Privacy Policy

Last updated: February 14, 2026 · Version 2026-02-14

Your privacy matters to us. This policy is our commitment to transparency — it explains exactly what data Fairlx collects, why we collect it, how we protect it, and what control you have over it. We believe privacy is a right, not a feature.

Introduction

Fairlx is built and operated by Stemlen Pvt Ltd., a software company registered in Warangal, Telangana, India. We build tools that help teams plan, execute, and ship software — including sprint boards, work item management, team collaboration, AI-powered productivity features, time tracking, GitHub integration, and a wallet-based billing system.

This Privacy Policy applies to everything we operate: the Fairlx marketing website at fairlx.com, the Fairlx web application at app.fairlx.com, all APIs and webhooks exposed by Fairlx, and any third-party integrations we connect with (such as GitHub). When we say "Services" in this document, we mean all of the above collectively.

We designed this policy to be readable, specific, and honest. We avoid vague legal language wherever possible. If something is unclear, you can always reach out to us — our contact details are at the bottom of this page.

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, we respectfully ask that you discontinue using our Services. Your trust is foundational to how we build Fairlx, and we take the responsibility of handling your data seriously.

Information We Collect

We collect only the data necessary to provide, secure, and improve our Services. Below is a detailed breakdown of every category of information we may collect, along with specific examples and explanations.

A. Account Information

When you create a Fairlx account — either as an individual or on behalf of an organization — we collect information needed to set up and manage your identity within the platform:

  • Full name — Used to identify you within workspaces, project assignments, and activity logs.
  • Email address — Used for authentication, transactional notifications, security alerts, and account recovery.
  • Organization name and details — If you create or join an organization, we store metadata such as the organization name, type, and member count to support multi-tenant features.
  • Role and account type — We track whether your account is personal or organizational, and your assigned role (Owner, Admin, Member, Viewer) to enforce role-based access control throughout the platform.
  • Password — If you sign up with email and password, your password is securely hashed using industry-standard algorithms before storage. We never store, log, or have access to your plaintext password.

B. Authentication Data

We support sign-in via GitHub OAuth in addition to traditional email/password. When you authenticate through a third-party provider, we receive and store certain data:

  • GitHub OAuth profile — Your GitHub username, avatar URL, and the primary email address associated with your GitHub account.
  • OAuth access tokens — GitHub issues an access token when you authorize Fairlx. This token is encrypted at rest using strong encryption before being stored on our servers. We use it solely to authenticate API requests on your behalf (e.g., listing repositories, syncing issues).
  • Account linking information — If you connect multiple authentication methods (e.g., email + GitHub), we store the association so you can sign in using either method.
  • Repository metadata — When you connect a GitHub repository to a Fairlx project, we store repository names, IDs, and configuration preferences. We do not read your source code.

C. Payment & Wallet Information

Fairlx uses a wallet-based billing system. You pre-load credits into your wallet, and usage is deducted from your balance. Payment processing is handled entirely by Razorpay — a PCI-DSS Level 1 compliant payment gateway.

  • Razorpay transaction references — We store order IDs, payment IDs, and transaction signatures returned by Razorpay. These are used to verify payment authenticity and link transactions to your wallet.
  • Wallet balance and transaction history — We maintain a record of all credits and debits to your wallet, including top-up amounts, usage deductions, and the timestamps of each transaction.
  • Coupon redemption records — If you apply a promotional coupon, we log which coupon was used, the credit amount granted, and the date of redemption to prevent duplicate or fraudulent claims.
  • GitHub star reward credits — Fairlx offers bonus credits when users star our GitHub repository. We record whether the reward was claimed and the associated GitHub account to prevent repeat claims.
  • Billing metadata — This includes currency preferences, top-up frequency, and active subscription identifiers. It does not include full credit card numbers, bank details, CVVs, or any raw card data.

Fairlx never stores your full credit card number, bank account number, CVV, or card expiry.

All sensitive payment data is handled directly by Razorpay, which is PCI-DSS Level 1 certified. Fairlx only receives transaction reference identifiers after a payment is confirmed.

D. Usage & Technical Data

To operate, secure, and improve Fairlx, we automatically collect certain technical information when you interact with our Services:

  • IP address — Used for security monitoring, rate limiting, abuse detection, and approximate geolocation for compliance purposes.
  • Device information — Screen resolution, device type (desktop/mobile/tablet), and hardware identifiers provided by your browser.
  • Browser type and version — To ensure compatibility, diagnose rendering issues, and prioritize browser support.
  • Operating system — Collected alongside browser data to help reproduce and resolve reported issues.
  • Feature usage patterns — We track which features you use, how often, and in what sequence. This helps us understand where users spend their time and where we need to improve the product.
  • API usage and request logs — For API consumers, we log endpoint calls, response codes, and request timestamps. This supports debugging, rate limiting, and traffic metering for usage-based billing.
  • AI feature usage logs — When you use AI-powered features, we log routing metadata such as which AI model was invoked, latency, token count, and whether the request succeeded. We do not store the content of your prompts or the AI-generated responses beyond the immediate processing window.
  • Error diagnostics — Crash reports, unhandled exceptions, and client-side error traces are collected to proactively identify and resolve stability issues.
  • Traffic metering data — For usage-based billing, we meter API calls, storage consumption, and compute usage. This data is tied to your workspace and used to calculate wallet deductions.

E. Cookies & Tracking Technologies

We use a minimal set of cookies and similar technologies to make Fairlx work properly and to understand how people use our Services:

  • Essential cookies — These are required for authentication, session management, and security. Without them, you would not be able to sign in or stay signed in. We consider these strictly necessary and they do not require consent.
  • Analytics cookies — We use Google Analytics to collect aggregated, anonymized data about site usage patterns — such as page views, session duration, and traffic sources. You can opt out of Google Analytics using browser extensions or your browser's cookie settings.
  • Session management — Session tokens stored in secure, HTTP-only cookies maintain your authenticated state. These expire automatically based on your session settings and cannot be accessed by client-side scripts.
  • Preference storage — We may store user preferences (theme, sidebar state, last-visited workspace) in local storage or session cookies to provide a seamless experience across page reloads.

We do not use advertising cookies, retargeting pixels, or fingerprinting technologies. We do not build advertising profiles from your usage data.

How We Use Your Information

Everything we collect serves a specific purpose. Below is a detailed explanation of each use case, along with the rationale behind why that processing is necessary.

  • Authentication & Account Security

    We use your email, password hash, and OAuth tokens to verify your identity during sign-in, enforce multi-session management, and protect your account against unauthorized access. Session tokens are validated on every API request. Failed login attempts are monitored to detect brute-force attacks, and your IP address is temporarily recorded for security auditing.

  • Account Creation & Onboarding

    When you sign up, we use your name, email, and organization details to provision your workspace, assign default roles and permissions, and guide you through the onboarding process. This includes verifying your email address to confirm you own the account.

  • Wallet & Credit Processing

    Your wallet balance, top-up history, and usage data are processed to credit your account when payments clear, deduct credits as you consume services, prevent double-crediting through idempotent transaction handling, and generate transparent billing records. Coupon redemption and GitHub star reward processing also rely on this data. Every wallet operation is logged with a full audit trail.

  • Fraud Detection & Prevention

    We monitor wallet activity for anomalies — such as unusually high top-up frequency, concurrent transactions from multiple IPs, or attempts to exploit coupon or reward systems. Daily top-up limits are enforced automatically. Razorpay payment signatures are cryptographically verified before any credits are applied. This protects both you and other users from financial abuse.

  • AI Feature Processing

    When you invoke AI-powered features (such as smart suggestions, workflow automation, or code analysis), your request is routed to third-party AI model providers as needed. We process only the minimum context required — we do not send your entire workspace or project history. AI prompt content is processed in memory and is not permanently stored. We retain only metadata (model used, token count, latency, success/failure status) for performance monitoring and cost tracking.

  • Product Improvement & Analytics

    We analyze aggregated usage patterns — which features are used most, where users drop off, what workflows take the longest — to guide product decisions, prioritize bug fixes, and improve overall performance. This analysis is done on aggregated or anonymized data wherever possible. We never use your private project content for analytics.

  • Security Monitoring & Access Control

    We enforce role-based access control across organizations, workspaces, projects, and teams. Access events are logged — including who accessed what, when, and from which IP. Administrative actions (such as inviting members, changing permissions, or modifying billing settings) are recorded in audit logs. These measures exist to prevent unauthorized access and to maintain the integrity of your data.

  • Support & Troubleshooting

    If you contact us for support or report a bug, we may access your account metadata, error diagnostics, and usage logs to investigate and resolve the issue. We access only what is relevant to the reported problem and do not browse your project content without your explicit permission.

  • Communications & Notifications

    We use your email to send transactional messages (payment confirmations, password resets, email verification), security alerts (unusual login activity, permission changes), and product announcements (new features, maintenance windows). You can adjust your notification preferences in your account settings. We never send unsolicited marketing email without your opt-in consent.

  • Legal & Regulatory Compliance

    Certain data processing is required to comply with applicable laws — such as maintaining financial transaction records for tax compliance, responding to valid legal requests from authorities, and complying with data protection regulations in the jurisdictions where we operate and where our users are located.

Data Sharing & Disclosure

We share your personal data only when it is necessary to operate our Services, comply with the law, or protect the security of our platform. We are highly selective about who we share data with and what data they receive.

  • Payment Processors

    Razorpay processes all financial transactions on behalf of Fairlx. When you initiate a wallet top-up, we share the minimum information required to process the payment — your name, email, and order amount. Razorpay is PCI-DSS Level 1 certified and operates under its own privacy policy. We do not send your project data, workspace content, or usage history to Razorpay.

  • Cloud Infrastructure Providers

    Our Services are hosted on cloud platforms that act as sub-processors under our direct instruction. They provide compute, storage, and networking infrastructure. They do not have independent access to your data and are contractually bound by data processing agreements that restrict how they may handle information.

  • Analytics Providers

    We use Google Analytics to understand broad usage trends — such as which pages are most visited, how long sessions last, and where traffic originates. Data shared with Google Analytics is anonymized where technically feasible. We do not send identifiable project content, work items, or private workspace information to analytics providers.

  • Security & Monitoring Tools

    We may use third-party services for error tracking, performance monitoring, and security alerting. These services receive limited technical data (error traces, request metadata, anonymized performance metrics) to help us identify and resolve issues. They do not have access to your project content or personal communications.

  • Legal Authorities

    We may disclose your information if we are compelled to do so by a valid court order, subpoena, search warrant, or mandatory regulatory request. Before disclosing data, we evaluate each request for legal validity, narrow scope, and jurisdictional applicability. Where legally permitted, we will notify you before disclosure. We do not voluntarily provide user data to government agencies.

We do not sell, rent, lease, or trade your personal data.

Fairlx has never sold user data and never will. We do not participate in data broker networks, advertising exchanges, or any arrangement where your personal information is monetized. Our business model is simple: you pay for the product, the product works for you.

Data Retention

We retain your data only for as long as it serves the purpose for which it was collected — or as long as we are legally required to keep it. We follow a principle of data minimization: when data is no longer needed, it is deleted or irreversibly anonymized. Below are our specific retention periods:

| Data Type | Retention Period | Rationale |
|---|---|---|
| Account data | Until account deletion + 30-day grace period | Grace period allows recovery from accidental deletion |
| Organization data | Until organization deletion + 30-day soft delete | Protects members from data loss due to admin error |
| Payment & transaction data | Minimum 8 years | Indian financial compliance and tax law requirements |
| Wallet transaction logs | 3 years | Dispute resolution and audit trail integrity |
| Server & access logs | 90 days | Security investigation and incident response |
| AI prompt metadata | 30 days | Cost tracking and quality monitoring only; prompt content is not stored |
| Security & audit logs | 1 year | Compliance auditing and forensic capability |
| Usage metering data | Current billing cycle + 90 days | Billing accuracy and dispute resolution |
| Error diagnostics | 30 days | Timely bug detection and resolution |

When data reaches the end of its retention period, it is permanently deleted from our production systems and backups within a reasonable timeframe. In some cases, data may be anonymized and retained in aggregate form for long-term product analytics — but only in a way that makes it impossible to re-identify any individual.

Security Measures

We invest heavily in security because the data you trust us with — your projects, your financial information, your team activity — deserves real protection, not just checkbox compliance. Here is a detailed overview of the measures we have in place:

HTTPS everywhere

All communication between your browser and Fairlx is encrypted using TLS 1.2+ (HTTPS). Plaintext HTTP connections are automatically redirected. This protects your data from interception during transit.

Encryption at rest

Sensitive data — including OAuth tokens, wallet balances, and authentication credentials — is encrypted before being stored in our databases. Even in the unlikely event of a data breach at the infrastructure level, encrypted data would be unreadable.

Session management

Sessions are managed through secure, HTTP-only cookies with configurable expiration. Tokens are validated on every API request. Inactive sessions expire automatically to reduce the window of exposure if a device is shared or lost.

Role-based access control (RBAC)

Fairlx enforces granular permissions at four levels: organization, workspace, project, and team. Each level has distinct roles (Owner, Admin, Member, Viewer) with carefully scoped permissions. This ensures users only access what they need.

Webhook signature verification

Incoming webhooks from Razorpay and GitHub are cryptographically verified using HMAC signatures before processing. This prevents attackers from forging webhook payloads to manipulate your account or trigger unauthorized actions.

Payment signature validation

Every Razorpay payment completion includes a cryptographic signature. We verify this signature server-side before crediting your wallet. This prevents replay attacks, forged payment confirmations, and double-crediting.

OAuth token encryption

GitHub OAuth tokens are encrypted using strong encryption before storage. They are decrypted only at the moment of use and only within secure server-side processes. Tokens are never exposed to the client, logged in plaintext, or transmitted insecurely.

Wallet fraud protection

The wallet system enforces daily top-up limits, transaction idempotency (to prevent duplicate credits), and automated monitoring for suspicious patterns — such as rapid successive top-ups or coupon exploitation attempts.

Rate limiting

API endpoints are rate-limited to prevent abuse, brute-force attacks, and denial-of-service attempts. Limits are calibrated per endpoint based on expected legitimate usage.

Audit logging

Administrative actions — role changes, member invitations, billing modifications, permission updates — are recorded in tamper-resistant audit logs with timestamps and actor identification.

Monitoring & anomaly detection

We continuously monitor system health, API traffic patterns, and authentication activity. Anomalous behavior (such as login attempts from unusual geolocations or sudden spikes in API usage) triggers automated alerts for review.

Data minimization

We collect only the data we need and avoid retaining data beyond its useful life. Logs, diagnostic data, and AI metadata are purged on defined schedules. We do not build profiles beyond what is necessary for service operation.

Security disclaimer: While we implement rigorous, industry-standard security measures and continuously work to strengthen our defenses, no method of electronic transmission or data storage is 100% secure. We cannot guarantee absolute security, but we commit to promptly reporting, investigating, and remediating any security incident that affects your data.

Your Rights

Depending on where you are located, you may have specific rights regarding the personal data we hold about you. We respect these rights regardless of whether they are legally mandated in your jurisdiction — if you make a request, we will do our best to accommodate it.

  • Right of Access

    You have the right to request a copy of all personal data we hold about you. We will provide this in a commonly used, machine-readable format within 30 days of receiving a verified request.

  • Right to Correction

    If any personal data we hold is inaccurate, outdated, or incomplete, you may request that we correct or update it. Most profile information can be updated directly through your account settings.

  • Right to Deletion

    You may request the deletion of your personal data. We will comply except where we are legally required to retain certain records (for example, financial transaction data required for tax compliance). Account deletion initiates a 30-day grace period before permanent removal.

  • Right to Data Portability

    Where technically feasible, you can request an export of your data in a structured, machine-readable format so that you can transfer it to another service provider.

  • Right to Object

    You may object to the processing of your personal data where we rely on legitimate interests as the legal basis. In such cases, we will cease processing unless we can demonstrate compelling legitimate grounds that override your rights.

  • Right to Withdraw Consent

    Where we process your data based on consent (such as marketing communications), you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

  • Right to Restrict Processing

    In certain situations — for example, while we verify the accuracy of your data following a correction request — you may request that we restrict further processing of your information.

How to exercise your rights

Send a request to stemlen.co@gmail.com with the subject line "Privacy Rights Request". Include your account email and a description of which right you wish to exercise. We will verify your identity and respond within 30 calendar days. If we need more time due to the complexity of the request, we will inform you of the extension within the initial 30-day window.

International Data Transfers

Fairlx is operated from India by Stemlen Pvt Ltd. Our primary infrastructure is hosted in cloud regions that may span multiple jurisdictions. If you access our Services from outside India, your personal data will be transferred to and processed in India and potentially in other countries where our cloud providers maintain infrastructure.

We recognize that different jurisdictions have different data protection standards. To protect your data during international transfers, we implement the following safeguards:

  • Standard Contractual Clauses (SCCs) — Where required (particularly for transfers from the EEA), we use SCCs approved by the European Commission as the legal mechanism for cross-border data flows.
  • Data Processing Agreements (DPAs) — All sub-processors and third-party service providers who handle personal data on our behalf are bound by data processing agreements that impose strict confidentiality, security, and data handling obligations.
  • Regulatory compliance — We monitor changes in international data protection law and adapt our transfer mechanisms accordingly. This includes compliance with the GDPR, the UK GDPR, India's Digital Personal Data Protection Act, and other applicable frameworks.
  • Encryption in transit — All data transferred between regions is encrypted using TLS, ensuring that even during cross-border transmission, your data cannot be intercepted or read by unauthorized parties.

Personal Data of Children

Fairlx is a professional SaaS platform designed for businesses, development teams, and working professionals. Our Services are not directed at, marketed to, or intended for use by anyone under the age of 13.

We do not knowingly collect, store, or process personal data from individuals under 13 years of age. Our registration and onboarding processes are designed for adult professional use, and we do not request or require any information that would specifically identify a child.

If you are under the age of 13, please do not create an account, submit any personal information through our Services, or interact with our platform in any way that involves providing identifying data.

If we become aware — through our own review, a report from a user, or a notification from a parent or guardian — that we have inadvertently collected personal data from someone under 13, we will take immediate steps to delete that information from our systems and terminate the associated account.

Parents and guardians who believe their child may have submitted personal information to Fairlx are encouraged to contact us at stemlen.co@gmail.com. We will investigate promptly and ensure all related data is permanently removed.

Third-Party Links & Integrations

Fairlx integrates with and links to third-party services to extend the platform's capabilities. It is important that you understand how these connections affect your data.

External Links

Our website and application may contain links to external websites, documentation, or resources that are not operated by Fairlx. When you click on a third-party link, you leave our platform and are subject to that third party's privacy practices. We are not responsible for the content, privacy policies, or data handling practices of any external website. We encourage you to review the privacy policy of every site you visit.

GitHub Integration

Fairlx offers deep integration with GitHub for repository syncing, issue tracking, and pull request workflows. When you connect your GitHub account, we receive access scoped to the permissions you grant during OAuth authorization. We access only the repository metadata and events necessary for the integration to function. We do not read, store, or analyze your source code. You can revoke Fairlx's access to your GitHub account at any time through your GitHub settings.

Payment Gateway

Payment transactions are processed by Razorpay. When you initiate a payment, you interact directly with Razorpay's secure payment interface. Any card or bank information you enter is handled exclusively by Razorpay under their privacy policy and PCI-DSS compliance framework. We recommend reviewing Razorpay's Privacy Policy for detailed information on how they process payment data.

AI Model Providers

AI-powered features in Fairlx may route requests to third-party AI model providers. When this happens, only the minimum context required to generate a response is transmitted. We do not share identifying user information, workspace metadata, or project history with AI providers. AI providers process data under strict terms that prohibit them from using your data to train their models, unless you have independently accepted their terms.

Changes to This Privacy Policy

Privacy is not static — as our Services evolve, as regulations change, and as we adopt new technologies, this Privacy Policy may need to be updated. We are committed to keeping you informed about any changes.

When we update this policy, we will:

  • Revise the "Last Updated" date and version number at the top of this page.
  • Publish a clear summary of what changed, particularly for material modifications that affect how your data is collected, used, or shared.
  • For significant changes, notify active users via email or through an in-app notification banner. In the Fairlx application, users will be asked to review and re-accept the updated policy before continuing to use the Services.
  • Maintain previous versions of this policy for your reference.

If you continue to use our Services after a policy update takes effect, you are considered to have accepted the revised terms. If you disagree with any changes, you may stop using our Services and request deletion of your account and personal data.

Contact Us

We value transparency and are happy to answer any questions you may have about this Privacy Policy, your personal data, or how we handle privacy at Fairlx. Whether you have a concern, a question, or want to exercise your data rights — reach out and we will respond.

  • Legal & Support: stemlen.co@gmail.com
  • Company: Stemlen Pvt Ltd.
  • Registered Address: Warangal, Telangana, India
  • Website: fairlx.com