Legal

Privacy Policy

Last updated June 16, 2026 · Invicta Mandala Unipessoal Lda, Portugal

Invicta Mandala Unipessoal Lda is a company established in Portugal. We act as the data controller for the personal data you share with us, and we handle it under the EU General Data Protection Regulation (GDPR). This policy explains what we collect, why, who we share it with, and the rights you have over it.

Who we are

Faroa is an AI-generated learning-path service operated by Invicta Mandala Unipessoal Lda, Portugal. When you create an account, start a trial, or read a learning path, we decide how and why your personal data is processed, which makes us the data controller under the GDPR.

You can reach our privacy team any time at faroasupport@gmail.com.

The data we collect

We keep collection deliberately small. Depending on how you use Faroa, we process:

  • Account data: your email address and, if you provide it, your name. This is what identifies your account and lets you sign in.
  • Usage data: the books you choose, the concepts you read, your progress through a learning path, and session timestamps. This is how your vault and reading history stay in sync.
  • Your focus and goals: the context you give us when you start a learning path, so the path can be shaped around what you actually want to get from a book.
  • Vault contents: the AI-generated concepts you accumulate. These are content we generate, though they reflect what you have chosen to read.
  • Payment data: handled for us by Stripe. We receive confirmation that a payment succeeded and limited details such as the card brand and last four digits; we never see or store your full card number.

What we do not collect

Faroa is built around a firewall: no book text ever enters our systems. We do not copy, store, or process the interior text of any book: no chapters, no paragraphs, no quotations. Book titles and author names are public facts, not personal data.

When we ask an AI provider to generate a learning path, we send only the minimum needed, and we do not include your name. We design our prompts so that personal data sent to providers is kept to the smallest possible amount.

Under Article 6 of the GDPR, we rely on:

  • Performance of a contract (Art. 6(1)(b)): to create your account, generate your learning paths, keep your vault in sync, and manage your trial and subscription.
  • Legitimate interests (Art. 6(1)(f)): to keep Faroa secure, prevent abuse, and improve the product. You can object to processing based on legitimate interests at any time.
  • Legal obligation: where we must keep certain records, for example for tax or accounting.

AI providers and international transfers

To generate learning paths, we send prompts to third-party AI providers, which may include Anthropic, OpenAI, Google, or Mistral. These prompts contain book metadata and your stated focus, never book text, and never your name.

Where a provider is based outside the EU, the transfer is protected by an appropriate safeguard such as Standard Contractual Clauses or the EU-US Data Privacy Framework, and we put a Data Processing Agreement in place under Article 28 before any data is sent. We prefer EU-based providers where we can, and we opt out of having your prompts used to train providers' models.

Payments

Subscriptions are processed by Stripe, which acts as an independent controller of your payment data and maintains its own PCI-DSS-compliant security. Stripe's handling of your card details is governed by Stripe's privacy policy. Faroa never stores your full card number.

Cookies and analytics

We use a small number of essential cookies to keep you signed in and to remember your place in a learning path. For product analytics we use privacy-friendly measurement that helps us understand how Faroa is used without building advertising profiles of you. We do not sell your data, and we do not run third-party advertising trackers.

How long we keep it

We keep your account and learning data for as long as your account is active. If you close your account or ask us to erase your data, we delete it, except where we are required to keep limited records for legal reasons (such as proof of a transaction), which we hold only for as long as the law requires.

Your rights

Under the GDPR you have the right to:

  • Access (Art. 15): get a copy of the personal data we hold about you.
  • Erasure (Art. 17): ask us to delete your account and associated data.
  • Portability (Art. 20): receive your data in a structured, machine-readable format.
  • Object (Art. 21): object to processing we carry out under legitimate interests.
  • Rectification (Art. 16): correct data that is inaccurate or incomplete.

To exercise any of these, email faroasupport@gmail.com. You also have the right to lodge a complaint with our supervisory authority, the Comissão Nacional de Proteção de Dados (CNPD), if you believe we have handled your data improperly.

Children

Faroa is not directed at children. You must be at least 16 years old to create an account. If we learn that we have collected data from a child below that age without the consent of a parent or guardian, we will delete it.

Changes to this policy

As Faroa grows, we may update this policy. When we make a material change we will revise the date at the top of this page, and where appropriate we will let you know directly. The current version always lives here.

Contact

Questions about your privacy? Write to faroasupport@gmail.com. For how our learning paths are made and how we treat books, see our Content Policy, and for the terms that govern your use of Faroa, see our Terms.