Built to keep your content & data safe
FanofUs.co takes security seriously. Here's a plain-English overview of how we protect your account, your generated content, and your payment information.
Last updated: April 20, 2026
Encryption everywhere
All traffic is encrypted in transit with TLS 1.2+. Data at rest in our database and backups is encrypted with AES-256.
Authentication
Email + password sign-in with hashed credentials. Passwords are checked against the Have I Been Pwned database to block known-leaked passwords. Sessions use rotating short-lived JWTs.
Row-level data isolation
Every database table enforces row-level security (RLS) policies. Users can only ever read or modify their own content, subscriptions, and account data — enforced at the database layer, not just the application.
PCI-compliant payments
All card data is collected, tokenised, and stored by Stripe (PCI-DSS Level 1). FanofUs.co never sees, touches, or stores card numbers, CVCs, or expiry dates.
Hardened infrastructure
Hosted on Cloudflare's global edge with DDoS protection. Database functions run with a fixed search_path to prevent search_path injection. Service-role keys are never exposed to the browser.
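As an added illustration (not FanofUs.co's own code or schema) of the two database controls described under "Row-level data isolation" and "Hardened infrastructure": a Postgres/Supabase row-level security policy that ties each row to the caller's `auth.uid()`, and a database function with a pinned `search_path`. The table and function names are constructed for the example.

```sql
-- Constructed example: a table of generated content owned by a user, locked
-- down so each row is readable and writable only by its owner.
-- auth.uid() is Supabase's helper that returns the caller's user id from the
-- JWT; "authenticated" is Supabase's role for signed-in users.

create table if not exists public.generated_content (
  id          bigint generated always as identity primary key,
  user_id     uuid not null default auth.uid(),
  prompt      text not null,
  output      text,
  created_at  timestamptz not null default now()
);

-- Turn RLS on, and FORCE it so even the table owner is subject to the policies.
alter table public.generated_content enable row level security;
alter table public.generated_content force row level security;

-- One policy covering SELECT/INSERT/UPDATE/DELETE: the row's user_id must match
-- the caller. USING filters rows that can be read or modified; WITH CHECK
-- validates rows being written, so a user cannot insert a row owned by someone
-- else or re-assign one of their rows to another user.
create policy "owner_only" on public.generated_content
  for all
  to authenticated
  using (user_id = (select auth.uid()))
  with check (user_id = (select auth.uid()));

-- A helper with a pinned search_path. With a mutable search_path, a role able
-- to create objects in an earlier schema could shadow a table or function name
-- that the body references. Setting search_path to '' forces every reference
-- to be schema-qualified, so resolution cannot be redirected. This matters
-- most for SECURITY DEFINER functions; here it stays SECURITY INVOKER, so the
-- RLS policy above still applies to whoever calls it.
create or replace function public.count_my_content()
returns bigint
language sql
security invoker
set search_path = ''
as $$
  select count(*)
  from public.generated_content
  where user_id = (select auth.uid());
$$;
```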
Minimal data collection
We only collect what's needed to run your account: email, generated content, subscription status, and basic usage logs. We do not sell or rent your data — ever.
Data we collect & why
- Email & auth identifier — to sign you in and contact you about your account.
- Content inputs & outputs — the niche, goals, and prompts you submit, plus the generated plans, captions, hashtags, and titles. Stored against your user ID so only you can read them.
- Subscription state — plan tier, status, and billing period from Stripe (no card data).
- Operational logs — request timestamps, IP address, and error events for security monitoring and abuse prevention.
How AI processing works
When you generate content, your prompt is sent over an encrypted channel to our AI gateway, which forwards it to a vetted model provider (e.g. Google, OpenAI). Providers process the prompt only to return a response. We do not use your inputs or outputs to train models, and we do not sell them to third parties.
Sub-processors
We use a small set of trusted vendors to operate the platform:
- Cloudflare — application hosting, edge runtime, and DDoS protection.
- Supabase — managed Postgres database and authentication.
- Stripe — payment processing and subscription management (PCI-DSS Level 1).
- Mailgun — transactional email delivery from notify.fanofus.co.
- AI model providers — Google and OpenAI via our AI gateway, used only to fulfill your generation requests.
Account controls
- Change your email or password from your account settings at any time.
- Cancel or change your subscription from the billing portal — no email or phone gauntlet required.
- Request full account deletion from your account page; we delete your data within 30 days of confirmation.
- Unsubscribe from all marketing email with a single click from any email footer.
Incident response
If we discover a security incident affecting your data, we will notify affected users without undue delay (and within the timeframes required by GDPR, UK GDPR, and CCPA), describe the scope and impact in plain language, and explain what we are doing to fix it and what you should do.
Responsible disclosure
Found a vulnerability? Please report it privately to info@fanofus.co with steps to reproduce. We commit to acknowledging your report within 3 business days, keeping you informed as we investigate, and crediting you (with your permission) once the issue is resolved. Please do not exploit the issue or access data that isn't yours.
Contact
Security questions or concerns? info@fanofus.co
