Fluencify legal
Privacy Policy
This Policy explains how Fluencify handles personal data about Platform users, creators, business contacts and people whose public creator profiles may be considered for campaign opportunities.
- Version
- PRIVACY-2026-07-10
- Effective and last updated
- 10 July 2026
Controller: Fluencify AB, org. no. 559484-6254, Solparksvägen 3, 169 54 Solna, Sweden. For privacy requests, email contact@fluencify.io. If your request concerns a public social profile, include the platform and public handle so we can locate the right record without asking for unnecessary identification.
1. Who this Policy covers
This Policy covers personal data about:
- creators, ambassadors and other registered Platform users;
- brand, agency, customer and supplier representatives;
- people who contact us, receive service communications or visit our Web Service;
- public creators considered for relevant campaign opportunities; and
- business contacts approached about Fluencify's services.
Fluencify is normally the controller for its marketplace, account, creator, contract, security, analytics and business-development activities. Where a business customer gives Fluencify documented instructions to process personal data solely on that customer's behalf, the customer is controller and Fluencify acts as processor under the applicable Data Processing Agreement.
2. Personal data and where it comes from
| Context | Examples | Usual source |
|---|---|---|
| Account and identity | Name, email, phone, organisation, role, account ID, authentication and age-eligibility information | You, an authorised administrator, Clerk, Apple or Google sign-in |
| Campaign and content | Applications, briefs, submissions, messages, approvals, public posts, image, voice, usage rights and performance information | You, customers, public platforms and campaign activity |
| Billing and payout | Plan, invoice, transaction and payout references, amount, currency, status and limited fraud/compliance information | You, Stripe, Grade and our transaction records |
| Device, service and security | IP address, device/browser details, timestamps, logs, session and access events, support and error information | Your device, our systems and service providers |
| Optional analytics | Page paths, navigation, feature events, role and application-error context after consent | Your use of the Web Service through PostHog after you allow analytics |
| Public creator discovery | Public handle, profile name, bio, avatar, captions, public media/URLs, engagement metrics, content topics or style and a broad estimated age band | Public social platforms, public websites and data-source providers |
| Business development | Work name, role, employer, published work contact, source, correspondence and suppression status | You, public business sources, referrals and business-data providers |
We do not ask for special-category data for ordinary Platform use and do not intentionally create sensitive-trait, biometric, precise-location or personality labels from public creator content. Please do not provide such data unless we have expressly requested it for a lawful, documented reason.
3. Why we process data and our legal bases
| Purpose | Legal basis |
|---|---|
| Create accounts, authenticate users, provide Platform features, run campaigns, communicate and administer creator compensation | Performance of a contract or steps requested before a contract; legitimate interests for related business-user administration |
| Bill customers, maintain accounting/tax records, respond to authorities and establish or defend legal claims | Legal obligation and legitimate interests in legal-claims management |
| Protect users and systems, prevent fraud, enforce rules, troubleshoot and maintain availability | Legitimate interests in a secure and reliable service; legal obligation where applicable |
| Identify public creators for relevant invitations and human-assisted campaign matching | Legitimate interests, subject to strict minimisation, transparency, human review, freshness, objection and suppression safeguards |
| Send proportionate, role-relevant B2B communications and maintain an opt-out list | Legitimate interests, subject to marketing law and the unconditional right to object to direct marketing |
| Measure Web Service use and application errors through optional analytics | Consent; the SDK remains uninitialized until analytics is allowed |
| Send marketing that requires permission or access a device feature such as camera or notifications | Consent or the relevant device permission, where required |
Where we rely on legitimate interests, we balance the stated business purpose against the person's reasonable expectations, data sensitivity and likely impact. You may request information about that assessment and object as described below.
4. Public creators and Article 14 information
Public availability does not remove privacy rights. We may use limited public profile and content information to identify creators whose publicly presented work may fit a campaign, invite them to join Fluencify and support human-assisted matching. We aim to provide this information at first contact and, where required and reasonably possible, within one month after collection or before an earlier disclosure.
AI may help describe non-sensitive content topics, produce a broad age band or rank a possible match. Its output is a suggestion, can be wrong and must not be the sole basis for a decision with legal or similarly significant effects. Suspected minors must not be targeted for outreach. Customers do not receive an unrestricted right to download or reuse the public-creator dataset.
The dedicated Public Creator Notice explains sources, profiling, likely effects and the quickest correction, objection and removal route.
6. International transfers
Our providers and their authorised support teams may process data in the EEA and in other countries. Before making a restricted transfer, we use an applicable GDPR Chapter V mechanism, such as an adequacy decision or the European Commission's Standard Contractual Clauses, and assess supplementary protections where required. The exact route depends on the service, account and selected region. Contact us for information about the safeguard relevant to your data.
7. How long we keep data
| Data | Retention rule |
|---|---|
| Account and ordinary Platform data | For the account or service relationship, then deletion or anonymisation after applicable closure, backup and legal-retention periods |
| Campaign contracts, approved deliverables and transaction records | For the licence/contract term and statutory accounting, tax, dispute and legal-claims periods |
| Ordinary messages | Up to 730 days unless a shorter feature rule or legal need applies |
| Security and audit events | Normally up to 365 days, longer only for an active investigation or legal claim |
| Raw AI or provider payloads | Target maximum 30 days unless a recorded, lawful need requires a different period |
| Public creator source facts | Refreshed at least every six months; inactive candidate profiles deleted after 12 months; prompt suppression and purge following an upheld objection |
| Business prospects | Normally 12 months after the last meaningful contact; a minimal suppression record may remain to prevent re-contact |
| Optional analytics | For the configured PostHog project period and only while needed for the disclosed purpose; browser consent and identifiers can be withdrawn or cleared at any time |
We may retain less data for longer where necessary to honour an objection, prevent fraud, meet legal duties or establish, exercise or defend a legal claim. Backups are isolated and expire on their managed cycle unless restoration is required.
8. Your rights
Subject to the GDPR's conditions and exceptions, you may request access, correction, deletion, restriction, portability and information about your data. You may object to processing based on legitimate interests. An objection to direct marketing is absolute: we will stop marketing to that person and keep only the minimum suppression information needed to avoid contacting them again.
Email contact@fluencify.io. We may ask for proportionate information to verify that we are acting for the right person. We normally respond within one month and will explain if the GDPR permits an extension or limits a request. You may also complain to the Swedish Authority for Privacy Protection, Integritetsskyddsmyndigheten (IMY), at imy.se, or to the competent authority where you live or work.
9. Security and children
We use role-based access, managed authentication, encryption in transit, provider storage protections, restricted secrets, logging and incident procedures proportionate to the risks. No online service can promise absolute security. Tell us promptly if you suspect unauthorised account use.
Registered creator accounts are limited to people aged 18 or older. Public content may nevertheless include a minor or a person whose age is unclear. We do not intentionally target suspected minors for creator outreach and use age-risk review, minimisation and deletion/suppression controls for that risk.