
Privacy Policy

How we handle your personal data under the EU General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG).

Last updated: 2026-05-23


1. Data controller

The controller responsible for the processing of personal data on this website and platform is:

Kidding e.U.
TODO: street and house number
TODO: postcode TODO: city, Austria
Email: contact@kidding.at
Phone: TODO: +43 ...
Commercial register: TODO: FN XXXXXXx (TODO: e.g. Landesgericht Wien)

We have not appointed a Data Protection Officer because we are not required to under Article 37 GDPR. Privacy enquiries can be sent to the address above and are handled by the company owner.

2. Scope of this policy

This Privacy Policy applies to the Kidding platform reachable at platform.kidding.at, including the public website, the authenticated talent and brand portals, and any API endpoints we operate.

Kidding is an internal talent and brand-partnership tool. Some sections only apply if you use a specific feature (for example, the social-account connection flow described in section 6). Where third parties act as independent controllers — most notably the social platforms you connect — their own privacy policies apply in parallel and you should review them on the respective platform before granting access.

3. What personal data we process

3.1 Account data

When you receive an invite or register for the platform we process your email address, a hashed password (managed by Supabase Auth), your full name, your role (admin, talent, brand partner, etc.) and any profile fields you choose to fill in.

3.2 Authentication and session data

We set a small number of strictly necessary cookies that hold your Supabase session token and CSRF protection state. Details are in our Cookie Policy.

3.3 Social-platform OAuth tokens and analytics

If you connect a YouTube, Instagram, TikTok, or X account, we receive and store the OAuth access token (and refresh token, where the platform issues one). Tokens are encrypted at rest with AES-256-GCM using a key that lives only on our servers. We use the tokens to pull read-only analytics about the connected account: account identifier, username, follower or subscriber count, post-level metrics, audience demographics where the platform exposes them, and similar performance data. We never post, comment, like, follow, message, edit, or delete on your behalf.

3.4 Campaign and content data

Inside the platform we process information related to the campaigns you participate in: brand and campaign briefs, deliverables, draft and approved content, UTM tracking links, signed contracts, and the workflow status that goes with them.

3.5 Technical and log data

Our hosting and infrastructure providers automatically log basic technical information when you use the platform: IP address, user-agent string, request paths, response codes, and timestamps. We use these logs only for security, debugging, and abuse prevention. Retention is described in section 9.

3.6 What we do not collect

  • We do not use third-party advertising trackers.
  • We do not sell personal data to anyone, under any circumstances.
  • We do not use the data we receive from social platforms to build user profiles or for any purpose other than serving you the analytics features you signed up for.

4. Legal bases for processing

We rely on the following legal bases under Article 6(1) GDPR for the processing described above:

Processing | Legal basis
Creating and managing your account, providing the platform features you use | Art. 6(1)(b) — performance of a contract
Connecting a social account and retrieving its analytics | Art. 6(1)(a) — your consent, granted in the platform's OAuth flow. You can withdraw consent at any time by disconnecting the account.
Operating security logs, fraud prevention, encrypted backups | Art. 6(1)(f) — legitimate interest in keeping the service secure and available
Invoicing, bookkeeping, contract retention | Art. 6(1)(c) — legal obligation under Austrian commercial and tax law (in particular § 132 BAO and § 212 UGB)
Sending operational emails (deadline reminders, contract notifications) | Art. 6(1)(b) — necessary to perform the contract

5. Purposes of processing

  • Provide the Kidding platform to you and to the brand partners and athletes who work with us.
  • Match athletes with brand campaigns and report performance to brands.
  • Pull, store, and visualise the analytics from social platforms you have connected.
  • Generate campaign reports, invoices, and contracts.
  • Keep the service secure and reliable.
  • Comply with our legal obligations, including bookkeeping retention.

6. Social platform connections — platform-specific notices

Connecting a social account is always optional. When you initiate a connection you are redirected to the platform's own OAuth consent screen, where you can see and approve the exact scopes we request. The information below explains what each connection means in plain language.

6.1 YouTube (Google API Services)

We use the YouTube Data API v3 with the read-only scope https://www.googleapis.com/auth/youtube.readonly.

Use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • The data we obtain through Google APIs is used only to provide and improve the user-facing features of the Kidding platform (channel-level analytics inside the authenticated portal).
  • We do not transfer this data to others unless doing so is necessary to provide the user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets — and in the last case only with the user's explicit consent.
  • We do not use this data for serving advertising, including retargeted or personalised advertising.
  • We do not allow humans to read this data unless we have obtained your affirmative agreement to view specific messages, for security purposes (such as investigating abuse), to comply with applicable law, or where the data is aggregated and used for internal operations and only after it has been de-identified.

You can revoke our access at any time from the platform's Connected Accounts page or from your Google Account permissions settings.

6.2 Instagram (Meta Platforms)

We use the Instagram Graph API with the scopes instagram_basic, instagram_manage_insights, pages_show_list, and pages_read_engagement. These scopes give us read-only access to your professional Instagram account: account ID, username, follower count, media list, and aggregated insights (reach, impressions, engagement, audience demographics).

Use of this data complies with Meta's Platform Terms and Developer Policies. You can revoke access at any time from the Connected Accounts page or in Instagram → Settings → Apps and Websites. Detailed instructions are on our Data Deletion page.

6.3 TikTok

We use TikTok Login Kit and the Display API with the scopes user.info.basic and video.list — read-only access to your profile, follower count, and public video metrics. You can disconnect at any time from the Connected Accounts page or in your TikTok account's privacy and security settings.

6.4 X (formerly Twitter)

We use the X API v2 with the scopes tweet.read and users.read — read-only access to your profile, follower count, and post-level metrics. You can disconnect at any time from the Connected Accounts page or in X's Settings → Connected apps.

7. Recipients and sub-processors

We disclose personal data to the following categories of recipients, each acting as a processor on our behalf under a written data processing agreement (Art. 28 GDPR), unless otherwise stated:

Provider | Purpose | Region
Supabase, Inc. | Authentication, application database, and storage. All data stored in the EU Central (Frankfurt) region. | EU (Frankfurt, eu-central-1) — primary data storage
Vercel Inc. | Application hosting and content delivery for the platform.kidding.at website and APIs. | EU regions preferred (Frankfurt); global edge network for static assets.
Resend, Inc. | Transactional email delivery (account invites, notifications, deliverable reminders). | EU and US.
Google LLC / YouTube | YouTube Data API v3 — read-only access to your channel statistics (subscribers, views, watch time) when you connect your YouTube account. | United States and global.
Meta Platforms Ireland Limited (Instagram) | Instagram Graph API — read-only access to your professional Instagram account: followers, reach, impressions, audience demographics. | Ireland (EU controller); processed globally by Meta.
TikTok Technology Limited | TikTok Login Kit and Display API — read-only access to your TikTok profile, follower count, and public video metrics. | Ireland (EU controller) with processing in the EEA, UK, US, and Singapore.
X Corp. (Twitter) | X API v2 — read-only access to your profile, follower count, and tweet metrics. | Ireland (EU controller); processed globally.
DocuSign, Inc. | Electronic signature for talent and brand-partner contracts. | EU and US.
Stripe Payments Europe, Ltd. | Subscription billing for self-serve creator plans. Card data is processed directly by Stripe and never reaches our servers. | Ireland (EU controller) with global processing.

We will update this list when we add or replace a sub-processor. Customers and partners with a written agreement that requires advance notice will be informed in good time before any change.

8. International data transfers

The Kidding platform is hosted in the European Union: our Supabase database lives in the EU Central (Frankfurt, eu-central-1) region and we prefer EU-based serverless regions for the Next.js application. Some of our sub-processors and the social platforms you connect, however, process data outside the EEA — primarily in the United States.

Where personal data leaves the EEA, the transfer is covered by one or more of:

  • an adequacy decision of the European Commission (e.g. EU-U.S. Data Privacy Framework certification);
  • the Standard Contractual Clauses adopted by the European Commission on 4 June 2021 (Module 2 — controller to processor), with supplementary technical and organisational measures where required;
  • your explicit consent to a specific transfer (Art. 49(1)(a) GDPR), in the case of the social platforms you choose to connect.

A copy of the relevant safeguards is available on request to contact@kidding.at.

9. How long we keep your data

Data | Retention period
Account profile | For as long as you have an account, then deleted within 30 days of account closure.
Encrypted social platform tokens | Deleted immediately when you disconnect the platform or close your account.
Social platform analytics we have stored | Deleted within 30 days of disconnection or account closure. Aggregated, non-identifying campaign metrics may be retained for historical reporting.
Signed contracts, invoices, and related correspondence | 7 years, in line with the Austrian retention obligation under § 132 BAO and § 212 UGB.
Technical logs (request logs, error traces) | Up to 90 days, then deleted or aggregated.
Backups | Encrypted daily backups are retained for up to 30 days, after which they are overwritten.

10. Security

  • All traffic is encrypted in transit with TLS 1.2 or higher.
  • OAuth access and refresh tokens are encrypted at rest using AES-256-GCM with a key managed in our hosting environment and never written to source control.
  • Row-Level Security in our database limits each user to their own records; administrative access is restricted to named staff with multi-factor authentication.
  • We follow the principle of least privilege for staff, sub-processors, and third-party integrations.
  • Incident response: if a personal data breach is likely to result in a risk to the rights and freedoms of data subjects we will notify the Austrian Data Protection Authority within 72 hours of becoming aware of it (Art. 33 GDPR) and, where the risk is high, the affected individuals (Art. 34 GDPR).

11. Your rights under the GDPR

You have the following rights in relation to your personal data:

  • Right of access (Art. 15 GDPR) — receive a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — correct inaccurate or incomplete data.
  • Right to erasure (Art. 17) — request deletion in the situations the GDPR allows. See our Data Deletion page for the practical steps.
  • Right to restriction of processing (Art. 18).
  • Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7(3)) — withdraw consent at any time, without affecting the lawfulness of processing before withdrawal. Disconnecting a social account is one way to exercise this right.
  • Right to lodge a complaint with the Austrian Data Protection Authority (Österreichische Datenschutzbehörde (DSB)), Barichgasse 40–42, 1030 Wien, Austria, web: https://www.dsb.gv.at, email: dsb@dsb.gv.at.

To exercise any of these rights, contact us at contact@kidding.at. We will respond within one month (Art. 12(3) GDPR). We may ask you to verify your identity before acting on a request.

12. Automated decision-making

We do not use any form of automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you (Art. 22 GDPR).

13. Children

The Kidding platform is not intended for children under the age of 14 (the digital age of consent in Austria under § 4(4) DSG). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

14. Changes to this policy

We will update this Privacy Policy when our processing changes or to reflect changes in the law. The current version is always available at platform.kidding.at/privacy with the date it was last revised at the top. Material changes will be communicated to active users in-app or by email at least 14 days before they take effect.

15. Contact

Questions, complaints, or rights requests? Write to contact@kidding.at or by post to the address in section 1.

© 2026 Kidding e.U. · TODO: city, Austria
