Privacy Policy

Last updated: 2 July 2026

RightsDesk is a rights-management platform operated by Fondera (Charles Gabriel Somerville, micro-entreprise / auto-entrepreneur, Hermonville, France). This policy explains how we handle personal data when you use RightsDesk at rights.fondera.ai. We take a deliberately privacy-conscious approach: your records are stored in the EU, access is restricted to you and the colleagues you invite, and you can have your account data deleted on request. We use AI to help ingest, organise and draft from your data — but your data is never used to train AI models (see "Data, security and AI" below).

We act in two different roles depending on the data. As controller, for the data we need to run RightsDesk as a business — your account and login details, and how you use the service. As processor, for the rights, contract, contact and royalty records you and your agency put into RightsDesk — for that content your agency is the controller and we process it only on your agency's instructions, under our Data Processing Agreement. If you are an author, publisher contact or co-agent whose details appear in an agency's RightsDesk account, please contact that agency to exercise your rights.

Data controller

Fondera — Micro-entreprise (auto-entrepreneur BNC). Owner: Charles Gabriel Somerville. SIREN 102 502 754. 1 Rue des Buries, 51220 Hermonville, France. Contact: charlie@fondera.ai.

Data we collect

As controller, we collect only what we need to run the service:

  • Account data — your name, work email, hashed password, agency/tenant, and role.
  • Security and authentication logs — login times, IP address, approximate location (city and country) derived from your IP address, and failed-login or password-reset events, for security and audit.
  • Usage data — which features you use and basic technical/device data, to operate and improve the service.
  • Communications — any support messages you send us.

We do not use third-party advertising or tracking cookies. We use only strictly necessary cookies — secure, httpOnly session cookies and CSRF tokens — to keep you logged in and the service secure.

Legal bases (UK/EU GDPR Art. 6)

  • Contract (Art. 6(1)(b)) — to provide RightsDesk to you and your agency.
  • Legitimate interests (Art. 6(1)(f)) — to secure the service, prevent abuse, keep audit logs, and improve the product. You may object at any time.
  • Legal obligation (Art. 6(1)(c)) — where we must retain or disclose data by law.

Data, security and AI

This is the part most clients ask about, so we keep it plain:

  • Where it lives. Your data is stored on secure servers in the European Economic Area (Germany), encrypted in transit, and isolated per customer — we cannot see across accounts and neither can anyone else.
  • AI. We use AI — provided by a European AI provider (Mistral) as our sub-processor, running in EU data centres — to help ingest, organise and draft from the data you put into RightsDesk. It is processed only to provide those features to you, under a data processing agreement and appropriate safeguards (see sub-processors and transfers below), and your data is not used to train, fine-tune or improve any AI model. Data you import from a connected Google account (Sheets) is an exception: it is handled by our own deterministic logic and is never sent to the AI provider. We do not sell your data and we do not use it for advertising.
  • Retention. Your records are kept only while you use RightsDesk and can be deleted on request. Content processed by our AI sub-processor is retained only as needed to provide the feature and is not used to train models.
  • Protection. Passwords are hashed with argon2id (never stored in plain text), access is role-based and per-tenant isolated, authentication endpoints are rate-limited, and security events are logged.

Connecting your Google account (Sheets and Calendar)

RightsDesk lets you connect your own Google account so the service can work with information you already keep in Google. This is optional — RightsDesk works fully without it — and you grant access yourself through Google's standard consent screen. You can disconnect at any time from your RightsDesk settings or from your Google Account's "Third-party apps & services" page, which also revokes the access.

When you connect Google, we request only the minimum access the feature needs:

  • Google Sheets (read-only) — to read a spreadsheet you choose and import its rows into your own RightsDesk records (books, deals, contacts and royalties). We only read; we never edit, create or delete your spreadsheets.
  • Google Calendar (a dedicated RightsDesk calendar) — we create and manage a single dedicated "RightsDesk" calendar in your Google account to hold your deal deadlines, option dates and reminders, and keep it in sync. We can only see and change events on the calendar we create — we never access, read or modify your other calendars or the events on them.

How we use Google data. We use information obtained through these connections only to provide and improve the features described above, inside your own RightsDesk account. It is stored in the EEA (Germany) alongside your other records, isolated to your account, and protected as set out above. We do not sell it, we do not use it for advertising, and we do not use it to train any generalised or non-personalised AI or machine-learning model. The spreadsheet rows you import are processed by our own deterministic import logic — they are not sent to any third-party AI provider.

RightsDesk's use and transfer of information received from Google APIs to any other app will adhere to the [Google API Services User Data Policy](https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements.

Sub-processors and sharing

We share data only with service providers (sub-processors) acting on our behalf: Hetzner (hosting, Germany/EEA), Mistral (AI-assisted ingestion, organisation and drafting, in the EU — your content is not used to train AI models), and Google Workspace (email delivery — used to send service emails and any messages you choose to send to your contacts from within the service). Where you choose to connect them, we also work with integrations you authorise with your own account — your Google account (Sheets and Calendar, see above) and Xero (invoicing) — accessing only the data those connections allow and only on your instruction. We may disclose data where required by law. We do not sell, rent or otherwise share your personal data.

International transfers

RightsDesk is hosted in the European Economic Area (Germany), and the AI that processes your content runs in the EU. If you are in the UK, the transfer of your data to the EEA relies on the UK's adequacy regulations for the EEA. One service provider — our email-delivery provider (Google Workspace) — may involve transferring data outside the UK/EEA, under appropriate safeguards such as Standard Contractual Clauses or the UK Addendum; and any limited onward transfer by our EU AI provider is likewise covered by such clauses. For the account data we hold as controller, we will not transfer it outside the UK/EEA without such a safeguard.

Your rights

Under UK/EU GDPR you have the right to access, rectify, erase, restrict, port and object to processing of your personal data, and not to be subject to solely automated decisions with legal or similarly significant effect. To exercise these rights for your account data, contact us at charlie@fondera.ai. For content data held in your agency's account, contact your agency, which is the controller. You may also complain to a supervisory authority — in the UK the Information Commissioner's Office (ICO); in France the CNIL.

Retention periods

Account data is kept while your account is active and for a reasonable period afterwards to meet legal, security and accounting obligations, then deleted or anonymised. Authentication and security logs are kept for a limited period for security purposes. Content data is retained and deleted in line with the Data Processing Agreement and your agency's instructions.

Changes

We will update this policy as the service evolves and will post the new version here with a revised "Last updated" date.

Contact

Questions or rights requests: charlie@fondera.ai.