Privacy Policy — Functory

This Privacy Policy explains how Functory collects, uses, shares, and safeguards information about you when you visit our site, create an account, publish functions, or execute them via our UI, API, or SDKs.
Last updated: 2025-10-11

1. Who we are & scope

Overview

“Functory” is a platform to publish, discover, and run executable functions (“Functions”). This policy covers visitors, registered users, creators who publish Functions (“Creators”), and users who run Functions (“Runners/Executants”).

Data controller: TODO: Legal entity name (“we”, “us”). Address: TODO: full address. Email: privacy@yourdomain.example. If you are in the EEA/UK, add: TODO: EU/UK representative.

Alpha note: Functory is currently in Alpha; features and data flows may evolve. We aim to notify you of material changes (see section 17).

2. Roles (controller vs. processor)

Data roles
  • Controller (we decide the “why” & “how”): account/profile data, authentication, billing/tokens, platform security logs, marketplace discovery metadata, support & abuse handling, payouts KYC/AML (with providers), aggregate analytics.
  • Processor (we operate on your instructions): inputs you send to a Function, intermediate artifacts, outputs, and execution logs tied to that run. Creators may be independent controllers for data they ask you to supply to their Functions. In such cases, we act as their processor/sub-processor.
  • We offer a Data Processing Addendum (DPA) on request. TODO: link/email to request DPA.

3. Information we collect

Categories
  • Account & profile: name/alias, username, password hash, email, optional avatar, organization, roles, preferences, audit trails.
  • Usage & device data: logs (IP, timestamps, user agent, referrer, pages/API routes), approximate location derived from IP, crash/diagnostic events.
  • Function content: code, metadata (title, tags, descriptions, versions), schemas, pricing, visibility (public/private).
  • Execution data: inputs, outputs, intermediate logs (including SSE), runtime metrics (duration, CPU/RAM quotas, status), and artifacts exchanged via presigned links (e.g., S3/MinIO).
  • Payments & payouts: limited billing identifiers, token purchases, invoices/receipts; payout KYC/AML information via payment partners (we typically do not store full card details).
  • Communications: support tickets, feedback, abuse reports, marketing preferences.
  • Cookies & similar: session cookies, auth state, CSRF tokens, preference cookies; see section 8.

Sensitive data: do not submit special categories (e.g., health, biometrics) unless your agreement with us explicitly permits it and you comply with applicable laws.

4. Sources of information

Sources
  • Directly from you (forms, API requests, uploads, CLI/SDK activity).
  • Automatically (cookies, telemetry, runtime logs, security systems).
  • From third parties (auth providers, payment processors, anti-fraud services, and—if you connect them—repositories, storage, or cloud accounts).

5. How we use information (purposes)

Purposes
  • Provide and operate the platform (publish, discover, and execute Functions).
  • Authenticate users; manage tokens, pricing, and billing; process payouts.
  • Measure usage, performance, reliability; fix bugs; improve UX and security.
  • Show public metadata for marketplace discovery (e.g., title, tags, run counts).
  • Communicate with you (service messages, updates, support, marketing where permitted).
  • Comply with law (tax, accounting, anti-fraud/abuse) and enforce our Terms.

7. How we share information

Disclosures
  • Service providers / subprocessors: cloud hosting, storage (e.g., S3/MinIO), logging, payments, KYC/AML, email delivery, analytics, customer support.
  • Creators & Runners: when you run a Function, your inputs may be visible to the Function owner as needed to operate and improve that Function. Results may be stored for debugging and billing.
  • Legal & safety: to comply with law, enforce our Terms, protect rights, security, or users.
  • Business transfers: merger, acquisition, or asset sale (with safeguards).

We do not sell personal information and we do not “share” it for cross-context behavioral advertising as defined by the CPRA.

8. Cookies, analytics & marketing

Cookies

We use essential cookies for authentication and security (non-optional). We may use analytics (e.g., aggregated usage metrics) to understand product performance. Where required, we request consent before setting non-essential cookies. You can manage preferences in your browser and—where available—our cookie banner.

  • Essential: auth/session, CSRF, load-balancing, fraud prevention.
  • Functional: preferences (e.g., language, theme).
  • Analytics: usage trends, product improvement (aggregated/pseudonymized).
  • Marketing: emails about new features only with consent where required; opt out anytime.

9. AI/ML usage & training

AI
  • We do not use your private code or private execution data to train models without your consent.
  • Public Functions and their non-personal, aggregated performance signals (e.g., run counts, success rates) may inform ranking/discovery and product quality metrics.
  • If we introduce optional AI features that require training on your data, we will provide clear controls.

10. International transfers

Transfers

We may process data in countries other than your own. Where required, we rely on appropriate safeguards, such as the European Commission’s Standard Contractual Clauses (SCCs) or UK addendum/IDTA. If we use U.S. providers certified under applicable frameworks (e.g., EU-U.S. Data Privacy Framework), we may rely on that certification where appropriate.

TODO: Provide a list of key hosting regions/subprocessors upon request or in a public page.

11. Security

Safeguards
  • We apply reasonable technical and organizational measures (isolation of executions, presigned link controls, access management, logging, encryption in transit, and—where configured—at rest).
  • No method is 100% secure. Report suspected vulnerabilities to security@yourdomain.example.

12. Retention

Data lifecycle
  • We keep personal data only as long as necessary for the purposes described, including legal/accounting obligations. Execution artifacts may be subject to quotas and retention windows, after which they may be purged.
  • You can request deletion of your account; some records may be retained as required by law or for legitimate interests (fraud prevention, security).

13. Your choices & rights

Rights

Depending on your location, you may have rights to access, correct, delete, restrict, object to, or port your personal data, and to withdraw consent where we rely on consent.

  • How to exercise: email privacy@yourdomain.example. We may need to verify your identity.
  • Marketing: opt out via email footer or in your account (if available).
  • Cookies: adjust browser settings and use our consent tools where offered.

14. Children

Under 13/16

The service is not directed to children under 13 (or the age of digital consent in your jurisdiction). Do not use Functory if you are under that age. If we learn we processed such data, we will delete it.

15. Do Not Track & Global Privacy Control (GPC)

Signals

Some browsers offer Do Not Track (DNT) or Global Privacy Control (GPC). While there is no uniform DNT standard, we honor GPC signals where required by law, particularly for cookies deemed “selling” or “sharing” in certain jurisdictions (which we do not engage in; see section 7).

17. Changes to this policy

Updates

We may modify this Policy from time to time. We will update the “Last updated” date and, for material changes, provide additional notice (e.g., in-product banner or email).

18. Contact

Support

Questions or requests about privacy? Contact our privacy team / DPO:
Email: privacy@yourdomain.example
Mailing address: TODO: Legal entity & full address

Appendix — Region-specific disclosures

Jurisdictions

EEA/UK

  • You have rights under GDPR/UK GDPR: access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with your supervisory authority. If we rely on consent, you can withdraw it at any time.
  • For international transfers, we use appropriate safeguards (see section 10). Contact us for a copy of relevant SCCs subject to redactions.

California (CPRA)

  • We do not sell or “share” your personal information for cross-context behavioral advertising.
  • Rights: know/access, delete, correct, portability, limit use of sensitive information (where applicable), and freedom from discrimination for exercising your rights.
  • Categories collected (examples): identifiers (name, email, IP), commercial info (token purchases), internet activity (logs), inferences (high-level usage cohorts). Sources/purposes/disclosures correspond to sections 4–7 above.

Brazil (LGPD)

  • Legal bases include consent, contract, legitimate interest, and legal obligation. You may request confirmation of processing, access, correction, anonymization/blocking/deletion, portability, information about shared use, and revocation of consent.

Canada (PIPEDA)

  • We process personal information with your knowledge and consent, except where permitted otherwise by law. You may request access and correction of your personal information.

Singapore/Other APAC (PDPA, etc.)

  • We collect, use, and disclose personal data for reasonable purposes you would expect in the context of our services, and obtain consent where required. You may request access and correction consistent with local law.

This privacy policy is intended to be globally understandable. Local laws may grant additional rights. Nothing here limits rights you have under applicable law.
Tip for Creators: if you process end-user personal data via your Functions, ensure your own privacy notice covers that processing and that you have a lawful basis.