Privacy
Notice

Ikaroa Group Limited ("Ikaroa", "we") is the controller of personal data processed through Ikaroa Amplify (the "Marketplace"). We are registered in England and Wales and our registered office is at 9 Noel Street, London W1F 8GH, United Kingdom.

For any privacy request (access, correction, deletion, portability, objection, restriction, withdrawal of consent, or complaint), write to privacy@ikaroa.com. We aim to respond within 30 days. If you are in the EU or UK and you believe we have not addressed your request properly, you have the right to complain to your local supervisory authority. In the UK, that is the Information Commissioner's Office (ico.org.uk).

Account data. When you sign up we store your email address, the role you signed up under (creator or brand member), the IP address and user-agent of your sign-up event, and the version of the Terms and Privacy Notice you accepted. We also store your full name, profile photo, and contact preferences if you provide them.

Public-profile data (creators only). We collect publicly available information about creators from Instagram, TikTok, YouTube and similar platforms: handle, display name, bio, profile photo, follower count, engagement rate, recent post snippets, audience country breakdown, audience age and gender estimates, brand-safety scores. This data is supplied by audited third-party data partners under contract.

Claim data (creators only). When you verify a public profile we store the verification method (bio code, OAuth, etc.), the verification timestamp, and the link between your account and the handle. This is the audit trail that proves the profile is yours.

Offer and application data. When you post or apply to an Offer, we store the brief, pitch, proposed rate, communications, and the status of any resulting Deal.

Payment data. Payments are processed by Stripe. We do not store full card numbers. We store the Stripe customer ID, Stripe Connect account ID, payout account country, payout currency, the gross and net amount of every transaction, and the tax breakdown.

Device data. When you use the Marketplace we automatically log device type, browser, operating system, IP address, referring URL, and a session identifier so we can secure the account, debug issues, and produce aggregate analytics.

To provide the Marketplace (performance of contract). Account creation, authentication, profile listing for claimed creators, posting and applying to Offers, processing payments, sending Deal-related notifications, and customer support.

To run the public directory of creators (legitimate interest, where the creator has not claimed). The directory uses publicly available information to help brands discover creators and to help creators receive offers they would otherwise miss. Creators can object at any time by writing to privacy@ikaroa.com and we will remove the listing.

To comply with the law (legal obligation). Tax invoicing, anti-money-laundering checks via Stripe Connect, response to law-enforcement requests issued under valid legal process, retention of transaction records for the period required by accounting and tax law (currently six years in the UK).

To improve and secure the service (legitimate interest). Aggregate analytics, fraud detection, abuse prevention, A/B testing of new Marketplace features. We do not sell personal data and we do not use it to train generative-AI models on identifiable individuals.

To send marketing (consent, where required). Product announcements, new-Offer alerts that match your profile, and the Amplify newsletter. You can opt out at any time using the unsubscribe link in the email.

Other Marketplace users. Brands see the Public Profile, the application pitch, the proposed rate, and the contact email of any Creator who applies to one of their Offers. Creators see the Brand name, the Offer brief, and any post-award communications. We do not share more than is needed to operate the Marketplace.

Processors. Supabase (Postgres database and authentication, hosted in the EU), Vercel (application hosting), Stripe (payments and KYC), Open Doors / LeadConnector (transactional email and CRM), RapidAPI / Instagram Statistics API and similar audited-stats providers (third-party data enrichment), and the customer-support tooling we operate from time to time. Each processor is bound by a data-processing agreement.

Law enforcement and legal advisers. Where required by law, where necessary to defend a legal claim, or where reasonably required to protect the safety of users or the integrity of the Marketplace.

In a corporate transaction. If Ikaroa is acquired, merged, or restructured, personal data may transfer to the acquirer subject to confidentiality and to your continuing rights under data-protection law.

We do not sell personal data and we do not share it with advertisers for behavioural targeting.

Our primary infrastructure (database, authentication, hosting) is in the European Union. Some processors (Stripe, Vercel's edge network, RapidAPI) operate globally and may process data outside the EU and the UK, including in the United States. Where personal data leaves the UK or the EEA, we rely on the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or an equivalent transfer mechanism. A copy of the relevant safeguards is available on request.

Account and profile data are kept for as long as your account is active, plus 30 days after closure for safety and dispute resolution. Verified-claim records are kept for the longer of (a) the life of the account or (b) six years, so we can demonstrate ownership of the profile if challenged. Payment and tax records are kept for six years. Audit logs of acceptances, sign-ins, and admin actions are kept for 24 months. Audited-stats data on the public directory is refreshed regularly; outdated snapshots are deleted within 90 days unless they are tied to a Deal that is still being delivered.

Depending on where you live, you have the right to access the data we hold about you, to correct inaccurate data, to request deletion (the "right to be forgotten"), to receive a copy in a portable format, to object to processing based on legitimate interest, to restrict processing while we look into a dispute, and to withdraw any consent you have given.

For most rights you can act directly from your dashboard at /amplify/dashboard. To exercise rights that are not exposed there, write to privacy@ikaroa.com. We may need to verify your identity before acting on a request. If you are exercising a right on behalf of a creator who has not claimed their profile, please include enough information to prove your authority.

The Marketplace uses strictly necessary cookies for authentication and security; these cannot be disabled. We also use a small number of analytics events to understand how the Marketplace is used; these are aggregated and do not identify you. Where required by law we will ask for your consent before setting non-essential cookies. The mobile app uses platform-native equivalents (push tokens, secure-storage refresh tokens) for the same purposes.

Data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256 on the underlying storage). Access to production systems is restricted to a small number of engineers, requires single-sign-on with hardware-key 2FA, and is logged. Stripe handles all card data under PCI-DSS Level 1. Despite these measures, no system is 100% secure. If we become aware of a breach that is likely to result in a high risk to your rights, we will notify you and the relevant supervisory authority within the timelines required by law.

The Marketplace is not directed at children under 13. If you are between 13 and 17, your parent or legal guardian must register and operate the account on your behalf. We will delete any account we discover to be operated by a child without verifiable parental consent.

We may update this notice as the Marketplace evolves. The version date is shown at the top of this page. Where a change is material, we will notify active users in advance and ask them to acknowledge the new version on next sign-in.