Privacy Policy

Last updated: 30 April 2026

InfluencerFinder is a creator-discovery tool for marketing teams. This page explains what personal data we process, why, on what legal basis, and how you exercise your rights under the EU General Data Protection Regulation (GDPR / DSGVO).

1. Controller

Tim Cirksena, [address — see Imprint], Germany. Contact for any privacy matter: privacy@influencerfinder.app.

2. Who this policy applies to

This policy covers three groups:

  • Visitors who browse the website (anyone hitting influencerfinder.app).
  • Customers who create an account and use the product.
  • Creators whose publicly-available profiles on Instagram, TikTok and YouTube appear in our discovery index.

Different sections apply depending on which group you fall into. Creators jump to Section 6.

3. Data we collect from visitors

When you visit the public website without logging in, our hosting provider (Vercel) automatically receives standard server logs: IP address, user agent, requested URL, timestamp, referrer. These are technical access logs — necessary for delivering the page and detecting abuse.

  • Purpose: serve the site, debug errors, defend against abuse.
  • Legal basis: Art. 6(1)(f) DSGVO — legitimate interest in operating a functioning, secure website.
  • Retention: Vercel retains access logs for a maximum of 30 days. We do not duplicate or export them.

We do not use third-party analytics, advertising trackers, social plugins, or retargeting pixels.

4. Data we collect from customers

When you sign up for an account we process:

  • Email address (required) — for login and transactional email.
  • Display name (optional) — shown in your workspace.
  • Organisation / workspace name — to scope your data.
  • Authentication metadata — last login, session tokens, password hash (handled by Supabase Auth, never stored as plaintext).
  • Usage data — searches you perform, creators you reveal/save, outreach status notes you write. Stored under your organisation, never shared with other tenants.
  • Billing data — handled directly by Stripe (see Section 7). We see subscription status (free / paid tier) and the customer-ID, never card numbers.
  • Purpose: deliver the contracted service.
  • Legal basis: Art. 6(1)(b) DSGVO — performance of contract; for billing additionally Art. 6(1)(c) DSGVO (statutory record-keeping).
  • Retention: while your account is active and 90 days after deletion (grace period for restore + abuse-pattern checks). Invoices are retained 10 years per German tax law (§ 147 AO).

5. Cookies and local storage

We use only strictly-necessary cookies / local-storage entries — no consent banner is legally required for these per § 25 (2) Nr. 2 TTDSG:

  • Session cookie (Supabase) — keeps you logged in. HTTP-only, SameSite, expires when you log out.
  • UI preferences (local storage) — sort order, filter defaults. Never leaves your device.

No tracking, advertising, A/B-testing or cross-site cookies are set.

6. Data about creators (Art. 14 DSGVO)

Our index contains profile information for creators on Instagram, TikTok and YouTube. Because we collect this without contacting each creator individually, the following section is the "third-party notice" required by Art. 14 DSGVO.

6.1 What we collect

For each creator profile we may store:

  • Public username (handle) and display name as shown on the source platform.
  • Profile picture / avatar.
  • Public bio text and self-declared links.
  • Country / language signals where the platform exposes them.
  • Aggregate engagement metrics derived from publicly-visible posts: follower count, average views, engagement rate, posting frequency, last-post timestamp.
  • A business or contact email only if the creator has voluntarily published it on their public profile (e.g. in the bio or in the "Contact" field of a YouTube channel).
  • Niche tags and a marketing-fit score we compute internally from the above.

We do not collect: private posts, follower lists, DMs, demographic breakdowns of audiences, location data beyond country, or any data behind a login wall.

6.2 Where the data comes from

From the public, logged-out web — the same pages anyone visiting instagram.com/yourhandle would see — and from the official YouTube Data API. We do not buy lists from data brokers and we do not crack private accounts.

6.3 Why we process it

To let our customers (marketing teams, agencies, DTC brands) discover creators relevant to a campaign. The index is a search and filtering tool — it does not enable mass DMs, scraping pipelines, or any further automated contact.

6.4 Legal basis

Art. 6(1)(f) DSGVO — legitimate interest. The interest is operating a creator-discovery marketplace; the relevant balancing considerations are:

  • The data is voluntarily made public by the creator.
  • It is professional/business-context data (a creator's reach and niche).
  • We index aggregate metrics, not invasive personal information.
  • Each creator can opt out at any time via influencerfinder.app/remove-me (free, no account, processed within 30 days).

6.5 Why we do not notify each creator individually

Art. 14(5)(b) DSGVO exempts the controller from individual notification where it would involve disproportionate effort. With an index of public profiles across three platforms, contacting each creator directly is not practicable. As a substitute we make this policy public, mention the index on the homepage, and run a prominent always-on opt-out at /remove-me.

6.6 Retention

  • Active profiles refresh on a rolling 30-day cycle. Stale data is overwritten, not duplicated.
  • Profiles that disappear from the source platform (account deleted, made private) are removed at the next refresh cycle.
  • Profiles that are opted out via /remove-me are soft-deleted immediately on approval (display name anonymised, bio and metrics cleared) and a flag prevents the scrapers from re-creating them.

6.7 Recipients

Profile data is visible only to authenticated paying customers within the product. It is not sold to third parties, syndicated, or made public outside the application.

7. Subprocessors

We use the following processors (Auftragsverarbeiter per Art. 28 DSGVO) to operate the service. Each is bound by a Data Processing Agreement (DPA / AVV).

| Service | Purpose | Region | Transfer mechanism |
|---|---|---|---|
| Vercel Inc. | Web hosting, edge network, access logs | EU (Frankfurt) primary | EU SCCs + DPA |
| Supabase Inc. | Database (Postgres), authentication, file storage | EU (Frankfurt) | EU SCCs + DPA |
| Railway Corp. | Worker / background-job hosting | EU region selected | EU SCCs + DPA |
| Upstash Inc. | Redis queue and rate-limit counters | EU region | EU SCCs + DPA |
| OpenAI, L.L.C. | Niche / marketing-fit classification of public profile text. Inputs are bio + caption snippets only. | USA | EU SCCs + DPA; Zero-Retention via API (no training, deleted ≤30d) |
| Stripe Payments Europe Ltd. | Payment processing, billing, invoicing | Ireland (EU) | EU SCCs + DPA |
| Resend Inc. | Transactional email (login links, billing receipts) | EU region | EU SCCs + DPA |
| IPRoyal sp. z o.o. | Residential / mobile proxy network used to access the same public pages a regular browser would | EU (Lithuania) | EU-internal; DPA |
| Google Ireland Ltd. (YouTube Data API) | Public channel metadata for YouTube creators | Ireland (EU) | EU-internal; standard YouTube API ToS |

We do not transfer customer data to processors outside this list. Where a transfer to the USA occurs (OpenAI), it is covered by the EU-US Data Privacy Framework adequacy decision and supplemental Standard Contractual Clauses.

8. Your rights

Under the GDPR / DSGVO you have the right to:

  • Access the data we hold about you (Art. 15).
  • Rectify incorrect data (Art. 16).
  • Erasure (Art. 17) — for creators, the fastest path is /remove-me.
  • Restrict processing (Art. 18).
  • Data portability (Art. 20).
  • Object to processing based on legitimate interest (Art. 21). For creators, an objection via email is treated identically to an erasure request.
  • Withdraw consent at any time, where processing is based on consent (Art. 7(3)). Currently we do not rely on consent for any processing.
  • Complain to a supervisory authority (Art. 77). The competent authority for our establishment is the data-protection authority of the federal state of our registered address; you may also complain to the authority of your habitual residence.

Send rights requests to privacy@influencerfinder.app. We respond within 30 days (Art. 12(3)).

9. Security

Data is encrypted in transit (TLS 1.2+) and at rest (managed by Supabase / Vercel / Railway / Upstash). Access to production credentials is limited to the operator. We do not store payment card numbers — Stripe handles those directly. Passwords are stored as hashes (bcrypt via Supabase Auth), never in plaintext.

10. Children

The service is intended for business users (16+). We do not knowingly process data of children under 16 either as customers or as indexed creators. If you become aware of such data, write to privacy@influencerfinder.app and we will remove it immediately.

11. Changes to this policy

We update this page when our processing changes (new subprocessor, new feature, legal development). The "Last updated" date at the top reflects the most recent revision. Material changes affecting customers are additionally announced by email.

12. Contact

Privacy questions, rights requests, complaints: privacy@influencerfinder.app. Postal address: see Imprint.