Legal

Privacy Policy

Last updated: June 1, 2026 — KWALEAD SAS, France

1Data Controller

KWALEAD SAS, a simplified joint-stock company with a capital of €6,000, registered with the RCS of Créteil under number B 813 823 192, with its registered office at 8 rue d'Estiennes d'Orves, 94000 Créteil (France), publisher of the InfluenceOS service, acts as the data controller. For any questions regarding your personal data, please contact our DPO at: privacy@influenceos.fr.

2Data Collected

We collect data strictly necessary for the service: email address, full name, public Instagram profile data (bio, follower count, engagement statistics), public post content, aggregated audience data. This data is collected via Apify (MVP phase) or the Meta Graph API (production phase after approval). No sensitive data within the meaning of GDPR is collected.

3Purposes and Legal Bases

Your data is processed for: (1) Provision of analytics and monetization service (legal basis: performance of contract / ToS); (2) Calculation of AI Score and media kit generation (legal basis: performance of contract); (3) Product improvement and anonymized statistical analysis (legal basis: legitimate interest); (4) Sending transactional and summary emails (legal basis: performance of contract); (5) Sending marketing communications (legal basis: consent).

4Retention Period

Your data is kept for the duration of your active subscription, then for 3 years after termination to meet our legal obligations (accounting, disputes). Technical log data is deleted after 12 months. You can request early deletion of your data from your account space.

5Hosting and Security

All data is hosted in Europe: PostgreSQL database on Supabase (EU Frankfurt region), files on Supabase Storage, application on Vercel (CDG1 Paris region). Instagram access tokens are encrypted with AES-256 in the database and never transmitted in clear text. Communications are encrypted with TLS 1.3.

6Subcontractors

We use the following subcontractors, all with adequate GDPR guarantees: Supabase Inc. (data storage, Frankfurt); Vercel Inc. (hosting, Paris CDG1); Stripe Inc. (payments, Privacy Shield/SCCs); Brevo (transactional emails); Apify Technologies (public Instagram data scraping); Upstash Inc. (Redis cache).

7Your GDPR Rights

In accordance with GDPR (EU Regulation 2016/679), you have the following rights: access to your data, rectification, erasure ('right to be forgotten'), portability (JSON/CSV export), objection to processing, restriction of processing, withdrawal of consent at any time. To exercise these rights, contact privacy@influenceos.fr. You also have the right to lodge a complaint with the CNIL (www.cnil.fr).

8Cookies

InfluenceOS uses functional cookies necessary for authentication (Supabase Auth session) and analytical cookies (Vercel Analytics, with consent). Consult our cookie policy for more details.

9Data Collected via Meta (Facebook & Instagram)

When you connect your Instagram Business or Creator account to InfluenceOS via Facebook Login for Business, we collect: Instagram user ID (ig_user_id), username, full name, profile picture, bio, follower/following/post count, list of recent posts (media, captions, dates), engagement metrics per post (likes, comments), aggregated insights (reach, impressions, engagement — aggregated and anonymized), linked Facebook Page ID and name. We DO NOT COLLECT: your follower/following list, your private messages (DMs), your Meta advertising data, or your Facebook friends' data. The Meta access token is AES-256-GCM encrypted in the database and stored on Vercel servers in Europe (cdg1 Paris). You can revoke access at any time from your Meta settings (the InfluenceOS app will then be removed and all your Instagram data with us will be automatically deleted within 24 hours via the compliant Meta Data Deletion callback), or via the 'Disconnect' button in Settings > Instagram. Deletion status can be checked at /legal/data-deletion-status.