Privacy Policy
Explains what personal data we collect, why we collect it, and how we use it.
Last updated: May 16, 2025
F2F Face2Face Technology Inc. (“Face2Face”, “we”, “us”, “our”) is committed to protecting your privacy. This policy explains how we collect, use, disclose, and safeguard your personal data when you interact with our website, platform, and services.
1. Who We Are
- Company Name: F2F Face2Face Technology Inc.
- Website: https://face2face.io
- Business Model: B2B SaaS communication platform for startups
- Regions Served: EU & North America
2. What Data We Collect (As Controller)
When you use our website or engage with us directly (e.g. via email or signup), we collect:
Purpose | Data Collected | Legal Basis | Retention |
Marketing | Name, email | Consent | Until unsubscribe |
Account signup | Name, email, hashed password, IP | Contract | Until account deletion |
Payments | Billing address, name, payment method | Legal obligation | 7 years |
Customer support | Name, email, support messages | Contract | 2 years post-resolution |
Analytics | IP address, browser/device data | Legitimate interest | 14 months |
Recruitment | Name, email, resume, LinkedIn | Consent / Legitimate interest | 6 months |
We do not collect or process any special categories of data (sensitive data) under Article 9 of the GDPR.
3. Data We Process for Customers (As Processor)
When you use our platform, we process data about your end users on your behalf, acting as a Processor under Article 28 of the GDPR. Depending on context, Face2Face acts as either a Data Controller or Data Processor.
Activity | Data Types | Retention | Legal Role |
Interaction logging | IP, session metadata, page views | 14 months (Mixpanel) | Processor |
Call handling | Audio/video streams, connection metadata | Not stored (daily.co) | Processor |
Co-browsing | DOM elements, page metadata | Temp only (Upscope) | Processor |
Call recordings | Audio/video, participants, timestamps | Customer-defined | Processor |
Authentication | Email, password, session tokens | Until deletion | Processor |
Error logs | Crash reports, request metadata | 30 days (Grafana) | Processor |
Custom Data |
Custom Data Note: End-users may submit additional personal data via embedded Face2Face components (e.g., forms, popups, session context). This includes free-form fields such as names, emails, or internal IDs. Such data is processed only under the Controller’s instruction.
Controller Access & Deletion: Customers can manually delete any visitor data from the Face2Face dashboard by navigating to a visitor record and selecting "Delete Visitor Data". This action permanently removes associated session and identity data.
4. Subprocessors
We use the following third-party services to support our product:
Vendor | Purpose | Location | Transfer Outside EEA | Safeguards |
Heroku | Hosting | USA | ✅ | SCCs |
MongoDB Atlas | DB Storage | Germany | ❌ | N/A |
Grafana | Logging | EU | ❌ | N/A |
Mixpanel | Analytics | EU | ❌ | N/A |
daily.co | Video Infra | EU/USA | ✅ (non-EU users) | SCCs |
Upscope | Co-browsing | EU/USA | ✅ (non-EU users) | SCCs |
Ipstack | Geolocation | Germany | ❌ | N/A |
5. Your Rights (GDPR)
You have the right to:
- Access your data
- Correct inaccurate data
- Request deletion
- Object to processing
- Request data portability
- Withdraw consent
To exercise your rights, email: privacy@face2face.io
We respond within 48 hours and resolve requests within 10 business days.
6. Data Transfers Outside the EEA
We may transfer data to the USA using Standard Contractual Clauses (SCCs) as approved by the European Commission. For subprocessors like Heroku, daily.co, and Upscope, SCCs are in place where required.
7. Security Measures
We use:
- TLS encryption for all data in transit
- Role-based access controls
- Subprocessor vetting for GDPR compliance
- Environment isolation for dev/prod
- Incident response plans
- Error monitoring via Grafana & Mixpanel
We're committed to improving security as we grow, including plans to pursue SOC 2/ISO certifications.
8. Data Retention
We retain data only as long as necessary for the purposes described above or as required by law.
- For Controller-side data: customers define their own retention rules.
- For visitor data: Controllers can manually delete records via the dashboard.
- Data entered via embedded widgets (e.g. name, email) is retained as part of session data, unless deleted by the customer.
9. Contact
If you have questions, concerns, or want to exercise your rights, contact:
Nick Tomic
Founder & Privacy Lead