OwlScran Ltd (company number 15305650)
Last updated: March 2026
This privacy policy explains how OwlScran Ltd ("we", "us", or "our") collects, uses, stores, and shares your personal information when you use our website at owlscran.com and the services we provide through it (together, the "Services").
We are the data controller for the personal information described in this policy. Our details are:
If you have any questions about this policy or wish to exercise your data protection rights, please contact us at the email address above.
When you connect a social media account to the Services, we access and process data from that platform on your behalf to generate your media kit. The platforms we currently support are TikTok, Instagram, Facebook, and YouTube. The data we retrieve includes:
This data is retrieved directly from each platform's official API using the OAuth access tokens you grant when connecting your account. We store this data in our database to power your media kit and to track changes over time.
When you visit or use the Services, we automatically collect certain technical and usage data:
Under the UK General Data Protection Regulation (UK GDPR), we must have a lawful basis for each type of processing we carry out. The table below sets out our purposes and the corresponding legal basis.
| Purpose | Lawful basis | Details |
|---|---|---|
| Account creation and authentication | Contract (Art. 6(1)(b)) | Necessary to provide the Services you have signed up for. Processed via Supabase Auth. |
| Providing the media kit service | Contract (Art. 6(1)(b)) | Retrieving and displaying your creator data from connected social media platforms. |
| Payment processing | Contract (Art. 6(1)(b)) | Processing subscription payments and managing billing via Stripe. Note: Stripe also processes certain data as an independent controller for its own fraud prevention and regulatory compliance purposes. |
| Sending transactional emails | Contract (Art. 6(1)(b)) | Account confirmations, password resets, billing notifications, and service updates via Resend. |
| Client-side analytics | PECR statistical purposes exception; Legitimate interest (Art. 6(1)(f)) | Understanding how users interact with the Services so we can improve them. This processing qualifies for the statistical purposes exception under PECR regulation 6A, which permits certain analytics without prior consent. We offer an opt-out via our cookie settings. Our legitimate interest is improving the functionality and user experience of the Services. See section 5 for details. |
| Performance measurement (Vercel Analytics and Speed Insights) | PECR statistical purposes exception; Legitimate interest (Art. 6(1)(f)) | Measuring page load performance using privacy-friendly, cookieless tools that provide aggregate data only. Opt-out available via our cookie settings. |
Where we rely on legitimate interest, we have conducted a Legitimate Interest Assessment to ensure our interests do not override your rights and freedoms. You may request a copy of our assessments by contacting us.
We use anonymised, aggregated data derived from creator activity across the platform to build statistical models and benchmarks. These may be used to provide features such as brand deal pricing predictions, audience benchmarking, and performance insights.
What data feeds into this process: the primary inputs are data that creators voluntarily contribute to the platform, such as brand deal pricing, campaign outcomes, content formats, niche categories, and commercial terms. We may also use aggregate statistical patterns derived from creator profiles across the platform.
How we anonymise data: before any data is used for model training or benchmarking, we remove all direct identifiers (such as names, email addresses, usernames, and social media profile URLs) and aggregate the data so that it relates to statistical patterns across many users rather than to any individual. The anonymisation is irreversible — we do not retain any key or mapping that could link the anonymised data back to you.
Important points:
We do not sell your personal data. We share your data only with the third-party service providers ("processors") we need to operate the Services, and only to the extent necessary for them to perform their function. Each processor is bound by a Data Processing Agreement (DPA) that requires them to process your data only on our instructions and to implement appropriate security measures.
| Service | Purpose | Data processed | Location |
|---|---|---|---|
| Supabase (Supabase, Inc.) | Database hosting, authentication, file storage | All account data, auth tokens, creator data, application data | United States (AWS) |
| Vercel (Vercel, Inc.) | Website hosting, CDN, edge functions, web analytics, speed insights | IP addresses, request headers, aggregate performance metrics | United States |
| Stripe (Stripe, Inc.) | Payment processing | Name, email, payment method, billing address, invoice data | United States (with UK entity Stripe Payments Europe Ltd) |
| Statsig (Statsig, Inc.) | Feature flags, A/B testing, client-side analytics, session replay (if consented) | User ID, analytics events, experiment exposures, session recordings (if consented) | United States |
| HyperDX (DeploySentinel, Inc.) | Observability, error monitoring, server-side logging | User ID (where relevant), error context, request metadata, performance traces | United States |
| Resend (Plus Five Five, Inc.) | Transactional email delivery | Name, email address | United States |
We also use Brandfetch for brand logo lookups. No personal data is sent to Brandfetch; it receives only brand names and returns logo assets.
When you connect a social media account, we access that platform's API to retrieve your creator data. We act on your instructions when doing so. The platforms (TikTok, Instagram, Facebook, YouTube) are not our processors — they are independent controllers of their own services. Please refer to each platform's privacy policy for information on how they handle your data.
We may make AI models trained on anonymised, aggregated data available to other users, brands, and third parties as part of our commercial offerings. Because this data is truly anonymised (see section 3.1), it is no longer personal data and its use does not constitute sharing your personal information.
We may also share your personal data where required by law, regulation, or legal process, or in connection with a merger, acquisition, or sale of all or part of our business. In the event of a business transfer, we will notify you before your data is transferred and becomes subject to a different privacy policy.
We use cookies and similar technologies on the Services. Under the Privacy and Electronic Communications Regulations 2003 (PECR), we categorise these as follows.
These are essential for the Services to function and cannot be disabled.
| Cookie | Purpose | Duration |
|---|---|---|
| Supabase auth cookies (sb-*) | Authentication and session management | Session / as set by Supabase Auth |
| owlscran_consent | Stores your cookie consent preferences (which categories you have accepted or declined) | 180 days |
The following tracking falls within the PECR statistical purposes exception. This means we may deploy it without prior consent, but we provide an opt-out mechanism via our cookie settings. Data collected under this category is used only for aggregate statistical analysis and is not combined with other data to identify individual users.
| Technology | Purpose | Duration / notes |
|---|---|---|
| Statsig analytics events | Page views, feature interactions, experiment exposures | Events retained for 1 year by Statsig |
| statsig_stable_id cookie | Stable device identifier for consistent analytics and experiment assignment | 400 days |
| Vercel Web Analytics | Aggregate page view analytics. No cookies; visitor identified by request hash discarded within 24 hours. | No persistent storage |
| Vercel Speed Insights | Core Web Vitals performance measurement. No cookies; no personal identifiers. | No persistent storage |
The following tracking technologies are only activated if you give your explicit consent via our cookie banner. You may withdraw your consent at any time through the cookie settings link in the footer of our website.
| Technology | Purpose | Duration / notes |
|---|---|---|
| Statsig session replay | Records browsing sessions (mouse movements, clicks, scrolling, page content) for product improvement | Recordings retained for 30 days by Statsig |
We also read UTM parameters and click identifiers (such as gclid and fbclid) from your URL when you arrive at the Services, and attach them to analytics metadata. We do not set these identifiers ourselves.
All of our processors are based in the United States. When your personal data is transferred outside the United Kingdom, we ensure it is protected by appropriate safeguards as required by UK GDPR Article 46. The specific transfer mechanisms for each processor are as follows.
| Processor | Transfer mechanism |
|---|---|
| Supabase | UK International Data Transfer Addendum ("UK Addendum") to the EU Standard Contractual Clauses (SCCs), incorporated into their DPA |
| Vercel | UK GDPR provisions in DPA; EU-US Data Privacy Framework (including UK Extension) |
| Stripe | UK Data Transfer Addendum; EU-US Data Privacy Framework (including UK Extension) |
| Statsig | UK SCCs (ICO International Data Transfer Addendum) incorporated into their DPA |
| HyperDX | UK Addendum to EU SCCs (Schedule II of their DPA) |
| Resend | UK SCCs (EU SCCs as amended by the UK Addendum), incorporated into their DPA |
You may request a copy of the relevant safeguard documentation by contacting us.
We retain your personal data only for as long as necessary for the purposes set out in this policy, unless a longer retention period is required by law.
| Data category | Retention period | Reason |
|---|---|---|
| Account data | Duration of your account, then 30 days after deletion, after which it is permanently deleted | To provide the Services and allow for account recovery during a grace period |
| Billing and invoice data | 6 years after the relevant transaction | HMRC record-keeping requirements |
| Creator data (social media) | Duration of your account. Deleted when you disconnect a platform or delete your account | To provide the media kit service |
| Campaign and deal data you contribute | Duration of your account. Deleted on account deletion, except where already anonymised | To provide benchmarking and predictive features |
| Client-side analytics events (Statsig) | 1 year | Statsig's retention period on the current plan |
| Session recordings (Statsig) | 30 days | Statsig's default retention period |
| Server-side logs (HyperDX) | 30 days | HyperDX's retention period on the current plan |
| Anonymised aggregate data (including data used for statistical models) | Retained indefinitely | Truly anonymised data is not personal data under UK GDPR. It cannot be used to identify you and is used for aggregate analysis, benchmarking, and model training. |
Under the UK GDPR, you have the following rights in relation to your personal data:
How to exercise your rights: email us at contact@owlscran.com. We will respond within 30 days. If your request is complex or we receive a large number of requests, we may extend this by a further 60 days, in which case we will notify you.
Right to complain: if you are unhappy with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO). You can contact the ICO at ico.org.uk or by calling 0303 123 1113. We would, however, appreciate the opportunity to address your concerns before you approach the ICO, so please contact us first.
We implement appropriate technical and organisational measures to protect your personal data, including:
No method of transmission over the internet or electronic storage is completely secure. While we take reasonable steps to protect your personal data, we cannot guarantee absolute security.
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it, and will notify affected individuals without undue delay where the breach is likely to result in a high risk.
The Services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from anyone under 18. By using the Services, you confirm that you are at least 18 years old. If we become aware that we have collected personal data from a person under 18, we will delete that data and close the associated account. If you believe we may have collected data from someone under 18, please contact us at contact@owlscran.com.
We may update this privacy policy from time to time to reflect changes in our practices or for legal, regulatory, or operational reasons. The "Last updated" date at the top of this policy indicates when it was most recently revised. If we make material changes, we will notify you by email or by posting a prominent notice on the Services before the changes take effect. We encourage you to review this policy periodically.
If you have any questions about this privacy policy, wish to exercise your data protection rights, or want to make a complaint, please contact us:
Questions or concerns? Contact us at contact@owlscran.com
| Purpose | Lawful basis | Details |
|---|---|---|
| Session recording | Consent (Art. 6(1)(a)) | Recording browsing sessions for product improvement. Only activated if you opt in via our cookie banner. You may withdraw consent at any time. |
| Server-side error monitoring and observability | Legitimate interest (Art. 6(1)(f)) | Diagnosing errors, monitoring service health, and maintaining platform stability via HyperDX. Our legitimate interest is ensuring the Services operate reliably and securely. |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) | Retaining billing and invoice data for HMRC record-keeping requirements. |
| Anonymisation and aggregation for statistical analysis and AI model training | Legitimate interest (Art. 6(1)(f)) | We anonymise and aggregate creator statistics across the platform to produce insights, benchmarks, and predictive models. See section 3.1 for full details. |