Pactly

Privacy Policy

Last updated: April 27, 2026 — Version 2.1

1. Introduction

Pactly, Inc., a Delaware corporation, with registered offices at 131 Continental Dr, Suite 305, Newark, Delaware 19713, United States ("Pactly") is committed to protecting its users' privacy. This Policy describes how we collect, use, store, and protect your personal information when you use our Platform.

By using Pactly, you accept the practices described in this Policy.

2. Data we collect

2.1 Data you provide directly

Creator account:

  • Full name and handle.
  • Email and password (hashed).
  • Bio and avatar.
  • Declared and verified social networks.
  • Location (city, country).
  • Stripe account information (managed by Stripe, not stored by Pactly).

Buyer account:

  • Full name.
  • Email (authentication primarily via magic link; Creators use email and password).
  • Brand name and website.
  • Billing data (managed by Stripe, not stored by Pactly).

Guest purchase (no account):

  • Email and name for identification.
  • JWT tracking token sent to email.
  • Payment data (managed by Stripe).

Generated content:

  • Briefs, messages, publication evidence.
  • Publication screenshots and content URLs.
  • Reports about other users.
  • Support tickets.

2.2 Automatically collected data

  • IP address (hashed for privacy).
  • User agent (browser, operating system).
  • Preferred language.
  • Visited pages and performed actions.
  • Session date and time.
  • Device identifiers for security.

2.3 Third-party data

  • Payment data (from Stripe — not stored by Pactly).
  • Social verification data (from declared social network APIs).
  • Advertising campaign data (from Meta and Google Ads, only with user consent).

3. How we use your data

We use your data to:

  • Process Orders, payments, and payouts.
  • Verify Brief fulfillment.
  • Send transactional notifications (confirmations, status alerts).
  • Prevent fraud and ensure Platform security.
  • Comply with legal and tax obligations.
  • Improve the Platform via aggregate analysis (not individually identifiable).
  • Measure advertising campaign effectiveness (only with consent).
  • Send promotional communications (only with explicit consent).

4. Cookies and similar technologies

4.1 Essential cookies (always active)

No consent required. Necessary for basic functionality.

  • sb-[project]-auth-token (Supabase) — User session. Duration: browser session.
  • sb-refresh-token (Supabase) — Session renewal. Duration: 7 days.
  • locale (Pactly) — Preferred language. Duration: 1 year.
  • referral_code (Pactly) — Referral tracking. Duration: 30 days.
  • invited_by (Pactly) — Buyer→creator invitation. Duration: 30 days.
  • cookie_consent (Pactly) — Cookie preferences. Duration: 6 months.

4.2 Analytics cookies (require consent)

Help us understand aggregate Platform usage. Do not identify users personally.

  • sentry-* (Sentry) — Technical error tracking. Duration: session.
  • _ga, _ga_* (Google Analytics) — Aggregate usage metrics. Duration: 2 years.
  • _va_session (Vercel) — Aggregate metrics. Duration: 24 hours.
  • _va_id (Vercel) — Anonymous identifier. Duration: 1 year.

4.3 Marketing cookies (require consent)

Will be activated with the cookie consent system. Used to measure advertising campaign effectiveness and show relevant content on third-party platforms.

  • _fbp (Meta) — Meta Pixel identifier. Duration: 90 days.
  • _fbc (Meta) — Meta ads click ID. Duration: 90 days.
  • _gcl_au (Google) — Google Ads identifier. Duration: 90 days.
  • _gcl_aw (Google) — Google Ads conversions. Duration: 90 days.

4.4 Consent management

The user can change their preferences at any time from the "Cookies" link in the footer or from Settings → Privacy and Cookies (in authenticated accounts). Optional cookies are not loaded until explicit consent is granted.

5. Sharing data with third parties

We do NOT sell personal data to third parties. We share data only with the following service providers necessary to operate the Platform.

5.1 Essential subprocessors

  • Stripe, Inc. (United States) — payment processing. Data: email, name, banking data (managed by Stripe).
  • Supabase, Inc. (United States) — database and authentication. Data: all account data.
  • Resend (United States) — transactional emails. Data: email, name, notification content.
  • Vercel, Inc. (United States / global) — hosting. Data: IPs, access logs.
  • Upstash (United States) — rate limiting and cache. Data: IPs, sessions.
  • Sentry (United States) — error monitoring. Data: hashed IPs, user agents, technical errors.
  • Anthropic PBC (United States) — AI-assisted verification of submitted media (Claude Vision API). Data: account verification screenshots, declared handle, verification code. Images are processed in transit and not retained by Anthropic beyond the time required to return the analysis result. Subject to Anthropic's Privacy Policy and Commercial Terms.

5.2 Automated decision-making (GDPR Article 22)

Pactly may use automated systems (including AI-assisted analysis of verification screenshots) to make initial decisions about the verification status of social network accounts. These decisions can result in automatic approval (high confidence), referral for manual human review (medium confidence), or rejection with the option to retry (low confidence). You always have the right to human review of any automated decision: any rejection or referral for review is subject to admin review of the underlying evidence, and you may contact privacy@pactly.io to request explicit human reconsideration.

5.3 Marketing subprocessors (with consent)

  • Meta Platforms, Inc. (United States) — advertising pixel. Data: hashed emails, conversion events. Enabled after consent.
  • Google LLC (United States) — Google Analytics and Google Ads. Data: anonymous IDs, hashed emails, conversion events. Google Ads requires consent.

5.4 Data shared with Stripe

We share with Stripe the data necessary to process transactions and comply with financial regulations: full name, email address, IP address, transaction data (amounts, dates, service description), and for Creators receiving payments, identity verification and bank account data. Stripe processes this data in accordance with its Privacy Policy.

5.5 Legal disclosure

We may share data when legally required by:

  • Judicial or administrative authorities (with valid order).
  • Compliance with tax or regulatory obligations.
  • Protection of Pactly's or its users' rights, safety, or property.

6. International data transfers

Pactly, Inc. is incorporated in the United States. By using our services, your personal data may be transferred and processed in the United States, where data protection laws different from those in your country of residence may apply.

For users in the European Economic Area (EEA) and United Kingdom: data transfer is carried out in accordance with the Standard Contractual Clauses (SCCs) approved by the European Commission and adequacy decisions when applicable.

For Brazilian users: data processing is carried out in accordance with the Lei Geral de Proteção de Dados (LGPD). You have the rights provided for in articles 17 and 18 of the LGPD.

For Mexican users: data processing is carried out in accordance with the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP).

By registering with Pactly, you consent to the transfer and processing of your data in the United States under the safeguards described herein.

7. Data security

We implement technical and organizational measures to protect your data:

  • Encryption in transit (TLS 1.3).
  • Encryption at rest (database).
  • Row Level Security (RLS) in the database.
  • Authentication with secure hashing.
  • Rate limiting on critical endpoints.
  • Active security monitoring.
  • Restricted access to sensitive data (principle of least privilege).
  • Payment data processed exclusively by Stripe (PCI DSS Level 1 certification).

If a security breach affects your personal data and poses a high risk to your rights and freedoms, we will notify you without undue delay (within 72 hours where technically feasible), in accordance with GDPR Article 34. The notification will include the nature of the breach, the likely consequences, and the measures taken to mitigate them. We will also notify the competent supervisory authorities within 72 hours under GDPR Article 33.

8. Data retention

We retain your data for the following periods:

  • Active account: while you use Pactly.
  • Post-account closure: 7 years for tax and financial records (legal requirement).
  • Resolved disputes: 5 years.
  • Support tickets: 2 years.
  • Access logs: 90 days.
  • Analytics and marketing cookies: per Section 4.
  • Marketing communications: until consent is withdrawn.

9. Your rights

You have the right to:

  • Access: request a copy of your personal data.
  • Rectification: correct inaccurate data. Most information can be edited from Settings.
  • Erasure: request deletion (right to be forgotten).
  • Portability: receive your data in a structured format (JSON or CSV).
  • Objection: object to processing based on legitimate interest.
  • Restriction: limit the use of data in specific cases.
  • Withdrawal of consent: revoke previously granted consent.
  • Non-discrimination: not be penalized for exercising your rights.

9.1 How to exercise your rights

We will respond within a maximum of 30 days. Note: completed transaction data is retained for legal and tax obligations for the period required by law.

10. California residents (CCPA)

California residents (U.S.) have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to know what personal information we collect and how we use it.
  • Right to delete personal information we hold about you (subject to legal exceptions).
  • Right to correct inaccurate information.
  • Right to opt out of sale or sharing of personal information.

We do not sell your personal information. However, the use of marketing cookies (Meta Pixel, Google Ads) may qualify as "sharing for cross-context behavioral advertising" under CCPA.

To exercise your right to opt out of sharing information for advertising, use the "Do Not Sell My Info" link in the footer, manage your cookie preferences, or write to privacy@pactly.io.

We will not apply discriminatory treatment for exercising these rights.

11. Minors

Pactly is not directed at individuals under 18. We do not knowingly collect data from minors. If we detect a minor's account, we will proceed to close it immediately and delete the data.

If you are a parent or guardian and believe your child has provided us with data, contact us at privacy@pactly.io.

12. Links to external sites

Pactly contains links to third-party sites (social networks, payment processors, legal pages of providers). We are not responsible for the privacy practices of those sites. We recommend reviewing their policies.

13. Changes to this Policy

We may update this Policy occasionally. We will give notice of substantial changes at least 30 days in advance by email and Platform notice.

The last updated date and document version appear at the top of this page.

14. Contact

For questions about this Privacy Policy, exercising your rights, or reporting a concern:

For EU residents, you can contact our data protection representative at dpo@pactly.io.
