbH
Carl-Spitzweg-Str. 61, 90768 Fürth, Germany
Register: Amtsgericht Fürth, HRB 19366
Managing Directors: Maximilian Friedle, Tobias Weghorn
Why do we process your data?
We use your data to provide the following services:
- Provision and operation of our web app
This includes standard features such as account management and features for successful online coaching as presented on our website: https://metaFox.online
- Sending transactional emails
We send important emails such as confirmations, password resets, and notifications about your account activity.
- Billing and subscriptions (where applicable)
We process the data needed to offer paid plans, manage subscriptions, and handle payments.
- Usage analytics
We track general usage patterns to improve usability, detect technical issues, and ensure smooth operations. Optional product analytics are provided through PostHog as described below and only run when you consent.
Cookies and consent
We use essential cookies and similar technologies to keep you signed in and remember your language preference. Optional product analytics (PostHog) and the browser-side Meta Pixel on our marketing pages are only activated after you accept in the cookie banner or enable analytics in your account privacy settings. The server-side Meta Conversions API runs on our servers — independent of any cookie — for the two specific conversion events described below (sign-up and paid subscription activation), on the legal basis of our legitimate interest. Vercel Web Analytics and Vercel Speed Insights are cookie-less and do not require consent. Sentry error monitoring runs without cookies on the basis of our legitimate interest, with text, input fields, and media masked by default (see "Sentry" below).
Tools and services we use
- Supabase
We use Supabase for secure processing and storage of all user and usage data.
Provider: Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992
Website: https://www.supabase.com
Privacy Policy: https://www.supabase.com/privacy
Note: Our Supabase project uses the eu-central-1 region (AWS Europe, Frankfurt, Germany), so your data is processed and stored within the EU.
- SendPulse
We use SendPulse to send system-generated emails (for example account confirmations and password resets) when our mail provider is configured for production.
Provider: SendPulse Inc., 101 Spear Street, 1st Floor, San Francisco, CA 94105, USA
Website: https://sendpulse.com
Privacy Policy: https://sendpulse.com/privacy-policy
Note: EU Standard Contractual Clauses apply to ensure GDPR-compliant data transfers.
- Stripe (payments)
When you purchase or manage a paid subscription, payment data is processed by Stripe (Stripe, Inc., USA). We do not store full payment card numbers on our own servers; card data is handled by Stripe.
Privacy: https://stripe.com/privacy
Note: Transfers to Stripe in the USA and related safeguards are described in Stripe’s privacy policy and data processing terms (including EU Standard Contractual Clauses where applicable).
- PostHog
We use PostHog for product analytics: we process information such as in-app events (for example which screens or flows you use), approximate usage context, and technical data like browser and device type, so we can improve the product, debug issues, and understand usage.
Provider: PostHog Inc.
Website: https://posthog.com
Privacy policy: https://posthog.com/privacy
Processor terms and DPA information: https://posthog.com/dpa · https://posthog.com/terms
Legal basis: This processing is optional and only takes place if you accept analytics cookies in our cookie banner or turn analytics on in your account privacy settings (Art. 6(1)(a) GDPR – consent). You may withdraw consent at any time with effect for the future (for example via the same settings or cookie controls).
Region / hosting: Event data is sent to PostHog Cloud EU only, via the EU ingestion endpoint (https://eu.i.posthog.com).
Retention: Retention and further details follow our PostHog project settings and PostHog’s documentation.
- Vercel (hosting, performance, and web analytics)
We host and operate the web app on Vercel. Vercel processes technical data needed to deliver the application (for example HTTP requests and related metadata).
Provider: Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA
Website: https://vercel.com
Privacy Policy: https://vercel.com/legal/privacy-policy
We also use Vercel Speed Insights for anonymous Web Vitals (page load performance, device types, approximate geographic region) and Vercel Web Analytics for aggregated, cookie-less page-view counts and route popularity. Both products are designed to operate without persistent identifiers and do not track individual users across sessions: visitor counts are derived from anonymized, salted hashes of request metadata that are rotated daily. Collection is limited to aggregated traffic and performance metrics. Data transfers are governed by EU Standard Contractual Clauses where applicable.
- Sentry (error monitoring and session replay)
We use Sentry for error monitoring and a masked session replay so we can detect, reproduce, and fix bugs and performance regressions. Sentry processes technical data such as error stack traces, HTTP request and response metadata, browser and device information, and a session replay of the page view in which an error occurred.
Provider: Functional Software, Inc. d/b/a Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA
Website: https://sentry.io
Privacy Policy: https://sentry.io/privacy/
DPA: https://sentry.io/legal/dpa/
What is masked. Session replays are configured with maskAllText, maskAllInputs, and blockAllMedia enabled — replays therefore record DOM structure and interactions but not the actual text you type, the contents of input fields, or images and other media. We further filter Sentry events on both the client and the server through a redactor (apps/web/lib/sentry-redact.ts, registered as beforeSend in the client, server, and edge SDKs) that strips share tokens from URLs and authorization headers before transmission.
Sampling. We only record a session replay for the page view in which an error occurs (sampled at 100%). We do not sample regular, error-free sessions for replay (replaysSessionSampleRate: 0). Performance traces are sampled at 10%.
Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in operating a stable, secure, and bug-free service, balanced against the masking and sampling described above. You may object at any time (see "Your rights under the GDPR").
Region / hosting: Data is sent to Sentry's processing infrastructure (US). Transfers are governed by EU Standard Contractual Clauses as set out in Sentry's DPA.
- Meta Pixel and Meta Conversions API
We use Meta technologies in two distinct ways with two distinct legal bases — please read both:
(a) Browser-side Meta Pixel — on our public marketing pages, consent-based. On our public marketing pages we load the Meta Pixel to measure the effectiveness of our advertising on Meta platforms (Facebook, Instagram). The Pixel covers the conversion events page view, sign-up started, sign-up completed, first session created, and marketing CTA clicked, together with technical data (browser, device, IP address, page URL) and the cookie-based identifiers Meta sets to match users across sessions (e.g. the _fbp cookie).
Legal basis: Art. 6(1)(a) GDPR — consent. The browser-side Pixel only fires after you accept marketing/analytics cookies in our cookie banner; you can withdraw consent at any time via the cookie banner or your account privacy settings, and withdrawal stops further browser-side processing for the future.
(b) Server-side Meta Conversions API — on sign-up and on paid-subscription activation, legitimate interest. Independently of the browser-side Pixel, when you complete a sign-up or activate a paid subscription, our server transmits a small server-side conversion event to the Meta Conversions API so that ad-attribution measurement remains accurate even when the browser-side Pixel is blocked (by an ad blocker, by browser tracking protection, or because you have not given consent for browser-side tracking). The events sent are CompleteRegistration (on sign-up, from packages/auth/auth.ts) and Purchase (on Stripe-confirmed paid subscription activation, from packages/payments/provider/stripe/index.ts). The data we transmit is limited to the SHA-256 hash of your email address (used by Meta for matching, never the plaintext email), the request IP address, the request user-agent, and a randomly generated event ID.
Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in measuring the effectiveness of our advertising for sign-ups and paid conversions. We have weighed this interest against your interests, taking into account that we transmit only hashed identifiers (Meta cannot reverse a SHA-256 hash to your plaintext email), that the events are limited to two pre-defined milestones rather than continuous tracking, and that you can object to this processing at any time (see "Your rights under the GDPR" — write to the contact below).
Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland (joint controller with us for the events transmitted under (a) and (b); independent controller for further processing on the Meta platforms)
Website: https://www.facebook.com
Privacy Policy: https://www.facebook.com/privacy/policy/
Joint-controller addendum: https://www.facebook.com/legal/controller_addendum
Region / hosting: Data is transferred to Meta in the USA; transfers are governed by EU Standard Contractual Clauses and Meta's supplementary measures.
Legal basis for processing
- Article 6(1)(b) GDPR – to provide services and manage your account
- Article 6(1)(f) GDPR – based on our legitimate interests in improving and securing the app, including error monitoring (Sentry, with masking enabled), anonymous performance and traffic measurement (Vercel Speed Insights and Vercel Web Analytics), and server-side ad-attribution measurement for sign-ups and paid conversions via the Meta Conversions API (hashed identifiers only, two pre-defined events only)
- Article 6(1)(a) GDPR – where you provide consent, e.g., for optional product analytics (PostHog) and the browser-side Meta Pixel on our marketing pages via the cookie banner or account privacy settings
How long do we store your data?
We store your personal data only as long as necessary for the purposes described or as required by law.
You can delete your account at any time, which also removes your personal data from our servers unless we are legally obligated to retain it.
Your rights under the GDPR
- Request access to your stored data
- Have incorrect or outdated data rectified
- Request deletion or restriction of your data
- Object to the processing of your data
- Withdraw consent (effective for the future)
- Receive your data in a portable format
- Lodge a complaint with a data protection authority
Questions about privacy?
Email: tobias@metafox.eu