Privacy Policy
Last updated: 13 July 2026
KoPass helps influencer agencies monitor the compliance of their talents' public publications. This policy explains what personal data we process, why, and the rights you have. The data controller is [legal entity name], [registered address]. For any question, contact us at contact.alexops@proton.me.
1. Data we collect
Agency account data: the name and email address used to create and sign in to your KoPass account.
Talent data: the public handle or profile URL you add for each creator you monitor, and the public publications (posts, Reels, Stories, videos) associated with that profile.
Connected account data: when a creator authorises KoPass to access their Instagram, TikTok or YouTube account, we store a read-only access token and the account's public identifiers (user id, username).
Analysis data: metadata about detected publications (caption, permalink, timestamp, media) and the compliance findings KoPass generates from them.
Billing data: subscription status handled by our payment processor. We never store card numbers.
2. Read-only access — we never modify accounts
KoPass requests read-only permissions only. On Instagram we use the scope instagram_business_basic; on TikTok user.info.basic and video.list; on YouTube youtube.readonly.
We never publish, edit, delete or otherwise modify a connected account. We cannot access private messages. Access is limited to the content needed to detect compliance issues on public publications.
3. Why we process this data
To provide the monitoring service: collect public publications, analyse them for advertising disclosure and other compliance findings, and present prioritised alerts to the agency.
To operate accounts, authentication, billing and support.
Our legal basis is the performance of the contract with the agency and our legitimate interest in operating and securing the service. Connected accounts are processed on the basis of the creator's explicit authorisation, which can be withdrawn at any time.
4. How we protect your data
Access tokens are encrypted at rest. Data is hosted on managed infrastructure with access restricted to what is necessary to run the service.
We retain data only as long as needed to provide the service. When an account or connection is removed, the associated tokens and publications are deleted.
5. Sub-processors and third parties
Supabase — database, authentication and hosting.
Stripe — subscription billing.
Resend — transactional email (invitations, notifications).
Meta (Instagram), TikTok and Google (YouTube) — official APIs from which authorised public content is retrieved.
Automated content analysis may rely on third-party AI processors, limited to the publication content being analysed.
6. Your rights
Under the GDPR you may request access to, rectification of, or erasure of your personal data, and object to or restrict certain processing.
Creators can disconnect an account at any time, or revoke KoPass from the social platform's own settings. Revoking access triggers deletion of the associated data on our side.
To exercise any right, or to request full deletion, email contact.alexops@proton.me. See also our Data Deletion page.
7. International transfers, cookies, changes
Where data is transferred outside the EEA, it is covered by appropriate safeguards. We use only essential local storage (your language choice and your authenticated session) — no advertising cookies.
We may update this policy; the date above reflects the latest version. Material changes will be communicated to account holders.