Privacy Policy

Last updated: 21 May 2026  ·  AVGP Marketing Group SRL

1. Data Controller

The data controller is AVGP Marketing Group SRL, a Società a Responsabilità Limitata Semplificata incorporated under Italian law, registered as Startup Innovativa, VAT number IT02896170996, with registered office at Via Fieschi 15/17 (piano terra), 16121 Genova, Italy.

For any privacy-related enquiries, contact us at privacy@influeppy.com.

2. What Data We Collect

We collect data you provide directly and data generated automatically when you use our services.

Data you provide

  • Name, email address, and contact details when you register or apply.
  • Social media handles, audience metrics, and content categories you submit.
  • Bank/payment details required to process your earnings.
  • Communications you send us (email, WhatsApp, support tickets).

Data collected automatically

  • IP address, browser type, operating system, and referring URL.
  • Pages visited, time spent, and interactions on influeppy.com and its subdomains.
  • Cookies and similar tracking technologies (see our Cookie Policy).

3. How We Use Your Data

  • Service delivery — to match creators with brands, manage campaigns, and process payments.
  • Account management — to create and maintain your account and communicate service updates.
  • AI features — to train and run our AI agent for outreach, negotiation, and reporting. Data used for AI training is anonymised or pseudonymised where possible.
  • Legal obligations — to comply with Italian and EU tax, accounting, and regulatory requirements.
  • Marketing — to send you relevant updates and offers (only with your explicit consent, which you may withdraw at any time).

4. Legal Bases for Processing (GDPR)

  • Contract performance (Art. 6(1)(b)) — processing necessary to deliver the services you requested.
  • Legitimate interests (Art. 6(1)(f)) — fraud prevention, platform security, analytics.
  • Legal obligation (Art. 6(1)(c)) — tax and accounting duties.
  • Consent (Art. 6(1)(a)) — marketing communications and non-essential cookies.

5. Data Sharing

We do not sell your personal data. We share data only with:

  • Brand partners — limited profile information (handle, niche, audience size) shared with brands as part of campaign matching. You are informed before any sharing.
  • Service providers — hosting (Vercel, AWS), payment processors, email/SMS providers, analytics tools — all bound by data processing agreements.
  • Authorities — when required by law or to protect rights and safety.

6. Data Security and Protection Measures

We apply administrative, technical, and organisational safeguards designed to protect personal data and sensitive data obtained through connected third-party accounts, including Google APIs.

  • Encryption in transit: data exchanged between your browser, INFLUEPPY, and third-party API providers is protected using HTTPS/TLS.
  • Encryption at rest: production databases, backups, and object storage that contain user data are encrypted at rest using managed encryption provided by our infrastructure providers.
  • Access controls: access to production systems and user data is limited to authorised personnel who need it to operate, support, secure, or debug the service. Administrative access is protected by role-based permissions and authentication controls.
  • OAuth token protection: access and refresh tokens for Google, YouTube, Gmail, and other connected platforms are stored server-side only, are not exposed to client-side code, and are used only for the scopes and purposes disclosed in this policy.
  • Least-privilege processing: we request only the OAuth scopes needed for the visible product feature and use connected-account data only to provide that feature, maintain security, comply with law, or fulfil user-requested support.
  • Monitoring and logging: we monitor production systems for reliability, security, and abuse prevention. Logs are access-controlled and are not used to sell personal data or for advertising profiles.
  • Provider revocation and deletion: when you disconnect a provider or revoke access from the provider side, we stop using the tokens for that provider and delete or anonymise cached provider data within the retention periods described in this policy, unless a longer legal retention period applies.
  • Human access limits: personnel do not read Gmail messages or other sensitive third-party content unless this is necessary to provide user-requested support, investigate abuse or security issues, or comply with law, or unless you have given explicit consent for a specific case.

7. Third-Party Platforms We Connect To

Creators may optionally connect one or more of their public social media accounts to INFLUEPPY so that brands can evaluate them for paid partnerships. All connections use the official OAuth flow of each platform — you are redirected to the provider, you review the requested permissions on the provider's own consent screen, and you can revoke access at any time from your provider account settings.

All scopes listed below are read-only. INFLUEPPY never posts, edits, deletes, messages, or modifies anything on your behalf on any connected platform.

Meta (Instagram & Facebook)

  • Scopes: instagram_basic, pages_show_list, pages_read_engagement, instagram_manage_insights, business_management.
  • What we read: your Instagram username and profile, your linked Facebook Page, follower count, media list, and aggregate post and audience insights (reach, impressions, age/gender/country demographics).
  • Why: to surface your Instagram reach and audience demographics to brands evaluating you for sponsored content, and to populate the analytics card on your INFLUEPPY profile.

Gmail (Google)

  • Scopes: https://www.googleapis.com/auth/gmail.readonly, https://www.googleapis.com/auth/userinfo.email.
  • What we read: the email address of the Google account you authorised, and the Gmail messages, message metadata, sender/recipient information, timestamps, subject lines, and message bodies needed to detect and manage inbound brand partnership proposals.
  • Why: to help creators identify, organise, and respond to inbound brand opportunities from the Gmail account they explicitly connect. The integration is read-only: INFLUEPPY does not send, modify, archive, delete, or mark emails on your behalf.
  • Google API Services User Data Policy: INFLUEPPY's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Gmail data for advertising, retargeting, creditworthiness, or to train generalised AI/ML models.

YouTube (Google)

  • Scopes: https://www.googleapis.com/auth/youtube.readonly, https://www.googleapis.com/auth/userinfo.email.
  • What we read: your channel ID, channel title, subscriber count, total view count, and recent video metadata (titles, thumbnails, view counts), plus the email address of the Google account you used to authorise.
  • Why: to display your YouTube reach to brands and to link the consenting Google account to the correct INFLUEPPY profile.
  • Google API Services User Data Policy: INFLUEPPY's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use YouTube data for advertising, retargeting, creditworthiness, or to train generalised AI/ML models.

TikTok

  • Scopes: user.info.basic, user.info.profile, user.info.stats, video.list.
  • What we read: your TikTok display name, avatar, bio, follower count, total likes, video count, and metadata (title, cover, view/like/comment/share counts) of your recent public videos.
  • Why: to populate your TikTok profile card and recent-content gallery shown to brands.

Twitch

  • Scopes: user:read:email.
  • What we read: your Twitch login, display name, profile image, broadcaster type, total view count, and the email address on your Twitch account.
  • Why: to link the Twitch identity to your INFLUEPPY creator account and display your channel on your profile.

X (Twitter)

  • Scopes: tweet.read, users.read, offline.access.
  • What we read: your X username, display name, bio, follower count, verified status, profile image, and the engagement metrics (likes, reposts, replies, views) of your recent public tweets.
  • Why: to surface your X reach and tone-of-voice to brands evaluating you for paid posts. offline.access is used solely to refresh the connection so we can re-sync metrics without forcing you to re-authenticate each session.

How to revoke

You can disconnect any platform at any time from your INFLUEPPY profile page (Settings → Social connections → Disconnect). You can additionally revoke the OAuth grant directly from the provider's own settings — for example: Google Account permissions, TikTok app permissions, Twitch connections, X connected apps, Instagram apps and websites. Revoking from the provider side immediately invalidates the access and refresh tokens we hold; we delete the cached profile data within 30 days.

8. International Transfers

Some of our service providers are based outside the European Economic Area. Where this occurs, transfers are governed by Standard Contractual Clauses approved by the European Commission, or by other appropriate safeguards under GDPR Chapter V.

9. Data Retention

  • Account data is retained for the duration of your account plus 2 years after deletion, unless a longer period is required by law.
  • Financial and tax records are retained for 10 years as required by Italian law.
  • Marketing data is deleted immediately upon consent withdrawal.

10. Your Rights

Under the GDPR you have the right to:

  • Access — obtain a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
  • Restriction — ask us to limit processing in certain circumstances.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests or for direct marketing.
  • Withdraw consent — at any time, without affecting the lawfulness of prior processing.

To exercise any of these rights, email privacy@influeppy.com. We will respond within 30 days. You also have the right to lodge a complaint with the Italian supervisory authority, the Garante per la Protezione dei Dati Personali (www.garanteprivacy.it).

11. Cookies

We use essential cookies for platform functionality and, with your consent, analytics and marketing cookies. You can manage your preferences via the cookie banner or by contacting us. For full details, see our Cookie Policy.

12. Children

Our services are not directed at persons under 18. We do not knowingly collect data from minors. If you believe we have done so inadvertently, contact us and we will delete the data promptly.

13. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated by email or prominent notice on our platform at least 14 days before they take effect. Continued use of the service after the effective date constitutes acceptance.