← Home

Privacy Policy

Last updated: May 19, 2026

This Privacy Policy explains how FreeFTE ("FreeFTE", "we", "us") collects, uses and shares personal data when you use the service at freefte.com. It is designed to comply with the EU General Data Protection Regulation (GDPR), the ePrivacy Directive, and US state privacy laws including the California Consumer Privacy Act as amended by the CPRA ("CCPA").

1. Controller and contact

FreeFTE is operated by the operator of freefte.com, established in [EU country of operator] ("we"). For account data, technical data, and the freefte.com website, we act as the data controller. For data that workspace owners place into their workspace about their teammates, projects and allocations ("Workspace Data"), we act as a processor on behalf of the workspace owner, which is the controller of that data.

Privacy contact: privacy@freefte.com. A separate Data Protection Officer is not required at our current scale, but the address above reaches the person responsible for privacy matters.

2. What we collect

  • Account data: email address, hashed password, authentication provider identifiers (e.g. Google sub), display name, sign-in timestamps and IP address.
  • Workspace Data: workspace name, member emails and roles, teammates (name, role, country, weekly hours, optional avatar), projects (name, client, status, dates), allocations and time-off records.
  • Technical data: device and browser metadata, IP address, language, approximate location (derived from IP), and analytics events (page views, feature usage).
  • Support data: messages you send us and our replies.

We do not knowingly collect special-category data (GDPR Art. 9) such as health, biometric, racial, religious, political or trade-union information. Do not place such data in your workspace without a separate written agreement with us.

3. Sources

We receive data directly from you when you sign up or use the service, automatically from your browser/device when you visit freefte.com, and from third parties such as Google when you sign in with Google OAuth.

4. Legal bases (GDPR Art. 6)

  • Contract (Art. 6(1)(b)): to create your account, provide the service and respond to support requests.
  • Legitimate interests (Art. 6(1)(f)): to keep the service secure, prevent abuse, debug issues, and understand aggregate product usage.
  • Consent (Art. 6(1)(a)): for non-essential cookies and analytics where required (see §9). You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): to comply with tax, accounting or law-enforcement requirements.

5. How we use data

  • operate, maintain and secure the service;
  • authenticate users and manage workspace membership;
  • respond to support requests and send service-related notifications (e.g. account security, password reset, invites);
  • understand aggregate usage and improve the product;
  • comply with legal obligations and enforce our Terms.

We do not use Workspace Data to train AI models and we do not sell personal data.

6. Sub-processors and sharing

We share personal data with the following categories of recipients:

  • Hosting, database and authentication — Lovable Cloud (Supabase), used in an EU region where available, to store and serve account data and Workspace Data.
  • Authentication providers — Google (only if you sign in with Google).
  • Analytics — [TO BE FILLED: Plausible / PostHog / GA4], pseudonymised usage statistics.
  • Professional advisors and authorities — when legally required.

We do not sell or "share" personal data for cross-context behavioural advertising as those terms are defined under the CCPA. If we engage a new sub-processor we will update this page; material changes will be communicated by email or in-app at least 30 days in advance where practical.

7. International transfers

Where personal data is transferred outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (SCCs) and apply supplementary measures (such as encryption in transit and at rest) where required by Schrems II and subsequent guidance from EU supervisory authorities.

8. Retention

  • Account and Workspace Data: retained while your account is active, then deleted within 30 days of account closure (unless we are legally required to keep it).
  • Encrypted backups: up to 90 days, after which they expire.
  • Security and access logs: up to 12 months.
  • Support correspondence: up to 24 months.

9. Cookies and similar technologies

We use a small number of strictly necessary cookies required to keep you signed in and to protect the service; these do not require consent under the ePrivacy Directive. Any analytics or non-essential cookies are set only after you give consent via our cookie banner, and you can change or withdraw consent at any time from the banner's settings link.

10. Your rights in the EEA / UK

Under GDPR you have the right to:

  • access your personal data and receive a copy;
  • rectify inaccurate or incomplete data;
  • erase your data ("right to be forgotten");
  • restrict or object to certain processing, including processing based on legitimate interests;
  • data portability for data you provided to us;
  • withdraw consent at any time, without affecting prior processing;
  • lodge a complaint with your local supervisory authority — for residents of [EU country of operator], that is the [EU country of operator] Data Protection Authority.

To exercise any of these rights, email privacy@freefte.com. We respond within 30 days. If your data sits inside a workspace, we will route the request to the workspace owner, who is the controller of that data.

11. US privacy rights (California / CCPA, and other states)

If you are a US resident, depending on your state of residence you may have rights to know what personal information we collect, to access and obtain a copy, to correct inaccurate information, to delete personal information, to opt out of the "sale" or "sharing" of personal information, and not to be discriminated against for exercising these rights.

Notice of "Do Not Sell or Share My Personal Information": we do not sell personal information and we do not share it for cross-context behavioural advertising. We do not knowingly process the personal information of consumers under 16 without affirmative authorisation.

Most data we process about US business users is collected in a business-to-business context and may be exempt from certain CCPA obligations. To exercise any US privacy right, email privacy@freefte.com with the subject line "US Privacy Request". You may use an authorised agent; we will verify the request before responding.

12. Children

FreeFTE is a business product and is not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us personal data, contact us and we will delete it.

13. Security

We use industry-standard safeguards including TLS in transit, encryption at rest, Postgres row-level security for workspace isolation, hashed passwords, role-based access for our staff, and audit logging. In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and inform affected users without undue delay, as required by GDPR Art. 33–34.

14. Data Processing Addendum (DPA)

Business customers who need a Data Processing Addendum (DPA) under GDPR Art. 28 can request one from privacy@freefte.com. Our DPA incorporates the EU Standard Contractual Clauses for any onward transfers.

15. Changes to this policy

We may update this Privacy Policy from time to time. For material changes we will provide notice by email or in-app at least 14 days before they take effect, and we will update the "Last updated" date at the top of this page.

16. Contact

Questions, requests, or complaints? Email privacy@freefte.com.

See also our Terms of Service.