Frenemy Privacy Policy
Frenemy is operated by Solvitur Studio LLC (“we,” “us”). This policy explains what personal information we handle when you visit our websites (including frenemy.dev and lab.frenemy.dev) or use the Frenemy service, and your rights over it.
1. Two contexts — controller vs. processor
We handle personal data in two distinct roles, and this policy applies to only the first:
- As a controller (this policy applies). When you visit our websites or create and use a Frenemy account, we decide how and why your personal information is handled.
- As a processor (this policy does not apply). When Frenemy runs on one of our customers’ websites and processes that site’s visitor traffic, we act on that customer’s instructions. The customer is the controller of that visitor data; our processing is governed by our Data Processing Agreement with them and by that customer’s own privacy policy. If you are a visitor to a website that uses Frenemy and want to exercise rights over your data, contact the operator of that website. See Section 6.
2. Information we collect as a controller
- Account information — the email address and website details you provide when you sign up. There are no passwords: you sign in with emailed one-time links.
- Billing information — processed by our payment processor, Stripe. We do not store full payment-card numbers; Stripe handles them.
- Usage information — how you interact with the dashboard, plus logs and diagnostic data generated as you use the service.
- Website data — we run no client-side analytics tracker and set no analytics cookies on our websites; we rely on network-level (cookieless) analytics from our hosting provider, Cloudflare. We also run the Frenemy service on our own websites — there, we act as the controller of our own site’s traffic, under the same data-minimization rules described in Section 6.
- Communications — messages you send us for support or other inquiries.
3. How we use it, and our legal bases
We use the information above to provide, operate, secure, and improve the service; to process billing; to respond to support requests; and to meet legal obligations. Under the GDPR our legal bases are: performance of our contract with you (providing the service, billing); legitimate interests (securing and improving the service, understanding website usage); consent (any marketing you opt into); and legal obligation where applicable.
4. Cookies
We use cookies strictly necessary for authentication and core functionality — signing in sets a session cookie; that’s it. We set no advertising, analytics, or other non-essential cookies, which is why you don’t see a cookie banner.
5. How we share information
Service providers / subprocessors — vendors that help us run the service. The current list (kept in step with the subprocessor list referenced in our DPA):
- Cloudflare, Inc. — Hosting and edge infrastructure — compute, storage, databases, and email routing. Receives: Service data at rest and in transit (the platform everything runs on).
- Stripe, Inc. — Payment processing and billing. Receives: Billing details you provide at checkout. We never store full card numbers.
- Resend, Inc. — Transactional email — sign-in links and service notices. Receives: Your account email address and the contents of the emails we send you.
- Anthropic, PBC — AI-assisted analysis of automated (non-human) traffic patterns, used to operate and improve the service's classifications. Receives: Network information (ASN), user-agent strings of suspected automated clients, and aggregate counts — never IP addresses (raw or hashed), never account details or email.
- Services you connect — if you connect your Cloudflare, GitHub, or Vercel account to install Frenemy, we exchange data with that service at your direction to set up and operate the integration. They act as your providers, not our subprocessors.
- Legal and safety — where required by law or to protect rights, safety, and the integrity of the service.
- Business transfers — in connection with a merger, acquisition, or sale of assets.
- We do not sell your personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined under California law. Aggregated or de-identified data is not personal information and is treated separately (see Section 7); aggregates are never sold and never attributable to any individual site.
6. Visitor data we process on behalf of customers
This section describes processing this policy does not govern, included for transparency. When Frenemy operates on a customer’s website, it processes visitors’ IP addresses and user-agent strings in order to classify automated traffic, apply the verdicts the customer has configured, and produce the customer’s ledger. For that processing:
- The customer is the controller; we are the processor, acting on the customer’s instructions under our DPA. The customer’s lawful basis is typically legitimate interest (security and bot detection).
- We never store raw visitor IP addresses. Each IP is irreversibly hashed at ingest with a keyed, per-site salt that rotates daily, and prior keys are destroyed at rotation — so no personally identifying visitor record exists at rest.
- User-agent strings are retained as 30-day samples only for traffic classified as automated or impersonating; these are pseudonymous, and user-agent strings of presumed-human visitors are never stored in any form.
- We strip advertising click identifiers (click IDs) at ingest and do not retain them.
- Aggregated, de-identified statistics are retained for the product’s reporting windows (day-level detail for about 90 days; monthly rollups for about 12 months).
- We do not use this visitor data for our own purposes beyond providing the service — except as aggregated, de-identified derivatives described in Section 5.
- To exercise rights over this data, a visitor should contact the website operator that uses Frenemy, not us.
7. Data retention
We keep account information for as long as your account is active and for a limited period afterward for legal, accounting, and dispute-resolution purposes. Visitor data processed as a processor is retained per Section 6 and the DPA. We may retain aggregated or de-identified data, which does not identify you, for longer.
8. Security
We use commercially reasonable technical and organizational measures to protect personal information. No method of transmission or storage is completely secure, and during the service’s early-access period we do not warrant any specific security standard or certification.
9. International data transfers
We are based in the United States. Where we handle personal data of individuals in the EU, UK, or other regions with transfer restrictions, we rely on appropriate safeguards such as the Standard Contractual Clauses.
10. Your rights
Under the GDPR (EU/UK), you may request access, correction, erasure, restriction, or portability of your personal data; object to certain processing; and withdraw consent at any time. You may also lodge a complaint with your local supervisory authority.
Under the CCPA/CPRA (California), you may request to know, delete, or correct your personal information, and to opt out of its sale or sharing — though, as noted in Section 5, we do not sell or share it. We will not discriminate against you for exercising these rights.
To exercise any of these, contact us using Section 12. For data we process as a processor on a customer’s behalf (Section 6), please direct your request to the relevant website operator.
11. Children
The service and our websites are not directed to children, and we do not knowingly collect personal information from children under 16. If you believe a child has provided us information, contact us and we will delete it.
12. Changes & contact
We may update this policy from time to time; for material changes we will provide notice, and the effective date above always reflects the current version. Privacy inquiries: Solvitur Studio LLC — support@frenemy.dev.