Privacy Policy

2.1 Information You Provide

We collect information that you provide directly to us, including:

• Account Information: Name, email address, password, and other registration details when you create an account
• Brand Information: Business name, Shopify store domain, brand logo, program settings, and configuration preferences
• Creator Information: Name, email address, social media handles (Instagram, TikTok, YouTube), audience demographics, and content submissions
• Phone Number and Messaging Data: Phone numbers provided for WhatsApp or SMS communications, messaging preferences, opt-in/opt-out status, and records of messages sent and received
• Content: Images, videos, text, and other content submitted through the Platform
• Communication Data: Messages, feedback, and other communications you send to us
• Payment Information: Commission structures, payment preferences, and related financial data. We facilitate commission payouts to Creators via Stripe Connect. Creators connect a Stripe Express account to receive payments; we do not store bank account details directly. Stripe's privacy policy governs the handling of financial data collected during onboarding.

2.2 Information Automatically Collected

When you use the Platform, we automatically collect certain information, including:

• Usage Data: Pages visited, features used, time spent on the Platform, and interaction patterns
• Device Information: IP address, browser type and version, operating system, device identifiers, and mobile network information
• Log Data: Access times, error logs, and system performance data
• Cookies and Tracking Technologies: We use cookies, web beacons, and similar technologies to track activity and store preferences

2.3 Information from Third-Party Services

We collect information from third-party services you connect to the Platform:

• Shopify: Store data, product information, customer data, order history, and revenue data
• Social Media Platforms: Profile information, follower counts, engagement metrics, and content from Instagram, TikTok, and other platforms (with your authorization)
• Email Marketing Platforms (e.g., Klaviyo): Email lists, campaign data, and subscriber information
• Analytics Services: Usage statistics and performance metrics

2.4 Social Media Authentication (OAuth) Data

When you authenticate using Instagram, TikTok, or other social media platforms, we receive and store certain information from these services:

• Basic Profile Information: Username, display name, profile picture URL, and email address (if permitted by the platform)
• Account Identifiers: Unique user IDs assigned by the social platform to identify your account
• Public Metrics: Follower counts, following counts, post counts, and engagement rates (where authorized)
• Access Tokens: Authentication tokens that allow us to access your authorized data on your behalf. These tokens may be refreshed automatically to maintain connectivity
• Content Permissions: Information about what data you have authorized us to access based on the permissions you granted during authentication

Important: We do not receive or store your social media passwords. Authentication is handled securely through the OAuth protocol, where you grant permission directly through the social media platform's interface.

2.5 WhatsApp and SMS Messaging Data

If you opt in to receive messages via WhatsApp, SMS, or other messaging platforms, we collect and process:

• Phone Numbers: Mobile phone numbers you provide for receiving messages
• Messaging Preferences: Your opt-in status, preferred messaging channels, notification settings, and opt-out history
• Message Records: Records of messages sent to and received from you, including timestamps, delivery status, and read receipts (where available)
• Consent Records: Documentation of when and how you consented to receive messages, as required by CASL, TCPA, and other regulations
• Interaction Data: Responses to messages, links clicked within messages, and engagement metrics

2.6 Content Rights Consent Data

When you upload content to the Platform, we collect and store consent-related information to document your agreement to grant content rights to Brands. This information is collected for legal compliance and includes:

• Consent Timestamp: The exact date and time when you provided consent to grant content rights to the Brand
• IP Address: Your IP address at the time of consent, used to verify the origin of the consent and for legal compliance purposes
• User Agent: Information about your browser and device (browser type, version, operating system) at the time of consent

This consent data is stored securely and is used solely for legal compliance and to demonstrate that you explicitly consented to grant content rights as described in our Terms of Service. This data is retained for as long as necessary to fulfill legal obligations and may be used in the event of disputes regarding content rights.

5.1 Between Platform Users

Brands and Creators may share information with each other through the Platform as part of the program management process. This includes:

• Creator contact information shared with Brands
• Content submissions shared with Brands for review
• Performance metrics and analytics shared between parties
• Program settings and configurations visible to authorized users

5.2 Service Providers

We may share information with third-party service providers who perform services on our behalf, including:

• Cloud hosting providers (e.g., Supabase, AWS, Vercel)
• Email service providers (e.g., Resend)
• Messaging service providers (e.g., Twilio, WhatsApp Business API)
• Analytics and monitoring services
• Payment processors (if applicable)
• Customer support tools

5.3 Social Media Platforms

When you connect your social media accounts, limited information may be shared with those platforms as part of the authentication and API integration process. This sharing is governed by the privacy policies of the respective platforms (Instagram/Meta, TikTok).

5.4 Legal Requirements

We may disclose your information if required by law or in response to:

• Court orders, subpoenas, or other legal processes
• Government requests or regulatory requirements
• Enforcement of our Terms of Service or other agreements
• Protection of our rights, property, or safety, or that of our users

5.5 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections.

5.6 With Your Consent

We may share your information with third parties when you explicitly consent to such sharing.

6.1 Types of Cookies We Use

We use the following categories of cookies:

• Strictly Necessary Cookies: Required for the Platform to function properly. These cannot be disabled and include authentication cookies, security cookies, and session management. No consent is required for these cookies.
• Functional Cookies: Remember your preferences and settings to enhance your experience. These require your consent.
• Analytics Cookies: Help us understand how users interact with the Platform, measure performance, and improve our services. These require your consent.
• Marketing Cookies: Used to deliver relevant advertisements and track campaign effectiveness. These require your explicit consent.

6.2 Cookie Consent

When you first visit our Platform, you will be presented with a cookie consent banner that allows you to:

• Accept all cookies
• Reject all non-essential cookies
• Customize your cookie preferences by category

6.3 Third-Party Cookies

Some cookies are placed by third-party services that appear on our pages. We do not control these third-party cookies and recommend reviewing their privacy policies:

• Google Analytics (analytics)
• Intercom (customer support)
• Social media platforms (sharing features)

6.4 Do Not Track Signals

Our Platform currently does not respond to "Do Not Track" (DNT) browser signals. However, you can manage your tracking preferences through our cookie consent mechanism.

8.1 Specific Retention Periods

• Account Data: Retained for the duration of your account plus 2 years after deletion (for legal compliance)
• Transaction Records: Retained for 7 years (tax and accounting requirements)
• Content Submissions: Retained until deleted by user or Brand, or 2 years after account termination
• Usage Logs: Retained for 12 months for security and analytics purposes
• Marketing Consent Records: Retained for 3 years after consent withdrawal (to demonstrate compliance)
• Messaging Consent Records: Retained for 3 years after consent withdrawal (to demonstrate CASL/TCPA compliance)
• Message History: Retained for 2 years for service improvement and dispute resolution
• OAuth Tokens: Retained while your social accounts remain connected, deleted upon disconnection or account termination

9.1 General Rights (All Users)

• Access: Request access to the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete information
• Deletion: Request deletion of your personal information (subject to legal and contractual obligations)
• Portability: Request a copy of your data in a machine-readable format (CSV or JSON)
• Objection: Object to certain processing activities
• Restriction: Request restriction of processing in certain circumstances
• Messaging Opt-Out: Withdraw consent to receive WhatsApp, SMS, or other messaging communications at any time
• Social Account Disconnection: Disconnect linked social media accounts and request deletion of associated OAuth data

9.2 PIPEDA and Quebec Law 25 Rights (Canada)

If you are a Canadian resident, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and, if you are a Quebec resident, additional rights under Law 25, including:

• Right to access your personal information held by us
• Right to challenge the accuracy and completeness of your information
• Right to withdraw consent for processing
• Right to be informed of automated decision-making processes
• Right to data portability in a commonly used technological format
• Right to be informed of any security incidents affecting your personal information
• Right to lodge a complaint with the Commission d'accès à l'information du Québec (CAI) or the Office of the Privacy Commissioner of Canada

9.3 GDPR Rights (EU/UK)

If you are located in the European Union or United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR), including the right to:

• Withdraw consent for processing based on consent
• Lodge a complaint with a supervisory authority
• Receive clear information about data processing
• Object to processing based on legitimate interests
• Not be subject to automated decision-making without safeguards

9.4 CCPA Rights (California)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA), including:

• Right to know what personal information is collected
• Right to know if personal information is sold or disclosed
• Right to opt-out of the sale of personal information (we do not sell personal information)
• Right to non-discrimination for exercising privacy rights
• Right to limit use of sensitive personal information

9.5 Exercising Your Rights

To exercise any of these rights, please contact us at privacy@usermade.co or use the privacy settings in your account dashboard. We will respond to your request within:

• 30 days for Canadian (PIPEDA/Law 25) requests
• 30 days for GDPR requests (extendable by 60 days for complex requests)
• 45 days for CCPA requests (extendable by 45 days if necessary)

13.1 Transfer Safeguards

We take appropriate safeguards to ensure your information receives adequate protection, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EU/UK
• Data Processing Agreements with all service providers that handle personal information
• Adequacy decisions where applicable (e.g., Canada is recognized as providing adequate protection for EU data)
• Additional technical and organizational measures to protect data in transit and at rest

13.2 Data Storage Locations

Primary data storage is located in secure data centers in North America. Backups may be stored in additional locations for disaster recovery purposes. You may request information about the specific locations where your data is stored by contacting us.

16.1 Email Marketing

With your consent, we may send you marketing communications about our services, features, and updates. You can opt-out of these communications at any time by:

• Clicking the unsubscribe link in our emails
• Updating your account preferences
• Contacting us at team@email.usermade.co

16.2 WhatsApp and SMS Communications

If you have opted in to receive WhatsApp or SMS messages, you can withdraw your consent at any time by:

• Replying STOP to any SMS message
• Sending "STOP" or "Unsubscribe" via WhatsApp
• Updating your messaging preferences in your account settings
• Contacting our support team

18.1 How to Delete Your Account

You can delete your account through the following methods:

• Account Settings: Navigate to your account settings page and use the "Delete Account" feature. This option is available for both Brand and Creator accounts.
• Contact Support: Send a deletion request to privacy@usermade.co with your account email address and a clear request for account deletion.
• Social Media Platforms: If you connected your account via Instagram or other social media platforms, you can remove the app from your social media account settings, which will trigger a data deletion request.

18.2 What Gets Deleted

When you delete your account, we will permanently delete or anonymize the following information:

• Account Information: Your profile, email address, password, and authentication credentials
• Content: All uploaded content, images, videos, and text submissions
• Social Media Connections: Linked social media accounts, OAuth tokens, and associated profile data
• Program Data: Creator-brand relationships, program enrollments, tier assignments, and participation history
• Discount Codes: Personal discount codes and associated tracking data
• UTM Links: Custom tracking links created for your account
• Messaging Data: Phone numbers, messaging preferences, and message history (subject to legal retention requirements)

18.3 What May Be Retained

Certain information may be retained for legal, regulatory, or legitimate business purposes, including:

• Transaction Records: Financial records, commission payments, and transaction history (retained for 7 years for tax and accounting compliance)
• Legal Compliance: Information required to comply with legal obligations, court orders, or regulatory requirements
• Dispute Resolution: Data necessary to resolve disputes, enforce agreements, or defend against legal claims
• Anonymized Analytics: Aggregated, anonymized data that cannot be used to identify you
• Backup Systems: Information in backup systems may persist for up to 90 days before permanent deletion

18.4 Deletion Timeline

Account deletion is typically processed immediately upon your request. However:

• Immediate Effects: Your account will be deactivated immediately, and you will no longer be able to access the Platform
• Data Removal: Personal information will be deleted from our active systems within 30 days
• Backup Deletion: Information in backup systems will be permanently deleted within 90 days
• Third-Party Services: If you have connected third-party services (e.g., Shopify, Klaviyo), you may need to separately manage data deletion with those services

18.5 Data Deletion Status

If you initiated account deletion through a social media platform (e.g., Instagram), you can check the status of your deletion request by visiting the confirmation URL provided in the deletion request. You will receive a confirmation number that you can use to track the deletion process.

18.6 Irreversibility

Account deletion is permanent and cannot be undone. Once your account is deleted:

• You will lose access to all Platform features and data
• You will need to create a new account if you wish to use the Platform again
• Any outstanding commissions, rewards, or benefits will be forfeited unless otherwise required by law
• Content that was shared with Brands may remain visible to those Brands until they delete it from their systems

20.1 Supervisory Authorities

If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with the appropriate supervisory authority: