Privacy Policy

Last updated: April 5, 2026

1. Introduction

Fantastic Online Stores PTY LTD (ABN 39 655 964 784), located at Melbourne VIC 3064, Australia ("Company", "we", "us", "our"), operates Distribit ("Service"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Service.

We are committed to protecting your privacy and handling your data transparently and responsibly.

2. Information We Collect

2.1 Account Information

When you register, we collect:

  • Email address
  • Authentication credentials (managed by Supabase Auth)
  • OAuth profile data if you sign in with Google

2.2 Product and Activity Data

When you use the Service, we collect:

  • Product names, descriptions, and URLs you create
  • Channel configurations and daily target settings
  • Action logs (type, timestamp) that you record
  • Streak and ring progress calculated from your activity
  • Timezone information for accurate day boundary calculations

2.3 Payment Information

Payment processing is handled entirely by Stripe. We do not store your credit card number, expiry date, or CVC. We store your Stripe customer ID and subscription status to manage your plan.

2.4 Usage Data

We collect anonymized usage data via PostHog, including:

  • Pages visited and features used
  • Onboarding completion and drop-off points
  • Button clicks and interaction patterns
  • Device type, browser, and screen size
  • IP address (for rate limiting and abuse prevention only)

3. Legal Bases for Processing (GDPR)

If you are in the EEA or UK, we process your data under the following legal bases:

  • Contract performance: to provide the Service, manage your account, and process subscriptions
  • Legitimate interest: to improve the Service, prevent abuse, and analyze usage patterns
  • Consent: for optional analytics and marketing communications
  • Legal obligation: to comply with applicable laws and regulations

4. How We Use Your Information

  • Provide and maintain the Service (rings, streaks, projections)
  • Process subscription payments via Stripe
  • Generate shareable streak cards with your activity data
  • Send transactional emails (welcome, streak-at-risk warnings, weekly summaries)
  • Analyze usage to improve the product experience
  • Prevent abuse and enforce our Terms of Service

5. Data Sharing

We do not sell your personal information. We share data only with the following sub-processors as necessary to operate the Service:

  • Supabase (authentication, database hosting)
  • Stripe (payment processing)
  • Vercel (application hosting)
  • PostHog (product analytics)
  • Resend (transactional email delivery)

If you generate a shareable streak card, the data in that card (streak count, ring progress, weekly consistency) is embedded in a publicly accessible image URL.

6. International Data Transfers

Your data may be processed in the United States and other countries where our sub-processors operate. For transfers from the EEA/UK, we rely on EU-US Data Privacy Framework certifications, Standard Contractual Clauses (SCCs), or adequacy decisions as applicable.

Australian customers: by using the Service, you acknowledge that your data may be processed outside Australia in accordance with the Australian Privacy Act 1988.

7. Data Retention

  • Account data is retained while your account is active
  • Action logs are retained according to your plan (Free: 7 days, Pro: 90 days, Premium: indefinite)
  • Upon account deletion, personal data is anonymized within 30 days
  • Aggregated, anonymized analytics data may be retained indefinitely

8. Your Rights (GDPR)

If you are in the EEA or UK, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Eraseyour data ("right to be forgotten")
  • Restrict processing of your data
  • Port your data to another service
  • Object to processing based on legitimate interest
  • Withdraw consent at any time

To exercise these rights, contact privacy@distribit.app. We will respond within 30 days.

9. Your Rights (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how it is used
  • Request deletion of your personal information
  • Request correction of inaccurate personal information
  • Opt out of the sale of personal information (we do not sell data)
  • Non-discrimination for exercising your rights

We will respond to verified requests within 45 days.

9A. Your Rights (Australian Privacy Act 1988)

If you are an Australian resident, you have the right to:

  • Access your personal information (APP 12)
  • Request correction of inaccurate information (APP 13)
  • Make a complaint about our handling of your information

Contact our Privacy Officer at privacy@distribit.app. We will respond within 30 days. If unsatisfied, you may escalate to the Office of the Australian Information Commissioner (OAIC).

10. Cookies

We use the following cookies:

  • Essential cookies (Supabase): required for authentication and session management
  • Analytics cookies (PostHog): used to understand how the Service is used. PostHog is configured with a reverse proxy to respect ad blockers
  • Preference cookies: theme selection (dark/light/system) stored in localStorage

We do not use advertising or tracking cookies.

11. Security

We implement the following security measures:

  • HTTPS encryption for all data in transit
  • Supabase Row Level Security (RLS) policies on all database tables
  • Application-level ownership verification on all database queries
  • Stripe webhook signature verification for all payment events
  • Input validation via Zod schemas on all user inputs
  • Parameterized database queries to prevent SQL injection

No system is 100% secure. We encourage you to use a strong, unique password for your account.

11A. Data Breach Notification

In the event of a data breach that is likely to result in serious harm, we will notify the Office of the Australian Information Commissioner (OAIC) per the Australian Privacy Act. For EEA/UK residents, we will notify the relevant supervisory authority within 72 hours as required by the GDPR.

12. Children's Privacy

The Service is not directed at children under 16. We do not knowingly collect personal information from children. If we become aware that a child under 16 has provided us with personal information, we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated with at least 30 days' notice via email or in-app notification. The "Last updated" date at the top reflects the most recent revision.

14. Contact

For questions or concerns about this Privacy Policy, contact us at privacy@distribit.app.

Fantastic Online Stores PTY LTD
ABN 39 655 964 784
Melbourne VIC 3064, Australia