Privacy Policy

Last updated: June 19, 2026

KollabKey ("we", "us") provides creator-content performance tracking to brand marketing teams. This policy explains what we collect, why, how long we keep it, and how to delete it. This page is maintained by KollabKey and should be reviewed by qualified legal counsel before public launch.

Who we collect data about

• Brand users — the people who create a KollabKey account to run campaigns.
• Creators — invited by a brand, who connect their Instagram Professional (Business or Creator) account.

What we collect from brands

• Account email, name, and authentication metadata.
• Brand name, website, and campaign details you enter.
• Tracking-link destinations and aggregated click counts.

What we collect from creators

• Account email and authentication metadata.
• Display name, handle, and profile image.
• With your explicit consent at OAuth time, data from your Instagram Professional account via the Instagram Graph API:
  • Instagram account ID, username, account type, profile image.
  • Posts, reels, carousels, and stories: caption, permalink, media URL, thumbnail, published timestamp, and media type.
  • Per-media insights: views, reach, likes, comments, shares, saves, replies, and other metrics returned by Instagram.
• A long-lived Instagram access token (rotated every ~60 days) and its expiry, used solely to perform the syncs you authorized.

Permissions we request from Instagram

• instagram_business_basic — identify your Instagram Professional account and fetch your media.
• instagram_business_manage_insights — fetch per-post, reel, and story performance metrics.

We do not request publishing, messaging, comment-management, ads, shopping, or any permission outside of read-only media and insights.

Why we collect it

• To show brands which creators and content performed best.
• To build Creator Scorecards used to decide who to rehire.
• To attribute clicks from tracking links you generate.

How we store it

Data is stored in a managed Postgres database hosted on Supabase (AWS infrastructure). Access from our application is constrained by Row Level Security policies so brands can only see data for campaigns they own, and creators can only see their own data.

Subprocessors

• Supabase — database, authentication, storage.
• Cloudflare — application hosting and edge runtime.
• Meta / Instagram — source of Instagram media and insights.

Retention and deletion

• Disconnect Instagram: clears your access token and account identifiers from your KollabKey creator profile. Historical synced content remains so brands keep their campaign reports intact.
• Delete account or request data deletion: removes your synced Instagram media, metrics, and tokens. Submit at the data-deletion URL below or by removing the KollabKey app from your Instagram account; Meta will send us a deletion request and we will process it.
• Backup snapshots and database write-ahead logs may retain deleted rows for up to 30 days before they age out.

How to request deletion

• From inside KollabKey: Creator dashboard → Disconnect Instagram, then contact us to delete the historical sync data.
• From Instagram: Settings → Apps and Websites → Remove KollabKey. Meta will notify our data-deletion endpoint and we will purge your Instagram-derived data.
• Status page: /data-deletion-status.

Your rights

You can request access, correction, or deletion of your personal data at any time by contacting us at the email below.

Contact

Questions or requests: privacy@kollabkey.com