Legal

Privacy Policy

Transparent data practices for our competitive intelligence platform. GDPR and CCPA compliant with your privacy rights clearly explained.

🔒 In Plain English

We collect your work email and usage data to provide competitive intelligence services. We track publicly available competitor data for you, never sell your information to anyone, use enterprise-grade security, and give you full control over your data. Questions? Contact our privacy team

Welcome to Fragments ("we," "us," or "Fragments"). We provide competitive intelligence tools and platforms ("Services") available at fragments.ai. This Privacy Policy explains how we collect, use, and protect your personal information in compliance with GDPR, CCPA, and other privacy laws.

Legal Basis for Processing (GDPR)

Why We Process Your Data: Contract performance (providing services), legitimate interests (service improvement), and legal compliance (anti-fraud, tax records).

We process your personal data based on the following legal grounds under GDPR:

  • Contract Performance: To provide our competitive intelligence services as agreed
  • Legitimate Interests: To improve our services, prevent fraud, and ensure security
  • Legal Compliance: To meet tax, accounting, and regulatory requirements
  • Consent: For marketing communications and optional features (you can withdraw anytime)

What Data We Collect

Personal Data: Work email, name, company info, usage analytics. Competitor Data: Information from multiple sources including, but not limited to, public sources, licensed databases, and purchased data access.

Personal Information You Provide

  • Account Information: Work email address, full name, company name, job title
  • Profile Data: Professional experience, team role, competitive intelligence interests
  • Communication Data: Support messages, feedback, survey responses
  • Payment Information: Billing address, payment method (processed by Stripe - we don't store card details)

Automatically Collected Data

  • Usage Analytics: Features used, time spent, login frequency, search queries
  • Technical Data: IP address, browser type, device information, operating system
  • Performance Data: Page load times, error logs, system performance metrics
  • Security Data: Login attempts, suspicious activity detection, access logs

Competitive Intelligence Data

We collect information about companies you choose to research from various sources:

  • Company websites, press releases, blog posts, marketing materials
  • News articles, industry reports, analyst coverage
  • Social media posts, LinkedIn company pages, Twitter accounts
  • Job postings, career pages, employee counts
  • Business directory listings, Crunchbase profiles, funding data
  • Patent filings, regulatory submissions, SEC documents
  • Licensed data sources and databases we have agreements to use

Data Sources: We collect from publicly available sources as well as licensed private data sources where we have proper agreements with providers. We do not hack systems, access unauthorized data, or violate any terms of service. All data collection is conducted ethically and legally.

How We Use Your Data

Service Delivery: Account management, competitive intelligence, platform features. Service Improvement: Analytics, feature development, security.

Primary Service Purposes

  • Providing competitive intelligence and analysis services
  • Creating and updating competitor profiles and battlecards
  • Sending alerts about competitor activities and market changes
  • Enabling team collaboration and data sharing within your organization
  • Processing payments and managing your subscription

Service Improvement & Operations

  • Analyzing usage patterns to improve our platform and features
  • Providing customer support and technical assistance
  • Ensuring platform security and preventing fraud
  • Complying with legal obligations and regulatory requirements
  • Conducting research and development for new features

Communications (With Your Consent)

  • Service updates and important account notifications
  • Feature announcements and product newsletters (opt-in)
  • Educational content about competitive intelligence (opt-in)
  • Customer satisfaction surveys and feedback requests (opt-in)

Data Sharing & Third Parties

Limited Sharing: Only with essential service providers (hosting, payments, analytics). We never sell your data or share it for marketing purposes.

Essential Service Providers

  • Stripe: Payment processing and subscription management
  • Brevo: Transactional and marketing email delivery
  • Google Analytics: Website usage analytics and insights

All service providers are bound by data processing agreements and are required to protect your data according to GDPR standards.

Legal Disclosures

We may disclose personal data when required by law, court order, or government request, or to protect our rights, property, or safety.

What We Don't Do

  • ❌ Sell your personal data to third parties
  • ❌ Share your competitive research with other customers
  • ❌ Use your data for advertising outside our platform
  • ❌ Share data with competitors or industry partners

Data Retention & Storage

Storage Periods: Account data for 2 years after cancellation. Usage analytics for 3 years. Competitive intelligence data deleted with your account.

Retention Periods

  • Account Information: 2 years after account closure (for support and legal purposes)
  • Usage Analytics: 3 years (aggregated and anonymized)
  • Financial Records: 7 years (required by tax and accounting laws)
  • Your Competitive Research: Deleted immediately upon account closure (or when you delete it)
  • Support Communications: 2 years after last interaction

Data Storage & Security

Your data is stored securely in data centers located in the European Union. We employ:

  • AES-256 encryption for data at rest and TLS 1.3 for data in transit
  • Magic link authentication (no passwords to compromise)
  • Role-based access controls and secure work email verification
  • Regular security training for all employees
  • Automated backup and disaster recovery systems

International Data Transfers

Cross-Border Transfers: EU data may be processed in the US under Standard Contractual Clauses and adequacy decisions. UK transfers covered by adequacy decision.

While our primary data processing occurs in secure facilities within the EU and US, some data may be transferred internationally to our service providers. We ensure all transfers comply with GDPR requirements through:

  • European Commission Standard Contractual Clauses (SCCs)
  • Adequacy decisions for countries with equivalent data protection
  • Additional safeguards for transfers to countries without adequacy decisions
  • Data Processing Agreements with all international service providers

Cookies & Tracking

Cookie Types: Essential (required), Analytics (usage insights), Preferences (your settings). You can control non-essential cookies in your browser.

Cookie Categories

  • Essential Cookies: Required for login, security, and core functionality
  • Analytics Cookies: Help us understand how you use our website and platform (Google Analytics)
  • Preference Cookies: Remember your settings and customizations

Cookie Management

You can control cookies through your browser settings. Disabling essential cookies may limit platform functionality. Analytics and preference cookies can be disabled without affecting core features.

Your Privacy Rights

Your Control: Access, correct, delete, or export your data anytime. Withdraw consent for marketing. Request processing restrictions.

GDPR Rights (EU Residents)

  • Right of Access: Get a copy of your personal data and information about how we use it
  • Right to Rectification: Correct inaccurate or incomplete personal data
  • Right to Erasure: Delete your personal data (with some legal exceptions)
  • Right to Data Portability: Export your data in a machine-readable format
  • Right to Restrict Processing: Limit how we process your data in certain circumstances
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent for marketing or optional features

CCPA Rights (California Residents)

  • Right to Know: Information about data collection, use, and sharing
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Opt out of sale of personal information (we don't sell data)
  • Right to Non-Discrimination: Equal service regardless of privacy choices

How to Exercise Your Rights

Contact us through our contact form or use the data export/deletion tools in your account settings. We'll respond within 30 days (GDPR) or 45 days (CCPA). We may need to verify your identity before processing requests.

Children's Privacy

Age Restriction: Fragments is not intended for users under 16. We do not knowingly collect data from children.

Our Services are designed for business users and are not intended for individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will delete it promptly. If you believe we have collected information from a child, please contact us immediately.

AI Usage & Processing

AI Usage: We use AI for competitor analysis, insights generation, and user-requested actions like updating content, creating charts, and modifying presentations. All AI actions require your explicit request.

We use AI systems to analyze competitive intelligence data and generate insights when you request them. These systems help identify patterns, trends, and competitive threats in the data you choose to track. AI can also perform specific actions when you ask, such as updating slides, adding charts, creating content, and making other changes to your competitive intelligence materials. All AI actions are initiated by your explicit requests - AI does not take autonomous actions. You maintain full control over when and how AI is used with your data and can review, modify, or reject any AI-generated content.

Data Breach Notification

Security Incident Response: We'll notify you within 72 hours of discovering any data breach that affects your personal information.

In the unlikely event of a data breach affecting your personal information, we will:

  • Notify you via email within 72 hours of discovery
  • Notify relevant supervisory authorities as required by law
  • Provide details about what information was affected
  • Explain what we're doing to address the breach
  • Offer guidance on steps you can take to protect yourself

Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, legal requirements, or service features. We will notify you of material changes via email at least 30 days before they take effect and update the "Last Updated" date at the top of this page. Continued use of our Services after changes take effect constitutes acceptance of the updated policy.

Contact & Data Protection Officer

For privacy questions, data requests, or concerns, contact us:

Supervisory Authority

If you're not satisfied with our response to privacy concerns, you have the right to lodge a complaint with your local data protection authority. For EU residents, find your supervisory authority at edpb.europa.eu.