Privacy Policy

Last updated 2 June 2026

This Privacy Policy explains what data Elpha Club (“we,” “us”) collects from you, how we use it, and the choices you have. Elpha Club is operated by Future Nostalgia Studios Inc, 2261 Market Street STE 5610, San Francisco, CA 94114, United States.

Data controller

Future Nostalgia Studios Inc is the data controller for account, billing, and platform usage data. When a creator collects data from their visitors (form submissions, mailing-list subscribers, booking attendees), the creator is the data controller and we act as a data processor on their behalf.

What we collect

  • Account data — email, password (hashed), and any profile information you choose to provide (display name, handle, bio, avatar, etc.).
  • Billing data — handled by Stripe. We store your Stripe customer id and subscription state; payment-card details never touch our servers.
  • Page views — for the analytics dashboard. Stored as anonymous daily-rotating hashes of IP + User-Agent + a server- only salt. We never store raw IP addresses.
  • Form submissions and mailing list — the data your visitors send you (name, email, responses), which we relay to your dashboard. Consent metadata (IP + user-agent) is captured at the point of submission for GDPR compliance.
  • Booking data — when a visitor books a call through your microsite, we collect their name, email, phone (optional), timezone, and the selected time slot.
  • Google Calendar data — if you connect your Google Calendar, we read your existing events to check scheduling conflicts. We store only the start time, end time, and whether the event is all-day. We do not store event titles, descriptions, attendee lists, or any other event content. OAuth tokens are encrypted at rest using AES-256-GCM.

How we use it

  • To operate, secure, and improve the platform.
  • To bill you for the subscription and send invoices + receipts.
  • To send service emails (account, billing, security, booking confirmations, reminders). We don't send marketing email without your opt-in.
  • To create Google Calendar events with video meeting links when visitors book calls through your microsite (only if you've connected your Google Calendar).

What we do NOT do with your data

We do not and will not:

  • Sell your personal data to third parties or data brokers.
  • Use your data for targeted or personalised advertising.
  • Use your data for credit-worthiness determination or lending decisions.
  • Use your data to train AI or machine learning models outside of providing the Elpha Club service to you.
  • Transfer your data to any party for purposes unrelated to providing or improving the Elpha Club service.

Security

We implement industry-standard security measures to protect your data:

  • All data is transmitted over HTTPS/TLS.
  • OAuth tokens (Google Calendar, social media) are encrypted at rest using AES-256-GCM.
  • Passwords are hashed using bcrypt via Supabase Auth.
  • Database access is governed by row-level security (RLS) policies — each user can only access their own data.
  • Service-role keys and secrets are never exposed to the client.
  • We conduct regular security reviews and follow OWASP best practices.

Sub-processors

We share data only with sub-processors strictly needed to run the platform:

  • Supabase — database, authentication, file storage
  • Vercel — hosting and serverless functions
  • Stripe — payment processing
  • Resend — transactional and campaign email delivery
  • Google — Calendar API and Google Meet (only when the creator connects their Google account)
  • Zernio — social media management API (only when the creator connects their Instagram or TikTok account)

Social media integration

When a creator connects their Instagram or TikTok account via Zernio, we access:

  • Posts and analytics — to display engagement metrics (views, likes, comments) in the dashboard.
  • Direct messages (Instagram only) — to display conversations in the social inbox and enable replies from the dashboard.
  • Comments — to display and moderate comments from the dashboard.

We do not store social media content permanently — it is fetched from the platform on each request. Connection tokens are stored encrypted. You can disconnect at any time from Settings → Social.

Google Calendar integration

When a creator connects their Google Calendar, we request access to:

  • Read calendar events (calendar.readonly) — to check which time slots are already busy, so visitors only see genuinely available times.
  • Create, update, and delete events (calendar.events) — to add a calendar event with a Google Meet link when a booking is confirmed, update it on reschedule, and remove it on cancellation.

We do not access calendars other than the creator's primary calendar. We do not share calendar data with third parties. You can disconnect your Google Calendar at any time from Settings → Calendar, which immediately stops all access. Stored OAuth tokens are deleted on disconnection.

Cookies

We use a session cookie for authentication and a consent cookie for the EU/UK cookie banner. Stripe sets __stripe_mid when you visit Checkout. We don't use marketing or tracking cookies.

Your rights

You can access, correct, export, or delete your data at any time via the dashboard (Settings → Privacy & data) or by emailing faye@fnstudios.app. Under GDPR/UK GDPR you also have the right to object to processing, request restriction, and lodge a complaint with a supervisory authority.

Retention

We keep account data while your account is active and for 30 days after termination, then delete it. Billing records are retained as required by tax law (typically 7 years). Google Calendar sync data (busy events) is retained only while the connection is active and deleted immediately on disconnection.

Contact

Future Nostalgia Studios Inc
2261 Market Street STE 5610
San Francisco, CA 94114
United States

Privacy questions: faye@fnstudios.app