🚧 DRAFT — PENDING LAWYER REVIEW. Not legal advice. Last updated: 2026-05-10.

KOL Look Up — Privacy Policy (Draft v0)

KOL Look Up (“we”, “us”, “our”) provides a SaaS platform that produces brand-safety risk reports on Key Opinion Leaders (KOLs) using public digital footprint data. This Privacy Policy explains what data we collect, why, how we store it, and your rights.

This draft is written to comply with Taiwan Personal Data Protection Act (個人資料保護法 / PDPA), Mainland China Personal Information Protection Law (PIPL), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA / CPRA) at the visitor-data layer. A licensed attorney in Taiwan and Mainland China will review this document before paying-customer launch.

1. Who We Are

KOL Look Up is operated by [Legal Entity — TBD at Phase 2 GO]. Operating jurisdiction will be locked at the Phase 2 → 3 gate (current candidates: Taiwan, Hong Kong, Singapore).

Contact: privacy@kollookup.com (placeholder).

2. Two Categories of Data Subject

We treat visitors/customers and KOLs under different lawful bases.

2.1 Visitors and Paying Customers

People who land on our website, sign up, submit a lead form, book an interview, or pay for a report.

We collect, with your consent (account creation) or based on contractual necessity (delivering a paid report):

Name, email address, company, role
KOL collaboration frequency (self-reported)
Payment information (handled by Stripe; we do not store card numbers — Stripe is PCI-DSS Level 1)
IP address (for fraud and rate limiting)
Browser / device metadata (via Plausible analytics; cookieless)
Account activity logs (logins, scans requested, reports downloaded)

2.2 KOLs (Subjects of Reports)

People our customers ask us to produce a risk report about. KOLs do not sign up. We rely on legitimate interest as the lawful basis for processing their public information for the purpose of brand-safety analysis (analogous to journalism, due diligence, and background-check use cases).

For V0.1 we restrict ourselves to:

Public posts only on public platforms (no auth-walled content).
Public profile metadata (display name, bio, follower count, public-post counts).
Public comments made by the KOL on other public posts.
Content indexed by Google and content available via official platform APIs (YouTube Data API, etc.).
Archival snapshots of previously-public content (Wayback Machine, Google Cache).

We do not, in V0.1:

Bypass authentication walls.
Scrape Instagram, TikTok, or any other platform’s closed APIs.
Access private DMs, private accounts, or login-gated content.
Republish KOL content beyond what is necessary to evidence a flag in a report.

3. Why We Process Each Category (Lawful Basis)

Subject	Purpose	Lawful Basis (PDPA / PIPL / GDPR / CCPA)
Visitors	Account creation, communications	Consent + contract (Art. 6(1)(a)/(b) GDPR; PDPA §19/20; PIPL §13(1)(2))
Paying customers	Service delivery, billing, support	Contract (Art. 6(1)(b) GDPR)
Visitors	Anti-fraud, security	Legitimate interest (Art. 6(1)(f) GDPR)
KOLs	Brand-safety analysis on publicly available data	Legitimate interest (Art. 6(1)(f) GDPR; PDPA §19 specific-purpose; PIPL §13(1)(6) “publicly disclosed”)
Visitors / KOLs	Legal compliance (subpoena, takedown response)	Legal obligation (Art. 6(1)(c) GDPR)

We perform a documented Legitimate Interest Assessment (LIA) for the KOL processing layer and re-review it at every phase gate.

4. Retention

Data	Retention
Visitor account data	24 months from last login, then anonymized or deleted
Lead form submissions (no account)	12 months
Paid-report metadata (customer)	24 months from delivery
KOL scan raw data	90 days from scan completion, then auto-purged
Generated reports	90 days in customer dashboard, then archived for the customer’s records only (not used to train future scans)
Audit logs (legal compliance)	5 years (Taiwan tax + commercial-record requirements)
Stripe payment records	per Stripe retention policy + 7 years (TW tax law)

After 90 days, KOL scan raw data is hard-deleted from primary storage and from backups within 60 additional days (backup-rotation cycle).

5. KOL Takedown / Right of Review

Even though KOLs are not our customers, we recognize their rights as data subjects under PDPA, PIPL, GDPR, and CCPA.

A KOL (or their authorized representative) can:

Request review: ask what reports referencing them are in our system.
Request takedown: ask us to purge all reports about them and to add them to a do-not-scan list.
Request correction: flag factual errors in flagged-content extracts.

How:

Public form at /kol-takedown (live at landing page launch).
Email at takedown@kollookup.com.
We acknowledge within 48 hours and resolve within 7 calendar days.

We will purge reports unless a paying buyer has already legitimately purchased and downloaded the report — in which case the report leaves our active systems but the customer’s local copy is outside our control. We notify the KOL of this status and add the KOL to a do-not-scan list going forward.

6. Cookies and Analytics

Plausible — cookieless, EU-hosted, used by default for all visitors. No personal identifiers collected.
Google Analytics 4 (GA4) — used only with explicit consent via a cookie banner for visitors detected as being in the EU/UK/EEA. Visitors elsewhere see GA4 active by default with a clear notice and an opt-out link.
Hotjar (free tier, optional) — heatmaps only; no recordings of input fields; respects DNT signal.

We do not run third-party advertising trackers.

We share visitor / customer data only with:

Stripe (payment processing).
Supabase (database hosting).
Cloudflare (object storage, CDN, DDoS protection).
Vercel + Fly.io (web/app hosting).
Resend (transactional email).
Anthropic, OpenAI, Google Cloud (LLM, OCR, transcription processors). KOL public content may be sent to these processors strictly for the analytical purpose; no model training rights granted.
Lawful authorities if compelled by valid legal process within an operating jurisdiction.

We have or will have a Data Processing Agreement (DPA) with each processor. We do not sell personal data.

8. International Transfers

Operating from Asia, we may transfer data across:

Taiwan ↔︎ Singapore / United States (cloud providers).
Mainland China customer data — we use PIPL Standard Contractual Clauses (or the platform-provided cross-border data export framework) where applicable.
EEA visitor data — EU Standard Contractual Clauses plus a transfer-impact assessment.

9. Security

TLS 1.2+ for all data in transit.
AES-256 at rest for Supabase + Cloudflare R2.
Secrets managed via cloud provider key-management; rotated quarterly.
Access logs retained 12 months.
Annual penetration test (begins post Phase 4 launch).
Incident response: notify affected users within 72 hours of confirmed breach (GDPR Art. 33; PDPA §12).

10. Children

This service is not for users under 18, and we do not knowingly produce reports about KOLs who are minors (under 18 in any operating jurisdiction). All visitor accounts must affirm 18+ at signup. KOL handles flagged as belonging to minors are blocked from scanning.

11. Audit Trail

Every report scan logs: source URLs, timestamp of fetch, AI model + version used, reviewer ID (FND in V0.1), and decision rationale. This audit trail is retained for 5 years for legal-compliance reasons and is available to legitimate data-subject access requests.

12. Your Rights

Subject to local law, you have the right to:

Access your data.
Correct inaccurate data.
Request deletion (“right to be forgotten” under GDPR; analogous PDPA / PIPL provisions).
Object to processing or withdraw consent.
Data portability (machine-readable export).
Lodge a complaint with your local supervisory authority (e.g. Taiwan NDC PDPA office; EU national DPAs; California Attorney General).

Email privacy@kollookup.com to exercise any of these. We respond within 30 days (GDPR / PDPA standard).

13. Changes

We will post material changes 30 days before they take effect. Continued use after the effective date constitutes acceptance.

14. Contact

General privacy: privacy@kollookup.com (placeholder)
KOL takedown: takedown@kollookup.com (placeholder)
Legal: legal@kollookup.com (placeholder)

🚧 This draft has not been reviewed by legal counsel. It is a Phase 0 placeholder authored by PM-A based on the spec in Development Plan v3 §14. A licensed attorney in Taiwan (PDPA + 個資法), Mainland China (PIPL), and an EU/UK practitioner (GDPR) will review and rewrite as needed before Phase 4 commercial launch.