Legal
Privacy Policy
Last updated: June 2026 (draft)
FameX helps you grow as yourself. To do that we analyze your identity and the things you choose to share with us. This policy explains what we collect, why, who we share it with, and the control you have over it. The short version: we never sell your data, we never run ads, and we never scrape — we only use sanctioned platform APIs and the things you give us.
1. Who we are
FameX ("FameX", "we", "us") operates the FameX app and the Tara AI coach. For the purposes of India's Digital Personal Data Protection Act, 2023 ("DPDP") we act as a Data Fiduciary, and for the EU/UK General Data Protection Regulation ("GDPR") we act as a Data Controller, for the personal data described below. Our contact and grievance details are in section 14.
2. Who can use FameX
FameX is for adults only — you must be 18 or older. We do not knowingly collect data from anyone under 18. If we learn that a user is under 18, we delete their account and associated data (see section 10), keeping only a minimal, identifier-free record that a deletion took place.
3. What we collect
We collect only what we need to give you your Digital Mirror and coaching:
- Account & identity: a display name if you give one, an anonymous device identifier (or, if you sign in, your authentication ID from our login provider), and your confirmation that you are 18+ and consent to the analysis, with the time you confirmed it.
- Connected social account (optional): if you connect a supported platform, we read only your own account data that the sanctioned API returns. Instagram and Reddit can provide profile and recent-post signals; X/Twitter and TikTok connectors are built but key-gated; LinkedIn self-serve access verifies identity only and does not give us your posts. Where a platform reports account or post metrics (such as followers, karma, reach, views, or likes), we use only those reported numbers. We store access and refresh tokens in encrypted form. We never receive or store your social password.
- What you tell Tara: your chat and voice-call conversations with Tara, your intake answers, the "desired identity" you describe, and commitments you make. We distil short "memories" from these so Tara can remember you between sessions.
- Your Digital Mirror & journey: the Digital Mirror and gap analysis we generate, your weekly plans, a baseline of your own past performance (used only to show change relative to yourself), and a timeline of your journey milestones — the commitments you make and the outcomes you log — kept and shown back to you so you can see your progress.
- Shareable cards (optional): if you create one, a publicly viewable card holding your recommended lane and identity line (never follower or view numbers), reachable by an unguessable link until you delete it.
- Product analytics: first-party usage events (e.g. which screens you viewed, key actions you took). We strip out raw performance metrics and long free-text before storing them, and we use no third-party analytics, advertising pixels, or tracking SDKs.
- Billing: your subscription tier and status. Payment card details go directly to our payment processor — we never see or store your card number.
What we do not collect: your passwords, your card numbers, your precise location/GPS, mobile advertising identifiers, or health data. We don't build biometric identifiers such as voiceprints or facial geometry — a live voice call streams audio to our voice provider to transcribe and reply (section 5), but we never create a voiceprint from it.
4. How we use your information
- To generate your Digital Mirror and your desired-identity gap analysis.
- To let Tara coach you and remember the context of your journey across sessions.
- To save your progress so a dropped call or a closed tab doesn't lose your place.
- To show performance readouts relative to your own past — never as a fabricated benchmark or a guarantee of growth.
- If you opt into the marketplace, to help brands discover you by authentic fit (see section 6).
- To operate, secure, debug, and improve the service, and to meet legal obligations.
Our legal bases (GDPR) are your consent (for the analysis and connected-account access), performance of our contract with you (to run the service), and our legitimate interests (to keep the service secure and working). Under DPDP, our processing rests on the consent you give before any analysis begins.
5. AI processing
Generating your Digital Mirror and coaching uses AI models. For text-based features — such as your handle, bio, post captions, and the answers or transcript you give Tara — we send the relevant text to a third-party AI model provider that processes it on our behalf under contract; depending on our configuration, that provider is one of Anthropic, OpenAI, or Google.
If you use the live voice call with Tara, your device streams your microphone audio in real time directly to OpenAI, our realtime voice provider, which processes the audio and returns Tara's spoken response (using a short-lived token we issue). We keep a text transcript so Tara can remember the conversation (see section 3), but we do not store the raw audio recording. We do not use your data, and we instruct these providers not to use it, to train AI models.
6. Aggregate insights & the creator–brand marketplace
From your journey milestones (which we also keep in your own timeline — see section 3) we maintain an anonymized cross-user corpus, so we can surface "others on a similar journey". When we search it for you, the results contain only the shape of a journey (its theme, stage, and arena) — never another person's identity or identifiers.
FameX includes an opt-in creator–brand marketplace. It is off unless you choose to join. If you opt in, your Digital Mirror-derived lane and an identity "fit" signal become discoverable so brands can find creators by authentic fit (not follower counts); brands only ever see an opaque match handle and your lane until you choose to engage. We never expose your private data or contact details to brands without your explicit opt-in, you can leave the marketplace at any time, and your listing is removed when you delete your account. We will never sell your personal data, and we will never share it with advertisers.
7. Who we share your data with
We share data only with service providers who process it for us under contract:
- The AI model provider described in section 5.
- OpenAI — additionally, as our realtime voice provider, if you use the live voice call (section 5).
- Meta (Instagram Graph API), Reddit, X/Twitter, LinkedIn, and TikTok — used only through their official, sanctioned APIs for your own connected account. LinkedIn is verification-only; TikTok is hidden for the India-first launch unless a sandbox/global rollout is enabled. We never scrape.
- Our payment processor (e.g. Stripe or Razorpay), to take subscription payments.
- Our authentication provider, if you choose to sign in.
- Cloud hosting and infrastructure providers that run the service.
- Brands, only if you opt into the marketplace — and then only an opaque match handle and your lane, never your private data or contact details, until you choose to engage (section 6).
We may also disclose data if required by law or to protect rights and safety. We do not sell your data, and we do not share it for advertising.
8. Your rights & choices
You can, at any time:
- Access the personal data we hold about you and ask for a copy.
- Correct inaccurate data.
- Delete your account and data (see section 10).
- Withdraw connected-account consent by disconnecting, or contact us about other consent withdrawal.
- Lodge a complaint — with us via our grievance contact (section 14), with the Data Protection Board of India (DPDP), or with your local supervisory authority (GDPR).
You can disconnect any connected social account or delete your account in-app under Account. For access, correction, consent-withdrawal questions, or any other privacy right, email us at privacy@famex.ai. We aim to respond within the timelines required by applicable law.
9. Disconnect vs. delete
These are different, and we want to be precise about it:
- Disconnecting a social account removes our stored access token, so we can no longer read or post to that account. Data we already analyzed (such as your Digital Mirror or your saved progress) remains until you delete it.
- Deleting your account erases the personal data we hold about you across our systems, including your profile, conversations, memories, plans, baselines, connected-account tokens, and analytics events.
10. Data retention
We keep your personal data until you delete your account, or until you withdraw consent in a way that requires us to stop processing it. At that point we erase or stop processing it as required. The only thing we retain afterwards is a minimal, identifier-free marker — with no personal data in it — where we need to demonstrate that a required deletion happened (for example, deletion on discovery that a user is under 18). We do not retain your consent record after you delete your account; the deletion itself ends the processing it authorized.
11. Security
We protect your data in transit with encryption (HTTPS), store connected-account access tokens encrypted at rest, and keep audit trails of sensitive actions such as consent, billing-webhook processing, and under-18 deletion-on-discovery. No system is perfectly secure, so we cannot promise absolute security, but we work to protect your data and to meet our obligations if anything goes wrong.
12. International transfers
Some of our providers (for example, AI model and infrastructure providers) may process data outside India or the EEA. Where they do, we rely on appropriate safeguards, such as contractual protections, to keep your data protected to the standard described here.
13. Changes to this policy
We may update this policy as the product evolves. We will revise the "last updated" date and, for material changes, take reasonable steps to let you know.
14. Contact & grievance redressal
For privacy questions, to exercise your rights, or to raise a grievance, contact our Grievance Officer at privacy@famex.ai. We aim to acknowledge grievances within 72 hours and resolve them within the timelines required by DPDP and GDPR. The named officer and a postal address will be confirmed in the counsel-reviewed version before launch.