Privacy Policy
This policy describes the personal data fobi collects, why we collect it, who it's shared with, and the rights you have over it. fobi is built deliberately to handle as little personal data as possible — no tracking pixels, no third-party advertising networks, no session-replay tooling.
1. Scope of This Policy
This Privacy Policy describes how Fobi Inc. (doing business as fobi, referred to here as "fobi," "we," "us," or "our") collects, uses, shares, and protects information about you when you visit fobi.com, create an account, subscribe to a paid plan, or otherwise interact with the Services. By using fobi you accept the practices described in this policy. If you do not agree, please do not use the Services.
This policy applies to information collected through fobi.com and any related subdomains, the fobi web application, the email communications we send you, and any other places where this policy is linked. It does not apply to third-party websites, tools, or services that fobi links to but does not operate — those third parties have their own privacy practices, summarized in §6 below.
2. Information You Provide Directly
The information fobi collects directly from you is intentionally minimal:
- Email address. Required to create an account. Used to authenticate you (magic-link sign-in), send service-related notifications (billing receipts, security alerts), and operate the Services. Magic-link delivery is handled by Resend.
- Name and profile image. Optional. Collected only if you sign in with Google, which exposes these fields as part of the OAuth flow. You can leave these blank by using magic-link sign-in instead.
- Billing information. When you subscribe, your card number and billing address are entered into Stripe Checkout and stored by Stripe. fobi never sees or stores your card details. We retain only what Stripe returns: a customer identifier, the subscription tier and status, the period end date, and the domain you entered (Company plan only).
- Company-plan domain. If you buy the Company plan, the work-email domain you enter at checkout is stored so that anyone with an email at that domain can access fobi. This is the entire access-control mechanism for the Company plan — no individual rosters or SAML.
- Communications you send us. Emails, support requests, or other content you voluntarily send to fobi addresses (e.g. hello@rickyrichards.com) are stored in our email provider's systems for as long as is reasonably required to respond and to keep an audit trail of the correspondence.
3. Information Collected Automatically
When you visit fobi, certain information is collected automatically:
- Server logs. Like nearly every web service, fobi receives standard HTTP request data from your browser — your IP address, the user-agent string, the URL requested, referrer headers, and a timestamp. These are recorded in transient hosting logs (Vercel) primarily for operational debugging and abuse detection. We do not use them to build cross-site behavioral profiles.
- Authentication cookie. When you sign in, fobi sets a single session cookie containing an encrypted JWT that identifies your account on subsequent requests. This cookie is essential to the Services; without it, paywall and account features cannot function. No third-party cookies are set by fobi itself.
- Product analytics. fobi uses Vercel Analytics, which records aggregate page-view counts and route-level performance metrics without cookies, without IP storage beyond the immediate request, and without cross-site tracking. We do not use Google Analytics, Facebook Pixel, tracking pixels, session-replay tools, or any third-party advertising network.
- Last-seen markers. A small number of timestamps are stored on your user record to power "new since you last visited" indicators on surfaces such as the jobs board. These are visible only to you and are not shared with third parties.
4. Information Received from Third Parties
fobi receives limited information about you from the following third parties:
- Google (only if you sign in with Google). Through the OAuth flow, we receive your email address, name, profile image URL, and a stable Google account identifier. We do not request any other Google scopes (no Gmail access, no Drive, no Calendar). You can revoke fobi's access at any time from your Google account's "Third-party apps" page.
- Stripe. Returns a Stripe customer identifier, subscription state (status, period end, plan), and a small set of webhook events when your subscription changes. We do not receive your card number or billing address from Stripe.
5. How We Use Your Information
fobi uses the information described above for the following purposes:
- Operating the Services. Authenticating you, granting or denying access to gated content based on subscription state, sending magic-link emails, displaying account information, processing payments through Stripe.
- Service communications. Sending you billing receipts, account notifications (security events, billing failures), and updates about material changes to the Services or these terms. These messages are not marketing; they are operational.
- Product improvement. Aggregated, non-personal usage patterns (which pages are most-visited, which features people use) help us prioritize what to build next. Individual-level behavioral profiling is not something we do.
- Abuse prevention. Server logs may be inspected if we have reason to investigate scraping, account-sharing abuse, or attempted unauthorized access.
- Legal compliance. Retaining the records we are required by law to keep — primarily billing records for tax purposes.
We do not use your information to train third-party machine-learning models, to sell to data brokers, to construct advertising profiles, or to share with marketing partners. These categories are intentionally omitted from our processing because they would be incompatible with how we want fobi to feel as a product.
6. Third-Party Service Providers
fobi is a small operation built on top of a small number of trusted infrastructure providers. Each of these companies acts as a data processor on our behalf; they are contractually bound to handle your data only as instructed by fobi and only for the purposes described below.
- Vercel — hosts the fobi web application and provides the hosting-layer analytics described in §3. Vercel may temporarily store request metadata in its edge infrastructure as part of normal operation.
- Stripe — payment processing, subscription management, the customer billing portal. Stripe is a PCI-compliant payment processor and holds your card details directly.
- Resend — transactional email delivery (magic-link sign-in, billing notifications, support replies). Resend holds your email address while messages are in transit.
- Neon / Postgres provider — managed Postgres database where your account record, subscription state, and last-seen markers are stored.
- Google — only when you choose to sign in with Google, as described in §4.
The data fobi shares with each provider is the minimum needed to perform their function — Stripe receives nothing it doesn't need to bill you; Resend receives nothing it doesn't need to deliver the email; Neon receives only the application schema described elsewhere in this policy. We do not use any third-party advertising network, analytics vendor (beyond Vercel's first-party tooling), session-replay tool, customer-data-platform, marketing-automation system, A/B-testing service, or social-media tracking pixel.
7. AI and Content Processing
fobi uses large-language-model providers (Anthropic, OpenAI, and DeepSeek) to synthesize the editorial content that appears on the site — sector briefs, bull / bear cases, hard-problem taxonomies, news classification, and similar artifacts. These model calls process public source material (articles, filings, patents) and our editorial prompts, not user-account data.
The LLM providers do not receive your email address, your account history, your subscription state, or any other personal information about you when fobi calls their APIs. Your usage of fobi does not contribute to model training at those providers, to the extent each provider's API terms permit us to assert that — for the avoidance of doubt, we do not send personal data to them.
9. Data Retention
fobi retains personal information only for as long as is necessary to provide the Services and to comply with legal obligations.
- Active accounts. Your account record, subscription state, and any preference / last-seen data are retained as long as your account is active.
- Cancelled subscriptions. When you cancel a paid subscription, your account record is retained but moved to a "canceled" status. The historical record (including the is_founder_member flag for cohort accounting) is preserved per the Terms of Service. You can request full deletion at any time — see §10.
- Deleted accounts. When you delete your account, fobi removes your account record and personal preferences within a reasonable period (target: within 30 days). Some data is retained beyond that for legitimate purposes — billing records are retained for the period required by tax law (typically 7 years), and operational backups roll off on a normal schedule (typically 30 days).
- Server logs. Transient logs are retained at our hosting provider for short operational windows (typically 7 to 30 days) before being rotated out.
10. Your Rights
You have the following rights regarding the personal information fobi holds about you:
- Access. You can ask us to confirm what data fobi holds about you and receive a copy. The account page surfaces the live values for your email, subscription state, and stored preferences; if you need anything else, email hello@rickyrichards.com.
- Correction. You can ask us to correct inaccurate or incomplete personal data.
- Deletion. You can ask us to delete your account and the personal data we hold about you. Email hello@rickyrichards.com from the address registered on the account. We will confirm and complete the deletion within a reasonable period, subject to the retention exceptions in §9.
- Portability. You can request a portable export of the personal data fobi holds about you in a structured, machine-readable format.
- Objection / restriction. You can object to, or ask us to restrict, particular processing activities. In practice fobi's processing is limited to delivering the Services you signed up for, so the most common form of objection is account deletion.
- Withdrawal of consent. Where processing is based on consent (rather than contractual necessity), you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
- Complaint to a supervisory authority. If you believe fobi has handled your personal data unlawfully, you have the right to lodge a complaint with the data-protection authority in your jurisdiction.
To exercise any of these rights, email hello@rickyrichards.com from the address registered on the account. We will respond within a reasonable period — target 30 days.
11. Security
fobi takes reasonable technical and organizational measures to protect personal data: TLS in transit, encryption at rest where supported by our infrastructure providers, single-purpose access tokens for third-party services, principle-of-least-privilege access to the production database, and the use of a well-reviewed authentication library (Auth.js v5) rather than rolled-from-scratch session handling.
That said, no system is invulnerable. If we ever become aware of a security incident that materially affects your personal data, we will notify you and the relevant authorities within the time periods required by applicable law.
12. International Data Transfers
fobi's infrastructure providers operate globally. Your personal data may be stored and processed in countries other than the one you live in, including the United States. Where required by applicable law, we rely on lawful transfer mechanisms (such as the EU Standard Contractual Clauses) for cross-border transfers.
13. Children's Privacy
fobi is not directed to children under the age of 13 (or under 16 in the EEA / UK), and we do not knowingly collect personal information from children. If you believe a child has provided personal information to fobi, email hello@rickyrichards.com and we will delete it.
14. Marketing and Promotional Communications
fobi sends very few marketing emails. Service emails (billing receipts, security alerts, account notifications, magic-link sign-in) are operational and cannot be opted out of while you have an active account. Any genuinely promotional emails (e.g. a launch announcement for a new sector) will offer an unsubscribe link in the email itself.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, depending on the significance of the change, may notify you by email or via an in-product notice. Your continued use of fobi after a change is published constitutes acceptance of the revised policy.
16. Contact Us
If you have any questions, concerns, or requests about this Privacy Policy or about how fobi handles your personal data, please email hello@rickyrichards.com. We will respond at our earliest convenience.
See also the Terms of Service and Usage Policy.