Privacy Notice

Privacy Policy

This Policy explains how Proof App (ABN 39 696 947 118; ACN 696 947 118) collects, uses, stores, and shares personal information when you use the PROOF platform. It has been written to comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs"), and with the EU General Data Protection Regulation 2016/679 ("GDPR") for users in the European Economic Area and the United Kingdom.

Last updated: 19 April 2026
Effective: 19 April 2026
Version: 1.0

1. Who We Are

Proof App ("PROOF", "we", "us", "our") is a company registered in Australia, with ABN 39 696 947 118 and ACN 696 947 118. We operate the PROOF platform, a software-as-a-service product for brands and agencies to contract, verify, and pay micro-influencer creators on a performance basis.

For the purposes of the Privacy Act and the APPs, we are the entity responsible for the personal information we collect about you. For GDPR purposes, we act as:

  • Data Controller for personal information about Brands (our paying customers), Creators who register directly with us, and visitors to our website; and
  • Data Processor for personal information a Brand uploads or imports about their Creators and campaign contacts, where the Brand remains the Controller.

2. What Data We Collect

We collect different categories of personal information depending on whether you are a Brand, a Creator, or a visitor.

2.1 Brand data

  • Identity and contact: full name, business name, work email, password hash, phone number, job title.
  • Billing: billing address, company name, Australian Business Number (ABN) or foreign tax ID, and payment method metadata (card brand, last four digits, expiry) returned by Stripe. We never see or store your full card number or CVC — these are tokenised by Stripe.
  • Usage: campaigns you create, Contracts you issue, creator shortlists, briefs, and integration configurations.

2.2 Creator data

  • Identity and contact: full name, display name, email, phone number, profile image.
  • Social handles and metrics: Instagram, TikTok, YouTube, X, and other handles; follower counts, engagement rates, audience demographics, and post-level metrics as provided by Phyllo / InsightIQ or entered by you.
  • Tax and payout: ABN or non-resident declaration, GST status, date of birth for Stripe identity verification, and banking metadata (bank, last four digits, account type) held by Stripe Express. Full bank credentials are handled entirely within Stripe's environment and are not visible to us.
  • Content: post submissions, drafts, captions, and any material you upload to a Contract.

2.3 Metric and verification data

For Creators under Contract, we collect and store public metric snapshots (likes, views, comments, saves, shares, reach where available) from social media platforms via Phyllo / InsightIQ, typically on an hourly polling schedule during a Contract's tracking window.

2.4 Technical and usage data

  • Device and network: IP address, browser type, operating system, device type, language, and approximate geographic location (city-level, derived from IP).
  • Behavioural: pages visited, features used, click paths, timestamps, and error reports.
  • Email engagement: opens (via a tracking pixel in transactional emails) and click-throughs.
  • Cookies: as described in section 7.

2.5 Sensitive information

We do not seek to collect sensitive information (racial or ethnic origin, political opinions, religion, health, sexual orientation, biometrics, genetic data, etc.) within the meaning of section 6 of the Privacy Act or Article 9 of the GDPR. If you volunteer sensitive information in a brief, a pitch, or support ticket, we will treat it with the heightened protection those laws require and will not use it beyond the purpose for which it was provided.

3. How We Use Your Data

We use personal information only for the purposes set out below, and only on the lawful basis identified (for GDPR purposes) or as permitted by the APPs (for Australian purposes).

  • To provide the Services — authenticate users, display dashboards, facilitate Contracts, verify metrics, release escrow, and enforce state transitions. Basis: performance of a contract (GDPR Art. 6(1)(b)); primary purpose under APP 6.
  • To process payments and payouts — charge Brands, hold escrow, pay Creators, handle refunds, reconcile transactions. Basis: performance of a contract; legal obligation for record-keeping.
  • To operate security and fraud controls — rate-limiting, abuse detection, audit trails, and investigation of suspected breaches. Basis: legitimate interest in the integrity of the platform (GDPR Art. 6(1)(f)); APP 6 secondary purpose directly related to the primary.
  • To communicate with you — send transactional notifications (offers, counter-offers, payouts, expiry reminders, security alerts) and respond to support requests. Basis: performance of a contract; legitimate interest.
  • To send marketing — product updates, webinars, and best-practice guides, only to business email addresses and subject to a clear opt-out. Basis: consent (which you may withdraw at any time); legitimate interest for B2B.
  • To improve the Services — analyse usage patterns, measure feature adoption, and train internal benchmarks (such as the Creator Power Score, predictive pricing, and outcome simulator). Analytics are performed on aggregated or pseudonymised data wherever practicable. Basis: legitimate interest.
  • To generate AI outputs — deal recommendations, outreach drafts, content intelligence, compliance scans. Prompts may include Campaign briefs, Creator metrics, and Contract terms. We contractually prohibit sub-processors from using your prompts to train their own foundation models. Basis: performance of a contract; legitimate interest.
  • To meet legal and tax obligations — including reporting under the ATO Digital Platform Reporting regime for Australian Creators, responding to lawful requests from regulators or courts, and keeping records for the periods required by the Income Tax Assessment Act 1997 (Cth). Basis: legal obligation (GDPR Art. 6(1)(c)); APP 6.

We do not sell your personal information. We do not use your data for automated decision-making that has legal or similarly significant effects on you without human review.

4. How We Share Data

We share personal information only as described below. All sub-processors are bound by written data-processing terms that require them to keep your information confidential, apply appropriate security, and use it only on our documented instructions.

4.1 Sub-processors

Provider            | Purpose                                            | Region
Stripe              | Payments, escrow, Connect payouts, tax reporting   | AU / US / IE
Phyllo / InsightIQ  | Social metric verification and creator discovery   | US / IN
Resend              | Transactional and notification email delivery      | US
Anthropic           | AI features (deal architect, outreach, insights)   | US
OpenAI              | Embeddings, semantic search, fallback AI           | US
Railway             | Application hosting and Postgres infrastructure    | US
Cloudflare          | CDN, DDoS protection, edge security                | Global

4.2 Between Brands and Creators

Certain information is shared between the parties to a Contract by design: a Brand sees the Creator's name, profile, handles, verified metrics, and post submissions; a Creator sees the Brand's name, Campaign brief, Contract terms, and audit trail. This sharing is necessary to perform the Contract.

4.3 Legal obligations

We may disclose personal information where required by law, including to:

  • The Australian Taxation Office under the Digital Platform Reporting regime for certain AU-resident Creators (name, ABN, address, gross payments);
  • A court or regulator in response to a validly-issued order or notice;
  • Law-enforcement agencies where we reasonably believe it necessary to prevent or investigate serious unlawful conduct.

4.4 Business transfers

If Proof App is involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of the transaction. We will provide notice and, where required, seek consent before information becomes subject to a materially different privacy policy.

5. International Data Transfers

PROOF is operated from Australia. Several of our sub-processors (including Stripe, OpenAI, Anthropic, Resend, and Railway) are located in the United States. As a result, your personal information may be transferred to, processed in, and stored in jurisdictions outside Australia, the EEA, and the United Kingdom.

For transfers from the EEA or United Kingdom, we rely on:

  • The European Commission's Standard Contractual Clauses (2021/914), with the UK Addendum where relevant, incorporated into each sub-processor contract; and / or
  • Adequacy decisions where applicable (for example, the EU–US Data Privacy Framework where the sub-processor is certified).

For Australian Privacy Act purposes, we take reasonable steps before disclosing personal information to an overseas recipient to ensure it will handle that information in a manner consistent with the APPs (APP 8). A copy of the relevant transfer documentation is available on request via support@proofapp.net.

6. Your Rights

Under the APPs and the GDPR you have the rights below. Many can be exercised directly from your Account settings; others, or those from non-account-holders, can be exercised by emailing support@proofapp.net. We respond within 30 days (or sooner where required by local law) and never charge a fee for reasonable requests.

  • Access (APP 12 / GDPR Art. 15) — request a copy of the personal information we hold about you.
  • Correction (APP 13 / GDPR Art. 16) — request that we correct information that is inaccurate, out of date, incomplete, irrelevant, or misleading.
  • Deletion / right to be forgotten (GDPR Art. 17) — request deletion of your personal information, subject to our legal and contractual retention obligations. Account-holders can initiate deletion from Account settings; we will honour the request within 30 days other than for records we are required to retain (see section 8).
  • Portability (GDPR Art. 20) — request a machine-readable export of the information you provided to us directly (JSON or CSV).
  • Restriction (GDPR Art. 18) — request that we pause processing while we resolve a correction or objection.
  • Object to processing (GDPR Art. 21) — object to processing based on legitimate interest, including for direct marketing.
  • Withdraw consent — where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
  • Opt out of marketing — every marketing email includes a one-click unsubscribe. Transactional messages related to an active Contract cannot be disabled without closing the Account.
  • Lodge a complaint with a supervisory authority — see section 13 below.

To protect your information we will verify your identity before acting on a request. Where a request is made by an authorised agent, we require evidence of that authority.

7. Cookies and Tracking

We use a small number of cookies and equivalent technologies (local storage, session storage). They fall into three categories:

  • Essential — authentication tokens (e.g. proof_token), CSRF protection, session state, load balancing. These cannot be disabled without breaking the Services.
  • Functional — remember your UI preferences (dark mode, collapsed sidebar, saved filters).
  • Analytics — measure feature adoption and page performance in aggregate. Used only with your consent where required.

We do not use third-party advertising cookies. You can manage your cookie preferences at any time from the cookie-preferences control in the footer, or by configuring your browser to refuse cookies. For email tracking, the tracking pixel described in section 2.4 may be blocked by disabling image loading in your email client.

8. Data Retention

We retain personal information only as long as necessary for the purposes collected, and then we delete or irreversibly anonymise it. Specific retention periods include:

  • Contracts, invoices, and financial records — at least seven (7) years from the end of the financial year to which they relate, as required by the Income Tax Assessment Act 1997 (Cth), the A New Tax System (Goods and Services Tax) Act 1999 (Cth), and the ATO Digital Platform Reporting regime.
  • Account data — for the life of your subscription plus 90 days (to allow reactivation), then deleted.
  • Audit trail — retained for the life of the relevant Contract plus seven (7) years, for evidentiary and compliance integrity. Audit records are append-only and immutable.
  • Backups — rolling 35-day encrypted backups; deletion requests propagate to backups on the next rotation cycle, so deleted data is absent from every backup no later than 35 days after deletion.
  • Marketing lists — until you opt out, plus a short suppression period to honour your preference.
  • Support tickets — three (3) years from closure, unless you ask for earlier deletion.

9. Security

We take security seriously and implement technical and organisational measures proportionate to the sensitivity of the information we handle, including:

  • Encryption in transit using TLS 1.3 across all public endpoints and between services;
  • Encryption at rest for Postgres databases, object storage, and backups;
  • Credential hygiene — passwords hashed with bcrypt; API keys stored as SHA-256 digests; secrets managed in a dedicated secret store;
  • Principle of least privilege for employee access, with SSO and 2FA on all administrative systems;
  • Audit logging for sensitive actions, with cryptographic hash chains for Contract state transitions;
  • Vendor diligence — we preferentially choose sub-processors with SOC 2 Type II, ISO 27001, or equivalent certifications (notably Stripe, Cloudflare, Anthropic, and OpenAI);
  • Incident response — we will notify affected individuals and the OAIC in accordance with the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act), and supervisory authorities in accordance with GDPR Articles 33–34, within the times required by those regimes.
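The audit-trail and credential controls listed above, as an added worked example (this is illustrative code, not PROOF's own implementation, and nothing in it is drawn from the platform). It shows what an append-only, hash-chained log of Contract state transitions buys: an edit, a removal or a reordering of any earlier record changes the digests downstream and the verifier reports the first entry that no longer fits. It also shows why an unsalted SHA-256 digest is an acceptable at-rest form for a long random API key while a password needs a slow salted hash such as bcrypt. The GENESIS anchor, the state names, the actor labels and the timestamps are assumptions constructed for the example.

```python
"""Append-only, hash-chained audit trail for Contract state transitions.

Added illustration of the audit-logging control described above; this is not
PROOF's own code. Every entry commits to the previous entry's hash, so editing,
removing or reordering a past record breaks the chain and verify_chain()
reports where. The GENESIS anchor, the Contract states and the sample
transitions at the bottom are assumptions made for the example.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed anchor hash for the first entry of a trail
_CHAIN_FIELDS = ("prev_hash", "entry_hash")


def _canonical(obj) -> bytes:
    # Deterministic encoding: key order and spacing never change the digest.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _digest(body: dict, prev_hash: str) -> str:
    # Each entry commits to its own content AND to the previous entry's hash.
    return hashlib.sha256(prev_hash.encode() + _canonical(body)).hexdigest()


class AuditTrail:
    """In-memory append-only log; there is deliberately no update or delete."""

    def __init__(self):
        self._entries: list[dict] = []

    def append(self, contract_id: str, actor: str, old_state: str,
               new_state: str, at: str) -> dict:
        prev = self._entries[-1]["entry_hash"] if self._entries else GENESIS
        body = {
            "seq": len(self._entries),
            "contract_id": contract_id,
            "actor": actor,
            "old_state": old_state,
            "new_state": new_state,
            "at": at,
        }
        entry = dict(body, prev_hash=prev, entry_hash=_digest(body, prev))
        self._entries.append(entry)
        return dict(entry)

    def entries(self) -> list[dict]:
        # Copies: callers cannot mutate the stored chain through this view.
        return [dict(e) for e in self._entries]

    def head(self) -> str:
        # Latest hash; record it out-of-band to make tail truncation detectable.
        return self._entries[-1]["entry_hash"] if self._entries else GENESIS


def verify_chain(entries: list[dict]) -> tuple[bool, int]:
    """Return (True, -1) if intact, else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k not in _CHAIN_FIELDS}
        linked = e.get("prev_hash") == prev and body.get("seq") == i
        intact = hmac.compare_digest(e.get("entry_hash", ""), _digest(body, prev))
        if not (linked and intact):
            return False, i
        prev = e["entry_hash"]
    return True, -1


# API keys are long random strings, so an unsalted SHA-256 digest is an
# adequate at-rest form and lookup is a single indexed equality on the digest.
# Passwords are low-entropy and need a slow salted hash (bcrypt) instead.
def api_key_digest(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()


def check_api_key(presented: str, stored_digest: str) -> bool:
    # Constant-time comparison so the stored digest does not leak via timing.
    return hmac.compare_digest(api_key_digest(presented), stored_digest)


if __name__ == "__main__":
    trail = AuditTrail()  # sample transitions, constructed for the example
    trail.append("c-001", "brand:acme", "draft", "offered", "2026-04-19T09:00:00Z")
    trail.append("c-001", "creator:jane", "offered", "accepted", "2026-04-19T10:00:00Z")
    trail.append("c-001", "system", "accepted", "funded", "2026-04-19T10:05:00Z")
    print("intact:", verify_chain(trail.entries()))

    tampered = trail.entries()
    tampered[1]["new_state"] = "rejected"  # rewrite history after the fact
    print("tampered:", verify_chain(tampered))

    shortened = trail.entries()
    del shortened[1]  # drop a record from the middle
    print("record removed:", verify_chain(shortened))
```

One caveat the chain alone does not cover: dropping the newest entries leaves a shorter list that still verifies, because nothing after the cut exists to contradict it. That is what `head()` is for; the latest hash has to be kept somewhere the log writer cannot rewrite (a separate store, a signed timestamp, or the counterparty's own copy of the trail) so that a truncated tail is caught by comparing heads.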

No system is perfectly secure. You are responsible for keeping your password confidential, enabling two-factor authentication where available, and notifying us immediately of any suspected compromise.

10. Children

PROOF is a business-to-business service intended for users aged 18 or over. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, please contact support@proofapp.net and we will delete it promptly. Brands are required by our Terms of Service to ensure no Contract is offered to a Creator under 18.

11. Changes to This Policy

We may update this Policy from time to time. If the change is material, we will notify registered users by email to the address on file at least fourteen (14) days before the change takes effect. Non-material changes (such as typographical corrections, clarifications, or new sub-processor listings that do not materially alter the nature of processing) take effect on posting. The "Last updated" date at the top of this Policy always reflects the current version.

12. Contact

Proof App does not have a formally appointed Data Protection Officer because our processing does not meet the mandatory-appointment thresholds of GDPR Article 37. However, we operate a single privacy contact point that discharges DPO-equivalent functions, including liaison with supervisory authorities and individuals exercising their rights.

Proof App — Privacy Contact

ABN 39 696 947 118

ACN 696 947 118

Email: support@proofapp.net

Jurisdiction: Australia

For privacy requests, please put "Privacy Request" in the subject line so we can route your message to the correct team.

13. Complaints and the OAIC

If you believe we have breached the APPs, the Privacy Act, or the GDPR, please contact us first at support@proofapp.net so we can investigate. We will acknowledge your complaint within 7 days and provide a substantive response within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner ("OAIC"):

Website: oaic.gov.au/privacy/privacy-complaints

Phone: 1300 363 992 (Australia)

Post: GPO Box 5288, Sydney NSW 2001

If you are in the EEA or United Kingdom, you also have the right to lodge a complaint with your local data-protection supervisory authority (a list is maintained by the European Data Protection Board at edpb.europa.eu) or with the UK Information Commissioner's Office at ico.org.uk.