Skip to content

Legal

Privacy Policy

Effective date: 23 May 2026

1. About This Policy

This Privacy Policy explains how the Vibemetri platform ("Platform", "we", "us"; a trading name of Campaign Intelligence Ltd) collects, processes, shares, and protects personal data. It is designed to comply with Türkiye's Personal Data Protection Law (KVKK, Law No. 6698), the EU General Data Protection Regulation (GDPR), and the UK Data Protection Act / UK GDPR.

The Platform is a SaaS service that connects brands with content creators (influencers), enabling campaign execution and analytical reporting. The Platform does not intermediate the campaign-fee payment between Brand and Creator. This policy applies to visitors of our website, registered users (brands and creators), and the owners of linked social media accounts.

2. Data Controller

The data controller is Campaign Intelligence Ltd, a company registered in England and Wales (Company No. 17230666, registered office: 26 Niagara Avenue, London W5 4UD, United Kingdom). For users based in Türkiye, you may exercise your KVKK rights and reach our data protection contact at privacy@campaignintelligence.com.tr.

3. Personal Data We Collect

We process personal data in the following categories:

3.1. Account & Identity

  • Name, email, phone, username, hashed password.
  • For brand users: company name, tax/VAT number, billing address, authorised contact.
  • For creator users: year of birth, gender (optional), city.

3.2. Social Media Platform Data

When you connect a social media account (TikTok, Instagram, YouTube, Facebook) to the Platform, we retrieve only the data covered by the permissions you grant, via the platform's official APIs (e.g. TikTok Login Kit, TikTok Display API, Instagram Graph API, YouTube Data API):

  • Profile data: open ID, username, profile image, bio, follower count, following count.
  • Content data: list of published videos / posts, titles, descriptions, cover images, publish dates.
  • Performance data: impressions, views, likes, comments, shares, watch time (only for content owned by the linked account).
  • Comment content: public comments on campaign-scope posts (commenter username + comment text).

TikTok specifically: When you sign in with TikTok Login, we only access data within the scopes you approve (e.g. user.info.basic, user.info.profile, user.info.stats, video.list). We never request or receive your password, direct messages, phone number, or TikTok payment details. You can disconnect your TikTok account at any time via Platform → Settings → Connected accounts.

3.3. Usage & Technical Data

  • IP address, browser, operating system, device identifier.
  • Sign-in timestamps, pages visited, click events, error logs.
  • Data collected via cookies and similar technologies (see Section 11).

3.4. Financial Data

  • Brand subscription invoice details, payment date and amount.
  • Card data is never stored on our servers; it is processed directly by our PCI-DSS-compliant payment provider (Stripe).
  • The campaign-fee payment between Brand and Creator is settled off-platform; the Platform does not collect bank, IBAN, or payout account details for those payments.

4. Purposes & Legal Bases

  • Service delivery: account creation, brand-creator matching, campaign management, report generation. Basis: performance of contract (KVKK Art. 5/2-c, GDPR Art. 6(1)(b)).
  • Campaign analytics & reporting: AI-assisted (Claude API) comment classification, sentiment analysis, purchase-intent inference. Basis: performance of contract + legitimate interest (KVKK Art. 5/2-f, GDPR Art. 6(1)(f)).
  • Subscription billing: brand subscription billing, tax obligations. Basis: legal obligation (KVKK Art. 5/2-ç, GDPR Art. 6(1)(c)).
  • Service improvement & security: fraud prevention, debugging, product development. Basis: legitimate interest.
  • Marketing communications: newsletters, product updates. Basis: explicit consent (revocable at any time).
  • Legal compliance: court orders, tax law, KVKK/GDPR requests. Basis: legal obligation.

5. Sharing of Personal Data

We do not sell your data. We share it only in the limited cases below:

  • Other Platform users: Public information on your creator profile (username, follower count, past campaign scores) is shown to brands. Campaign reports are visible to the brand that ran the campaign.
  • Infrastructure providers (data processors): AWS / Cloudflare (hosting), Anthropic Claude API (analytics), Stripe (subscription payments), Twilio (WhatsApp notifications), Postmark / Resend (email). Each has a signed Data Processing Agreement (DPA) in place.
  • Authorities: when required by law or court order.
  • Mergers and acquisitions: in the event of a sale or merger, data may be transferred to the acquirer with prior user notice.

6. AI-Assisted Analysis

In campaign reports we send public comments under social media posts to the Anthropic Claude API to infer sentiment, purchase intent, product / creator feedback, brand perception, and topic clusters. This includes the commenter's username and the comment text. Under our enterprise terms with Anthropic, this data is not used to train Anthropic's models. The analytical output is visible only to the brand that owns the campaign and to the participating creator.

7. Data Retention

  • Account data: for as long as the account is active + 3 years after closure (statute of limitations).
  • Campaign reports and analytical data: 5 years (tax and audit obligations).
  • Profile and content data fetched from social media APIs: deleted or anonymised within 30 days at most after the connection is revoked.
  • Payment and invoice data: 10 years (Turkish Commercial Code and tax law).
  • Marketing preferences: until consent is withdrawn.
  • Log records: 12 months.

8. Your Rights as a Data Subject

Under KVKK Art. 11 and GDPR Art. 15–22, you have the right to:

  • Confirm whether your data is being processed and request access.
  • Request correction of inaccurate or incomplete data.
  • Request erasure ("right to be forgotten").
  • Object to processing or request restriction.
  • Receive your data in a portable, structured format.
  • Request human intervention for automated decisions.
  • Withdraw any consent previously given.

To exercise these rights, write to privacy@campaignintelligence.com.tr. We respond within 30 days (KVKK) and within one month (GDPR).

You also have the right to lodge a complaint with the Turkish Data Protection Authority (kvkk.gov.tr) or the UK Information Commissioner's Office (ico.org.uk).

9. Account & Data Deletion Requests

You can request deletion of your account and all associated data (including data fetched from social media APIs) in two ways:

  1. In-product: open Settings → Account → Delete my account.
  2. By email: send a message titled "Account deletion request" to privacy@campaignintelligence.com.tr.

Once we receive the request, we close any active campaigns, complete financial reconciliation, and within 30 days delete or irreversibly anonymise all your personal data. Financial records we are legally required to retain (invoices, payment receipts) are kept for the statutory period and deleted at expiry.

10. International Data Transfers

Data may be processed by our infrastructure providers in the EU, the UK, and the US (AWS, Cloudflare, Anthropic, Stripe). All cross-border transfers are protected by Standard Contractual Clauses (SCCs), adequacy decisions, or other lawful transfer mechanisms under KVKK Art. 9 and GDPR Chapter V.

11. Cookies & Tracking

The Platform uses strictly necessary cookies (session, security) and, with your consent, privacy-friendly analytics (Plausible Analytics — cookieless mode). We do not use third-party advertising cookies. You can manage cookie preferences in your browser settings.

12. Children's Data

The Platform is not directed at users under 18. We do not knowingly collect data from anyone under 18. If we become aware that an account belongs to a person under 18, we close the account and delete its data.

13. Security Measures

Passwords are hashed with bcrypt; all traffic is encrypted with TLS 1.2+; database backups are encrypted with AES-256; OAuth tokens live in an isolated secrets store; access follows least-privilege; production access requires 2FA. In the event of a data breach, we will notify the relevant authority within 72 hours and affected individuals where required.

14. Changes to This Policy

We may update this policy from time to time. For material changes, we will notify you by email or in-product banner. The latest version is always published at this URL.

15. Contact

For any privacy or data-related question, request, or complaint: