FAROContact

Legal

Privacy Policy

Effective: 2026-06-01Last updated: 2026-05-18

This Privacy Policy describes how Mažoji bendrija FARO applications (“FARO Applications”, “we”, “us”, “our”) collects, uses, and shares personal data when you use our products — currently Hunter Reborn (iOS and Android) and Storyforge (web). It applies to this website (faroapplications.com) and any FARO Applications service that links to this policy.

We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Lithuanian Law on Legal Protection of Personal Data.

1. Who we are

The data controller is Mažoji bendrija FARO applications, a Lithuanian mažoji bendrija registered under code 307725118, with its registered office at J. Savickio g. 4-7, LT-01108 Vilnius, Lithuania. For privacy-related questions, contact privacy@faroapplications.com.

2. What data we collect

2.1 Common to all products

  • Account data: email address and an encrypted password (handled by Supabase Auth). Optional display name.
  • Technical data: IP address, device type, OS version, app version, language, and timestamps of requests. Used for security, rate-limiting, and debugging.
  • Support correspondence: if you contact us by email (support@, privacy@, legal@), the message itself and your email address. Retained for the duration of the support thread plus 24 months, then deleted unless we are required to keep it longer for a legal claim.

2.2 Marketing-site signup form

On this website you can submit your email address to be notified when Hunter Reborn or Storyforge open early access. When you do:

  • The email address and the product label (e.g. “Hunter Reborn”) are sent to our /api/subscribe endpoint.
  • We forward this submission to our internal team mailbox via Resend (see §6) so we can contact you when invites open.
  • We retain the submission for up to 18 months, or until you ask us to unsubscribe — whichever is sooner. Unsubscribe requests reach us at privacy@faroapplications.com.

2.3 Hunter Reborn

  • Workout data: exercises logged, sets, reps, weights, rest times, GPS-tracked runs, and derived metrics such as estimated 1RM and pillar scores.
  • Health data (optional):sleep duration, steps, resting heart rate, and heart rate variability, accessed via Apple HealthKit (iOS) or Health Connect (Android). This data is read only with your explicit permission. You may revoke access at any time via your device's health settings. Raw HealthKit / Health Connect records remain on your device — only the aggregated values needed to compute your HLT pillar score are synchronized to our servers.
  • Bodyweight: if you log it, stored as part of your profile to calibrate strength-relative scores.

For Apple App Privacy / App Store Connect nutrition-label purposes, Hunter Reborn collects: Contact Info (email), Health & Fitness, User Content (workout logs), Identifiers (user ID), Usage Data, and Diagnostics. None of this is linked to advertising or shared with third parties for marketing.

2.4 Storyforge

  • Prompt content: the text you submit to generate storyboards, carousels, characters, and highlight reels. Stored so you can revisit past projects.
  • Uploaded media: video clips, episodes, or series you upload for indexing, scene extraction, and highlight-reel generation. Stored in our Supabase Storage bucket (EU region) scoped to your user ID. Deleted on request or when you delete the source project.
  • Derived index data: scene boundaries, character recognitions, transcript fragments, and ranking metadata computed from your uploads to enable search and top-N reel generation.
  • Generated assets: images, captions, storyboards, and rendered MP4 clips produced by the AI pipeline. Stored in our Supabase Storage bucket, scoped to your user ID.
  • Usage events: generation start, completion, and failure events for capacity planning and abuse detection.

For App Store / TikTok privacy-disclosure purposes, Storyforge collects: Contact Info (email), User Content (prompts, uploaded media, generated assets), Identifiers (user ID), Usage Data, and Diagnostics. Generated outputs are processed by Google Vertex AI as described in §6.

3. Legal bases for processing (GDPR Art. 6)

  • Contract performance (Art. 6(1)(b)): to provide the core functionality of the products you sign up for (login, sync, generation, export).
  • Consent (Art. 6(1)(a)): for optional features such as Apple HealthKit / Health Connect access, and for the marketing-site signup form where you ask us to email you when early access opens. You may withdraw consent at any time.
  • Legitimate interest (Art. 6(1)(f)): security, fraud/abuse prevention, service-quality monitoring, debugging, and protecting our network and users. We balance these interests against your rights and freedoms before relying on this basis.
  • Legal obligation (Art. 6(1)(c)): when retention or disclosure is mandated by Lithuanian or EU law (e.g. accounting, lawful requests from authorities).

4. How we use your data

  • To provide, maintain, and improve our products.
  • To compute your Hunter Rank, pillar scores, and class.
  • To generate AI content in Storyforge using prompts and media you supply (see §6 for sub-processors).
  • To respond to your support requests.
  • To contact you about early access, but only if you submitted the marketing-site signup form. We do not add submitters to other marketing lists.
  • To detect, prevent, and address abuse, fraud, and security.
  • To comply with applicable law.

We do not sell personal data, run third-party advertising, or share your data with data brokers.

5. Where data is stored and international transfers

User account data, workout logs, and Storyforge prompts, uploads, and generated assets are stored in the European Union via Supabase (Frankfurt, DE). Health data ingested from Apple HealthKit or Health Connect is processed on your device and only synchronized to our servers in the aggregated form required to compute your HLT pillar score. Hunter Reborn does not export raw HealthKit / Health Connect records to our servers.

Some sub-processors listed in §6 are headquartered in the United States (Vercel, Resend, Cloudflare, and the Supabase / Google Cloud parent entities). Where processing involves a transfer outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) and, where the recipient is certified, the EU–US Data Privacy Framework. Copies of the relevant safeguards are available on request from privacy@faroapplications.com.

6. Sub-processors

We engage the following sub-processors to deliver our services. Each operates under a written data-processing agreement (DPA) and provides appropriate technical and organisational measures under Art. 28 GDPR. Transfers outside the European Economic Area, where they occur, rely on the European Commission's Standard Contractual Clauses (SCCs) and/or the EU–US Data Privacy Framework where applicable.

  • Supabase Inc. (US, hosting in EU / Frankfurt) — authentication, Postgres database, and object storage for both products. Primary store of personal data.
  • Google Cloud / Vertex AI (EU region requested) — Storyforge text generation, image generation, and series indexing. Prompts, uploaded media excerpts, and derived index data are sent to Vertex AI for inference. Google does not use this data to train its foundation models when processed through Vertex AI under the enterprise terms we accept on signup.
  • Vercel Inc. (US, EU edge) — hosting for this marketing site and our Next.js API routes (including /api/subscribe, which receives the early-access signup form). Vercel processes standard request logs and the data submitted through the form.
  • Resend(US, with EU send infrastructure) — transactional email service. We use Resend to forward early-access signups submitted through this website to our internal team mailbox. Resend processes only the visitor's email address, the product label, and the submission timestamp. It is not used to send marketing emails to users.
  • Cloudflare, Inc. (US, anycast network) — DNS for faroapplications.com and Email Routing for our company addresses (e.g. support@faroapplications.com). Cloudflare processes message headers and routing metadata; bodies are forwarded to our team mailbox.

This list is current as of the “Last updated” date above. We will announce material changes at least 14 days before they take effect. To request a copy of the relevant DPAs or to object to a new sub-processor, email privacy@faroapplications.com.

7. Retention

  • Account data: retained for as long as your account is active. After account deletion we apply a 30-day soft-delete window during which the account can be restored, then we permanently erase the record from primary storage.
  • Workout and rank data (Hunter Reborn): retained for the life of the account. You can export it via Settings → Export, or delete individual entries from inside the app. Deletion is permanent after the soft-delete window above.
  • Storyforge prompts, generated assets, and projects: retained until you delete the project, or until account deletion — whichever occurs first.
  • Storyforge uploaded media: retained for the life of the project that owns it. When you delete a project, the source files are removed from object storage within 7 days. The derived index data is removed in the same operation.
  • Marketing-site signup submissions: retained for up to 18 months, or until you ask to be removed.
  • Support correspondence: retained for the duration of the thread plus 24 months.
  • Request and security logs: retained for up to 90 days for security, abuse-investigation, and debugging purposes.
  • Database backups: retained on a rolling 30-day basis. Deleted records are removed from active backups as those backups age out.

Where Lithuanian or EU law requires us to keep specific data longer (e.g. tax records), we retain only the minimum needed to meet that obligation and protect it accordingly.

8. Your rights (GDPR Chapter III)

You have the right to:

  • Access the personal data we hold about you (Art. 15).
  • Request correction of inaccurate data (Art. 16).
  • Request deletion (Art. 17).
  • Restrict or object to processing (Arts. 18, 21).
  • Receive your data in a portable, structured format (Art. 20).
  • Withdraw consent at any time, where consent is the legal basis.
  • Lodge a complaint with the Lithuanian State Data Protection Inspectorate (VDAI) — see vdai.lrv.lt.

To exercise these rights, email privacy@faroapplications.com. We respond within 30 days at no cost (extendable by two months for complex requests).

9. Security

We use industry-standard encryption in transit (TLS 1.2+) and at rest (Supabase managed AES-256). Passwords are never stored in plaintext. Access to production systems is limited to authorized personnel and logged. If we discover a personal-data breach affecting your rights, we'll notify you and the VDAI within 72 hours where required by Art. 33–34 GDPR.

10. Children

Our products are not intended for children under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will delete it.

11. Changes to this policy

We may update this policy from time to time. Material changes will be announced via in-app notice or email at least 14 days before they take effect. The “Last updated” date at the top of this page always reflects the current version.

12. Contact

Privacy questions: privacy@faroapplications.com
General support: support@faroapplications.com
Postal: Mažoji bendrija FARO applications, J. Savickio g. 4-7, LT-01108 Vilnius, Lithuania

See also our Terms of Service, Cookie Policy, and Data Protection notice.