1. Introduction & Scope

Boostary (“we,” “us,” or “our”) is a digital platform (currently in Early Access) that connects music producers (“Producers”) with content creators/influencers (“Influencers”) for fixed-scope, contract-based collaboration campaigns. This Privacy Policy explains how we collect, use, store, and share personal information when you use the Boostary platform (the “Service”). It applies to all users of our Service – including Producers and Influencers – and covers all personal data processed through the platform. By using Boostary, you acknowledge that you have read and understood this Privacy Policy.
Scope: This Policy covers only Boostary’s practices in relation to the Service. It does not apply to third-party websites or services that you may link to or use in connection with Boostary (for example, social media platforms where campaign content is published, or Stripe’s services for payments), which have their own privacy policies. We encourage you to review those policies separately.

2. Who We Are & User Roles

Boostary is operated by Boostary Inc., a company based in the United States. We provide an online marketplace where two types of users interact:

Producers: Typically artists, brands, or clients who initiate a campaign by setting requirements, deadlines, and a budget for a content collaboration.
Influencers: Content creators who accept a Producer’s campaign and create the agreed content (e.g. social media posts or videos) according to the campaign brief.

Both Producers and Influencers are considered “users” under this Policy. In general, we collect and process the same categories of personal data for both roles. We do not maintain separate data profiles based on role – all users provide basic account and contact information and agree to campaign terms, regardless of being a Producer or an Influencer.

3. Information We Collect

We limit our data collection to what is necessary to provide and secure the Service. The following categories of personal information are collected or generated by Boostary:

Account Information: When you register for a Boostary account, we collect your name (or chosen display name/alias) and your email address. This information is required to create your account, allow you to log in, and identify you on the platform. We do not collect your phone number or any government-issued identifiers during registration. You will create login credentials (such as a password), which we store securely in hashed form. Your name or display name may be used on the platform to represent your profile (for example, to form a link to a public social media profile if you choose to provide one). We do not ask for or collect any sensitive personal information (such as racial or ethnic origin, health data, or biometric identifiers) as part of account signup.

Campaign Information: If you are a Producer creating a campaign or an Influencer participating in one, we collect the details you input about the campaign. This includes the campaign title, a description or brief of the work, the requirements/deliverables, and relevant deadlines (e.g. due dates for content delivery or revision timelines). We use this information to facilitate the campaign contract between users. Importantly, we do not collect or host the actual content files produced for campaigns. For example, if an Influencer creates a video or social media post as a deliverable, that content is published on external platforms (like a social network) rather than uploaded to Boostary. Boostary does not copy or store those media files. We may record basic campaign milestones – for instance, that a deliverable was marked as completed at a certain time – but we do not ingest the content itself or any detailed analytics/metrics about its performance. We also do not collect any audience or engagement data about such off-platform content beyond what is necessary to verify completion of the campaign (e.g. confirmation that a link was provided or a task marked done, as used in dispute resolution – see Section 6). In summary, the platform tracks campaign parameters (like what work is due and when) and completion status, but not the creative content or its viewer statistics.

In-Platform Communications: We provide in-product messaging tools (such as a chat or direct message system) for users to communicate about campaigns. If you send messages within the platform (for example, to discuss campaign details, ask questions, or resolve issues), those communications are collected and stored by Boostary. This includes text messages and any attachments or links shared through our messaging interface. We treat these communications as private between the parties involved. However, authorized Boostary staff may access them when needed for specific purposes such as dispute resolution or policy enforcement (see Section 6 on Disputes & Enforcement). Communications data is retained as part of the campaign record and for trust and safety purposes (for example, to have an audit trail in case of disagreements). We do not publish or share your internal messages outside of these operational needs.

Payment and Financial Information: All payments on the Boostary platform are processed through our third-party payment processor, Stripe. Boostary itself does not collect or store your sensitive financial details (such as credit card numbers, bank account information, or government IDs for payments/payouts). When a Producer funds a campaign or an Influencer receives a payout, you provide payment details and (if required for payout compliance) identity verification information directly to Stripe via secure forms. For example, Stripe may collect your card number, billing address, or tax identification for payout, and it might require a photo ID or selfie for Know-Your-Customer (KYC) verification depending on the transaction and laws. Boostary does not see or retain those details – they are handled by Stripe on our behalf.

What Boostary does receive from Stripe is limited metadata necessary to keep records and operate the service, such as: a Stripe customer/account ID linked to your Boostary user profile; confirmation that a payment was made or a payout issued (including status, dates, and amounts); and a flag indicating whether you have completed required identity/KYC verification. We store this metadata to track campaign payments (e.g. that a campaign has been funded and funds are held in escrow, or that an Influencer’s payout is pending or complete). We do not receive or store the underlying card numbers, bank details, or identity documents – those remain with Stripe. (See Section 5 for more on Payments.)

Logs and Technical Data: Like most online services, Boostary automatically collects certain technical information about how you access and use the platform, for security and maintenance purposes. This includes:

Device and Browser Information: We log the type of device you use (mobile, desktop, etc.), your operating system, browser type, and version.
IP Address: We record the IP addresses you use to access the Service. This helps us with security monitoring – for example, detecting unusual login locations or potential malicious activity – and with fraud prevention. We do not use IP to derive your precise location; at most we infer general region (city or country) for security alerts, and we do not collect any precise GPS/location data.
Usage Logs & Timestamps: We maintain logs of key actions on the platform (e.g. login times, campaign creations or acceptances, message sends, and other important events) with timestamps. These logs help us troubleshoot issues, monitor performance, and provide an audit trail in case of disputes or security incidents.

These technical logs are stored securely with access restricted to authorized personnel. We do not use technical data for profiling you or for marketing purposes – it is used strictly to maintain the platform’s integrity, security, and functionality. We also do not collect any unique device identifiers for advertising purposes (for example, we do not access your device’s advertising ID). Technical data is used to detect and prevent misuse (see Section 6) and to ensure a stable service, not to build marketing profiles.

Cookies and Similar Technologies: Boostary uses a minimal number of cookies and similar tracking technologies, all of which are essential for the Service to function. These include cookies to keep you logged in (session cookies and authentication tokens), to remember certain preferences or state as you navigate the site, to provide security features (such as CSRF protection and rate-limiting), and cookies used by Stripe during payment processes. We do not use any analytics, advertising, or marketing cookies within the Boostary product platform. In other words, we do not embed Google Analytics, Facebook/Meta Pixel, or similar trackers in the logged-in experience that would monitor your behavior for marketing purposes. (On our public-facing marketing website or landing pages, we may use standard analytics or advertising tools, but not inside the authenticated product – see Section 7 on Cookies & Tracking.) If you’d like a detailed explanation of our cookie usage, please refer to Section 7 of this Policy as well as our separate Cookie Policy, which provides further specifics on types of cookies and their purposes.

Optional Information You Provide: If you choose to contact us (for example, by sending an email to support or privacy contacts) or provide feedback in any way, we will collect whatever information you voluntarily provide in that communication. This could include your contact details and the content of your message. We will use this information solely to address your inquiry or improve our service. We do not ask you to provide any personal data beyond what is described above when you reach out. In particular, we do not solicit or intend to collect any sensitive categories of personal data (such as racial/ethnic origin, health information, biometric data, or precise geolocation) through user support interactions, and we ask that you refrain from including such details in any messages to us.

4. How We Use Information

We use the personal information we collect strictly for the purposes described in this section. Each use is tied to a relevant legal basis (such as fulfilling our contract with you, complying with legal obligations, or pursuing our legitimate interests), as noted below:

Providing and Improving the Service: We use account data (name, email, login credentials) to create and maintain your account, authenticate you at login, and provide you with access to the platform’s features. We use campaign information (briefs, requirements, deadlines) to facilitate the collaboration contract between Producer and Influencer – for example, to display campaign details to the participating parties, send reminders about upcoming deadlines, and automatically update campaign status (e.g. marking campaigns as completed or closed when deliverables are approved or deadlines are missed). This processing is necessary to perform our contract with you (the Terms of Service you agree to by using Boostary), as it enables the core functionality you expect from the platform. We also continually improve the Service by analyzing aggregate usage patterns and feedback (not personal profiles) – for instance, understanding which features are used most can inform product improvements, but we do this without any invasive tracking.
Facilitating Communications: We process your in-platform messages in order to deliver them to the intended recipient(s) and to allow you to review past communications. For example, if you send a message to your campaign partner, our system routes that message and stores a copy so that both you and the other party can view the conversation history. Retaining these communications also supports dispute resolution if needed (see below). Handling messages in this way is part of performing our contract with you (enabling you to communicate and collaborate within the platform).
Transactional Notifications: We use your email address to send essential notifications and confirmations related to your use of Boostary. For instance, we will email you to verify your email upon registration, to confirm key actions you take (like a campaign being accepted or completed), or to inform you of important updates such as a change in campaign status or the outcome of a dispute. These emails are transactional or administrative in nature – we do not send marketing newsletters or promotional emails as part of the product service without your explicit consent. Sending these service-related communications is necessary for performing our contract (by keeping you informed about the service you’re using) and is also in our legitimate interest to operate an effective and user-friendly platform. We use a reputable third-party email service provider to deliver these messages (see Section 8 on Data Sharing), and that provider is not permitted to use your email for any purpose other than sending our communications.
Potential Future Notifications: In addition to email, we may provide in-app or push notifications for certain events where applicable. For example, if you opt in to receive push notifications, we might send a notification to your device when a campaign milestone occurs (such as “Payment received!” when a payout is completed). These notifications would only be used for service-related purposes (e.g. real-time updates on campaigns) and only with your consent where required (you can control push notifications via your device or app settings). If we implement push notification services (for instance, via a service like OneSignal) in the future, they will be configured to use minimal data (essentially your device’s push token) just to deliver the message, and not for any marketing profiling. You will always have the ability to opt out of push or similar notifications by adjusting your settings. All such notifications, like our emails, will remain focused on helping you use the Service (not advertisements).
Payments and Payouts Coordination: We use personal information to facilitate financial transactions on the platform. When you fund a campaign or receive a payout, we share the necessary identifiers and transaction details with Stripe to initiate and execute the payment process. For example, if you are a Producer funding a campaign, we provide Stripe with your relevant order details (campaign ID, your user ID/email, the amount to charge, etc.) so Stripe can charge your card. If you are an Influencer receiving a payout, we provide your Stripe account ID and payout amount so Stripe can transfer funds to you. We then use the confirmation and status information returned by Stripe to update our records and inform both parties of payment status (e.g. to indicate that funds have been secured in escrow, or that a payout to the Influencer has been completed). We also generate internal records of amounts paid, fees, and payouts for bookkeeping and accounting purposes. Processing payment-related data in these ways is part of our contractual service (enabling campaigns and payments). Additionally, complying with payment industry rules and anti-money laundering laws via Stripe’s processes is a legal obligation. In short, we handle just enough of your information to ensure you get paid or charged correctly, relying on Stripe to handle the sensitive parts.
Identity Verification & Trust and Safety: If Stripe requires you to complete identity or Know-Your-Customer (KYC) verification (for example, Influencers may need to verify their identity and tax status to receive payouts above certain thresholds), we facilitate that process. This might include directing you to provide required information to Stripe and then receiving from Stripe a simple status update (e.g. “verification passed” or “verification needed”). We use the verification results to confirm you’re eligible to transact on the platform (for instance, that you are a real person or legitimate entity and not on any prohibited sanctions list) and to help maintain a safe community. This processing is based on our legitimate interest in fraud prevention and platform integrity, and in some cases on legal obligations (such as ensuring compliance with financial regulations and tax laws). Notably, Boostary itself does not collect or store the actual documents or personal data you submit for KYC – those go directly to Stripe, and we receive only the outcome/status.
Security and Fraud Prevention: We use technical data like IP addresses, device information, and log timestamps to protect the security of the platform and our users. This includes detecting and blocking suspicious or malicious activity (for example, multiple failed login attempts, or logins from an unusual location that might indicate a compromised account), enforcing rate limiting and other abuse-prevention measures, and investigating any security incidents. Our legitimate interest in maintaining a secure, trustworthy service is the basis for this processing. In certain cases, we may also use log data to debug software issues or ensure compatibility with different devices and browsers – which falls under our legitimate interest in product improvement and maintenance. (If any security processing were to have a significant effect on you, we would balance it against your rights, but our goal is that these measures are non-intrusive and purely protective.)
Dispute Resolution and Enforcement: In the event of a dispute between a Producer and an Influencer, or if a user is suspected of violating our Acceptable Use Policy or other terms, we use relevant personal information to investigate and resolve the issue. This can include reviewing campaign details (title, requirements, deadlines), deliverable evidence (links or screenshots provided to prove work was done), and the communication history between the parties. For example, if a Producer claims an Influencer missed a deadline, we might check the timestamps in our logs and messages to verify what happened. If an Influencer claims a Producer demanded extra work beyond the agreed contract, we may review the chat history and original campaign brief to understand the scope. Boostary staff (or an authorized dispute resolution agent) will access user communications and data strictly for the purpose of fairly resolving disputes or enforcing our rules. We may also use personal data to enforce platform integrity more generally – for instance, monitoring for fraud schemes or patterns of abuse (such as users repeatedly attempting to circumvent the payment system). This processing is based on our legitimate interests in protecting our service and user community, and on fulfilling our contractual commitment to provide a safe, reliable platform. Where required by law, any enforcement-related processing will be done in compliance with applicable regulations and due process.
Legal Compliance: We may process and retain personal information as necessary to comply with our legal obligations. This includes keeping certain records to satisfy tax and accounting requirements, fulfilling lawful requests from government authorities, or responding to legally binding orders (such as subpoenas or court orders). For example, U.S. law may require us to maintain records of payments and payouts for tax reporting or to help prevent money laundering. If we are under a legal obligation to retain data for a certain period (e.g. maintaining transaction records for X years), we will do so even if you request deletion, but only to the extent and for the duration required by law. In all cases, we will only disclose or retain what is strictly necessary to meet our legal duties.
No Marketing or Profiling: We want to emphasize that we do not use your personal information for advertising or marketing purposes without your consent. We do not analyze your behavior for targeted advertising, and we do not sell or rent your information to advertisers or data brokers. We also do not engage in automated decision-making about you in a way that produces legal or similarly significant effects without human involvement – there are no AI-driven eligibility decisions or credit scoring happening with your data. Essentially, all processing of your data is tied to providing you with the service or fulfilling legitimate and legal obligations as described above, not for building marketing profiles. If we ever decide to use your information for any new purpose that is not compatible with these original purposes, we will update this Policy and (if required by law) obtain your consent or allow you to opt out.

Legal Bases: For users in jurisdictions like the European Union (under GDPR) where a “lawful basis” is required for processing, the bases we rely on are typically: Contract necessity (to provide the core platform functions you signed up for, such as account management, running campaigns, and enabling communications), Legal obligation (for processing required by law, such as payment records and KYC checks), and Legitimate interests (for our security measures, fraud prevention, and internal improvements), always balanced against your rights and expectations. If we ever process personal data based on your consent (for example, if in the future we introduce an optional feature that requires opt-in consent), we will make that clear at the point of data collection and you would have the right to withdraw consent at any time. However, as of now, we do not rely on consent for any data processing except the implicit consent for essential cookies as described in Section 7.

5. Payments & Financial Information

All financial transactions on Boostary are facilitated through Stripe, Inc. As our payment processor, Stripe handles the movement of funds so that Boostary itself can minimize direct handling of sensitive financial data. This section provides more detail on how payment and payout data is managed:

Payment Processing (Producers): When a Producer funds a campaign (e.g. by paying with a credit or debit card), the payment is processed by Stripe. During the checkout or funding process, you will enter your payment information through a secure Stripe interface. Stripe will collect your card details (card number, CVC code, expiration date, billing ZIP/postal code, etc.) and any other necessary information to complete the charge. Boostary’s servers do not see or store your full card information at any point. Once Stripe processes the payment, the funds are placed into an escrow account (managed by Stripe) associated with your campaign. Stripe then provides us with a confirmation that the payment was successful (or an error if it failed). We record the fact that a payment of a certain amount was made for a specific campaign, along with a Stripe transaction ID or customer ID and the timestamp/status (for example, “Payment successful and funds held in escrow”). We do not have access to your actual card number or other payment instrument details – that information remains solely with Stripe.

Payouts to Influencers: When an Influencer is to be paid for a completed campaign (for instance, after the Producer approves the deliverables), the payout is also handled by Stripe. Influencers are typically required to set up a Stripe account (often via Stripe Connect) to receive their funds. As part of that setup, Stripe will gather the necessary payout information from the Influencer, such as bank account or debit card details, and may also collect personal information for verification (like legal name, date of birth, government ID, and tax information if applicable). Boostary does not collect these payout details directly; the Influencer provides them securely to Stripe via Stripe’s onboarding forms. Stripe requires this information to comply with financial regulations (e.g. KYC laws and tax reporting rules). Once the Influencer’s Stripe account is configured and verified, Boostary can initiate payouts to that account when campaigns are completed and approved.

Identity Verification (KYC): Stripe might require certain users (especially Influencers receiving payouts above certain thresholds, or users from certain countries) to undergo verification. This could involve uploading an identification document, a selfie for identity confirmation, and/or providing a taxpayer identification number (such as an SSN or EIN in the US) for tax purposes. All of this information is provided directly to Stripe. Boostary does not receive or store the actual documents, images, or detailed personal data you submit to Stripe for verification. We are only notified by Stripe about the outcome of the verification (for example, “Verified” or “Verification pending/failed”) and perhaps minimal metadata like your Stripe account ID or whether you have submitted the required forms. We use this information simply to know if you are eligible to receive payouts through our platform and to ensure we comply with legal requirements (for instance, we may be prevented from releasing funds until verification is complete, or we may have to suspend payouts if verification fails or is revoked). If you have questions about how Stripe uses the information you provide to them (such as your ID documents or tax info), we encourage you to review Stripe’s own privacy policy, as Stripe’s handling of your financial data is governed by their terms and privacy practices.

No Storage of Financial Account Data: To reiterate, Boostary does not store your credit card numbers, bank account numbers, or government ID numbers on our servers. We rely on Stripe’s secure infrastructure for all sensitive payment processing. Similarly, we do not receive full financial account details from Stripe; for example, we might see that a payout was sent to your bank account ending in the last 4 digits XYZ for reference, but not your full account or routing number. Our database might contain a note that you have a verified payout method and perhaps the country of your bank (for currency purposes), but not the actual account details. By outsourcing payment processing to Stripe, we significantly limit the financial data we ourselves hold, thereby reducing risk to you in case of any data issue on our side.

Stripe Cookies and Scripts: In order to facilitate payments seamlessly, our website may integrate Stripe’s checkout workflow or include Stripe-provided scripts. As a result, Stripe may set its own cookies or collect certain information from your browser when you engage in payment-related activities on Boostary. For example, if you are directed to a Stripe-hosted checkout page or we embed Stripe’s card input fields on our site, Stripe might place cookies to remember your session or device and to enable fraud detection. These Stripe cookies are considered third-party cookies (since they are set by Stripe’s domains like stripe.com or checkout.stripe.com, not by Boostary’s domain) and are used solely to facilitate payments and comply with Stripe’s security protocols. Boostary does not have access to the data that Stripe’s cookies or scripts collect; that data is transmitted to Stripe and handled according to Stripe’s privacy policy. We classify Stripe’s cookies as essential because without them you might not be able to complete transactions on our platform (for instance, Stripe uses cookies to help prevent fraud or remember your Stripe session during the checkout process). For more details on Stripe-related cookies, you can refer to our Cookie Policy. In summary, any cookies or tracking done during payments are there for security and functionality, and they involve Stripe acting as a service provider.

Financial Records: Boostary maintains records of transactions for bookkeeping, commission calculation, and dispute resolution purposes. For example, we keep track of each campaign’s agreed price, the platform fee we deduct, and the net payout to the Influencer. We may use these records to issue refunds (via Stripe) if necessary, or to handle disputes or chargebacks. These records generally contain minimal personal data – mostly numerical values and timestamps linked to user IDs – and are kept secure with access limited to authorized financial personnel. We retain such records as long as needed for legal and operational purposes (see Data Retention in Section 10), typically at least for the duration required by financial regulations and tax laws.

User Responsibilities (Payments): We ask all users to use the designated Stripe payment process for all campaigns. For both Producers and Influencers, attempting to make or accept payments outside of the Boostary platform is against our policies (see our Acceptable Use Policy) and undermines the protections we provide (such as escrow, dispute resolution, and secure payments). If payments are made off-platform, Boostary cannot assist with or enforce those transactions. By using Stripe through Boostary, you are also agreeing to Stripe’s terms of service and privacy policy, since Stripe will be processing your payments. We will do our best to assist with any payment-related issues that fall within our control, but certain issues (like a declined card, bank transfer delays, or identity verification delays) may be outside our direct purview and handled by Stripe or banking networks.

6. Disputes, Enforcement & Platform Integrity

Boostary is committed to maintaining a fair, safe marketplace for both Producers and Influencers. As such, we may use personal data to prevent misuse of the platform and to resolve conflicts, as outlined below:

Dispute Resolution: If a campaign enters a formal dispute (meaning a Producer or Influencer requests Boostary’s help to resolve an issue), our team will review relevant information to determine a fair outcome. This can include looking at the campaign contract details (brief, deliverables, deadlines), any evidence of deliverables (such as links or proofs provided that content was created), and the communication history between the parties. For example, we may check chat logs to see if the parties agreed to an extension, or verify timestamps to see if a deadline was indeed missed. All information collected through the platform – campaign data, messages, logs, etc. – may be used as evidence in resolving the dispute. Only authorized personnel involved in dispute resolution will access user data for this purpose, and they will only access what is necessary to make a decision. Our goal is to enforce the original contract terms and our policies even-handedly. Once a decision is reached, we will inform the parties and execute any necessary actions (such as refunding the Producer or releasing payment to the Influencer) consistent with our Terms of Service and dispute procedures.
Policy Enforcement: If we suspect that a user is violating our Acceptable Use Policy or other terms (for example, engaging in fraudulent activities, harassment, or attempts to circumvent our system), we will use personal data to investigate and take appropriate action. This may involve reviewing user activities and communications relevant to the suspected violation. For instance, to enforce our “no off-platform payment” rule, we might investigate if our systems flag that a user shared contact info or keywords suggesting an attempt to transact off-platform. If a user is reported for abusive behavior, we might review the message history or campaign feedback for evidence. We take care to limit our review to what’s necessary for enforcement. Any personal data accessed in this context will be used strictly to confirm whether a violation occurred and to address it. Actions can include warnings, temporary suspensions, or permanent account removal, depending on severity and according to our Terms of Service.
Fraud and Security Monitoring: We continuously monitor for patterns that might indicate fraud or security issues. For example, we pay attention to rapid creation of multiple accounts, unusual payment patterns, or IP addresses associated with known attacks. We may share certain information with financial partners or law enforcement if we detect fraudulent schemes (for instance, if there is evidence of credit card fraud or money laundering attempts). However, we do not make decisions to ban or penalize users based solely on automated profiling; there is always a human review to confirm any flags. Our use of personal data for these purposes is based on our legitimate interests in protecting the platform and our users from harm. We also have a contractual obligation to users to provide a safe service, which justifies reasonable monitoring for fraud and misuse.
Platform Integrity: Beyond individual disputes or violations, we may analyze data in aggregate to identify systemic issues or areas for improvement in trust and safety. For example, we might track the frequency of disputes or the common reasons for disputes to improve our processes. If we notice that a certain campaign category often leads to problems, we might adjust our guidelines. These activities generally use anonymized or aggregated data where possible. If any personal data is used, it is limited to internal purposes and not shared externally except as needed to address the issue.

In all scenarios above, we adhere to the principle of data minimization – we access and use only the information that is reasonably necessary to carry out the conflict resolution or enforcement task at hand. For instance, if a dispute is about whether a deadline was met, we might need to check timestamps and messages around that deadline, but we wouldn’t need unrelated personal info from your profile. Likewise, if cooperating with law enforcement on a fraud case, we would only provide the specific records requested under lawful process. Our staff handling disputes and enforcement are trained to respect user privacy and follow strict procedures.

7. Cookies & Tracking

High-Level Overview: Boostary’s use of cookies and similar tracking technologies is minimal and purely functional. We do not use cookies for analytics, advertising, or user profiling on our platform. All cookies in use are intended to support core service features like authentication, security, and payments.

The cookies and related technologies operating on our site fall into a few essential categories:

Essential Session Cookies: These cookies are required for the platform to work properly. For example, when you log in, a session cookie (or a similar token) keeps you logged in as you navigate between pages. Without it, you would be logged out every time you clicked a new link or refreshed the page. We also use session cookies to remember your preferences or selections during your visit (for instance, which language you chose, or other interface settings), and to distribute load on our servers (load balancing cookies). These cookies typically contain only a random identifier or small piece of data necessary to maintain your session state; they do not contain personal details beyond linking your browser to your session on our servers. They are usually temporary (lasting for the browser session) and are often automatically deleted when you log out or close the browser.
Security Cookies (including CSRF tokens): We set cookies to protect our platform and users against certain attacks. For example, we use a CSRF token cookie – a small value that ensures that commands your browser submits to our website actually came from you (via our site) and not from a malicious third-party page. This helps prevent Cross-Site Request Forgery attacks. These security cookies are also considered essential; they exist to prevent unauthorized or forged actions on your account. Additionally, if we implement any rate-limiting or abuse-prevention mechanisms, we might store an identifier in a cookie or local storage to note that a device has triggered certain limits, which helps us distinguish legitimate users from bots or attackers. Such data is used solely to identify potentially malicious behavior and is not used for marketing.
Authentication Tokens: Boostary may use JSON Web Tokens (JWTs) or similar tokens for authenticating API requests and maintaining your login session. Depending on our implementation, these tokens might be stored in a secure cookie (HttpOnly, so it isn’t readable by JavaScript) or in local storage. In either case, their purpose is to verify your identity after you log in, so you don’t have to enter your password for each action. We might use a combination of a short-lived token and a longer-lived refresh token (the refresh token possibly stored as a cookie) to keep you logged in for a convenient period without compromising security. These authentication tokens are strictly used for logging you in and authorizing your actions; they are not used for tracking your activity beyond securing your session.
Stripe Cookies: Because Boostary integrates with Stripe for payments, Stripe may set its own cookies when you interact with payment-related features on our site. For example, if you are directed to a Stripe checkout page or we embed a Stripe payment form, Stripe might set cookies to remember your Stripe session, to implement fraud prevention (such as detecting if a payment attempt is from a new device), or to ensure the payment process completes smoothly. These cookies are considered third-party cookies since they are set by Stripe’s domains (like stripe.com or checkout.stripe.com) rather than Boostary’s domain. We consider them essential for payment functionality – without Stripe’s cookies, you might not be able to successfully complete a checkout or verification on our platform. Boostary does not have direct access to or control over the data in Stripe’s cookies, but we trust Stripe as a PCI-compliant payment provider to use them solely for secure payment processing and fraud detection, not for marketing purposes. If you were to block Stripe’s cookies, certain payment functions (like the checkout flow or instant identity verification for payouts) may not work properly.
No Analytics or Advertising Cookies in Product: Boostary does not use Google Analytics or any similar analytics service within the logged-in product, nor do we use advertising networks or pixels (such as Facebook/Meta Pixel, Google Ads tags, or Twitter/TikTok pixels) in the platform interface. This means that when you are using the Boostary app as an authenticated user, we are not tracking your clicks or behavior for third-party marketing or advertising purposes. We do not allow any third-party to collect data about your online behavior through cookies or scripts in our product. (On our public marketing website or landing pages, outside of the app, we may use basic analytics or advertising cookies solely to measure site traffic and the effectiveness of our ads; any such use on public pages is separate from the product and, where applicable, is done with notice/consent. As of the latest update, we remain very limited in that area as well.) In summary, the Boostary application itself is free of analytics/tracking cookies – all cookies in use are there to support operational needs like login, security, and payments.

Because we only utilize essential cookies at this time, we do not currently implement a cookie consent banner or pop-up for logged-in users. Under many privacy laws (such as EU regulations), strictly necessary cookies do not require prior consent. We still want to be transparent about our cookie use, which is why we provide information here and in our Cookie Policy. If in the future we introduce any non-essential cookies or tracking technologies (for example, analytics cookies on our public site, or new features in the app that involve cookies), we will update our policies accordingly and obtain any required consents (e.g., by showing a cookie banner to users in relevant jurisdictions).

For detailed information such as specific cookie names, duration, and whether they are first-party or third-party, please refer to our Cookie Policy. That document breaks down the cookies we use and their purposes in more depth. In summary, every cookie or similar technology currently utilized by Boostary is there to support essential service functions like logging in, maintaining security, and processing payments. We do not use cookies for user profiling, advertising, or any unnecessary data collection.

If you wish, you can control or delete cookies through your web browser settings. Most browsers allow you to view the cookies stored on your device, delete them, and set preferences for how cookies are handled (e.g., blocking third-party cookies or all cookies). Be aware that if you disable or block cookies that are essential (especially our session and authentication cookies), the Boostary platform will not function properly – for example, you won’t be able to log in or stay logged in, and transactions may fail. Blocking third-party cookies (like Stripe’s) might still allow basic use of the site, but could interfere with payment flows. We recommend leaving essential cookies enabled for a seamless and secure experience. For more guidance on managing cookies, see the “Managing and Disabling Cookies” section of our Cookie Policy.

(Note: If Boostary releases a mobile application, the concept of “cookies” would be replaced by similar mechanisms like secure storage of authentication tokens. Our approach to handling those would mirror what’s described here – using them only for functionality and not for tracking.)

8. Data Sharing & Service Providers

Boostary understands the importance of keeping your personal information confidential. We do not sell your personal data to third parties. We also do not share your information with third parties for their own independent marketing or advertising purposes. However, we do share certain data with third-party services we rely on to run Boostary, but only in the contexts described below and always under appropriate safeguards:

Stripe (Payment Processor): As detailed in Sections 3 and 5, we share certain information with Stripe to facilitate payments and payouts. This includes things like your email address or user ID, and the necessary transaction details (campaign ID, amounts, etc.) for Stripe to charge your payment method or send you funds. Stripe is a crucial service provider for Boostary; they handle all sensitive financial information on our behalf. We have an agreement in place with Stripe that governs the protection of personal information shared for processing transactions. Stripe is authorized to use this data only for providing payment services and fulfilling legal/compliance requirements. They are not allowed to use your Boostary data for any unrelated purposes (for example, Stripe won’t use info we share to market their own products to you). Please refer to Stripe’s Privacy Policy for details on how they safeguard your data; from Boostary’s side, we ensure that data shared with Stripe is limited to what is necessary (principle of data minimization).
Email Delivery Provider: We use a third-party email service to send out the transactional emails and system notifications described in Section 4 (such as account verification emails, password reset emails, campaign updates, and dispute notices). Examples of such providers include SendGrid, Mailgun, Amazon SES, or similar reputable email delivery services. To send these emails, we need to provide our email service provider with your email address and the content of the message (which might include your name and some context, like “Your campaign X has been completed”). Our contract with this provider ensures they treat your email and the message content as confidential and use it only to send the emails on our behalf. They do not have the right to use your information for their own purposes, and they will not sell or disclose your email or our email content to others. In other words, the email provider is acting as a service provider (or “data processor”) for Boostary, not as an independent data controller.
Cloud Hosting and Infrastructure: Boostary’s platform is hosted on third-party infrastructure – for example, we may use reputable cloud services like Amazon Web Services (AWS), Google Cloud Platform, Microsoft Azure, or other hosting providers to run our application and store data. This means that any personal data you provide (account info, messages, campaign data, etc.) is stored on servers that we rent from these providers. We ensure that any hosting provider we utilize has robust security measures in place and that we maintain control over our data on those systems. These providers technically have your data on their infrastructure, but contractually they are not allowed to access or use it except as needed to keep the servers running (they act as “data processors” following our instructions). In addition to hosting, we may use other IT service providers for things like data backup, security monitoring, or logging systems. In all cases, we choose providers that contractually commit to confidentiality and data protection, mirroring our obligations under this Privacy Policy. For example, if we use a cloud database backup service, the provider cannot look at or sell the data in those backups – they simply store it for us and keep it secure.
Professional Advisors and Related Parties: We may share minimal personal information with our professional advisors (such as our lawyers, accountants, or auditors) or with insurance providers, but only as necessary for specific purposes. For instance, our accountants or auditors might need to review records that include user transaction amounts or payout records to complete financial statements or comply with audit requirements. Similarly, if we consult with legal counsel about a dispute involving a user, we might share relevant details of that user’s interactions on the platform with the lawyer to get advice. In all such cases, these parties are under strict duties of confidentiality. They are obligated to use the information only to provide services to Boostary (e.g. giving us legal or financial advice) and not for any other purpose.
Legal Requirements and Protection of Rights: We may disclose personal information to third parties (including government agencies or law enforcement) if we believe in good faith that such disclosure is required to: (a) comply with a law, regulation, legal process, or enforceable governmental request (for example, responding to a court order or subpoena); (b) enforce our Terms of Service, Acceptable Use Policy, or other agreements; (c) investigate or defend against third-party claims or allegations; (d) detect, prevent, or address fraud, security, or technical issues; or (e) protect the rights, property, or safety of Boostary, our users, or the public as required or permitted by law. For example, if law enforcement provides a lawful subpoena for information on a user involved in criminal activity, we may be required to provide the requested data. Or if a user threatens another person’s safety, we might report that to authorities. We will carefully review each request to ensure it has a valid legal basis and will only disclose what is legally necessary. If we receive requests that we believe are overly broad, we may object to them or seek to narrow them.

In any scenario of data sharing, we adhere to data minimization: we only share the information that is reasonably necessary for the third party to perform its function. For example, if our email provider only needs your email address and message content to send an email, we will not also send them your IP address or other data they don’t need. Similarly, if an auditor needs to verify payout records, we might provide transaction logs with user IDs and amounts, but not, say, your message contents, as that would be irrelevant.

All service providers that process personal data on our behalf are bound by contractual agreements to protect your data in line with this Privacy Policy and applicable law. These contracts (often called Data Processing Agreements or DPAs) require the service provider to implement appropriate security measures and to only use the data as we have instructed. If any provider can no longer meet those obligations (for example, if they had a security breach), they are required to inform us and remediate it promptly.

No Third-Party Advertising Sharing: To avoid doubt, we do not share your data with advertisers or social media companies for marketing purposes. Boostary has no advertising partners that receive personal data about you from us. We do not “sell” or “share” personal information as defined under laws like the CCPA – meaning we don’t exchange your data for money or for cross-context behavioral advertising. You will not, for instance, find that Boostary has given your info to Facebook or Google to advertise to you elsewhere; that does not happen.

Business Transfers: If Boostary is involved in a corporate transaction such as a merger, acquisition, investment financing, reorganization, bankruptcy, or a sale of company assets, your personal information may be transferred to the successor or acquiring entity as part of that transaction. In such an event, we would ensure that the new owner or entity is contractually obligated to uphold the privacy commitments we have made in this Policy. We would also provide notice to users if their personal data becomes subject to a new owner. (To be clear, Boostary is in an Early Access/startup phase and no such changes are currently planned, but we include this as a standard disclosure.) If such a transfer occurs, we will notify you by appropriate means (for example, via email or a prominent notice on our site) and outline any choices you may have regarding your data as a result.

9. International Data Transfers

Boostary is based in the United States, and the majority of our systems and data storage are located in the U.S. If you are accessing the Service from outside the United States, please be aware that your personal information will likely be transferred to, stored in, and processed in the United States (and possibly other countries where we or our service providers operate). The data protection and privacy laws in these countries – including the U.S. – may be different from, and in some cases less protective than, the laws of your country of residence.

However, we take steps to ensure that your personal information is given an adequate level of protection no matter where it is processed. If you are located in the European Economic Area (EEA), United Kingdom, Switzerland, or other regions with data transfer restrictions, we rely on approved legal mechanisms to transfer data internationally. This typically means:

We implement Standard Contractual Clauses (SCCs) or equivalent contractual safeguards in our agreements with service providers who may receive personal data outside of the EEA/UK. These clauses are EU-approved provisions that legally bind the recipient to protect the data to EU standards. For example, our contracts with cloud hosting providers or Stripe include commitments via SCCs (or similar frameworks) to safeguard personal data during transfer and processing.
We also rely on the necessity of data transfer for the performance of our contract with you. When you sign up for Boostary (a U.S.-based service) and use it from outside the U.S., the transfer of your data to the U.S. is often inherently necessary to provide the service you requested. For instance, if you’re in Europe and using Boostary’s platform hosted in the U.S., sending your data to our servers is required for the service to function.
In some cases, we may rely on your consent for certain cross-border transfers, though generally our other measures cover it. If none of the standard mechanisms apply and we still need to transfer data, we would request your consent explicitly.

For users outside the EEA/UK, by using our Service or providing information to us, you acknowledge and consent that your information may be transferred to the U.S. or other jurisdictions as necessary for the reasons described in this Policy. We will protect that information as described herein, regardless of where it is processed.

We implement internal policies and safeguards to ensure that when your data is transferred internationally, it remains secure and handled in accordance with this Privacy Policy. This includes limiting access to personal data to those who need it for the tasks described, and ensuring that those individuals understand their responsibilities to protect the data (through training and confidentiality obligations).

If you have questions about our international data practices or need more information about the specific safeguards we use for cross-border data transfers, you can contact us (see Section 16). We understand this can be a complex area, and we’re happy to provide additional details relevant to your location.
10. Data Retention

We retain personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. The duration for which we keep different categories of data can vary based on legal, operational, and business needs:

Account Information: We keep your basic account information (like your name and email) for as long as your account is active. If you choose to delete your account or request its deletion, or if we need to close your account (for example, due to prolonged inactivity or a violation), we will initiate the deletion of your personal information from our active databases. However, we may retain certain information in backups or archives for a period of time (see “Backup Copies” below), and we might retain data if necessary for legal compliance (see examples below).
Campaign Data & Communications: Records of the campaigns you participate in (including campaign details, messages, and associated timestamps) are generally retained while your account is active, so that you and the other party have a history to reference. This is useful for transparency and for any potential follow-up (like questions about past work). If you delete your account, our policy is to either delete or anonymize personal data associated with your past campaigns and communications, unless we have a specific reason to retain it. Specific reasons might include ongoing legal obligations or legitimate interests. For example, if a particular campaign was subject to a dispute that resulted in action (say, an Influencer was removed for breach of terms), we might retain the dispute records even after account deletion to maintain an audit trail of enforcement actions (this would be based on our legitimate interest in preserving the integrity of the platform and possibly for legal defense). In such cases, we would retain only what is necessary (e.g. a record that “User X was banned on DATE for REASON” along with supporting evidence) and only for as long as necessary (e.g. for the statute of limitations for claims, or a set policy period).
Payment and Financial Records: We keep transaction-related records and metadata for at least the minimum period required by financial regulations and tax laws. For instance, in the United States, accounting and tax rules often require businesses to retain records of payments and transactions for a number of years (commonly 7 years for tax audit purposes). Therefore, details like campaign payment amounts, payout records, and fee calculations may be retained for such periods. These records typically contain minimal personal data – mostly they link amounts to user identifiers and dates – but they may be necessary to demonstrate compliance with tax and financial obligations. We also might keep them in case of financial disputes or chargebacks that can arise even months after a transaction. Rest assured, we secure these records and limit access, treating them with the same care as other personal data.
Technical Logs: Our security and system logs (including IP address logs, device information, login/logout timestamps, etc.) are retained for limited periods. We generally keep raw log data for a few months (e.g. 90 days) by default, unless a particular log is actively needed for an investigation or to support an ongoing issue. We periodically purge or anonymize old logs that are no longer necessary. For example, web server logs might be automatically deleted or rotated after a set time frame. In cases where logs are retained longer for analysis or security (like investigating a security incident), we would continue to protect them and only keep them for as long as the investigation or relevant need continues.
Backup Copies: Like many services, Boostary performs routine backups of its databases and systems to prevent data loss. These backups are stored securely (often encrypted) and are kept for a finite period according to a rolling backup schedule. For example, we might keep daily backups for the past 7 days, weekly backups for a few weeks, and monthly backups for a few months, after which older backups are overwritten or deleted. If you request deletion of your data or delete your account, we will remove your data from our active databases promptly. However, that data might remain in our encrypted backups until those backups reach their expiration and are overwritten. During that interim, your data isn’t readily accessible and we would only restore from a backup in exceptional circumstances (like a major system recovery). We have strict access controls on backups, so any personal data contained in them is protected and not used for any active purpose while in storage. Essentially, backups are a safety net, and any personal data within them exists passively until the backups are deleted in due course.
Anonymized or Aggregated Data: In some cases, we may transform your personal data into an anonymized or aggregated form for analytical or statistical purposes. For example, we might compile statistics like the total number of campaigns completed each month, the average campaign budget, or overall platform growth metrics that do not identify any individual user. We may retain such aggregated data indefinitely, since it no longer contains personal data and cannot be used to identify you. This kind of data helps us understand trends and improve our service at a macro level without impacting individual privacy.

When we no longer have a legitimate need or legal obligation to keep your personal information, we will securely delete or anonymize it. If erasure is not immediately feasible (for example, because the data is stored in a backup that will be overwritten later), we will ensure the data is isolated from any further active use until deletion is possible. We periodically review the data we hold to ensure we’re not keeping things longer than necessary.
Please note that since Boostary is in an Early Access phase, our data retention practices might evolve as we refine our operations. If we decide to adjust any retention periods (for instance, keeping certain data longer for user convenience or deleting some data sooner to minimize storage), we will do so in compliance with applicable laws, and we will update this Privacy Policy to reflect any significant changes. Any extension of retention for personal data will have a justified reason (like compliance or improved service continuity) and, if significant, will be communicated to users.

11. User Rights (US and EU)

Depending on where you reside, you may have certain rights regarding your personal information. Boostary is committed to honoring the rights of users under applicable data protection laws, such as the EU General Data Protection Regulation (GDPR) for European users and the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) for California residents. Even if you do not reside in those jurisdictions, we aim to provide transparency and control over your data in line with these principles, within the bounds of our ability.

Rights for EU/EEA, UK, and Similar Jurisdictions: If you are located in the European Union, European Economic Area, United Kingdom, or other jurisdictions with similar data protection laws, you have the following rights (subject to certain conditions and legal exceptions):

Right to Access: You have the right to request a copy of the personal data we hold about you, as well as information about how we process it. This includes confirming whether we’re processing your data, the categories of data, the purposes of processing, and the recipients to whom the data has been disclosed. We will provide this information in a concise, transparent manner. (In practice, much of your basic info is available in your account settings, but you can formally request a comprehensive record as well.)
Right to Rectification: If any personal information we have about you is inaccurate or incomplete, you have the right to request that we correct or update it. For example, if your email address or name has changed, you can update it in your account profile or ask us to change it. We strive to keep your data accurate and will make corrections promptly upon verification.
Right to Erasure: You have the right to request deletion of your personal data in certain circumstances, often referred to as the “right to be forgotten.” Upon your request, we will delete your personal data without undue delay if: the data is no longer needed for the purposes it was collected; you withdraw consent (and consent was the basis for processing); you object to processing and we have no overriding legitimate grounds; or the data was processed unlawfully; or erasure is required to comply with a legal obligation. Keep in mind, this right has exceptions – for instance, we might retain certain information if required by law (see Data Retention in Section 10). If we cannot delete all your data (e.g. due to a legal requirement), we will inform you of what we must retain and why.
Right to Restrict Processing: You have the right to ask us to limit the processing of your personal data under certain conditions. This could apply if you contest the accuracy of the data (for a period allowing us to verify it), or if you believe the processing is unlawful but you prefer restriction over deletion, or if we no longer need the data but you need it for a legal claim, or if you have objected to processing and verification of our legitimate interests is pending. When processing is restricted, we will store your data but not actively use it until the issue is resolved (except for storing it or as needed for legal claims, etc.).
Right to Data Portability: To the extent applicable (typically where processing is based on your consent or on a contract and done by automated means), you have the right to receive the personal data you provided to us in a structured, commonly used, machine-readable format, and the right to transmit that data to another service provider. In simpler terms, you can ask for an export of your data and, if technically feasible, we will transfer it directly to another service at your direction. This right only covers information you provided directly (e.g. your profile info, communications) and not any derived data.
Right to Object: You have the right to object to certain types of processing of your personal data when that processing is based on legitimate interests. If you object, we will review whether our legitimate grounds override your rights and freedoms. If they do not, we will cease that processing for your data. You also have an absolute right to object to any processing of your data for direct marketing purposes. Note: Boostary does not use your data for direct marketing (we send no ads or promotional emails), so this is largely not applicable except in a hypothetical future marketing scenario. We also currently do not do any automated decision-making that would trigger a right to human review (see above in “No Marketing or Profiling”).

If you are an EU/EEA/UK user and wish to exercise any of these rights, please contact us (see Section 16 for how to reach us). We may need to verify your identity before fulfilling the request (for example, by confirming you control the email associated with your account) to ensure we don’t give your data to an impostor. We will respond to your request within the timeframe required by law – typically within one month for GDPR, which can be extended by an additional two months for complex requests (if extended, we will inform you of the reason and timeframe). There is generally no fee for exercising these rights, unless requests become excessive or repetitive, in which case a reasonable fee may apply as allowed by law.

Additionally, EU/EEA/UK individuals have the right to lodge a complaint with their local data protection supervisory authority if they believe we have infringed their data protection rights. For example, in the UK this is the ICO, and in each EU country there is a national or regional DPA. We encourage you to reach out to us first so we can address your concerns directly, but you do have this option.

Rights for California (CCPA/CPRA) and Other U.S. States: If you are a California resident, you have specific rights under the CCPA (as amended by the CPRA), and similarly residents of other states like Colorado, Virginia, Connecticut, and Utah have comparable rights under their new privacy laws (in effect or coming into effect in 2025). We outline the core California rights here, which we also extend in spirit to users from other U.S. states where applicable:

Right to Know (Access): You have the right to request that we disclose the personal information we have collected about you and how we have used and shared it. This includes the categories of personal information collected, the categories of sources of that information, the business or commercial purpose for collecting (or selling/sharing, if applicable) the information, the categories of third parties to whom we disclose personal information, and the specific pieces of personal information we hold about you. Essentially, it’s a California-flavored version of the access right described above, with some specific categorizations defined by law. We provide much of this information in this Privacy Policy itself (see the section mapping CCPA categories below), but you can also request a more tailored report.
Right to Delete: You can request that we delete personal information we have collected from you (and direct our service providers to do the same), with certain exceptions. Upon a verifiable deletion request, we will delete the information we hold about you from our active systems and instruct our service providers to do so as well, unless an exception applies. Exceptions under CCPA/CPRA include situations where the information is necessary to complete a transaction or provide a service you requested, to detect security incidents, to exercise free speech or other rights, to comply with a legal obligation, or for certain internal uses that are compatible with the context in which you provided the information. We will inform you if any such exception applies when you request deletion.
Right to Correct: You have the right to request correction of inaccurate personal information that we maintain about you. If you find that certain information associated with your account is incorrect, you can contact us to correct it (or often correct it yourself in your account settings). We will take into account the nature of the information and the purposes of processing when determining how to address the request, and we’ll make corrections as needed or provide an explanation if we cannot fulfill a specific request.
Right to Opt-Out of “Sale” or “Sharing” of Personal Information: Important: Boostary does not sell personal information to third parties for money, and we do not share personal information for cross-context behavioral advertising (which is what “sharing” means under CPRA). In other words, we do not exchange your data for monetary value, nor do we disclose it to advertising networks or data brokers in a manner considered a sale or targeted advertising. Therefore, there is no need for an opt-out in our current practices, because we don’t engage in those activities. If our practices change in the future such that a sale or sharing of personal data (as defined by California law) would occur, we will update this policy and provide a clear mechanism for you to opt out (for instance, a “Do Not Sell or Share My Personal Information” link). But again, we have no such arrangements at this time and no plans for them, so this is largely a precautionary statement.
Right to Limit Use of Sensitive Personal Information: CPRA introduces a right to limit the use and disclosure of “sensitive personal information” (SPI) if a business uses SPI for purposes beyond what is “necessary and proportionate” to provide the requested services. SPI under CPRA includes things like precise geolocation, social security number, driver’s license number, financial account info, racial or ethnic origin, etc. Boostary’s collection of anything that could be considered SPI is extremely limited – perhaps the only SPI we indirectly handle is through Stripe’s collection of government IDs for verification or tax IDs for payouts, which is used strictly for mandated verification and payments, not for inferring characteristics or advertising. We do not use or disclose sensitive info for any purpose that would trigger the right to limit (we don’t use it to infer traits or serve ads). Therefore, this right doesn’t materially apply to Boostary’s current practices. If that ever changes (unlikely, given our business model), we will implement a mechanism to honor the limitation of use of SPI.
Right of Non-Discrimination: We will not discriminate against you for exercising any of your rights under applicable privacy laws. That means if you choose to exercise your privacy rights (accessing data, deleting data, etc.), we will not deny you our services, charge you a different price, or provide a lower quality of service just because of that choice. Do note, however, that if the exercise of your rights renders us unable to provide certain services (for instance, if you request deletion of all your data, we can’t very well continue providing the service since it relies on your data), that outcome is a natural consequence and not a form of punishment or discrimination. We will always explain any impact that a deletion or restriction request might have on your use of Boostary so you can make an informed decision.

If you are a California resident (or a resident of another state with similar rights) and you’d like to exercise any of these rights, you (or your authorized agent) can contact us through the methods listed in Section 16 (e.g. via our privacy email address). For opt-out requests that might be needed in the future, we will provide a dedicated “Do Not Sell/Share” link or setting, but as noted, that’s not applicable currently since we have no such data sharing.

When you make a request, we will take steps to verify your identity to ensure it’s really you (or your authorized agent) making the request. This might involve asking you to log in, or to provide information that we can match against our records. If you use an authorized agent to submit a request, we will require proof that the agent is authorized (such as a signed permission from you or power of attorney) and we may still verify your identity directly as well, as required by law.

For transparency, here is a summary of the categories of personal information (as defined by the CCPA) that Boostary collects and the purposes for which we use them, as of the date of this Privacy Policy:

Identifiers: Examples include real name, alias/display name, email address, IP address, account ID/username, or other similar identifiers. We collect these (directly from you or generated through your use of the service) to provide the Service and for the purposes described (account setup, communication, security, transactions). We disclose identifiers to service providers for business purposes (e.g., email address to our email provider, user ID and email to Stripe, etc.), but we do not sell or share these identifiers for advertising.
Personal information categories from Cal. Civ. Code §1798.80(e): This category includes contact information, financial information, and some identifiers. In Boostary’s context, the financial information (payment card details, bank info) is collected by Stripe, not directly by Boostary. Boostary itself collects very limited financial-related info (just transaction records and last4 of cards as relayed by Stripe if we display a saved method). We do not collect driver’s license numbers or similar info. We do not sell or share this information.
Characteristics of protected classifications (under California or federal law): Examples include race, ethnicity, gender, religion, etc. We do not collect this information and have no need for it in our Service.
Commercial information: This includes records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. For Boostary, this would translate to your transaction histories on the platform (campaigns created, accepted, completed, amounts transacted). Yes, we collect and maintain records of campaigns and transactions as part of providing the service. We use this information to facilitate and document the collaborations (essentially the “services purchased” on the platform). We disclose necessary parts of this information to service providers like Stripe (to process payments) and store it for our records. We do not sell or share this data outside of those service needs.
Biometric information: Boostary does not collect biometric identifiers or biometric information. (If Stripe collects biometric data such as a facial recognition for KYC, that is done under Stripe’s system and not provided to us).
Internet or other electronic network activity information: This includes browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement. In our case, we collect usage logs and technical data about interactions within our Service (see Logs and Technical Data in Section 3), such as login times, page navigation on our platform, etc.. We do not track your browsing outside of our platform. The data we collect is used for security, functionality, and improving the service (e.g., troubleshooting, preventing fraud). We might disclose some identifiers like IP to service providers (hosting or security services) or to law enforcement if needed for security issues, but we do not share this data for advertising. We do not treat this data as “sold” or “shared” as it is only used internally or for service provision.
Geolocation data: We do not collect precise geolocation (like GPS coordinates). We may infer approximate location (city, region, country) from your IP address for security purposes (e.g., alerting you to a login from a new location), but we don’t store or use location data beyond that general security context.
Sensory data: We do not collect audio, electronic, visual, thermal, olfactory, or similar sensory information. (For example, we don’t record phone calls or video meetings – in fact, our platform’s communications are text-based. If any video content is produced, it’s not uploaded to us, and we don’t capture any video/audio streams of users.)
Professional or employment-related information: We do not require or collect info about your professional background or employment, unless you voluntarily included something on your profile or in a campaign description. Our platform is more about content collaboration than resumes, so this is generally not collected in any structured way.
Education information: We do not collect educational records or information about education history.
Inferences drawn from other personal information: We do not create or derive profiles about users’ preferences, characteristics, psychological trends, etc., beyond what is necessary to operate the platform. We don’t do things like user segmentation for marketing or inferring your interests for advertising – none of that is happening with Boostary data.

This mapping is provided to give you a clear picture of how CCPA categories align with our data practices. If you need additional information or clarification on any of these points, please reach out to us.

12. Children’s Data

Boostary is not intended for use by children or anyone under the age of 13. Our platform and services are designed for adults (and young adults) such as professionals, independent artists, and creators who can enter into contracts and potentially earn money from collaborations. We do not knowingly collect personal information from anyone under 13 years of age, and individuals under 13 are not permitted to use Boostary.

Additionally, because our Service involves entering into contractual agreements and financial transactions, it is generally targeted to adults (typically 18 years or older, or the age of majority in your jurisdiction). We understand that in some cases minors between 13 and 17 might be interested in such platforms, but as a general rule, Boostary’s Early Access program and current service is not open to minors under 18. If you are under 18, you should only use Boostary with involvement and consent of a parent or legal guardian, and only if such use is allowed by the laws of your jurisdiction. (We reserve the right to prohibit use by minors entirely, given the nature of our platform, but at minimum those under 18 need guardian consent.)

If we become aware that we have inadvertently collected personal data from a child under 13 (or under the applicable minimum age in other jurisdictions, which may be 16 in some regions for certain data laws, without parental consent), we will take prompt steps to delete that information from our records. For example, if a 12-year-old somehow registered by misrepresenting their age and we later discover this (through a support query or verification failure), we will deactivate the account and remove any personal data associated with it as quickly as possible.

Parents or Guardians: If you discover that your child under the relevant age has created a Boostary account or provided us with personal information without your consent, please contact us immediately (see Section 16 for how to contact us). We will work with you to investigate and promptly delete any personal data for that child, and to terminate the child’s account if one exists. We may ask for proof of your relationship to the child to ensure we are communicating with the correct person regarding the deletion request.
We comply with the U.S. Children’s Online Privacy Protection Act (COPPA) and similar international laws aimed at protecting children’s privacy. As part of this compliance, we intentionally design our sign-up process and platform features to not solicit information from children. We also do not display content categories or run marketing campaigns aimed at children. By minimizing data collection in general and restricting youth access, we reduce the likelihood of handling any children’s data.

13. Security

We take the security of our users’ personal information very seriously. Boostary implements a variety of technical and organizational measures to protect your data from unauthorized access, use, disclosure, or destruction. Some of the key security practices we follow are:

Encryption: We use industry-standard encryption protocols (such as TLS/SSL) to secure data in transit between your device and our servers. This means that when you enter personal information on our site or app (for example, logging in with your password, or sending a message through Boostary), that data is encrypted while it travels over the internet so that it cannot be easily intercepted by attackers. Similarly, sensitive interactions like entering payment information are done through Stripe’s secure frames which are also encrypted. We also encrypt sensitive data at rest where appropriate. For instance, passwords are never stored in plaintext – they are hashed and salted using strong cryptographic algorithms. Any sensitive configuration secrets (like API keys or encryption keys we use) are stored securely with restricted access.
Access Controls: We limit access to personal data to only those Boostary employees, contractors, or agents who need that access to perform their job duties. For example, our support or trust & safety team might have access to user account information and communications if needed for helping users or resolving disputes, but a developer working on a UI feature might not need any access to production user data. We enforce role-based access controls and principles of least privilege, meaning each team member has the minimum access necessary. Access to sensitive systems requires authentication (and we use measures like two-factor authentication for administrative access to our databases, servers, or backend systems). We also maintain an access log and monitor for any unusual access patterns internally.
Secure Development Practices: We follow secure coding and development practices. This includes regular code reviews (to catch security issues in code), using up-to-date libraries and frameworks (and quickly applying security patches for any third-party components we use), and performing dependency vulnerability scans. We also may engage in periodic penetration testing or security audits by external experts, especially as we grow beyond Early Access. Any findings from such tests are addressed with high priority. Our infrastructure is configured following security best practices (for instance, firewalls are in place to limit access to databases, we use network segmentation, etc.). We also employ continuous monitoring to detect potential intrusions or anomalies at an early stage.
Incident Response: We have a process in place to handle any suspected data breaches or security incidents. This includes procedures for immediate investigation, mitigation steps to contain any issues, and remediation actions to prevent future incidents. If a data breach were to occur that affects personal information, we will promptly inform affected users and the relevant authorities as required by law. We train our team on how to respond to security incidents, including how to escalate internally and communicate externally in a responsible way.
User Responsibilities: We also remind you that security is a partnership between Boostary and our users. We encourage you to take steps to protect your own account security. This includes using a strong, unique password for your Boostary account (avoiding passwords you’ve used on other services), and keeping your login credentials confidential. We will never ask you for your password via email or unsolicited communication. If you suspect any unauthorized access to your account or notice any abnormal activity (such as login alerts from unknown devices, or strange emails that appear to come from us), please notify us immediately. We can assist in securing your account (for example, by helping you reset your password or reviewing account access logs) and investigate any potential breach. Additionally, enabling two-factor authentication (if available) adds an extra layer of security to your account.

Despite all the measures we and our service providers take, no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, we cannot guarantee absolute security of your information. However, we strive to use commercially reasonable and industry best practices to protect your personal data. In the unlikely event of a data breach that poses a high risk to your rights and freedoms, we will promptly inform you and the appropriate supervisory authorities as required by law.

By using Boostary, you acknowledge that you understand the inherent risks of online services. We continuously evolve our security practices and will update this Policy or provide additional notice if our security measures materially change. We appreciate your trust and are committed to keeping that trust by vigilantly safeguarding your data.

14. Early Access Disclaimer

Boostary is currently offered as an Early Access platform. This means the Service is in a pre-launch or beta stage where features, infrastructure, and policies are still being refined. We want to be transparent about how this Early Access status might affect your data and privacy:

Limited Scale: During Early Access, the number of users and campaigns is limited. With a smaller community, we often take a more hands-on approach to support and moderation. This can actually enhance privacy in some ways (fewer people with access, more direct oversight). However, as we scale up after Early Access, data volumes will grow and our processes might evolve (always with privacy as a priority). At the Early Access stage, it’s easier for us to monitor systems and catch issues quickly due to the limited scale.
Evolving Features: Because the platform is under active development, we may introduce new features or change how existing features work. Some of these changes could affect how we process data. For example, if we later add an in-app review system for completed campaigns, or a profile “bio” section, or push notification features, those would involve collecting and displaying new types of information (like review text, or additional profile info, or device push tokens). Rest assured, we will not expand our data collection or usage in a way that materially reduces your privacy protections without updating this Privacy Policy and, if required, obtaining your consent. Early Access is a learning period for us, but it does not mean we can neglect privacy rules – we are compliant with laws like GDPR and CCPA from day one. Any optional features introduced (such as in-app analytics to improve user experience, or push notifications to enhance communication) will be clearly disclosed, and you will have choice or consent mechanisms as applicable. We consider privacy implications in every new feature and build safeguards accordingly.
Bugs and Issues: Early Access software may have bugs or inconsistencies. While we do our best to avoid problems, there is a small chance that a software bug could inadvertently affect privacy. For example, a bug might temporarily expose information in a way not intended (perhaps a UI glitch that shows you some data from another user’s account, or an email notification that is misrouted). We have processes to quickly identify, investigate, and fix such issues. If any significant privacy-related bug occurs, we will be transparent about it and inform affected users and (if needed) regulators. We appreciate the understanding and feedback from our Early Access users – if you notice something that doesn’t look right or might be a security/privacy bug, please report it to us immediately. Your feedback during this phase helps us improve and ensures these issues don’t persist.
User Feedback: As part of Early Access, we may occasionally reach out to you for feedback or to participate in surveys about your experience. Providing feedback is optional, but highly appreciated. Any feedback you provide (including suggestions, bug reports, or usage insights) will be used solely to improve Boostary. We will handle any personal data in feedback in line with this Privacy Policy. If we email you or message you in-app for feedback, these communications are considered service-related (not marketing) because they are meant to help us improve the service you’re using. Of course, you can ignore or opt out of feedback requests, and we’ll respect that.
No Waiver of Rights: Our Erly Access status is not a waiver of any user privacy rights or our obligations. We still abide by all relevant privacy regulations and best practices. The Early Access disclaimer is simply a recognition that the platform is new and subject to change. We encourage you to periodically review this Privacy Policy during the Early Access period because we will update it as needed to reflect the true state of our data practices (with “Last Updated” dates to indicate changes). If we make material changes, we will notify Early Access users through the usual channels.

In summary, even though Boostary is in Early Access, we treat your personal data with the same care and security as if we were fully launched. Early Access is a time for us to fine-tune the product, and privacy is an integral part of that process. Any material changes to how we handle data will be communicated to you, and you will always have the choice to stop using the platform if you disagree with new practices (though we hope to always meet your expectations and even exceed them when it comes to privacy and security).

Thank you for being an Early Access user of Boostary and for trusting us with your information. We are committed to proving that your trust is well-placed.

15. Changes to This Policy

We may update or revise this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will take appropriate steps to inform you:

We will post the updated Privacy Policy on our website (and within the app, if applicable) with a new “Last Updated” date so you can see that it has changed. You should check this page periodically to review any changes.
If there are material changes – for example, if we start collecting new types of personal data or begin using existing data for new purposes that would significantly affect your rights – we will provide a more prominent notice or communication. This could include sending an email to the address associated with your account and/or providing an in-app notification about the change. In some cases, if required by law or if the change is especially significant, we might also seek your consent (or give you the opportunity to opt in or out) before the change becomes effective.
We will keep prior versions of this Privacy Policy available (for example, in an archive or upon request) so that you can see how our practices have evolved over time. We believe in transparency, so if you’re curious about what changed, you can compare the versions or ask us for a summary of changes.

Your continued use of Boostary after any changes to this Privacy Policy signifies your acceptance of the revised terms, to the extent allowed by law. However, if a change involves a new processing activity that by law requires your consent, we will obtain that consent explicitly. We do not want to “surprise” you with data uses – any major shift will involve communication and choice.
If you do not agree with the changes to the Privacy Policy, you should discontinue use of the platform and, if you wish, delete or deactivate your account before the new policy takes effect. We will always note the effective date of the latest version of the Policy at the bottom of this document for clarity.

16. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please do not hesitate to contact us. We are here to help and are committed to addressing any privacy-related inquiries you may have.

You can reach the Boostary team in the following ways:

Email: info@boostary.app – This is our dedicated email address for privacy inquiries. You can email us here for things like data access requests, deletion requests, questions about your data, or any other concerns related to privacy. We may need to verify your identity if you are making a request to exercise your rights (for example, by confirming you control the account’s email).
Postal Mail: Boostary LLC, Attn: Privacy Team, 46 NE 162nd St, Miami, FL 33162, USA – You can send us mail at this address (please use the attention line to direct it to our privacy team).

We will respond to legitimate inquiries as promptly as possible, and in any event within the timeframes set by applicable law. If your request or question is complex or might take some time to resolve, we will let you know that we received it and provide an estimated timeline for our response.

We value your privacy and feedback. Thank you for taking the time to read our Privacy Policy. Your trust in Boostary is important to us, and we are dedicated to keeping your information safe and handling it with the utmost care and respect.

Last Updated: February 4, 2026 (Effective Date)

Producers: Typically artists, brands, or clients who initiate a campaign by setting requirements, deadlines, and a budget for a content collaboration.

Influencers: Content creators who accept a Producer’s campaign and create the agreed content (e.g. social media posts or videos) according to the campaign brief.

Device and Browser Information: We log the type of device you use (mobile, desktop, etc.), your operating system, browser type, and version.

In some cases, we may rely on your consent for certain cross-border transfers, though generally our other measures cover it. If none of the standard mechanisms apply and we still need to transfer data, we would request your consent explicitly.

Characteristics of protected classifications (under California or federal law): Examples include race, ethnicity, gender, religion, etc. We do not collect this information and have no need for it in our Service.

Biometric information: Boostary does not collect biometric identifiers or biometric information. (If Stripe collects biometric data such as a facial recognition for KYC, that is done under Stripe’s system and not provided to us).

Education information: We do not collect educational records or information about education history.

We will post the updated Privacy Policy on our website (and within the app, if applicable) with a new “Last Updated” date so you can see that it has changed. You should check this page periodically to review any changes.

Postal Mail: Boostary LLC, Attn: Privacy Team, 46 NE 162nd St, Miami, FL 33162, USA – You can send us mail at this address (please use the attention line to direct it to our privacy team).

Boostary Terms of Service