This Privacy Policy explains what personal data Zuvayo collects about you, how we use it, who we share it with, and what rights you have. We are committed to handling your data responsibly and in compliance with applicable data protection laws, including the GDPR.
1. Who We Are and How to Contact Us
Zuvayo ("we", "us", "our") operates the influencer marketing platform available at zuvayo.com. We are the data controller for personal data processed in connection with the Services. If you have any questions or concerns about this Privacy Policy or how we handle your personal data, please contact our Privacy team at privacy@zuvayo.com. For data subject requests, you may also use the in-app GDPR tools under Account Settings.
2. What Personal Data We Collect
We collect personal data from you in several ways, including when you register, use the platform, or contact us. Categories of data we collect include:
- Identity data: name, username, profile photo, user type (brand or creator)
- Contact data: email address, phone number (if provided)
- Account credentials: hashed passwords, 2FA secrets (never stored in plaintext)
- Profile data: bio, location, social media handles and statistics, media kit, portfolio items, rate cards
- Payment and billing data: card brand, last 4 digits, expiry date (full card numbers are never stored — handled by Stripe); billing address; invoice history
- Usage data: pages visited, features used, search queries, campaign activity, click events
- Technical data: IP address, browser type and version, device identifiers, operating system, referring URLs
- Communications: messages sent through the platform, support tickets, feedback you submit
- Social integration data: publicly available social statistics imported from connected accounts (followers, engagement rates, content metrics)
3. How We Use Your Personal Data
We use the personal data we collect to:
- Create and manage your account and provide you with the Services
- Process subscription payments, send invoices and receipts
- Enable creators and brands to connect, collaborate, and transact through the platform
- Personalise your experience and surface relevant creators, campaigns, and recommendations
- Enforce our Terms of Service and detect and prevent fraud, abuse, and security threats
- Send transactional communications (account verification, password reset, billing alerts, campaign notifications)
- Send service and product update communications (you may opt out of marketing emails at any time)
- Conduct analytics and research to improve the platform and develop new features
- Comply with legal obligations (tax, anti-money-laundering, GDPR data subject requests)
- Protect the rights, property, and safety of Zuvayo, our users, and the public
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), United Kingdom, and other jurisdictions where a legal basis is required, we rely on the following bases:
- Contract performance: processing necessary to provide the Services you requested (account creation, subscription management, campaign features)
- Legitimate interests: fraud prevention, platform security, product analytics and improvement, where our interests are not overridden by your rights
- Legal obligation: compliance with tax, accounting, and other applicable laws
- Consent: marketing emails and optional analytics cookies (you may withdraw consent at any time)
5. How We Share Your Information
We do not sell your personal data. We may share your information with the following categories of recipients:
- Payment processors: Stripe processes payment transactions on our behalf and is subject to its own privacy policy and PCI-DSS compliance
- Cloud infrastructure: AWS (hosting, file storage via S3), Redis Labs (caching), and similar providers who process data under data processing agreements
- Email delivery: AWS SES for transactional emails
- Analytics and monitoring: error tracking and performance monitoring providers bound by confidentiality
- Creator profiles shared with Brands: when you create a public creator profile, certain profile fields are visible to business users on the platform as intended by the service
- Legal and regulatory: we may disclose information to law enforcement, regulators, or courts where required by law or to protect our legal rights
- Business transfer: in the event of a merger, acquisition, or sale of all or part of our assets, personal data may be transferred as part of that transaction with equivalent protections
6. Cookies and Tracking Technologies
We use cookies and similar technologies (local storage, session storage, pixel tags) to operate the platform, remember your preferences, authenticate sessions, and analyse usage. Types of cookies we use:
- Strictly necessary: session management, CSRF protection, authentication — cannot be disabled without breaking core functionality
- Functional: remembering your preferences such as billing toggle and UI settings
- Analytics: aggregate usage data to improve the platform (we do not use third-party advertising trackers)
7. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Services. Specific retention periods:
- Account data: retained while your account is active, plus 30 days after account deletion to allow for recovery requests
- Billing records: retained for 7 years to comply with tax and accounting regulations
- Campaign and contract data: retained for the duration of your account; available for export for 30 days after account deletion
- Security and audit logs: retained for 12 months
- Analytics data: aggregated and anonymised after 24 months
- Backup data: purged within 90 days of deletion from primary systems
8. International Data Transfers
Your personal data may be transferred to and processed in countries outside your home country, including the United States. When we transfer personal data from the EEA or UK to countries that do not provide an equivalent level of data protection, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission or equivalent mechanisms. You may request a copy of our transfer safeguards by contacting privacy@zuvayo.com.
9. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Right of access: request a copy of the personal data we hold about you
- Right to rectification: request correction of inaccurate or incomplete data
- Right to erasure ('right to be forgotten'): request deletion of your personal data, subject to legal retention obligations
- Right to restrict processing: request that we limit how we use your data in certain circumstances
- Right to data portability: request your data in a structured, machine-readable format
- Right to object: object to processing based on legitimate interests or for direct marketing purposes
- Right to withdraw consent: where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
- Rights related to automated decision-making: request human review of any decisions made by automated means that significantly affect you
10. How to Exercise Your Rights
To exercise any of these rights, use the GDPR tools in your Account Settings (Settings → Privacy & Data) or email privacy@zuvayo.com. We will respond within 30 days. We may need to verify your identity before processing your request. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.
11. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS/HTTPS) and at rest for sensitive data
- HttpOnly cookies for authentication tokens to prevent client-side script access
- Hashed passwords using industry-standard algorithms
- Role-based access control and least-privilege principles for internal access
- Regular security assessments and penetration testing
- Incident response procedures and breach notification processes
12. Children's Privacy
Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at privacy@zuvayo.com and we will promptly delete it.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email and/or by a prominent notice on the platform at least 14 days before they take effect. The 'Last updated' date at the top of this page indicates when the policy was last revised. We encourage you to review this policy periodically.
14. Contact and Data Protection Officer
For privacy enquiries, data subject requests, or to raise a concern, please contact us at privacy@zuvayo.com. You can also write to us or visit our contact page. We aim to respond to all enquiries within 5 business days and to complete formal data subject requests within 30 days.