Privacy Policy

1. Introduction

This Privacy Policy describes how Farpoint Technologies Inc.(“Farpoint”, “we”, “us”, “our”) collects, uses, discloses, and protects personal information in connection with the Fabricsoftware platform (the “Service”). This Privacy Policy supplements and is consistent with our Terms of Service, Section 13.

Fabric is delivered primarily as a desktop application (Mac, Windows, Linux). Most of your data — your source code, prompts, AI outputs, and conversation history — stays on your local device and is never transmitted to Farpoint. This Privacy Policy explains the limited circumstances in which Farpoint does receive personal information, and what we do with it.

If you do not agree with this Privacy Policy, please do not use the Service.

2. What we do not collect

Because of how Fabric is architected, there are several categories of data we do not collect by default:

• Customer Code. Your source code stays on your device. Farpoint does not have copies, indexes, or backups of your codebase.
• Inputs. Prompts, instructions, file selections, and other content you submit to the AI inside Fabric stay on your device when you use a local model or your own API keys.
• Outputs. Code suggestions, refactorings, and other AI-generated content stay on your device under the same conditions.
• Chat history.Your conversations with the AI are stored locally in the Fabric app’s local storage. Farpoint does not maintain a server-side record of your chats.

When you choose to use a Farpoint-hosted inference endpoint, your Inputs and Outputs are transmitted to Farpoint’s servers for the sole purpose of generating a response. Those servers do not log the contentof Inputs or Outputs in the normal course of operation. The only exception is the abuse-review procedure described in Section 5.4 of the Terms of Service, which is gated by written authorization from Farpoint’s Chief Security Officer.

3. What we do collect

3.1 Account information

When you create an Account to use Fabric, we collect:

• your name and email address;
• a password (stored as a salted hash);
• billing information (processed by Stripe, Inc., our payment subprocessor — see Section 4);
• subscription tier and entitlements;
• the team or organization you belong to, if any;
• security audit data (login times, IP address at sign-in, multi-factor authentication status).

3.2 Opt-in usage analytics

Fabric can collect redacted, opt-in usage telemetry to help us improve the Service. This collection is:

• off by default;
• controlled by you in Fabric → Settings;
• collected via PostHog, Inc. (PostHog Cloud, hosted in the United States), our analytics subprocessor;
• redacted at the source— we strip Customer Code, Inputs, Outputs, file paths, and any content that could identify a specific user or organization before the data leaves your device.

What we docollect through PostHog (when enabled): anonymized event counts (e.g., “code completion accepted”), feature usage breakdowns, error categories, latency measurements, and operating-system / Fabric-version metadata.

What we do not collect through PostHog: code content, prompt content, response content, file paths, project names, user names, email addresses, or any other personal identifier.

3.3 Support communications

If you contact us at any of our operational mailboxes (support, privacy, security, legal, billing @farpointhq.com), we retain your messages and any information you choose to share for the purpose of responding to your inquiry and improving our support quality.

3.4 Bug reports

If you click the in-app “Bug Report” button, Fabric uploads diagnostic logs and the specific chat that is open at that moment, with your explicit consent, so that we can investigate the issue. Bug reports are reviewed only by Farpoint engineering personnel and are deleted within 90 days of resolution.

4. Subprocessors

Farpoint uses the following third-party subprocessors. Each subprocessor is contractually bound to handle personal information consistently with this Privacy Policy and is subject to the same restrictions on training, retention, and disclosure that bind Farpoint.

We will update this list as our subprocessor arrangements change. Material changes will be communicated through the Service or by email at least 30 days before they take effect.

5. Legal basis and applicable law

Farpoint is a Canadian federal corporation headquartered in British Columbia. Our processing of personal information is governed by, and we are committed to compliance with, the following laws:

• the Canadian Personal Information Protection and Electronic Documents Act(“PIPEDA”);
• Quebec’s Act respecting the protection of personal information in the private sector, as amended by Law 25;
• the European Union General Data Protection Regulation (“GDPR”);
• the United Kingdom General Data Protection Regulation (“UK GDPR”);
• applicable United States state privacy laws, including the California Consumer Privacy Act / CPRA, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, and similar statutes;
• Japan’s Act on the Protection of Personal Information (個人情報の保護に関する法律, “APPI”), including Article 28 (cross-border transfer of personal information).

Where the GDPR or UK GDPR applies, our legal bases for processing are: (a) performance of a contract (operating your Account and providing the Service), (b) legitimate interests (security, fraud prevention, abuse review), (c) consent (opt-in usage analytics, bug reports), and (d) legal obligation (responding to lawful government requests).

6. Data residency and international transfers

Account data and operational logs are stored on infrastructure located in Canada and the United States. Farpoint-hosted inference endpoints, when used, may process Inputs and Outputs at facilities in Canada and the United States.

For users subject to APPI (Japan), GDPR (EU), or UK GDPR, this represents a cross-border transfer of personal information. Farpoint relies on the following safeguards for such transfers:

• Adequacy decisions where applicable (Canada has been recognized as having adequate protection by the European Commission and by the Personal Information Protection Commission of Japan);
• Standard Contractual Clauses for transfers to or from the United States;
• Customer-specific commitments under signed Side Letters or Enterprise Agreements (e.g., commitments to make a Japan-resident deployment available on request).

Enterprise customers who require strict in-country data residency can contract for the Customer-Controlled Cloud Tier or the On-Premises Tier under a separate Order Form, as described in Section 9 of the Terms of Service.

7. How we use personal information

Farpoint uses personal information only for the following purposes:

• to operate, maintain, and improve the Service;
• to authenticate you and protect your Account;
• to provide customer support;
• to process payments and send billing communications;
• to investigate suspected violations of the Terms of Service or applicable law;
• to comply with legal obligations and respond to lawful government requests;
• to communicate with you about Service updates, security advisories, and important changes;
• (with your consent) to send product announcements and marketing communications, which you may unsubscribe from at any time.

We do not use Customer Code, Inputs, or Outputs to train, fine-tune, develop, improve, or evaluate any machine-learning model. This is a contractual prohibition, not a privacy preference, and applies to all deployment tiers by default. It is also flowed down to every model provider and subprocessor we use.

We do not sell personal information. We have not sold personal information in the preceding twelve (12) months and we have no plans to do so.

8. Data retention

We retain personal information only as long as we need it for the purposes set out in Section 7, or as required by law. Specifically:

• Account data: retained for the lifetime of your Account, plus a 90-day grace period after Account deletion to allow recovery of accidental deletions.
• Billing records: retained for the period required by Canadian tax law (currently six (6) years).
• Bug reports: retained for a maximum of 90 days after the issue is resolved.
• Security and audit logs: retained for twelve (12) months; abuse-review logs (where any review under Section 5.4 of the Terms of Service occurred) retained for the same period.
• Inputs and Outputs transiting hosted inference: not retained as content — only ephemeral processing during the request lifecycle.
• Marketing communications: retained until you unsubscribe or request deletion, whichever is sooner.

9. Your rights

Subject to applicable law, you have the following rights with respect to your personal information:

• Access: to obtain a copy of the personal information we hold about you.
• Correction: to correct inaccuracies in your personal information.
• Deletion: to request that we delete your personal information, subject to our legal retention obligations.
• Portability: to receive a machine-readable copy of personal information you have provided to us.
• Objection: to object to certain processing activities, including direct marketing.
• Withdrawal of consent: to withdraw any consent you have given (e.g., for opt-in usage analytics or marketing communications).
• Restriction: to request that we limit the processing of your personal information.
• Complaint:to lodge a complaint with the Office of the Privacy Commissioner of Canada, the Information Commissioner’s Office (UK), the data protection authority in your EU member state, the Personal Information Protection Commission of Japan, or any other supervisory authority with jurisdiction.

To exercise any of these rights, contact us at [email protected]. We will respond within thirty (30) days, or sooner if required by applicable law. We may need to verify your identity before fulfilling certain requests.

10. Security

Farpoint maintains administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, or destruction. These include:

• encryption of data in transit (TLS 1.3) and at rest (AES-256);
• multi-factor authentication for Farpoint personnel accessing production systems;
• role-based access control with the principle of least privilege;
• regular security training for personnel;
• incident response procedures;
• third-party security assessments.

No security program is perfect. If you believe your Account has been compromised, contact us immediately at [email protected].

11. Children’s privacy

Fabric is not directed to children under the age of majority in their jurisdiction (which is 19 years in British Columbia). We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, contact [email protected] and we will delete it promptly.

12. Cookies and similar technologies

The Fabric desktop application does not use cookies. The Fabric website at codewithfabric.com uses essential cookies for authentication and session management, and (with your consent) analytics cookies. You can manage cookie preferences through your browser settings.

13. Changes to this Privacy Policy

Farpoint may update this Privacy Policy from time to time. Material changes will be communicated through the Service or by email at least thirty (30) days before they take effect. Your continued use of the Service after the effective date constitutes your acceptance of the updated Privacy Policy.

14. Contact

For any questions or requests regarding this Privacy Policy, contact:

Privacy Officer
Farpoint Technologies Inc.
2015 Main Street #2, Vancouver, BC V5T 3C2, Canada
Email: [email protected]

For data protection inquiries from EU residents, you may also contact our EU Representative (when designated) — contact details available on request from the address above.

This Privacy Policy is published under the Farpoint Terms of Service v1.0, effective 14 April 2026.