Privacy Policy
Effective Date: March 15, 2026
Korroni LLC ("Company," "we," "us," or "our") operates Fancy Waitlist ("Service"). This Privacy Policy explains how we collect, use, share, and protect information when you use our Service.
1. Definitions
- "Customer" — an individual or entity that creates an account to manage waitlists through the Service.
- "Subscriber" — an individual who signs up for a Customer's waitlist or mailing list.
- "Personal Data" — any information that identifies or can be used to identify an individual.
2. Information We Collect
2.1 Information Customers Provide
- Account information (name, email address)
- OAuth credentials (Google, GitHub) used for sign-in
- SMTP credentials (encrypted at rest with AES-256-GCM)
- Email templates, configuration files, and waitlist settings
- Payment information (processed by Stripe; we do not store card numbers)
2.2 Information Subscribers Provide
- Email address and optional name
- Survey responses
- Referral activity and codes
- OAuth profile data (if signing up via Google or GitHub)
2.3 Information Collected Automatically
- IP addresses (for rate limiting and fraud prevention)
- Device fingerprints (for referral fraud detection only)
- Browser type, operating system, and referral URLs
- Email delivery data (opens, clicks, bounces)
- Usage analytics (page views, feature usage)
3. How We Use Your Information
- Provide and operate the Service (waitlist management, email delivery, referral tracking)
- Process transactions and send billing-related communications
- Detect and prevent fraud in referral programs
- Enforce rate limits and protect against abuse
- Send service notifications (account updates, security alerts)
- Improve and develop new features
- Comply with legal obligations
4. SMTP Credential Storage
Fancy Waitlist uses a Bring Your Own SMTP (BYOSMTP) model. Customer SMTP credentials are encrypted at rest using AES-256-GCM with keys stored in a separate secrets manager. Credentials are never logged, never exposed via API, and are used solely to send emails on the Customer's behalf.
5. Cookies and Similar Technologies
We use the following cookies:
| Cookie | Purpose | Duration |
|---|---|---|
next-auth.session-token | Session authentication | 1 hour |
ref | Referral attribution | 30 days |
__Host-next-auth.csrf-token | CSRF protection | Session |
We use Plausible Analytics, which is cookieless and does not track personal data. For more details, see our Cookie Policy.
6. Legal Bases for Processing (GDPR)
If you are in the EEA, UK, or Switzerland, we process data based on:
| Basis | Activities |
|---|---|
| Contract | Account management, service delivery, billing |
| Legitimate Interest | Fraud prevention, security, service improvement |
| Consent | Marketing communications, analytics where required |
| Legal Obligation | Tax records, law enforcement requests |
7. How We Share Your Information
We do not sell personal data. We share information only in these circumstances:
- Service providers — hosting, payment processing (Stripe), and infrastructure providers who process data on our behalf under strict data processing agreements.
- Customer's SMTP provider — email content and subscriber email addresses are transmitted through the Customer's chosen SMTP provider for delivery.
- Legal requirements — when required by law, court order, or governmental authority.
- Business transfers — in connection with a merger, acquisition, or sale of assets, with prior notice.
8. Data Retention
- Active accounts — data is retained for the duration of the account.
- Terminated accounts — data is available for export for 30 days, then permanently deleted.
- Unverified subscribers — automatically removed after 7 days (configurable by Customer).
- Fraud records — retained for 1 year for pattern detection, then anonymized.
- Email delivery logs — retained for 90 days.
9. Security
We implement industry-standard security measures including: HTTPS encryption in transit, AES-256-GCM encryption at rest for sensitive credentials, secure session management, rate limiting, CSRF protection, Content Security Policy headers, and regular security reviews. Despite our efforts, no method of electronic transmission or storage is 100% secure.
10. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access — request a copy of the personal data we hold about you
- Correction — request correction of inaccurate data
- Deletion — request deletion of your personal data
- Portability — receive your data in a structured, machine-readable format
- Restriction — request restriction of processing
- Objection — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent
To exercise these rights, contact [email protected]. We will respond within 30 days.
11. California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the CCPA/CPRA, including the right to know what personal information we collect, the right to delete, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising your rights.
12. International Data Transfers
Data may be transferred to and processed in the United States. Where required, we use Standard Contractual Clauses or other approved mechanisms to ensure adequate protection for international transfers.
13. Children's Privacy
The Service is not directed to children under 13. We do not knowingly collect personal data from children under 13. If we learn we have collected data from a child under 13, we will delete it promptly. Customers are responsible for ensuring their waitlists comply with applicable age restrictions.
14. Third-Party Links
The Service may contain links to third-party websites or services. We are not responsible for their privacy practices. We encourage you to review their privacy policies.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 30 days before they take effect. The "Effective Date" at the top reflects the latest revision.
16. Contact
For privacy-related questions or to exercise your rights, contact:
Korroni LLC
Email: [email protected]
New York, NY