Privacy Policy

Version 2026-05-31 · Effective 2026-05-31

This Privacy Policy explains what data Kollab, Inc. (“Kollab,” “we,” “us”) collects, why, who we share it with, and what you can do about it. It applies to the Kollab Platform, including Discover, Activate, and Manage.

1. Data We Collect

1.1 Information you give us

• Account data — email, name, password (handled by Clerk). For Google sign-in, your Google account identifier and verified email.
• Creator claim data — when you claim a Creator profile, we verify ownership of the X (Twitter) account via Clerk OAuth, which gives us your X user ID, handle, and public profile metadata.
• Payment and payout data — Brands provide payment-method information to Stripe; Creators provide identity, banking, and tax data to Stripe Connect during onboarding. We do not store payment-card numbers or bank-account numbers ourselves; we hold only Stripe-issued identifiers.
• Campaign and Offer data — campaign briefs, deliverables, rates, go-live dates, notes, and any messages or counter-offers exchanged on the Platform.
• Creator preferences — verticals, campaign types, rate cards, content filters, availability, and blocklist entries you save to your profile.
• Agreement signatures — at signing time we capture your typed name, IP address, user agent, and timestamp. We hash the final terms with SHA-256 for tamper evidence.

1.2 Information we collect automatically

• Usage data — searches performed in Discover, rate-limit counters, page views, and feature interactions.
• Device and log data — IP address, browser, operating system, and request logs.
• Cookies — we use session cookies (via Clerk) to keep you signed in. We do not use third-party advertising cookies.

1.3 Information we pull from third parties

• X (Twitter) public profile data — when a Creator handle is scored or claimed, we fetch publicly available profile metadata, recent tweets, and reply samples from the X API v2. We cache this data in Upstash Redis for 24–48 hours to limit API load.
• Stripe — we receive payout status, balance, and Connect-onboarding completion signals from Stripe.

2. How We Use Your Data

• To provide, operate, and improve the Platform — including running the Kollab Scoring Engine and authenticity model.
• To authenticate you and protect accounts from unauthorized access.
• To facilitate Offers, Agreements, and payouts between Brands and Creators.
• To send transactional emails (Offer notifications, signed-Agreement PDFs, dispute updates, payout confirmations).
• To detect, investigate, and prevent fraud, abuse, or violations of our Platform Terms.
• To respond to support requests and legal obligations.

We do not sell your personal data. We do not use your data to train third-party AI models.

3. Who We Share Data With

We share data with the following service providers strictly to operate the Platform. Each is bound by its own privacy and security commitments.

• Clerk — authentication, session management, OAuth (Google, X).
• Supabase — primary database and private storage for signed Agreement PDFs.
• Stripe (Connect & Customers) — payment processing, Escrow, payouts, KYC for Creators.
• Resend — transactional email delivery.
• Sentry — error and performance monitoring.
• Upstash — Redis cache for X API responses and rate limits.
• Vercel — hosting and content delivery.
• X (Twitter) — we read public profile and tweet data via the X API. We do not write anything to your X account without your explicit OAuth consent.

We also share data when (a) you direct us to (e.g., sending an Offer shares Campaign details with the receiving Creator), (b) it's required by law or to enforce our Platform Terms, or (c) part of a business transfer such as a merger, acquisition, or asset sale.

4. Data Retention

• Account data — kept while your account is active, deleted within 90 days of account closure (longer where law requires).
• Agreements and signature audit data — retained for up to 7 years after the Agreement's completion or termination, to meet tax, accounting, and contract-enforcement obligations.
• Payment records — retained per Stripe's and applicable tax-law requirements (typically 7 years in the U.S.).
• Cached X profile data — 24–48 hours in Redis. Snapshots written to the follower-history table are kept indefinitely for authenticity trajectory analysis.
• Logs and error events — up to 90 days in Sentry.

5. Security

We use industry-standard measures: TLS in transit, encryption at rest via our providers (Supabase, Stripe), least-privilege access controls, and audit logging. Signed Agreement PDFs sit in a private storage bucket and are only accessible via short-lived signed URLs (10 minutes). No system is bulletproof; if we become aware of a breach affecting your data we'll notify you as required by law.

6. Your Rights

Depending on where you live (e.g., U.S. states with consumer-privacy laws, the EU/UK under GDPR, California under CCPA), you may have the right to:

• Request a copy of the personal data we hold about you.
• Ask us to correct inaccurate data.
• Ask us to delete data we no longer need to keep (subject to legal retention).
• Withdraw consent or object to certain processing.
• Lodge a complaint with your local data-protection authority.

To exercise any of these rights, email hello@officialkollab.com. We'll respond within 30 days.

7. International Transfers

Kollab is operated from the United States and uses U.S.-based service providers. If you access the Platform from outside the U.S., your data will be transferred to and processed in the U.S. and other jurisdictions where our providers operate.

8. Children

The Platform is not directed at anyone under 18. We don't knowingly collect data from anyone under 18. If you believe a minor has provided us data, contact us and we'll delete it.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we'll update the Version above. For material changes we'll notify you by email or in-product notice before they take effect.

10. Contact

Privacy questions, requests, or complaints: hello@officialkollab.com.