FastPages

Privacy Policy

Last updated: March 24, 2026

1. Company Information

FastPages is operated by Xodera OÜ, a private limited company (Osaühing) registered in the Republic of Estonia, a member state of the European Union.

Legal Name: Xodera OÜ
Registry Code: 17440743
Registered Address: Tornimäe tn 5, Kesklinna linnaosa, Tallinn 10145, Harju maakond, Republic of Estonia
Jurisdiction: European Union (Republic of Estonia)
Data Protection Contact: [email protected]

2. Data We Collect

When you use FastPages, we may collect the following information:

  • Account data: email address, name (via Google OAuth).
  • Domain data: your website domain, sitemap URLs, page paths, page counts, and SEO audit results.
  • Cloudflare credentials: your Cloudflare email and Global API Key, used solely to configure DNS, Workers, and cache rules. Encrypted with AES-256-GCM at rest.
  • Bubble.io API token: your Data API token, used for database synchronization and template rendering. Encrypted with AES-256-GCM at rest.
  • Database content: public-facing records from your Bubble.io database tables that you explicitly enable for synchronization.
  • Performance data: PageSpeed scores, Core Web Vitals metrics, deploy detection history, sync statistics.
  • Usage data: trial results, subscription status, feature usage patterns.
  • Technical data: IP address, browser type, access times (standard server logs).

3. How We Use Your Data

  • To provide the FastPages optimization service (DNS configuration, Worker deployment, page rendering, content synchronization).
  • To detect Bubble.io deploys and automatically update optimized pages.
  • To synchronize dynamic database content so search engines always see current data.
  • To monitor your sitemap for new pages and notify you of changes.
  • To perform SEO audits and generate optimization recommendations.
  • To send transactional emails (trial reminders, subscription updates, service notifications).
  • To process payments through our payment provider (Stripe).
  • To improve our service and develop new features.

4. Data Sharing

We do not sell your personal data. We share data only with the following processors, strictly necessary for service operation:

  • Cloudflare: to configure DNS, Workers, and cache rules on your domain (using credentials you provide).
  • Stripe: to process subscription payments (PCI DSS Level 1 compliant).
  • Resend: to deliver transactional emails.
  • Google: for OAuth authentication and PageSpeed Insights API.
  • OpenAI: for AI-powered SEO analysis (only page metadata is sent, never your credentials or personal data).

5. Data Security

We implement enterprise-grade security measures to protect your data:

  • Encryption at rest: All sensitive credentials are encrypted using AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode). This is the same encryption standard used by governments and financial institutions worldwide.
  • Encryption in transit: All data transmissions between your browser and our servers, and between our internal services, use TLS 1.3 — the latest and most secure transport layer protocol.
  • Infrastructure security: Our servers are hosted in EU data centers operated by providers with ISO 27001 certification.
  • Access control: Strict role-based access controls ensure that credentials and sensitive data are accessible only to automated service processes, never to human operators.
  • Data isolation: Each customer's data is logically isolated. No user can access another user's data, credentials, or configuration.
  • Credential lifecycle: When you cancel your service, all credentials are immediately and irrecoverably deleted from our systems.

6. Data Retention

  • Account data: retained for the duration of your account. Deleted upon written request.
  • Credentials: deleted immediately upon trial cancellation or subscription termination.
  • Synced database content: removed from our PostgreSQL database within 7 days after cancellation.
  • Cached pages: removed from Redis cache within 30 days after cancellation.
  • Server logs: retained for up to 90 days for debugging and security purposes.
  • Analytics data: aggregated visitor and bot statistics retained for 90 days.

7. Your Rights (GDPR)

As a company registered in the European Union, we fully comply with the General Data Protection Regulation (GDPR). You have the right to:

  • Access: request a copy of all personal data we hold about you.
  • Rectification: correct inaccurate or incomplete personal data.
  • Erasure: request deletion of your personal data (“right to be forgotten”).
  • Portability: export your data in a machine-readable format.
  • Restriction: restrict the processing of your data in certain circumstances.
  • Objection: object to data processing based on legitimate interests.
  • Withdraw consent: withdraw your consent at any time.
  • Complaint: lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at www.aki.ee.

To exercise your rights, contact us at [email protected]. We will respond within 30 days.

8. Cookies

We use only strictly necessary cookies for authentication and session management. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. For detailed information, please see our Cookie Policy.

9. International Data Transfers

All data processing occurs within the European Union. In cases where data must be processed by sub-processors outside the EU (e.g., Stripe for payments, OpenAI for AI analysis), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email at least 14 days before they take effect. Continued use of FastPages after changes constitutes acceptance.

11. Contact

For privacy-related inquiries, contact us at: [email protected]

Xodera OÜ · Tornimäe tn 5, Kesklinna linnaosa · Tallinn 10145, Estonia