Privacy Policy

Buzzaar Benelux B.V.
Address:

• Privacy inquiries: help@buzzaar.world
• Legal inquiries: help@buzzaar.world
• General support: help@buzzaar.world

Data Protection: We have appointed a dedicated privacy team responsible for all data protection matters. For any questions regarding the processing of your personal data, contact our Data Protection Team at help@buzzaar.world. While we have not appointed a formal Data Protection Officer under Article 37 of the GDPR, our privacy team fulfills equivalent oversight functions.

Buzzaar Benelux B.V. is the data controller responsible for the processing of your personal data under this Privacy Policy.

We collect and process the following categories of personal data:

2.1 Account and Registration Data

When you register for the Service, we collect:

• Full name
• Email address
• Password (stored in hashed form)
• Phone number
• Date of birth (to verify you meet the minimum age requirement of 18)
• Country and city of residence
• Preferred language (English, Spanish, or Russian)

2.2 Profile and Questionnaire Data

After registration, you may provide additional information through your profile and questionnaires:

• Profile photo (including cropped and resized versions)
• Gender
• Occupation and professional background
• Areas of interest and product category preferences
• Household and lifestyle information relevant to brand matching
• Ambassador type (WOM Ambassador or Influencer)
• Preferred communication channels

2.3 Social Media Data

When you connect your social media accounts to the Platform, we collect data through authorized APIs and our data aggregation partner, Phyllo:

Instagram Data (via Instagram Graph API, accessed through Phyllo):

• Instagram username and user ID
• Profile picture URL
• Account type (personal, business, or creator)
• Follower count and following count
• Media count
• Bio/description
• Published media (posts, stories, reels) including captions, timestamps, media URLs, like counts, and comment counts
• Audience demographics (where available for business/creator accounts)

The Instagram API permissions (scopes) we request are:

Scope	Data Accessed
instagram_business_basic	Username, profile picture, follower/following count, media count, account type
instagram_business_manage_insights	Reach, impressions, audience demographics (Creator/Business accounts only)
instagram_business_manage_comments	Comment counts and engagement data
instagram_business_content_publish	Content verification for campaign compliance
instagram_business_manage_messages	Message delivery status for campaign communications

All Instagram data is retrieved through Phyllo on our behalf and is used to calculate your Ambassador Score and to match you with relevant brand campaigns.

TikTok Data (via TikTok API through Phyllo):

• TikTok username and user ID
• Profile picture URL
• Follower count and following count
• Video count
• Published video data including descriptions, timestamps, view counts, like counts, comment counts, and share counts
• Audience demographics (where available)

2.4 Ambassador Score Data

We process your social media metrics to calculate an Ambassador Score, which is a numerical rating used to:

• Evaluate your reach and engagement potential
• Match you with appropriate brand campaigns
• Determine eligibility for specific campaign tiers

The Ambassador Score is derived from publicly available social media metrics (follower counts, engagement rates, content frequency, audience quality indicators) and your activity on the Platform.

2.5 Campaign and Activity Data

When you participate in brand campaigns ("Launches"), we collect:

• Campaigns you have applied to, been accepted to, or completed
• Content you create and submit as part of campaigns (photos, videos, text)
• Product shipment and delivery information
• Campaign feedback and survey responses
• Performance metrics related to campaign content

2.6 WhatsApp and Communication Data

If you link your WhatsApp number or communicate with us via WhatsApp:

• WhatsApp phone number
• Message content exchanged through WhatsApp Business API
• Message delivery and read status
• Communication preferences

Our use of the WhatsApp Business API is subject to the WhatsApp Business Terms of Service and WhatsApp Business Policy.

2.7 Technical and Device Data

We automatically collect certain technical information when you access the Service:

• IP address
• Browser type and version
• Operating system and device type
• Screen resolution
• Referring URL and pages visited
• Session duration and interaction data
• Device or push-subscription identifier
• Language and locale settings

2.8 Cookies and Tracking Data

We use cookies and similar technologies to collect:

• Session authentication cookie
• Language/locale preferences
• Cookie consent preferences
• Cookie preferences and any optional analytics or marketing choices if those tools are activated in a future release

For more details, please see our Cookie Policy.

We process your personal data for the following purposes and on the following legal bases:

3.1 Service Delivery (Contractual Necessity)

• Creating and managing your account
• Authenticating your identity and securing your account
• Matching you with brand campaigns based on your profile, interests, and Ambassador Score
• Facilitating your participation in campaigns, including product delivery coordination
• Calculating and updating your Ambassador Score
• Processing campaign-related communications between you and brands
• Providing customer support

3.2 Platform Improvement (Legitimate Interest)

• Analyzing usage patterns to improve the Service
• Detecting and preventing fraud, abuse, and security threats
• Conducting internal analytics and reporting
• Testing new features and functionality
• Maintaining and improving platform performance

3.3 Communications (Consent / Legitimate Interest)

• Sending you campaign invitations and updates
• Notifying you of new launches relevant to your profile
• Providing administrative notices (policy changes, security alerts)
• Sending marketing communications (with your consent, which you may withdraw at any time)

3.4 Legal Compliance (Legal Obligation)

• Complying with applicable laws, regulations, and legal processes
• Responding to lawful requests from public authorities
• Enforcing our Terms of Service
• Protecting the rights, property, and safety of Buzzaar Benelux B.V., our users, and the public

We share personal data only in the following circumstances:

4.1 With Brand Partners

When you participate in or are matched to a campaign, we share relevant profile information with the sponsoring brand, including:

• Your name and profile photo
• Ambassador type and Ambassador Score
• Relevant social media metrics (follower counts, engagement rates)
• Content you create as part of the campaign
• Campaign performance data

We do not share your email address, phone number, password, or precise location with brand partners unless you explicitly consent.

4.2 With Service Providers (Data Processors)

We engage the following third-party service providers who process data on our behalf under data processing agreements:

• Render, Inc. — cloud application hosting and managed PostgreSQL database (European Union, Frankfurt). See Render Privacy.
• Cloudflare, Inc. — media/object storage and content delivery. See Cloudflare Privacy.
• Google LLC — Google sign-in (OAuth), web push-notification delivery, and, only after you grant analytics consent, Google Analytics. See Google Privacy.
• OpenAI, L.L.C. — AI-assisted content generation. See OpenAI Privacy.
• Telegram FZ-LLC — optional messaging channel, if you connect it. See Telegram Privacy.
• Phyllo, Inc. — social-media data aggregation, if you connect your Instagram or TikTok account. See Phyllo Privacy.
• Meta Platforms, Inc. — WhatsApp Business API, if you communicate with us via WhatsApp. See Meta Privacy.

4.3 For Legal Reasons

We may disclose your data if required to do so by law or if we believe in good faith that such disclosure is necessary to:

• Comply with a legal obligation, subpoena, court order, or governmental request
• Protect and defend our rights or property
• Prevent fraud or other illegal activity
• Protect the personal safety of users or the public

4.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your data.

Your personal data is stored and processed in the European Union (Frankfurt, Germany). If you access the Service from outside that location, your data may be transferred to and processed there.

We apply appropriate safeguards (Standard Contractual Clauses and data-processing agreements with our providers) for international transfers, so that your data is protected in line with applicable data-protection law, including:

• Google LLC and Meta Platforms, Inc. participate in the EU-US Data Privacy Framework. For other processors including Phyllo, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.
• Reliance on data processing agreements with our service providers that include adequate data protection commitments
• Compliance with applicable data transfer frameworks

By using the Service, you acknowledge that your data may be transferred to, stored, and processed in the European Union (Frankfurt, Germany), where data-protection laws may differ from those in your jurisdiction.

We retain your personal data for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Data Category	Retention Period
Account data	Duration of your account plus 30 days after deletion request
Profile and questionnaire data	Duration of your account plus 30 days after deletion request
Social media data (from Phyllo)	Refreshed periodically while your account is active; deleted within 30 days of account deletion
Ambassador Score	Duration of your account; deleted upon account deletion
Campaign and content data	3 years after campaign completion (for contractual and legal purposes)
WhatsApp communication data	1 year after the last message
Technical and device data	Up to 26 months, depending on security and operational needs
Cookie data	See our Cookie Policy for specific retention periods

After the applicable retention period expires, we securely delete or anonymize your personal data.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Right of Access -- You may request a copy of the personal data we hold about you.
• Right to Rectification -- You may request that we correct inaccurate or incomplete personal data.
• Right to Erasure (Right to be Forgotten) -- You may request that we delete your personal data, subject to certain exceptions.
• Right to Restriction of Processing -- You may request that we restrict the processing of your personal data under certain circumstances.
• Right to Data Portability -- You may request to receive your personal data in a structured, commonly used, and machine-readable format.
• Right to Object -- You may object to the processing of your personal data for certain purposes, including direct marketing.
• Right to Withdraw Consent -- Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
• Right to Lodge a Complaint -- You have the right to lodge a complaint with a supervisory authority in your jurisdiction.

If you are in the United Kingdom, you may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk. If you are in the EEA, you may contact the supervisory authority in your country of residence. If you are in Mexico, you may contact the Instituto Nacional de Transparencia, Acceso a la Informacion y Proteccion de Datos Personales (INAI).

To exercise any of these rights, please contact us at help@buzzaar.world. We will respond to your request within 30 days or as required by applicable law.

Buzzaar Benelux B.V. uses automated processing, including profiling, to calculate your Ambassador Score. This score is derived from your social media metrics including follower count, engagement rate, content activity, and account type.

How the Score is used: The Ambassador Score helps brands identify suitable candidates for campaigns. A higher score may increase your visibility and likelihood of being selected for campaigns.

Your rights regarding automated decisions:

• You have the right to obtain meaningful information about the logic involved in the scoring
• You may request a breakdown of your score factors through your profile settings
• You have the right to express your point of view and contest the score
• You may request human review of any decision based solely on automated processing
• Contact help@buzzaar.world to exercise these rights

Legal basis: We process this data based on contractual necessity (it is a core feature of the Service) and legitimate interest (matching ambassadors with suitable campaigns).

You can request deletion of your personal data through any of the following methods:

9.1 In-App Deletion

You may delete your account and associated data directly from your account settings on the Platform. Navigate to Settings > Account > Delete Account and follow the on-screen instructions.

9.2 Data Deletion Request via Email

You may submit a data deletion request by emailing help@buzzaar.world with the subject line "Data Deletion Request." Please include:

• Your full name
• The email address associated with your account
• Your Buzzaar Benelux B.V. username (if applicable)

9.3 Data Deletion Callback URL

We provide a data deletion callback endpoint in compliance with platform requirements:

Deletion Callback URL: https://buzzaar.world/api/data-deletion/meta

This endpoint accepts deletion requests from connected platforms (including Meta/Instagram) and initiates the deletion process automatically.

9.4 What Happens When You Request Deletion

Upon receiving a valid deletion request:

1. Your account will be deactivated immediately.
2. Your personal data will be queued for permanent deletion.
3. Data deletion will be completed within 30 days of the request.
4. Certain data may be retained beyond 30 days only where required by law or for the establishment, exercise, or defense of legal claims (e.g., campaign content data that is subject to contractual obligations with brand partners).
5. You will receive a confirmation email when the deletion process is complete.
6. Data that has been shared with brand partners prior to your deletion request is subject to the brand partner's own data retention policies. We will notify brand partners of your deletion request.

9.5 Social Media Data Deletion

When you disconnect a social media account (Instagram or TikTok) from the Platform:

• All social media data retrieved through Phyllo for that account is deleted from our systems within 30 days.
• Your Ambassador Score will be recalculated excluding the disconnected account's data.
• This does not affect data on the social media platform itself.

We use cookies and similar technologies on the Platform to support authentication, language selection, and your saved cookie preferences.

Optional analytics or marketing tools are not active in this release. If we enable them later, they will remain off until you consent and the Cookie Policy will be updated in the same release.

You can manage your cookie preferences through the cookie banner when you first visit the Platform or later through Cookie Settings in the footer.

For full details about current categories, storage keys, and retention periods, see our Cookie Policy.

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption in transit -- All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security).
• Encryption at rest -- Personal data is encrypted at rest (AES-256) by our cloud hosting and storage providers.
• Authentication security -- Passwords are hashed using an industry-standard algorithm (scrypt). Authenticated sessions are protected with signed, HTTP-only cookies, and we support passkey (WebAuthn) sign-in.
• Access controls -- Access to personal data is restricted to authorized personnel on a need-to-know basis.
• Infrastructure security -- Our infrastructure runs on reputable cloud providers that maintain SOC 2, ISO 27001, and equivalent security certifications (see the sub-processors listed in this Policy).
• Regular security reviews -- We conduct periodic security assessments of our systems and processes.
• Incident response -- We maintain a data breach response plan and will notify affected users and relevant authorities in accordance with applicable law.

While we strive to protect your personal data, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security.

The Service is intended for users who are at least 18 years of age. We do not knowingly collect personal data from individuals under 18.

If we become aware that we have collected personal data from a person under 18, we will take steps to delete that data as promptly as possible. If you believe that a person under 18 has provided us with personal data, please contact us at help@buzzaar.world.

Age verification is conducted during the registration process. Users are required to provide their date of birth, and accounts are not created for individuals who do not meet the minimum age requirement.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last updated" date at the top of this policy
• Notify you by email or through a prominent notice on the Platform prior to the change becoming effective
• Where required by law, seek your consent to material changes

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes indicates your acceptance of the updated Privacy Policy.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Privacy: help@buzzaar.world
• Legal: help@buzzaar.world
• Support: help@buzzaar.world

Buzzaar Benelux B.V.
Address:

We aim to respond to all inquiries within 30 days.