Privacy Policy
Effective: May 1, 2026 · Last updated: May 10, 2026 · Version: 2026-05
Short version: Fabella collects only what's needed to run the service. We don't sell your data, we don't use it to train external AI models, and we don't share it with data brokers. You can export or delete everything at any time from inside the app.
1. Who we are
Fabella is operated by Fabella LLC, a Wyoming limited liability company (the "Company," "we," "us," or "our"). Fabella is a social mobile app that lets you share short audio, video, and image "anecdotes" with friends and followers.
- Company: Fabella LLC
- Product: Fabella iOS app and the website at https://fabella.app
- Privacy contact: contact@fabella.app
- General support: support@fabella.app
- Press inquiries: press@fabella.app
- Registered office (for legal notices only): Fabella LLC, c/o Registered Agent, 30 N Gould St Ste N, Sheridan, WY 82801, USA
Where we operate from
Although Fabella LLC is incorporated in the United States, all of Fabella's day-to-day operations and personal-data processing decisions are made from France. Under the EU General Data Protection Regulation, this means Fabella has an establishment in the European Union (France) for the purposes of Articles 3 and 4(16) GDPR, and we treat France as our main establishment.
In practice, this means:
- Our lead supervisory authority for GDPR matters is the Commission nationale de l'informatique et des libertés (CNIL) — https://www.cnil.fr.
- We are not required to appoint an Article 27 representative inside the EU, because we are already established there through our French operations.
- French data-protection law (the Loi Informatique et Libertés of 6 January 1978, as amended) applies in addition to the GDPR.
This document tells you what we collect, why, who we share it with, how long we keep it, and what rights you have over your data.
2. Scope of this policy
This Privacy Policy applies to:
- The Fabella iOS app (bundle ID com.fabella.app) downloaded from the Apple App Store.
- The Fabella website at https://fabella.app, including subpages such as /privacy, /terms, /u/{username}, and the "Advertise on Fabella" landing page.
- Email and customer-support communications you exchange with us at the addresses above.
It does not apply to third-party services we link to or integrate with, which have their own privacy policies. The main third parties are listed in Section 5.
3. Information we collect
We group the data we collect into nine categories.
3.1 Account data
When you create or use a Fabella account, we collect:
- Your email address.
- Your password, which is hashed and managed by Firebase Authentication; Fabella never sees, stores, or logs your password in clear or recoverable form.
- Your display name, username (handle), and bio that you set during onboarding.
- Your avatar / profile photo, stored as a file on Firebase Storage and referenced by URL.
- Account metadata: account creation date, last sign-in timestamp, the authentication provider you used (password, google.com, or apple.com), your Firebase Auth UID, and your email-verification status.
- Account preferences: notification preferences (which event types alert you), privacy preferences (who can see your profile, who can send you anecdotes), and your consent trail — a record of analytics, ATT, and policy-version acceptance, stored at users/{uid}/consents/{ts} with the matching policyVersion for audit purposes (GDPR Art. 7(1)).
- Onboarding interests you selected during sign-up, used to suggest people to follow.
If you sign in with Google or Apple, we receive only the basic profile information those providers share with us (typically: name, email, and a stable user ID). Sign in with Apple lets you hide your real email address using Apple's private relay; we honor that choice.
3.2 User-generated content
When you use Fabella, you create content that we store on our backend so we can deliver the service:
- Posts you publish: text/captions, hashtags, and references to attached media.
- Media files (video, image, audio) you upload or record in-app, stored on Firebase Storage.
- Anecdotes captured in-app using your camera and microphone (audio via AVAudioRecorder, video via AVAssetWriter).
- Enrichment media that you or other invited users attach to a post.
- Comments you write.
- Recipient lists for anecdotes you send (one or more user IDs and usernames).
- Validation and enrichment decisions you make on anecdotes you receive.
- Reactions you author on other users' anecdotes.
- Bookmarks (anecdotes you saved for later).
- Hashtags you use, which are aggregated into trending counters; the counters are non-identifying and cannot be tied back to your account.
3.3 Social-graph data
To make the social features work, we store:
- The list of accounts you follow and your followers.
- Pending and accepted follow requests.
- Blocked users you have chosen to block.
- Mention relationships generated when you @-tag someone in a caption.
3.4 Device and technical data
To deliver pushes, fix crashes, and keep the app secure, we automatically collect:
- A Firebase Cloud Messaging (FCM) push token for each device you use to sign in, so we can deliver notifications. The token is stored at users/{uid}/private/profile and removed on sign-out.
- Device tier (a coarse performance bucket) collected with crash reports.
- Crash diagnostics via Firebase Crashlytics — stack traces, app version, OS version, device model, and free memory/disk. Crashlytics is disabled in development builds and runs only in production. You can disable it any time in Settings → Data & Privacy.
- The Identifier for Advertisers (IDFA) assigned by iOS — but only if you opt into personalized ads in our in-app consent banner and grant tracking permission via Apple's App Tracking Transparency prompt. If you decline ATT or skip personalized ads, we run AdMob with the NPA=1 flag (non-personalized ads), no IDFA leaves the device, and we do not access the IDFA at all.
Fabella never accesses iOS Location Services. We do not request — and do not collect — precise or coarse location from the device, contacts, calendars, reminders, FaceID or biometric data, motion or fitness data, Bluetooth, HealthKit, or any other sensitive iOS permission. (Note: AdMob's ad-serving infrastructure may infer coarse location from your IP address server-side; see §3.6.)
3.5 Analytics data (opt-in, off by default)
Firebase Analytics is disabled until you accept the consent banner shown the first time you launch the app. The banner sets a UserDefaults flag (analyticsEnabled) and writes a record into your consent trail (see §3.1).
If you opt in, we collect:
- Screen views inside the app.
- Feature-usage event counts such as anecdote_sent, anecdote_validated, and anecdote_rejected.
- Standard Firebase Analytics auto-collected events (session start, app update, etc.).
If you opt out — or never tap "Accept" — no analytics events are sent. You can change your choice at any time in Settings → Data & Privacy → Analytics.
3.6 Advertising data
Fabella shows ads in-app. Two flows are involved:
- Ads served to you (Google AdMob): Google AdMob serves banner, interstitial, rewarded, and native ads. AdMob handles ad selection, click metrics, and impression counting on its own infrastructure. If you opt into personalized ads in Fabella and accept App Tracking Transparency, AdMob may use your IDFA for personalization; otherwise, AdMob runs with NPA=1 (non-personalized ads) and the IDFA is not accessed. The tracking domains contacted by AdMob are googleads.g.doubleclick.net, pagead2.googlesyndication.com, and googlesyndication.com. AdMob also receives your device IP address, from which it may derive an approximate (city-level) location used for ad-relevance and frequency capping; this happens inside AdMob's infrastructure and Fabella itself never accesses iOS Location Services.
- Ads sold directly by Fabella (sponsored campaigns): in addition to AdMob, Fabella sells a small number of native and full-screen ad slots directly to advertisers. When such an ad is shown to you or you tap its call-to-action, the app sends an authenticated event to our backend so we can count impressions and clicks per campaign. Your Firebase Auth UID is transmitted with each event for the sole purpose of server-side deduplication (preventing the same user from inflating a competitor's pack). The UID is not stored alongside the event; only aggregate counters (impressionsUsed, clicksTotal) are persisted on the campaign document, and advertisers only ever see those aggregates — never per-user data.
- Ads bought by advertisers: if you use the "Advertise on Fabella" flow, payments are processed by Stripe. Stripe collects your card details directly on its servers — Fabella never sees or stores your card number, CVV, or expiry. We store only the advertiser approval status, campaign metadata, and aggregate impression counts in Firestore.
3.7 Email-deliverability data
When we send transactional emails (such as email verification, password resets, and invitations), we use third-party SMTP providers — SendGrid (operated by Twilio Inc.) as our primary, and Resend as a secondary fallback when SendGrid is unavailable. The provider in use at the time of send receives your email address and the content of the email (such as the verification or reset link) so it can deliver the message.
To prevent abuse, our backend stores per-user rate-limit state in Firestore: a 60-second cooldown between sends and a hard cap of 10 verification emails per account per rolling 24-hour window. Email-verification rate-limits are keyed on your Firebase UID; password-reset and advertiser upload-URL endpoints are rate-limited per IP address, and the IP address is hashed with SHA-256 before any persistence (we never store IPs in clear). See §3.8 for details on server-side IP processing.
3.8 Server-side processing (Cloud Functions)
Our backend logic runs on Google Cloud Functions in region us-central1. When you make a privileged request (account changes, password reset, advertiser upload URLs, content reports), the function processes the request on the server side. Two pieces of network metadata are involved:
- IP address (hashed for rate-limit state): for rate-limiting on the password-reset and advertiser upload-URL endpoints, the requesting IP is hashed with SHA-256 before any persistence in Firestore. We never store IP addresses in clear in our database, and the hashed counters expire on a rolling 24-hour basis.
- IP address (operational logs): Cloud Functions themselves log the requesting IP to Google Cloud Logging as part of standard execution traces. Retention follows Google Cloud's defaults — approximately 30 days — after which the logs are deleted.
Other rate-limits (email verification, send-limits) are keyed on your Firebase UID rather than your IP, and expire on a rolling 24-hour basis.
3.9 Invitation and validation tokens
To deliver anecdotes you address to people who are not yet Fabella members, and to let designated witnesses confirm a multi-recipient anecdote, we generate short-lived single-use tokens stored in Cloud Firestore:
- Email-invitation tokens (invite_tokens) — created when you send an anecdote to an email address that does not have a Fabella account. The token is bound to a single anecdote and recipient email, sent to that address by our SMTP provider, expires 30 days after creation, and is consumed on first use. To prevent harassment, our backend caps invites at 30 per sender and 3 per recipient address per rolling 24-hour window.
- Witness-validation tokens (validation_tokens) — created when an anecdote requires confirmation by one or more designated witnesses, so each witness can authenticate their decision in-app. The token is bound to one anecdote and one witness account, expires 7 days after creation, and is consumed when the witness confirms or declines.
These tokens contain only an opaque identifier, the anecdote and recipient/witness identifiers needed to route the request server-side, and the expiry timestamp. They are never used for tracking, profiling, or advertising, and they are auto-deleted once they expire or are consumed.
4. How we use your information
We use the data above for the purposes below. Under the EU General Data Protection Regulation ("GDPR"), each purpose has a legal basis, listed in brackets.
- Provide the service — create your account, authenticate you, store and deliver your posts and anecdotes, render your feed, run search, and let you follow, block, and message other users. Legal basis: performance of a contract (GDPR Art. 6(1)(b)).
- Send transactional emails — verify your email address and respond to support requests. Legal basis: performance of a contract.
- Keep the service secure and prevent abuse — Firebase App Check / Apple App Attest hardware attestation, rate-limiting, server-side validation in Cloud Functions, blocked-user enforcement, and content-moderation review. Legal basis: legitimate interests (GDPR Art. 6(1)(f)) — the integrity of the platform.
- Diagnose and fix crashes via Firebase Crashlytics in production. Legal basis: legitimate interests — keeping the app stable.
- Show ads — AdMob delivers in-app advertising. Personalized ads run only when you grant App Tracking Transparency permission. Legal basis: legitimate interests for non-personalized ads; consent (GDPR Art. 6(1)(a)) for personalized ads / IDFA use.
- Process advertiser payments when an advertiser uses the "Advertise on Fabella" flow. Legal basis: performance of a contract with the advertiser.
- Measure how the app is used through Firebase Analytics. Legal basis: consent — only after you accept the in-app banner.
- Comply with legal obligations — respond to lawful requests, enforce our Terms, defend against legal claims. Legal basis: legal obligation (GDPR Art. 6(1)(c)) and legitimate interests.
We do not sell your personal information, and we do not use it to build psychographic profiles, train AI models, or share it with data brokers.
5. Sharing and disclosure
We share personal data only with the sub-processors and recipients listed below, only for the purposes described, and only under written contracts that require them to protect your data.
| Recipient | Role | Data categories | Region |
|---|---|---|---|
| Google LLC — Firebase Auth | Authentication | Email, password hash, auth tokens, UID | US (multi-region) |
| Google LLC — Cloud Firestore | Primary database | Account data, posts, social graph, moderation state | us-central1 (Iowa, USA) |
| Google LLC — Firebase Storage | Media file hosting | Avatars, post media, recordings | US (multi-region) |
| Google LLC — Firebase Cloud Messaging | Push notifications | FCM token, message payload | US (multi-region) |
| Google LLC — Firebase Crashlytics | Crash diagnostics (production only) | Crash stack traces, app version, OS version, device tier | US |
| Google LLC — Firebase Analytics | Product analytics (opt-in only) | Screen views, feature events | US |
| Google LLC — Firebase Cloud Functions | Backend logic | Same as caller request | us-central1 (Iowa, USA) |
| Google LLC — Firebase App Check | Anti-abuse attestation | Device attestation tokens | US |
| Google LLC — Cloud Vision API (SafeSearch) | Automated image moderation (CSAM and explicit-content detection) | Image bytes scanned for policy violations; not retained by Vision after the scan | US |
| Google LLC — AdMob | Advertising delivery | IDFA (with ATT consent), approximate location (derived from IP), ad interaction events | US |
| Google LLC — Google Sign-In | Federated login | Google profile basics | US |
| Apple Inc. — Sign in with Apple | Federated login | Apple ID basics, optional private relay email | US |
| Apple Inc. — App Attest | Hardware attestation (silent) | Device attestation token | US |
| Apple Inc. — APNs / Push | Push notification delivery | Push payload, device push token | US |
| Stripe Inc. | Advertiser payment processing | Card details (collected directly by Stripe), billing details | US |
| Twilio Inc. (SendGrid) — primary SMTP provider | Sending transactional emails (verification, support) | Recipient email, verification/support link content | US |
| Resend Inc. — secondary / fallback SMTP provider | Sending transactional emails when SendGrid is unavailable | Recipient email, verification/support link content | US |
We may also disclose information without your consent when required by law: in response to subpoenas, court orders, or other valid legal process; to protect the rights, safety, or property of Fabella, our users, or the public; or in connection with a corporate transaction (merger, acquisition, financing, or asset sale), in which case we will require the recipient to honor this Privacy Policy or notify you of material changes.
6. International data transfers
Fabella LLC is incorporated in the United States, our operations are conducted from France, our primary database (Cloud Firestore) is hosted in the United States (us-central1, Iowa), our backend logic (Cloud Functions) also runs in the United States (us-central1, Iowa), and several sub-processors (notably Google, Apple, Stripe, SendGrid/Twilio, and Resend) operate globally. The bulk of your personal data is therefore stored on servers in the United States.
For transfers of personal data out of the European Economic Area, the United Kingdom, or Switzerland to the United States or other third countries — including the routine transfer of your account data, posts, and media to our US-based Firestore database — we rely on the safeguards required by Articles 44–49 GDPR:
- The EU–U.S. Data Privacy Framework (DPF) and its UK Extension and Swiss–U.S. Framework, where the recipient (Google LLC, Apple Inc., Stripe Inc., Twilio Inc., Resend Inc.) is self-certified.
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914), as a complementary or alternative basis, together with supplementary technical measures (encryption in transit and at rest, strict access controls, and pseudonymization where feasible).
- Where neither mechanism is available, we rely on the derogations of Article 49 GDPR only in narrow cases (e.g., transfers necessary to perform the contract you have with us).
You can request a copy of the relevant transfer mechanism by writing to contact@fabella.app.
7. When you delete your account
You can delete your account at any time via Settings → Account → Delete account, or by emailing contact@fabella.app. Deletion is permanent — we cannot recover deleted accounts or content.
7.1 What we delete (within minutes; internal version-history is purged within 1 hour)
- Your Firebase Authentication identity (email, password hash, provider links).
- Your Firestore profile and all its sub-collections: blocked list, send-limits, follow requests, saved posts (bookmarks), push tokens, notification preferences, and your consent trail.
- Every anecdote you sent.
- Every anecdote you received — both single- and multi-recipient. For multi-recipient anecdotes, the post is also removed from the other recipients' inboxes.
- All media (images, videos, audio) attached to those anecdotes, including media that other recipients had uploaded on those posts.
- Your reactions and comments on other users' posts.
- Your follow graph — follower and following entries on your account and on the other users' accounts.
- Your follow requests, sent and pending.
- Your username slot (released for reuse).
- Your profile picture.
- Your inbound notifications and notifications you authored elsewhere.
Deletion is permanent and immediate. We do not maintain encrypted long-term backups; Firestore retains a short internal version-history window (currently 1 hour) for operational integrity, after which all copies of your data are purged.
7.2 What survives deletion
- Email-invitation tokens you sent to non-members remain valid for up to 30 days, including the original anecdote text and your former username.
- Validation-by-link tokens for non-member witnesses remain valid for up to 7 days, including the anecdote text.
- Reports you submit are retained for as long as required to comply with Apple App Store Review Guideline 1.2 (User-Generated Content moderation audit trail) and to maintain the integrity of our moderation system. Your former Firebase UID remains attached to those records.
- Records of automated moderation decisions taken on content you authored.
- Aggregated, non-identifying analytics counters (e.g., trending hashtag totals).
- Operational logs (Firebase Crashlytics, Cloud Functions / Google Cloud Logging) for up to 30 days.
- Sponsored-campaign records (if you ever paid to boost a post) for accounting and tax compliance — typically 7 years, as required by US tax law.
7.3 Default retention windows for ongoing data
While your account is active, we keep some operational data on a rolling basis:
- Crashlytics crash diagnostics: retained by Google for 90 days (default).
- Analytics events (if you opted in): retained by Firebase Analytics for 14 months (default), then aggregated.
- Email-verification rate-limit counters (keyed on Firebase UID): 24 hours rolling.
- Hashed-IP rate-limit state (password reset, advertiser upload URLs): 24 hours rolling.
- Cloud Functions execution logs (Google Cloud Logging): approximately 30 days.
- Server logs and security logs: 90 days active, then deleted.
If a longer retention period is required by law (for example, tax or anti-fraud laws), we keep the affected records for the legally required period and then delete them. You can request a copy of your data at any time via Settings → Data & Privacy → Export My Data (GDPR Art. 20 portability).
8. Your rights
You have rights over your personal data. The list below summarizes the rights granted by the GDPR (EEA, UK, and Switzerland) and the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA). Where laws overlap, we apply the strictest standard.
8.1 Rights granted by GDPR
- Right of access — get a copy of the personal data we hold about you.
- Right to rectification — correct inaccurate or incomplete data. Most fields can be edited directly in the app (display name, username, bio, avatar, email).
- Right to erasure ("right to be forgotten") — delete your account and the personal data tied to it. Use Settings → Account → Delete account in the app. The flow asks for confirmation and removes your account and content within the windows in Section 7.
- Right to restriction of processing — ask us to pause certain processing while a dispute is resolved.
- Right to data portability — get a structured, commonly used, machine-readable export of the data you provided to us. The fastest way is in-app: Settings → Data & Privacy → Export My Data, which generates a JSON archive of your account, posts, social graph, consents, send-limits, and follow requests. You can also email contact@fabella.app and we will respond within 30 days.
- Right to object — object to processing based on legitimate interests, including analytics and crash reporting.
- Right to withdraw consent — where processing is based on consent (analytics, ATT/IDFA), you can withdraw consent at any time in iOS Settings or in the app, with no effect on processing done before withdrawal.
- Right to lodge a complaint with a data protection authority. Because Fabella's main establishment is in France, our lead supervisory authority is the CNIL (Commission nationale de l'informatique et des libertés, https://www.cnil.fr). You can also lodge a complaint with the data-protection authority of the EU/EEA member state where you live, where you work, or where you believe a violation occurred.
8.2 Rights granted by CCPA/CPRA (California residents)
- Right to know what personal information we collect, use, disclose, and share.
- Right to delete personal information we have collected from you.
- Right to correct inaccurate personal information.
- Right to opt out of "sale" or "sharing" of personal information. Fabella does not sell your personal information and does not "share" it for cross-context behavioral advertising as those terms are defined under the CPRA. If you grant App Tracking Transparency permission and AdMob uses your IDFA for personalized advertising, that activity may be considered "sharing" under the CPRA; you can withdraw at any time in iOS Settings → Privacy & Security → Tracking, or by denying the prompt.
- Right to limit use of sensitive personal information — Fabella does not use sensitive personal information for purposes other than providing the service.
- Right to non-discrimination — we will not deny you service, charge you a different price, or degrade quality because you exercised a right.
8.3 How to exercise your rights
For most rights, the fastest path is in-app:
- Edit your profile or email: Settings → Account.
- Manage analytics consent: Settings → Privacy → Analytics.
- Manage tracking (IDFA): iOS Settings → Privacy & Security → Tracking → Fabella.
- Block, report, or unfollow another user: profile screen → menu.
- Export your data: Settings → Data & Privacy → Export My Data. We generate a JSON archive of your account, posts, social graph, consents, send-limits, and follow requests (GDPR Art. 20).
- Delete your account: Settings → Account → Delete account. Once you confirm, your account and content are deleted within the windows in Section 7. You can also email contact@fabella.app and we will process the deletion for you.
For rights that need a written request (access, portability, restriction, objection, complaint), email contact@fabella.app with:
- The right you are exercising.
- Enough information for us to identify your account (the email tied to your account is usually enough).
We respond within 30 days (extendable to 60 days for complex requests, with notice). We do not charge a fee unless your request is manifestly unfounded or excessive. If we cannot verify your identity, we may ask for additional information; we will not use that information for any other purpose.
You may authorize an agent to make a CCPA request on your behalf. We will require proof of authorization and may verify your identity directly.
9. Children's privacy
Fabella is not intended for children under 13, and our minimum age is higher in some regions:
- Worldwide minimum age: 13.
- European Economic Area / United Kingdom: 16, in line with the GDPR's digital-consent age (and the higher age set by most EU member states).
- United States: we comply with the Children's Online Privacy Protection Act (COPPA) by not knowingly collecting personal information from children under 13.
During sign-up we ask you to confirm you are at least the applicable minimum age for your region. We do not store your date of birth. If you indicate you are below the minimum age, we (a) block your device locally — the block is persisted in the iOS Keychain so it survives app reinstallation, (b) delete your Firebase Authentication account on a best-effort basis, and (c) trigger a server-side cleanup that removes any Firestore profile already created.
If we later learn that we have collected personal information from a child below the applicable minimum age, we will delete that information and terminate the account promptly. If you are a parent or guardian and believe a child has created an account, please email contact@fabella.app and we will act within 7 days.
10. Security measures
We protect your information with technical and organizational measures, including:
- Encryption in transit: all client–server traffic uses HTTPS/TLS, enforced by Firebase.
- Encryption at rest: Firestore, Firebase Storage, and Firebase Auth encrypt data at rest by default. The Firestore offline cache on your device is stored within the iOS app sandbox, which is encrypted by iOS using your device passcode.
- Hardware-backed app integrity: in production, Firebase App Check uses Apple App Attest to verify that requests come from a genuine Fabella app on a genuine device, blocking abuse and emulator attacks.
- Rate-limiting: verification emails are limited to one per 60 seconds and 10 per 24 hours per account.
- Server-side validation: Cloud Functions validate every privileged operation (post deletion, account changes, advertiser approvals) on the server, never relying on client trust.
- Crash reporting hardening: Crashlytics is disabled in development builds and only collects production crash data.
- Password handling: account passwords are managed entirely by Firebase Authentication and never seen, stored, or logged by Fabella.
- IP hashing for rate-limit state: when our Cloud Functions need to enforce IP-based rate limits (password reset, advertiser upload URLs), the IP address is hashed with SHA-256 before any persistence in Firestore. We never store IP addresses in clear in our database. Operational logs (Google Cloud Logging) follow a separate ~30-day retention.
- Automated content moderation: images uploaded to anecdotes are scanned by Google Cloud Vision (SafeSearch) for CSAM and explicit content, and text captions and comments pass through a profanity classifier. Both run server-side and complement manual moderation.
- Optional crash and analytics opt-out: you can disable Firebase Crashlytics and Firebase Analytics any time in Settings → Data & Privacy. Analytics is off by default until you accept the consent banner; Crashlytics is disabled in development builds.
- Least-privilege access: access to production systems is limited to authorized personnel, secured with multi-factor authentication.
No system is perfectly secure. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant data-protection authority within 72 hours as required by GDPR Art. 33 and notify you without undue delay where required.
11. App Tracking Transparency (IDFA)
iOS requires us to ask for permission before we — or any partner — track you across other companies' apps and websites or access the IDFA on your device. We only show the App Tracking Transparency prompt if you first opt into personalized ads in Fabella's in-app consent banner.
- If you skip personalized ads in Fabella: the iOS ATT prompt is not shown, AdMob runs with NPA=1, and no IDFA leaves the device.
- If you opt in and tap "Allow" on the ATT prompt: AdMob may use your IDFA to serve personalized ads. The tracking domains contacted by AdMob are listed in §3.6.
- If you opt in but tap "Ask App Not to Track": AdMob serves only non-personalized ads (NPA=1), and we do not access your IDFA.
You can change your decision at any time in iOS Settings → Privacy & Security → Tracking → Fabella or via Fabella → Settings → Data & Privacy. Your choice does not affect your ability to use the app.
12. Cookies and similar technologies
The Fabella iOS app does not use web cookies. Inside the app, the equivalent local-storage technologies are limited to what iOS provides to apps: a small amount of UserDefaults (e.g., your analytics-consent flag and onboarding state), the Firestore offline cache, the Firebase Auth secure-keychain session token, and Firebase/AdMob SDK identifiers.
The Fabella website at https://fabella.app may use a small number of cookies and similar technologies for:
- Strictly necessary purposes (load balancing, security).
- Analytics, only with your consent collected via the website's cookie banner.
When we publish more details, they will be in the cookie notice on the website. You can clear cookies at any time in your browser settings.
13. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will:
- Update the "Last updated" date at the top.
- For material changes (new categories of data, new sub-processors that materially expand processing, new purposes), give you at least 30 days' advance notice by in-app notification, email, or both before the change takes effect.
If you keep using Fabella after a change takes effect, you accept the updated policy. If you do not accept it, you can delete your account at any time.
14. Contact
For privacy questions or to exercise your rights:
- Email (preferred and fastest): contact@fabella.app
- General support: support@fabella.app
- Press inquiries: press@fabella.app
For formal legal notices and service of process only:
- Fabella LLC, c/o Registered Agent, 30 N Gould St Ste N, Sheridan, WY 82801, USA
For users in the EU/EEA, your lead supervisory authority is the CNIL in France — https://www.cnil.fr. You can also contact the data-protection authority of your own EU/EEA member state.
For users in the UK, you can lodge a complaint with the Information Commissioner's Office (ICO) — https://ico.org.uk.
For any other matter, please use email — we respond faster and can authenticate your account more reliably than by mail.