Privacy Policy

A. Information You Provide

This may include:

• Name
• Email address
• Social media handles or URLs (such as links to submitted content)
• Payment information processed via Stripe
• Content you submit, including links, captions, screenshots, text, images, or videos
• Communications with us, including support requests or compliance inquiries
• Information required to verify eligibility or payout status

B. Information Automatically Collected

We may automatically collect:

• IP address
• Device identifiers
• Browser type and version
• Operating system
• Usage data (pages viewed, actions taken, timestamps)
• Referral URLs
• Approximate location derived from IP address
• Cookies, pixels, and similar technologies

This information is used for security, fraud prevention, analytics, and service performance.

C. Information From Third Parties

We may receive information from:

• Stripe (payment status, account verification, payout confirmation)
• Social platforms via authorized OAuth connections (see Section 2F below)
• Analytics providers
• Security and fraud-prevention partners
• Publicly available sources

D. Content Submitted to Topr

When creators submit content or links to verify participation in campaigns, we may process:

• Post URLs
• Captions
• Images or videos
• Engagement data where applicable

Creators grant Topr a license to use such content as described in the Terms & Conditions.

E. Children's Data

The Service is not intended for individuals under the age of 13. We do not knowingly collect personal information from children under 13. Users under the age of 18 are not eligible to receive payouts. If we become aware that personal information from a child under 13 has been collected, we will delete it promptly.

F. Data Collected via Social Platform OAuth Connections

When you choose to connect a social media account (such as TikTok or Instagram) to Topr via OAuth, we collect information only after you explicitly authorize access on the platform's consent screen. The specific data we collect depends on the platform and the permissions you grant:

How We Handle OAuth Data

• OAuth access tokens and refresh tokens are encrypted at rest using AES-256-GCM and stored securely. They are never shared with third parties or exposed to client-side code.
• We use access tokens solely to fetch your profile information and content metrics on your behalf. We do not post content, modify your account, or take actions on the platform.
• When you disconnect a social account, we immediately delete the associated encrypted tokens and mark the connection as inactive.
• You may revoke Topr's access at any time through your account settings on the respective platform (e.g., TikTok Settings > Security > Manage app permissions).

A. Operating and Delivering the Service

• Verifying creator participation
• Enabling payouts
• Enforcing platform rules and campaign requirements
• Providing platform functionality and updates

B. Safety, Security, and Fraud Prevention

We use automated systems, including AI-based tools, to:

• Detect fraudulent or misleading submissions
• Prevent abuse and manipulation
• Verify authenticity of submitted content
• Maintain platform integrity

C. Analytics and Improvements

• Understanding how the Service is used
• Improving performance and reliability
• Enhancing user experience and features

D. Communications

We may contact you regarding:

• Service-related notifications
• Payment or eligibility updates
• Policy or legal updates
• Security alerts

We do not send marketing or promotional communications without separate consent.

E. Legal and Compliance

• Complying with applicable laws and regulations
• Responding to lawful requests from authorities
• Protecting our rights, users, and business

A. Service Providers

We may share information with vendors who support the Service, including:

• Stripe (payment processing)
• Cloud infrastructure providers
• Analytics services
• Security and fraud-prevention partners

We maintain a list of subprocessors available upon request.

B. Business Transactions

If Topr is involved in a merger, acquisition, restructuring, or sale of assets, personal information may be transferred as part of that transaction.

C. Legal Compliance

We may disclose information if required by law or necessary to protect the rights, safety, or property of Topr, our users, or others.

D. Brands and Campaign Partners

When a creator participates in a campaign, brands may receive creator content or proof of performance related to that campaign.

OAuth Tokens and Social Platform Data

• OAuth access tokens are short-lived (typically 1–24 hours) and refreshed automatically while your account is connected
• Refresh tokens are retained only while the connection is active, for up to the platform-specified lifetime (e.g., 365 days for TikTok)
• When you disconnect a social account, encrypted access and refresh tokens are immediately and permanently deleted
• Aggregated metrics data (e.g., video view counts) may be retained in anonymized form for campaign reporting after disconnection

Account Deletion and Requests

Upon account deletion or a verified request:

• Personal data is deleted or anonymized
• All OAuth tokens for connected social accounts are permanently deleted
• Certain information may be retained where required by law (e.g., financial or compliance records)
• Encrypted backups may persist for a limited period before secure deletion

Right to Know

You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business purpose for collecting it, and the categories of third parties with whom we share it.

Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, ongoing transactions).

Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. We will not deny you services, charge different prices, or provide a different level of quality based on your exercise of privacy rights.

No Sale of Personal Information

We do not sell personal information as defined under the CCPA. We do not share personal information for cross-context behavioral advertising.