Privacy Policy
Last updated: May 22, 2026
SociaList is operated by Reifer, a company registered in Switzerland ("we", "our", or "us"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
1. Information We Collect
Information You Provide
- Account information: Name, email address, and password when you create an account.
- Profile information: Bio, location, content niches, portfolio URL, and profile photos.
- Business information: Business name, type, address, website, and contact details (for Small Business Owners).
- Campaign information: Campaign details, budgets, content guidelines, and targeting preferences.
Information from Third-Party Platforms
When you connect your social media accounts, we receive:
- YouTube: Channel name, handle, subscriber count, and channel description. We store OAuth tokens to access your channel analytics for campaign performance tracking.
- Instagram: Username, account type, follower count, media count, biography, website, and profile picture. We store OAuth tokens to access your post insights for campaign performance tracking.
- TikTok: Display name, username, follower count, and video statistics. We store OAuth tokens to access your video analytics for campaign performance tracking.
Information Collected Automatically
- Usage data: Pages visited, features used, and interactions with the Service.
- Device information: Browser type, operating system, and device identifiers.
- Cookies: See our Cookie Policy for details.
2. How We Use Your Information
- To provide, maintain, and improve the Service.
- To match creators with relevant campaign opportunities based on audience, niche, and performance metrics.
- To track campaign performance metrics (views, engagement, reach) during active campaigns.
- To process payments and calculate performance-based payouts.
- To communicate with you about your account, campaigns, and Service updates.
- To enforce our Terms of Service and protect against fraud.
3. How We Share Your Information
- Between users: Your public profile information (bio, niches, stats) is visible to businesses browsing creators. Campaign details are shared between matched businesses and creators.
- Service providers: We share data with third-party services that help us operate (hosting, payment processing, analytics).
- Legal requirements: We may disclose information if required by law or to protect our rights and safety.
We do not sell your personal information to third parties.
4. Data Security
We implement industry-standard security measures to protect your information, including encrypted data transmission (TLS/SSL), secure token storage for third-party platform credentials, and access controls on our infrastructure. However, no method of transmission over the internet is 100% secure.
5. Third-Party Platform Tokens
When you connect YouTube, Instagram, or TikTok accounts, we store OAuth access tokens and refresh tokens encrypted at rest (AES-256-GCM). These tokens are used solely to:
- Verify your ownership of the connected account.
- Retrieve your public profile information and analytics.
- Track campaign performance metrics during active campaigns.
You can disconnect any linked account at any time from your profile settings, which immediately revokes our access and deletes the stored tokens.
If you remove the SociaList app directly from your Instagram account settings, Meta notifies us automatically and we deauthorize the connection on our side. You can also request full deletion of all data we obtained from Instagram (profile snapshot, OAuth tokens, cached analytics) via Instagram's data-deletion flow; we process those requests automatically and surface a confirmation at thesocialistapp.com/data-deletion-status.
6. Your Rights
You have the right to:
- Access, update, or delete your account information.
- Disconnect linked social media accounts at any time.
- Request a copy of your data.
- Request deletion of your account and associated data.
- Opt out of non-essential communications.
7. Data Retention
We retain different categories of data for different durations:
- Account and profile information: retained for as long as your account is active. Deleted within 30 days of account deletion.
- Connected social-account snapshots (Instagram / TikTok / YouTube): retained while the account is connected, deleted on disconnect or on a platform-initiated data-deletion request.
- OAuth access and refresh tokens: deleted within 24 hours of a disconnect, account deletion, or platform deauthorization event.
- Campaign performance data: retained for 24 months after the campaign ends for reporting, audit, and dispute resolution; aggregated anonymized statistics may be retained longer.
- Payment and payout records: retained for 7 years to meet Swiss accounting and tax-record obligations.
- Server logs: retained for 90 days for security incident response and operational debugging.
8. Legal Basis for Processing (EEA / UK / Switzerland)
If you are in the European Economic Area, United Kingdom, or Switzerland, we process your personal data under the following lawful bases:
- Contract performance (GDPR Art. 6(1)(b)): to operate the Service, match creators with campaigns, and process payouts on the basis of our agreement with you.
- Consent (Art. 6(1)(a)): when you connect an Instagram, TikTok, or YouTube account, and for non-essential cookies and marketing communications. You can withdraw consent at any time.
- Legitimate interest (Art. 6(1)(f)): to keep the Service secure, detect fraud, and improve product features, where these interests are not overridden by your rights and freedoms.
- Legal obligation (Art. 6(1)(c)): to retain accounting and tax records, respond to lawful requests, and comply with Swiss and applicable EU/UK regulations.
9. International Data Transfers
We are based in Switzerland and use Google Cloud Platform infrastructure with data primarily processed in the United States (us-central1 region). Where we transfer personal data from the EEA, UK, or Switzerland to the United States, we rely on the European Commission's adequacy decision for the EU-U.S. Data Privacy Framework and on Standard Contractual Clauses where applicable, supplemented by encryption in transit (TLS) and at rest (AES-256).
10. Children's Privacy
The Service is not directed to and is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected such information without verified parental consent, we will delete it promptly. If you believe a child has provided us with personal data, please contact [email protected].
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date.
12. Contact Us
If you have questions about this Privacy Policy or want to exercise any of the rights listed in Section 6, please contact us at [email protected]. For Instagram-initiated data-deletion confirmations, see thesocialistapp.com/data-deletion-status.