Elfenfarm

Privacy Policy

How we collect, use, and protect your data

Last updated: March 2026

1. Introduction

This Privacy Policy explains how Elfenfarm ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our platform. We are committed to compliance with the EU General Data Protection Regulation (GDPR) and applicable Swiss data protection laws.

2. Data Controller

Elfenfarm is the data controller for all personal data processed through the Service. For data protection inquiries, contact us at privacy@elfenfarm.com.

3. Data We Collect

Account Data

Name, email address, organization name, organization profile, and account credentials.

Organization Data

Address, contact information, organization profile/mission statement, and intended use declaration.

Content Data

Documents you upload (research papers, policy documents, etc.), AI-generated responses, campaign configurations, and keywords.

Social Media Data

Public social media posts detected by our monitoring system, platform connection tokens (encrypted), and engagement metrics.

Technical Data

IP addresses, browser type, session data, and usage logs for security and performance purposes.

4. How We Use Your Data

  • To provide the Service: processing your documents, generating responses, monitoring social media platforms.
  • To analyze your documents using AI in order to generate relevant, contextual responses.
  • To manage your account and organization settings.
  • To communicate with you about your account, service updates, and security notifications.
  • To ensure compliance with our Terms of Service and Elfenfarm Charter.
  • To improve the Service through aggregated, anonymized usage analytics.

5. Legal Basis for Processing

  • Contract Performance: Processing necessary to provide the Service you have requested.
  • Legitimate Interest: Security monitoring, fraud prevention, and service improvement.
  • Consent: Where required, we will obtain your explicit consent (e.g., marketing communications).
  • Legal Obligation: Processing required to comply with applicable laws.

6. Third-Party Services

We use the following third-party services to provide our platform. For each service, we describe what data is accessed and why.

6.1 AI Services

  • AI Service Providers: We use third-party AI services to analyze your documents and generate contextual responses. Document content may be processed by these services for this purpose. No personal account data is shared with AI providers. All AI processing is governed by appropriate data processing agreements.

6.2 Social Media Platforms

When you connect a social media account, we access specific data through each platform's official API. All OAuth tokens are stored encrypted using industry-standard encryption. You can revoke access at any time by disconnecting the platform in your account settings.

  • Google/YouTube: When you connect your YouTube account via OAuth, we access your YouTube channel information, video metadata, and comments via the YouTube Data API v3. This is used to monitor public discussions and post comments on your behalf as part of campaign management. We request the youtube.force-ssl scope, which allows reading and writing YouTube comments, ratings, and captions. We also request openid, profile, and email scopes for account identification. You can revoke Elfenfarm's access at any time via your Google Account permissions. Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

  • Facebook/Instagram (Meta): When you connect your Facebook account via OAuth, we access your Facebook Pages and linked Instagram accounts. This is used to monitor page interactions and post approved responses. We request permissions for page management and posting. You can revoke access via your Facebook app settings.

  • Twitter/X: When you connect your Twitter/X account via OAuth 2.0 with PKCE, we access your profile information and the ability to post on your behalf. This is used to publish approved responses to relevant conversations. You can revoke access via your Twitter app settings.

  • LinkedIn: When you connect your LinkedIn account via OAuth, we access your profile information and organizational page posting capabilities. This is used to publish approved responses on behalf of your organization. You can revoke access via your LinkedIn app settings.

  • Reddit: When you connect your Reddit account via OAuth, we access your profile information and the ability to post comments on your behalf. For monitoring, we also search public Reddit content using Reddit's API. You can revoke access via your Reddit app authorizations.

  • Mastodon: When you connect your Mastodon account via OAuth on your chosen instance, we access your profile information and posting capabilities. We dynamically register an application on your Mastodon instance during the connection process. You can revoke access via your Mastodon instance's authorized apps settings.

  • Bluesky: When you connect your Bluesky account using an app password, we access your profile and posting capabilities via the AT Protocol. For monitoring, we also search public Bluesky content. You can revoke access by deleting the app password in your Bluesky account settings.

  • Discord: When you connect a Discord server using our bot, we access message content in the channels you configure. This is used to monitor discussions relevant to your campaigns. You can remove access by removing the Elfenfarm bot from your Discord server.

  • Telegram: We use the Telegram Bot API to monitor public channel content relevant to your campaigns. No personal Telegram account data is accessed.

6.3 Infrastructure and Hosting

  • Cloud Infrastructure (Scaleway): Our application, database, and file storage are hosted on European cloud infrastructure provided by Scaleway. All data resides on servers within the EU/EEA.

  • Object Storage (Scaleway S3): Uploaded documents and generated files are stored in Scaleway's S3-compatible object storage, located in the EU (Paris region).

We ensure all third-party processors have appropriate data processing agreements (DPAs) in place.

7. Account & Organization Deletion

User Account Deletion

Any user can request deletion of their own account from their account settings. A 30-day grace period applies during which the deletion can be cancelled. After the grace period, personal data is permanently removed and a confirmation email is sent.

Restrictions: Organization administrators who are the sole admin of their organization cannot delete their account without first transferring admin rights or deleting the organization.

Contributors: Contributors (non-admin users) can delete their accounts at any time. Their contributions (e.g., response reviews) are anonymized but retained for organizational continuity.

Organization Deletion

Organization administrators can request deletion of their entire organization. Two modes are available:

  • End of Period: Deletion occurs after the current subscription period expires. No prorated refund is issued.
  • Immediate: Deletion occurs after a 30-day GDPR grace period. No refund is issued.

Upon organization deletion, all associated data is permanently removed, including campaigns, documents, AI-generated content, monitoring data, platform connections, and all user accounts. Responses already published on social media platforms are NOT removed.

All organization members are notified by email when deletion is scheduled. The deletion can be cancelled at any time before the scheduled date.

Audit Log Retention

Certain records are retained beyond account/organization deletion for legal compliance:

  • Consent timestamps (terms acceptance, privacy policy acceptance, charter acknowledgment)
  • Financial transaction records (invoices, receipts, subscription events)
  • Deletion request and execution logs
  • These records are retained for the legally required period (typically 10 years for financial records under Swiss law).

8. Data Retention

  • Account data is retained for the duration of your account plus 30 days after deletion.
  • Content data (documents, responses) is deleted upon request or account termination.
  • Social media monitoring data is retained for the duration of your active campaigns.
  • Platform connection tokens are deleted immediately when you disconnect a platform.
  • Security logs are retained for 12 months.
  • Audit logs (consent, financial transactions) are retained for 10 years per Swiss legal requirements.

9. Your Rights (GDPR)

Under the GDPR, you have the following rights:

  • Right of Access: Request a copy of all personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate personal data.
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten"). See our Data Deletion Instructions for details.
  • Right to Data Portability: Receive your data in a structured, machine-readable format.
  • Right to Restrict Processing: Request limitation of how we process your data.
  • Right to Object: Object to processing based on legitimate interest.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.

To exercise these rights, contact us at privacy@elfenfarm.com. We will respond within 30 days.

10. Data Security

  • πŸ”’ All data is encrypted in transit (TLS) and at rest.
  • πŸ”’ Platform connection tokens are encrypted using industry-standard encryption.
  • πŸ”’ Access to personal data is restricted to authorized personnel only.
  • πŸ”’ We conduct regular security assessments and maintain incident response procedures.
  • πŸ‡ͺπŸ‡Ί All data is stored exclusively on European-owned servers within the EU/EEA, ensuring full GDPR jurisdiction.

11. Cookies

We use essential cookies for authentication and session management. We do not use tracking or advertising cookies. No consent banner is needed as we only use strictly necessary cookies.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email. The latest version is always available on our website.

13. Contact & Complaints

For privacy inquiries: privacy@elfenfarm.com

You have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.