Privacy Policy

Your privacy matters to us. This policy explains how we collect, use, and protect your personal data in compliance with GDPR and UK data protection laws.

Last updated: November 2025

1. Introduction

This Privacy Policy applies to CHAPA, a creator relationship management platform operated by SPR Software Ltd ("we", "us", "our").

Company Details:

  • Legal Entity: SPR Software Ltd
  • Trading As: CHAPA
  • Company Registration: 12349657
  • Registered Address: Crown House, 27 Old Gloucester Street, London, United Kingdom, WC1N 3AX
  • Contact Email: [email protected]

We are committed to protecting your privacy and handling your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection laws.

Note: ICO registration is pending. This policy is a template and should be reviewed by a qualified legal professional.

2. Information We Collect

2.1 Personal Information

When you create an account or use CHAPA, we collect:

  • Name and email address (required for account creation and authentication)
  • Profile information you choose to provide
  • Communication preferences

2.2 Usage Data

To provide and improve our service, we collect:

  • Brand and creator information you input into the platform
  • Deal data, including status, revenue, and notes
  • Attachments and files you upload
  • Activity logs and feature usage patterns

2.3 Technical Data

Automatically collected through our infrastructure:

  • IP address and device information
  • Browser type and version
  • Session data and authentication tokens
  • Error logs and performance metrics

Technical data is collected via Supabase, our authentication and database provider.

3. How We Use Your Data

We use your personal data for the following purposes:

3.1 Service Provision

  • To create and manage your account
  • To provide CRM functionality (brands, deals, attachments)
  • To process payments via Stripe
  • To send service-related emails (via Resend)

3.2 Communications

  • Account notifications and important updates
  • Responses to your inquiries and support requests
  • Optional marketing communications (with your consent)

3.3 Analytics and Improvement

  • To analyze usage patterns and improve features
  • To monitor system performance and security
  • To develop new functionality

3.4 Legal Compliance

  • To comply with legal obligations and regulatory requirements
  • To enforce our Terms of Service
  • To protect our rights and prevent fraud or abuse

Lawful Basis for Processing (GDPR):

  • Contract: Processing necessary to provide the service you've subscribed to
  • Consent: Marketing communications (you can withdraw consent anytime)
  • Legitimate Interests: Analytics, security, and service improvement
  • Legal Obligation: Compliance with tax, financial, and regulatory requirements

4. How We Share Your Data

We do not sell your personal data. We only share your data with trusted service providers who help us deliver CHAPA:

4.1 Data Processors

  • Supabase: Database and authentication services
  • Stripe: Payment processing
  • Resend: Transactional email delivery

All processors are carefully vetted and bound by data processing agreements that require them to meet GDPR standards. Service providers and their locations may change; this policy will be updated accordingly.

4.2 Legal Disclosure

We may disclose your data if required by law, court order, or to protect our legal rights or the safety of others.

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. You will be notified of any such change.

5. Data Storage and Security

5.1 Location

Your data is primarily stored in datacenters located in the United Kingdom. Where international transfers of personal data occur, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or other mechanisms approved under GDPR. Data storage locations and providers may change as our infrastructure evolves.

5.2 Security Measures

We implement industry-standard security practices:

  • Encryption of data in transit (TLS/HTTPS) and at rest
  • Access controls and authentication (including multi-factor authentication)
  • Regular security audits and vulnerability assessments
  • Automated backup systems
  • Employee training on data protection

While we take all reasonable precautions, no system is completely secure. We encourage you to use strong passwords and protect your account credentials.

6. Data Retention

We retain your personal data only as long as necessary to provide our services and comply with legal obligations:

  • Active Accounts: Data retained while your account is active and for reasonable operational needs
  • Deletion Requests: Upon request, we delete your data within 30 days. Backups may retain data for up to 30 additional days before permanent deletion.
  • Inactive Accounts: Accounts inactive for 2+ years may be deleted after notification
  • Legal Retention: Some data (e.g., financial records) must be retained for 6-7 years per UK tax law

7. Your Rights Under GDPR

As a data subject in the UK/EU, you have the following rights:

  • Right of Access: Request a copy of the personal data we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data
  • Right to Restrict Processing: Request limitation on how we use your data
  • Right to Data Portability: Receive your data in a machine-readable format
  • Right to Object: Object to processing based on legitimate interests or marketing
  • Right to Withdraw Consent: Withdraw consent for processing at any time

How to Exercise Your Rights

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection authority, at ico.org.uk.

8. Cookies and Tracking

8.1 Current Use

CHAPA currently uses only essential cookies required for authentication and session management. These are necessary for the service to function and do not require consent under GDPR.

8.2 Future Use

If we introduce non-essential cookies (e.g., analytics or marketing cookies), we will implement a cookie consent banner and provide you with options to accept or decline.

8.3 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may affect your ability to use CHAPA.

9. International Data Transfers

Where we transfer personal data outside the United Kingdom or European Economic Area, we ensure appropriate safeguards are in place to protect your data. These safeguards include:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data processing agreements that require GDPR-level protections
  • Other legally approved transfer mechanisms as appropriate

We regularly review our data processors and transfer mechanisms to ensure compliance with applicable data protection laws. If you would like more information about specific data transfers, please contact us.

10. Children's Privacy

CHAPA is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately so we can delete it.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features.

We will notify you of material changes by:

  • Sending an email to your registered email address
  • Displaying a prominent notice in the application
  • Updating the "Last Updated" date at the top of this policy

Continued use of CHAPA after changes take effect constitutes acceptance of the updated policy.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:

Data Protection Contact:

  • Email: [email protected]
  • Postal Address: SPR Software Ltd, Crown House, 27 Old Gloucester Street, London, United Kingdom, WC1N 3AX

Important Note: This Privacy Policy is a template designed to meet GDPR requirements. We strongly recommend having it reviewed by a qualified legal professional before relying on it. Additionally, if you process personal data, you may need to register with the UK Information Commissioner's Office (ICO).