Privacy Policy

Who we are

Faultline ("we", "us", "our") is a software service operated from Cardiff, Wales, UK. Our service is available at usefaultline.com. For data protection purposes we are the data controller.

Questions about this policy or your personal data can be sent to hello@usefaultline.com.

What data we collect

We collect the minimum data needed to provide the service. This falls into three categories:

Account data - your name and email address, collected when you sign up. Authentication is handled by Clerk (see Third-party processors below).

Organisation data - data you enter while using Faultline: your organisation name, system area names, team member names, and knowledge depth ratings. This data belongs to your organisation and is entered by you voluntarily.

Usage data - basic server logs (IP address, request timestamps, HTTP method and path) retained for security and debugging. We do not use third-party analytics or advertising trackers.

Legal basis for processing (UK GDPR)

• Contract performance - processing your account data to provide the service you signed up for.
• Legitimate interests - server logs for security monitoring and debugging, where these interests are not overridden by your rights.

How we use your data

• To create and manage your account
• To deliver the Faultline service to you and your team
• To send transactional emails (e.g. team invitations). We do not send marketing email without your explicit opt-in.
• To investigate security incidents and fix bugs

We do not sell your data. We do not use it for advertising.

Third-party processors

We share data with the following sub-processors solely to operate the service:

• Clerk (clerk.com) - authentication and session management. Clerk processes authentication data (email address, session tokens) in the United States. Transfers from the UK are made under the UK Extension to the EU-US Data Privacy Framework, with Standard Contractual Clauses as a fallback. Clerk's DPA is available at clerk.com/legal/dpa.
• MongoDB Atlas (MongoDB, Inc.) - cloud database hosting on AWS, Frankfurt region (eu-central-1). All application data is stored here, encrypted at rest.
• Fly.io - application hosting and infrastructure. Servers are located in London, UK.
• Resend - transactional email delivery (e.g. invitation emails), processed in the EU (Ireland, eu-west-1).

Each processor has been selected for their data protection standards. We do not allow processors to use your data for their own purposes.

Cookies

Faultline uses one strictly-necessary cookie, set by Clerk, to maintain your authenticated session. This cookie is required for the service to function and does not require consent under UK GDPR.

We do not set analytics, advertising, or tracking cookies. We do not use Google Analytics or similar tools.

Data retention

We retain your data for as long as your account is active. If you delete your account or organisation, we delete your data within 30 days, except where retention is required for legal or security purposes (e.g. server logs, which are retained for up to 90 days).

Your rights

Under UK GDPR you have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Request deletion of your data ("right to be forgotten")
• Request a portable copy of your data
• Object to processing based on legitimate interests
• Lodge a complaint with the ICO (ico.org.uk)

To exercise any of these rights, email hello@usefaultline.com. We will respond within 30 days.

Security

Data is encrypted in transit (TLS) and at rest. Access to production systems is restricted to authorised personnel. We maintain audit logs for all data mutations.

To report a security vulnerability, please email hello@usefaultline.com with details. We aim to acknowledge reports within 48 hours.

Changes to this policy

We may update this policy as the service evolves. Material changes will be notified by email or via an in-app notice. The effective date at the top of this page will always reflect the latest version.