Privacy Policy

Fusey B.V. - Last updated: May 2026
This Privacy Policy explains how Fusey B.V. ("Fusey", "we", "us", "our"), a private limited company registered in the Netherlands, collects, uses, stores, and protects your personal data when you use the Fusey platform ("Platform").
We process personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Dutch Uitvoeringswet Algemene verordening gegevensbescherming (UAVG).

1. Data Controller

Fusey B.V. is the data controller responsible for your personal data.
Registered address: Tesselschadestraat 39, 2026SM, Haarlem, the Netherlands
Email: fuseybusiness@gmail.com
This is our registered business address. We do not accept visits or postal correspondence at this location. For all enquiries, please contact us via the Platform or by email.

2. Personal Data We Collect

2.1 Account Data (provided by you or your OAuth provider)

  • Username and display name
  • Email address
  • Profile picture (avatar) and banner image
  • Bio and description
  • Preferred language and timezone

2.2 Authentication Data

You may sign in via Google, Discord and X/Twitter, or by registering with email and password. You may optionally enable two-factor authentication (2FA) for additional account security.
OAuth providers (Google, Discord and X/Twitter): when you authenticate, we receive:
  • Provider account identifier
  • Provider profile information (name, avatar)
  • OAuth tokens (stored encrypted at rest, used solely to maintain your session)
We do not receive or store your password from any OAuth provider.
Email and password (classic sign-in): your password is never stored in plaintext and never recoverable. We store only a one-way Argon2id hash (memory-hard, OWASP-recommended) with a unique random salt per account.
Two-factor authentication (optional): if you enable 2FA, we store:
  • The TOTP secret used to generate authentication codes, encrypted at rest with AES-256-GCM
  • A small set of one-time recovery codes, stored as Argon2id hashes (one-way, single-use, never recoverable in plaintext)

2.3 Social Media Data (Creators only)

When Creators connect social media accounts for verification, we collect:
  • Platform type (Discord, YouTube and X/Twitter)
  • Account identifier and display information
  • Public metrics (subscriber/follower/member counts, view counts)
This data is synced periodically to display accurate analytics on Creator profiles.

2.4 Transaction Data

  • Order details (packages purchased, prices, timestamps)
  • Delivery content links and notes
  • Community instructions provided by Sponsors
  • Dispute information (reason, resolution)
  • Payout and withdrawal history

2.5 Communication Data

  • Messages exchanged between users on the Platform
  • File attachments (max 5 files per message/order, max 5 MB each)

2.6 Technical Data

  • Browser type and version (from HTTP headers)
  • IP address (server logs, not stored long-term)
  • Session metadata recorded on sign-in: browser name and operating system name (parsed from your User-Agent header), and a last-used timestamp. You can review and revoke active sessions at any time from Settings > Account > Sessions.

2.7 Analytics Data

We use Plausible Analytics, a privacy-friendly analytics tool, self-hosted on our own infrastructure. Plausible does not use cookies, does not collect personal data, and does not track users across sites or sessions. The data collected is aggregated and anonymised:
  • Page visited and referrer source
  • Browser type and operating system
  • Country (derived from IP address; IP is not stored)
We do not use tracking pixels, advertising cookies, or fingerprinting.

3. Legal Basis for Processing

Purpose | Legal Basis (GDPR Art. 6)
Account creation and authentication | Performance of contract (Art. 6(1)(b))
Payment processing and escrow | Performance of contract (Art. 6(1)(b))
Dispute resolution | Performance of contract (Art. 6(1)(b))
Email notifications about orders | Performance of contract (Art. 6(1)(b))
Social media metrics display | Consent (Art. 6(1)(a)) - you choose to connect accounts
Platform security and fraud prevention | Legitimate interest (Art. 6(1)(f))
Aggregated analytics (Plausible) | Legitimate interest (Art. 6(1)(f)), no personal data
Legal compliance (tax, financial regulations) | Legal obligation (Art. 6(1)(c))

4. How We Use Your Data

We use your personal data to:
  • Create and manage your account.
  • Process transactions between Creators and Sponsors.
  • Hold funds in escrow and process payouts via Stripe.
  • Facilitate communication between users.
  • Display Creator profiles with connected social media metrics.
  • Send order-related email notifications.
  • Resolve disputes between users.
  • Detect and prevent fraud or abuse.
  • Measure aggregated, anonymised platform usage via Plausible Analytics (no personal data involved).
  • Comply with legal obligations.
We do not sell, rent, or share your personal data with third parties for marketing purposes.

5. Third-Party Processors

We share personal data with the following processors, each bound by Data Processing Agreements:
Processor | Purpose | Data Shared | Location
Stripe | Payment processing, payouts, identity verification | Name, email, financial data | EU/US (EU SCCs)
Google / Discord / X/Twitter | Authentication | OAuth tokens, profile data | US (EU SCCs)
Discord / YouTube / X/Twitter | Creator social media sync (analytics, metrics) | OAuth tokens, public metrics | US (EU SCCs)
Transactional emails are sent from our own mail server. No third-party email processor is used.
All processors are required to protect your data in accordance with GDPR standards. Where data is transferred outside the EU/EEA, appropriate safeguards (Standard Contractual Clauses) are in place.

6. Cookies

We use only strictly necessary and functional cookies. We do not use tracking cookies, analytics cookies, or advertising cookies.
Cookie Name | Purpose | Type | Duration
authToken | Keeps you signed in to your account. Contains an encrypted authentication token. | Strictly necessary | 1 year
I18N_LOCALE | Remembers your preferred language. | Functional | 1 year
TIMEZONE | Remembers your preferred timezone. | Functional | 1 year
oauth_state | Protects against cross-site request forgery (CSRF) during the sign-in process. | Strictly necessary | 10 minutes
Under the Dutch Telecommunicatiewet (Art. 11.7a) and the EU ePrivacy Directive (Art. 5(3)), consent is only required for cookies that are not strictly necessary for the service requested by the user. All cookies on Fusey are either strictly necessary (authentication, security) or functional (language preference). Therefore, no cookie consent banner is required.

7. Data Retention

Data Type | Retention Period
Account data | Marked inactive on deletion, anonymized after 3 years
Transaction data | Preserved indefinitely (Dutch fiscal retention obligation, Algemene wet inzake rijksbelastingen Art. 52)
Messages | Deleted 3 years after self-deletion (cascade during anonymization). Retained indefinitely for admin-banned accounts.
File uploads | Deleted when associated order or account data is removed
Authentication credentials | Password hash, OAuth tokens, 2FA secret, and recovery codes are deleted immediately on account deletion
Social media OAuth tokens | Deleted 3 years after account deletion (during anonymization)
Sessions | Deleted immediately on account deletion or admin ban, on password reset, and on 2FA disable. Idle sessions are also automatically cleaned up after 1 month of inactivity
Server logs (IP, user agent) | Dependent on infrastructure, not stored long-term
When you delete your account, your email is cleared and the account is marked inactive. After 3 years, all remaining personal data (display name, avatar, bio, social media connections, conversations, and messages) is permanently anonymized or deleted. Transaction records are preserved for legal and financial compliance.
If your account has been disabled by Fusey administration (e.g., due to a ban for Terms of Service violations), your account data is retained indefinitely and is not subject to the anonymization schedule above. This is necessary to enforce bans and prevent re-registration using the same credentials (GDPR Art. 17(3)(b), processing necessary for the establishment, exercise, or defence of legal claims).

8. Your Rights Under GDPR

You have the following rights regarding your personal data:
  • Right of access (Art. 15) - Request a copy of your data. Available via Settings > Privacy & Data > Export My Data.
  • Right to rectification (Art. 16) - Update your profile information at any time.
  • Right to erasure (Art. 17) - Delete your account via Settings > Privacy & Data > Delete My Account. Subject to legal retention obligations. Account deletion may be temporarily restricted if you have active or in-progress orders, or if you are a Creator with an outstanding balance to withdraw. Resolve these before requesting deletion.
  • Right to restriction (Art. 18) - Request that we limit processing of your data.
  • Right to data portability (Art. 20) - Export your data in a machine-readable format via the Export function.
  • Right to object (Art. 21) - Object to processing based on legitimate interest.
  • Right to withdraw consent (Art. 7(3)) - Withdraw consent for social media connections at any time by disconnecting the account.
To exercise any right not available through the Platform interface, contact us at fuseybusiness@gmail.com.
We will respond within 30 days as required by GDPR Art. 12(3).

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:
  • Encrypted data transmission (HTTPS/TLS) for all communication between your device and the Platform.
  • Argon2id password hashing — a memory-hard, OWASP-recommended algorithm. Your password is salted and hashed; we never store or transmit it in plaintext, and it cannot be recovered from our database.
  • AES-256-GCM encryption at rest for OAuth tokens (authentication and social media providers) and two-factor authentication (TOTP) secrets. The encryption keys are managed separately from the database.
  • Argon2id hashing of two-factor authentication recovery codes. Recovery codes are one-way hashed, single-use, and cannot be recovered in plaintext.
  • JWT-based authentication stored in secure, HttpOnly cookies to prevent client-side script access.
  • PKCE (Proof Key for Code Exchange, S256) on all OAuth2 authorization code flows to mitigate authorization code interception.
  • CSRF protection via cryptographic state cookies and the SameSite=lax cookie attribute.
  • Rate limiting on sensitive authentication endpoints (sign-in, sign-up, password reset, 2FA verification) to mitigate brute-force and abuse.
  • Session invalidation on password reset, 2FA disable, and admin ban — active sessions are revoked so leaked credentials cannot be reused.
  • Access controls and role-based permissions to limit who can access administrative functions.
  • Regular security assessments.

10. Children's Data

Fusey is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has created an account, contact us and we will delete the account.

11. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on you. Automated order actions (e.g., auto-decline after 72 hours) are contractual processes, not profiling.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or Platform notification. The "Last updated" date at the top reflects the most recent revision.

13. Supervisory Authority

If you believe we are processing your data unlawfully, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):
Autoriteit Persoonsgegevens
PO Box 93374, 2509 AJ The Hague

14. Contact

Fusey B.V.
Registered address: Tesselschadestraat 39, 2026SM, Haarlem, the Netherlands
Email: fuseybusiness@gmail.com
This is our registered business address. We do not accept visits or postal correspondence at this location. For all enquiries, please contact us via the Platform or by email.