Privacy Policy

Discovr AI Private Limited ("Discovr AI", "we", "us") is committed to protecting the privacy and security of your personal data. This Privacy Policy describes how we collect, use, process, store, share, and protect personal information in connection with our Platform and Services.

This Policy applies to: (a) all users who register accounts on the Platform (Brands, Agencies, and Creators); (b) unregistered influencers whose publicly available data is indexed in our database; (c) visitors to our website at www.discovr.ai; and (d) any individual whose personal data we process in connection with our services.

By using the Platform, you consent to the collection and processing of your personal data as described in this Policy. Where consent is required under applicable law, we will request it separately.

1.1 Data Controller

Discovr AI Private Limited is the data controller for personal data processed in connection with the Platform. Our registered office is in Mumbai, Maharashtra, India. Contact our Data Protection Officer at: privacy@discovr.ai.

2.1 Data You Provide Directly

When you register and use the Platform, we may collect:

• Identity data: Full name, job title, company name, professional role;
• Contact data: Email address, phone number, mailing address;
• Account data: Username, password (hashed), account preferences;
• Payment data: Billing address, transaction history (payment card details are processed by and stored with our payment processors; we do not store full card numbers);
• Campaign data: Campaign briefs, brand guidelines, outreach templates, shortlisted Creator lists;
• Communications: Messages exchanged through the Platform, support tickets, feedback.

2.2 Data Collected Automatically

When you access the Platform, we automatically collect:

• Device and technical data: IP address, browser type and version, operating system, device identifiers;
• Usage data: Pages visited, features used, search queries, time spent, clickstream data;
• Log data: Access logs, error logs, API request logs;
• Location data: Country and region inferred from IP address (we do not collect precise GPS location).

2.3 Social Media & Creator Data

For Registered Creators, we collect:

• Social media profile information you authorize us to access (handles, bio, profile picture);
• Performance metrics from connected accounts (follower count, engagement rates, video views, audience demographics);
• Content data: Post captions, hashtags, tags, media thumbnails from public posts;
• YouTube data accessed via Google APIs (subject to Google API Services User Data Policy and Limited Use requirements).

For Unregistered Influencers (public data), we collect:

• Publicly available social media profile information (display name, handle, bio, profile picture);
• Publicly available performance metrics and content from accounts with public privacy settings;
• Contact information (such as email or business enquiry links) that the Creator has publicly listed in their profile.

We ONLY collect data from accounts with public privacy settings. We do not scrape private accounts, data behind paywalls, or information not publicly disclosed by the individual.

2.4 Third-Party Data Sources

We may supplement our data with information from:

• Official social media platform APIs (YouTube Data API v3, Instagram Graph API, TikTok Research API, etc.) in compliance with each platform's developer policies;
• Public web data from Creator-managed websites, media kits, and publicly available press coverage;
• Third-party data enrichment providers, where applicable, with appropriate data processing agreements in place.

2.5 Sensitive Personal Data

We do not intentionally collect sensitive personal data (including race, ethnicity, religion, health information, political opinions, biometric data, or sexual orientation). If such data is incidentally collected from public sources, it is not used for profiling or targeting purposes. If you believe we have collected sensitive data about you, please contact privacy@discovr.ai for deletion.

3.1 For Registered Users (Brands, Agencies, Creators)

We process your personal data on the following legal bases:

Contract performance: Processing necessary to provide you with the Platform and Services you have subscribed to (account management, billing, service delivery).

Legitimate interests: Improving Platform features, security monitoring, fraud prevention, and internal analytics, where our interests do not override your fundamental rights.

Consent: Marketing communications, optional analytics, and cookie placement where required by law. You may withdraw consent at any time.

Legal obligation: Compliance with applicable laws, court orders, or regulatory requirements (tax records, legal holds).

3.2 For Unregistered Influencers

We process publicly available data of unregistered influencers on the basis of legitimate interest, specifically: enabling the commercial influencer marketing ecosystem and facilitating connections between Creators and Brands. We have conducted a Legitimate Interests Assessment (LIA) to verify that this processing does not override Creator fundamental rights. Creators may object to or request deletion of their data at any time per Section 9.

We use collected personal data for the following purposes:

• Account creation, maintenance, and authentication;
• Providing, operating, improving, and personalizing the Platform;
• Processing payments and managing subscriptions;
• Creator discovery, matching, and recommendation features;
• Generating campaign analytics, reports, and performance insights;
• Communicating with you about your account, updates, and support requests;
• Sending marketing communications where you have opted in (you may unsubscribe at any time);
• Fraud detection, security monitoring, and abuse prevention;
• Compliance with legal and regulatory obligations;
• Research and development of new features (using anonymized or aggregated data);
• Enforcing these Terms and our other policies.

4.1 What We Do NOT Do

Discovr AI commits that it will NOT:

• Sell your personal data to third parties for their own commercial purposes - ever;
• Share individual Brand campaign data (budgets, strategies, Creator relationships) with other Brands or external parties;
• Use your personal data to build targeted advertising profiles for third-party ad networks;
• Share Creator data with Epsilon, data brokers, or third-party advertising networks without explicit consent;
• Use personal data obtained from Google APIs for purposes other than operating and improving the Platform, in compliance with Google API Services User Data Policy and Limited Use requirements;
• Retain personal data for longer than necessary for the purposes for which it was collected;
• Use automated decision-making that produces legal or similarly significant effects without human review.

5.1 Authorized Sharing

We share personal data only in the following circumstances:

5.1.1 Within the Platform

• Brand and Creator profile information is shared with each other within the Platform for the purpose of facilitating influencer marketing connections, to the extent necessary for that purpose.
• Registered Creator profiles (including publicly available metrics) are visible to Brand and Agency users who subscribe to the Platform.

5.1.2 Service Providers

We engage third-party service providers who process data on our behalf under strict contractual data processing agreements. These include:

• Cloud hosting providers (AWS, Google Cloud Platform);
• Payment processors (Razorpay, Stripe) - for billing only;
• Email delivery services - for transactional and marketing emails;
• Analytics tools - for internal product analytics (using anonymized data where possible);
• Customer support software;
• Security and fraud monitoring services.

We do not permit service providers to use your personal data for their own purposes beyond what is necessary to provide services to us.

5.1.3 Legal Disclosures

We may disclose your personal data to government authorities, courts, or law enforcement where required by: (a) applicable law, court order, or regulatory requirement; (b) to establish, exercise, or defend our legal rights; or (c) to protect the safety of any person from imminent threat. We will, where legally permissible, notify you of such disclosures.

5.1.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of all or substantially all of our assets, your personal data may be transferred to the successor entity. We will notify you of any such transfer in advance and the successor entity will be bound to honor this Privacy Policy or provide materially equivalent protections.

5.2 International Data Transfers

Your personal data may be processed in countries other than where you reside, including India, the United States, and other countries where our service providers operate. When we transfer data internationally, we implement appropriate safeguards including:

• Standard Contractual Clauses (SCCs) adopted by the European Commission, for transfers from the EEA;
• Adequacy decisions where applicable;
• Binding contractual obligations on service providers to provide equivalent levels of protection;
• For transfers from India: compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and any cross-border transfer framework notified by the Government of India.

We use cookies, web beacons, pixels, and similar technologies on our Platform. You will be presented with a cookie consent banner on your first visit and may manage your preferences at any time through our Cookie Settings page.

6.1 Cookie Categories

Strictly Necessary: Essential for Platform functionality (login sessions, security, CSRF protection). These cannot be disabled.

Performance & Analytics: Help us understand how users interact with the Platform (e.g., Google Analytics with IP anonymization enabled). Requires consent.

Functional: Remember your preferences and settings. Requires consent.

Targeting/Marketing: We do NOT currently use third-party advertising or targeting cookies. If this changes, we will update this Policy and seek consent.

6.2 Third-Party Pixels

We do not embed third-party advertising pixels (such as Meta Pixel, LinkedIn Insight Tag, or similar) that share your data with ad networks for targeting purposes without your explicit consent.

We retain your personal data for as long as is necessary to fulfil the purposes described in this Policy, subject to the following guidelines:

• Active account data: Retained for the duration of your account and for 3 years after account deletion, for legal and dispute resolution purposes;
• Transaction and billing records: 8 years as required by Indian tax and accounting law;
• Campaign data and Creator data: 2 years after the last campaign activity, unless you request earlier deletion;
• Security and audit logs: 1 year;
• Unregistered Creator profiles: Continuously updated; deleted within 30 days of a valid removal request;
• Marketing consent records: 5 years from consent or withdrawal.

When data is no longer needed, it is securely deleted or irreversibly anonymized using industry-standard procedures. We do not retain personal data solely as a business asset or for data brokerage purposes.

We implement comprehensive technical and organizational security measures appropriate to the risk of processing your personal data, including:

• Encryption of data in transit using TLS 1.2 or higher;
• Encryption of sensitive data at rest using AES-256 or equivalent;
• Access controls: Role-based access, principle of least privilege, and multi-factor authentication for internal systems;
• Regular security assessments, penetration testing, and vulnerability scanning;
• Data Processing Impact Assessments (DPIAs) for high-risk processing activities;
• Incident response plan with defined notification timelines;
• Employee training on data security and privacy obligations;
• Vendor security assessment for all third-party processors.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and relevant supervisory authorities in accordance with applicable law (within 72 hours for GDPR; within the timelines required under India's DPDP Act; as required by applicable US state laws).

Depending on your location and applicable law, you may have the following rights regarding your personal data. To exercise any of these rights, contact: privacy@discovr.ai. We will respond within 30 days (or shorter where required by law) and may require identity verification before processing requests.

9.1 Rights Available to All Users

• Right to Access: Request a copy of the personal data we hold about you and information about how it is processed.
• Right to Rectification: Request correction of inaccurate or incomplete personal data.
• Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data, subject to legal retention requirements.
• Right to Object: Object to processing of your personal data based on legitimate interests or for direct marketing purposes.
• Right to Withdraw Consent: Where processing is based on consent, withdraw consent at any time without affecting the lawfulness of prior processing.

9.2 Additional Rights Under GDPR (EEA/UK Users)

• Right to Restriction: Request restriction of processing while accuracy or legitimacy is disputed.
• Right to Data Portability: Receive your personal data in a structured, machine-readable format (where technically feasible).
• Right Not to Be Subject to Automated Decision-Making: Request human review of any automated decisions that significantly affect you.
• Right to Lodge a Complaint: Lodge a complaint with your local supervisory authority (e.g., your national Data Protection Authority or the UK ICO at https://ico.org.uk).

9.3 Rights Under India's DPDP Act 2023

As a data principal under India's Digital Personal Data Protection Act, 2023, you have the right to:

• Access information about personal data processed by us and the identity of third parties with whom it is shared;
• Correction, completion, and updating of your personal data;
• Erasure of your personal data when the purpose for collection has been fulfilled or consent has been withdrawn, unless retention is required by law;
• Nominate another individual to exercise your rights in the event of your death or incapacity;
• Grievance redressal: File a complaint with our designated Grievance Officer (privacy@discovr.ai) within 30 days. We will respond within 48 hours of acknowledgment;
• Escalation to the Data Protection Board of India (once constituted) if your grievance is not satisfactorily resolved.

9.4 Rights Under US State Laws (CCPA / State Privacy Laws)

If you are a California resident or a resident of another US state with applicable privacy laws:

• Right to Know: Request disclosure of categories and specific pieces of personal data we have collected, sources, purposes, and third parties with whom it is shared;
• Right to Delete: Request deletion of personal data (subject to exceptions);
• Right to Correct: Request correction of inaccurate personal data;
• Right to Opt-Out of Sale: We do not sell personal data. If this changes, we will provide an opt-out mechanism;
• Right to Non-Discrimination: Exercise of privacy rights will not result in denial of service or different pricing;
• Right to Opt-Out of Sharing for Cross-Context Behavioral Advertising: Currently, we do not engage in such sharing.

9.5 Rights Under GDPR for Unregistered Influencers

If you are an unregistered influencer whose data appears in our Platform and you are an EEA/UK resident, you may exercise all GDPR rights including erasure and objection to processing. Erasure requests will be honored within 30 days unless we have a legitimate legal basis to retain the data. Contact: privacy@discovr.ai with subject line "Influencer Data Removal Request".

The Platform is not directed to, and we do not knowingly collect personal data from, any individual under the age of 18. If we become aware that we have collected personal data from a minor, we will take immediate steps to delete such data. If you believe a minor has provided us with personal data, please contact privacy@discovr.ai immediately.

In relation to Creator data, we will remove any profile of an individual who informs us they are under 18, and we will not facilitate campaign partnerships involving minors.

11.1 India - DPDP Act 2023

Discovr AI is an Indian data fiduciary under the Digital Personal Data Protection Act, 2023. We are committed to processing personal data in a lawful and responsible manner. Our designated Grievance Officer can be reached at privacy@discovr.ai. We will appoint a Consent Manager and implement all obligations under the DPDP Act as its implementing rules are notified.

11.2 European Economic Area & United Kingdom (GDPR)

For users in the EEA and UK, Discovr AI processes personal data in compliance with the EU General Data Protection Regulation (GDPR) and the UK GDPR. Our legal bases for processing are set out in Section 3. We will appoint an EU/UK representative if required by applicable guidance. For GDPR-related inquiries, contact: privacy@discovr.ai.

11.3 United States

For US residents, this Policy addresses rights under the California Consumer Privacy Act (CCPA) as amended by CPRA, Virginia's VCDPA, Colorado's CPA, and other applicable US state privacy laws. We do not sell personal data. We do not engage in cross-context behavioral advertising without consent. To exercise your state-specific rights, email: privacy@discovr.ai with your state of residence and the right you wish to exercise.

11.4 Other Jurisdictions

We endeavor to comply with applicable privacy laws in all jurisdictions where we operate or process personal data. If you are located in a jurisdiction with specific privacy rights not addressed in this Policy, please contact us at privacy@discovr.ai and we will endeavor to accommodate your lawful request.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or Platform features. When we make material changes, we will:

• Update the "Last Updated" date at the top of this document;
• Provide at least 14 days' advance notice via email and in-platform notification for material changes;
• For changes that significantly expand how we use your data, seek fresh consent where required by applicable law.

Your continued use of the Platform after the effective date of a revised Policy constitutes acceptance of the changes. We maintain a policy version history available upon request.

Data Protection Officer / Grievance Officer

Discovr AI Private Limited

Attn: Data Protection Officer / Grievance Officer

Mumbai, Maharashtra, India

Email: privacy@discovr.ai

Response time: We will acknowledge your query within 48 hours and resolve it within 30 days (or such shorter period as required by applicable law).

For legal notices: legal@discovr.ai

For security incidents: security@discovr.ai

For billing queries: billing@discovr.ai

For general support: support@discovr.ai