Privacy Policy for Fibbler

Information Collection

When you register with Fibbler, we collect the following personal data:

• Name
• Email address
• Company name

This information is essential for the use of our product and services.

Important: Fibbler does not process personal data (PII) as part of its core LinkedIn Ads product. The primary personal data we handle is account-related information such as email addresses, which are used to create and manage Fibbler accounts. We do not process CRM contacts, LinkedIn messages, or sensitive personal information as part of the core product. To provide attribution and analytics features, Fibbler stores company-level and deal/opportunity data from your connected CRM (such as company names, domains, deal amounts, and deal stages). This is business data, not personal data. For customers using the Google Ads attribution add-on, IP addresses of website visitors are processed by our partner Dealfront (Leadfeeder) for the purpose of B2B company identification — see the Google Ads Attribution section below for full details.

Use of Information

The personal data collected is used for the following purposes:

• To enable full use of our product and deliver the services you signed up for, including storing CRM data to power attribution, analytics, and MCP features (Art. 6(1)(b) GDPR — contract performance).
• For marketing purposes, such as sending newsletters, if you opt-in to receive them (Art. 6(1)(a) GDPR — consent).

Data Storage and Transfers

All customer and application data is hosted in the EU on Google Cloud and Fly.io infrastructure. No customer data from the core product is processed outside the EU. Website analytics and marketing email data may be processed by providers outside the EU/EEA under appropriate safeguards (Standard Contractual Clauses or EU-US Data Privacy Framework).

We store LinkedIn ads data, Google Ads campaign data, and CRM data (company names, domains, deal amounts, deal stages, and related metadata) in our database to power attribution, analytics, and MCP features. CRM data is synchronized on a regular schedule while your integration remains connected. Customers with a DPA signed before April 2026 are exempt from CRM data storage unless they agree to a revised DPA.

All stored data is encrypted at rest using AES-256 encryption. Fibbler may also use aggregated and anonymized data (where no individual or company can be identified) to generate industry benchmark reports.

Data Sharing and Sub-processors

We share personal data only with sub-processors necessary to deliver our services. We do not sell or share your data with third parties for their own purposes. Customer and application data is processed exclusively within the EEA, unless otherwise stated below.

All sub-processors are bound by GDPR-compliant data processing agreements. Leadfeeder and Datafa.st are used only on fibbler.co (not the app) and do not process customer data. Our marketing website also uses LinkedIn Insights Tag and Google Ads Tag (gtag.js) for advertising measurement, which are covered by cookie consent and described in the Cookies and Website Analytics section below.

MCP (Model Context Protocol)

Fibbler offers an MCP server that allows customers on the Unlimited plan to connect their Fibbler data to LLMs like Claude, ChatGPT, and Cursor. When using MCP, the customer authenticates with a Fibbler API key and can query their own attribution and analytics data in natural language.

MCP requests are processed using stored CRM and advertising data. MCP is only available to customers whose CRM data is stored by Fibbler. Customers with a DPA signed before April 2026 who have not agreed to a revised DPA will not have access to MCP. No additional data is collected through MCP beyond what is already described in this policy. The data returned through MCP is limited to the customer's own account data and is never shared across accounts.

API key usage is logged for rate limiting and security purposes. Logs include the tool called, response time, and success/failure status. No query content or response data is logged.

Google Ads Attribution (optional add-on)

This section only applies to customers using the Google Ads attribution add-on. If you are not using this feature, you can skip this section.

The add-on uses a tracking script provided by Dealfront (Leadfeeder) on your website to identify which companies visit after engaging with your Google Ads. Data collected includes IP addresses, visitor behavior, source/medium, and first-party cookies (if enabled). IP addresses are matched against a database of known companies for B2B identification only and do not identify individual persons. The tracking script does not use third-party cookies.

Fibbler also connects to your Google Ads account via API to retrieve aggregated campaign performance data (clicks, impressions, spend, keywords). No individual user data from Google Ads is processed.

For this feature, the customer acts as the Data Controller and Dealfront acts as the Data Processor. Processing is based on legitimate interest (Art. 6(1)(f) GDPR) or cookie consent where applicable (Art. 6(1)(a) GDPR). It is the customer's responsibility to implement appropriate cookie consent mechanisms on their website. Fibbler has concluded a Data Processing Agreement with Dealfront in accordance with Art. 28 GDPR.

Cookies and Website Analytics

Our marketing website (fibbler.co) uses cookies and similar tracking technologies. No tracking takes place before you give consent via our cookie banner. The Fibbler application (app.fibbler.co) does not use any tracking cookies.

When you accept cookies, the following may be activated:

• LinkedIn Insights Tag — helps us understand the effectiveness of our LinkedIn advertising campaigns. It may collect your IP address, page views, and other browsing data.
• Google Ads Tag (gtag.js) — helps us measure the effectiveness of our Google advertising campaigns. It may collect your IP address, page views, and other browsing data.
• Leadfeeder (Dealfront) — identifies which companies are visiting our website by matching IP addresses against a database of known businesses. This is limited to company-level identification and does not identify individual persons.
• Datafa.st — provides website analytics and attribution services, including linking website visits to account creation and subscription events.

The processing of this data is based on your consent (Art. 6(1)(a) GDPR). You can adjust your browser settings to refuse cookies at any time.

Your Rights

Under the GDPR, you have the following rights regarding your personal data:

• Access — request a copy of the personal data we hold about you
• Rectification — correct inaccurate or incomplete data. You can update your name, email, password, 2FA settings, and company details directly in the app
• Erasure — request deletion of your personal data
• Data portability — receive your data in a structured, machine-readable format
• Objection — object to processing based on legitimate interest
• Withdraw consent — where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at support@fibbler.co. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority. For Sweden, this is Integritetsskyddsmyndigheten (IMY) at www.imy.se.

DPA and NDA

We offer a standard Data Processing Agreement (DPA) aligned with GDPR and a Mutual Non-Disclosure Agreement (NDA) for vendor evaluation. Email support@fibbler.co to request either.

Children's Privacy

Fibbler is a B2B service and is not directed at children under 16. We do not knowingly collect personal data from children.

Changes to this Policy

We may update this Privacy Policy from time to time. The latest version will always be available on our website. For significant changes, we will notify you by email. Continued use of the service after changes take effect constitutes acceptance.

Contact Information

For any privacy-related inquiries or concerns, please contact us at support@fibbler.co.