Privacy Policy

Last updated: May 26, 2026. English is the controlling version. Russian is provided for convenience.

Controller

Spody App, LLC is the data controller for ugcgo.ai account, marketplace, website, and AI Studio data unless a separate agreement says otherwise.

• Legal entity: Spody App, LLC
• Brand: ugcgo.ai
• Registered office: 131 Continental Dr, Suite 305, Newark, Delaware 19713, USA
• Registered agent: Legalinc Corporate Services Inc.
• Privacy contact: privacy@ugcgo.ai

Scope

This Policy covers our public website, platform, admin-facing moderation operations, marketplace, creator and brand dashboards, AI Studio, templates, emails, support, analytics, and payment-related records that we control. Third-party services such as Stripe, social platforms, AI providers, and payment or payout rails may have their own privacy policies.

Data We Collect

• Account data: email, name, role, password hash handled by Supabase, login/session metadata, profile fields, avatar, website, social links, language, and preferences.
• Brand data: company name, website, bio, campaign briefs, budgets, requirements, content references, brand profile media, payment status, and moderation status.
• Creator data: creator profile, portfolio, niches, pitch text, deliverables, self-disclosed audience data, payout readiness, and social-account verification data.
• Marketplace content: messages, applications/pitches, deal state, deliverable URLs, proof links, public metrics, revision requests, disputes, and evidence URLs.
• AI Studio data: prompts, uploaded starting images, generated images/videos/scripts, generation metadata, credit usage, and safety logs.
• Payment data: Stripe customer IDs, checkout/session IDs, payment intents, transfer status, refunds, chargebacks, ledger entries, payout readiness, and tax/KYC signals. We do not store full card numbers.
• Device and usage data: IP address, approximate location from network data, device/browser, pages viewed, feature events, errors, referrers, campaign attribution, and security logs.
• Support and legal data: emails, takedown reports, appeals, notices, compliance records, moderation notes, and communications.

How We Use Data

• Operate accounts, authentication, dashboards, marketplace matching, messages, campaign workflows, and deliverable review.
• Process payments, refunds, payouts, escrow state, dispute evidence, tax/KYC checks, fraud controls, and chargeback defense.
• Provide AI generation, script drafting, image/video generation, content moderation, safety scoring, and quality review.
• Verify social handles, fetch public post metrics for submitted proof links, calculate engagement/quality signals, and display authorized public profile data.
• Detect abuse, spam, fake engagement, impersonation, illegal content, payment risk, policy violations, and security incidents.
• Send transactional emails, support replies, policy notices, moderation notices, payout updates, and important product updates.
• Measure product performance, debug errors, improve UX, understand SEO/marketing attribution, and maintain internal business records.
• Comply with law, enforce Terms, answer rights requests, process takedowns, and cooperate with lawful requests.

Legal Bases

Where GDPR, UK GDPR, or similar laws apply, we rely on the following legal bases:

• Contract: account operation, marketplace workflows, payments, payouts, deliverables, support, and AI Studio services you request.
• Legitimate interests: security, fraud prevention, moderation, product analytics, marketplace integrity, business operations, and legal defense, balanced against user rights.
• Consent: optional social-account linking, optional marketing emails where required, certain cookies/analytics where required, and optional AI or media uploads.
• Legal obligation: tax, accounting, payment compliance, sanctions/fraud checks, consumer protection, content reports, and lawful requests.
• Vital/public safety interests: urgent action involving CSAM, nonconsensual intimate imagery, threats, fraud, or serious harm.

Providers

We use vendors to run ugcgo.ai. They process data under their own terms and, where applicable, our agreements or settings.

• Supabase: authentication, database, file storage, row-level security, and server-side admin operations.
• Vercel: hosting, serverless functions, logging, and deployment infrastructure.
• Stripe: Checkout, payment processing, Connect onboarding, payouts, fraud controls, refunds, chargebacks, and financial compliance.
• Resend: transactional emails and notices.
• fal.ai: image and video generation queue for supported AI models.
• Fireworks AI: script generation and AI QA / brand-safety assistance.
• OpenAI: optional moderation and safety analysis when configured.
• ScrapeCreators, Apify, and YouTube Data API: public social-profile and public post-metric retrieval for linked handles and submitted proof URLs.
• PostHog: first-party product analytics where configured.
• Sentry: error monitoring and reliability diagnostics where configured.

Social Data

Creators may voluntarily connect social handles or submit proof links. We collect only the public data needed for marketplace trust, campaign proof, engagement verification, and dispute evidence.

• Public username, display name, bio, profile photo, follower count, public posts, public engagement metrics, and submitted campaign post URLs.
• Bio-code or similar ownership verification data used to confirm that the creator controls the handle.
• Derived engagement rate, quality score, fraud-risk signals, and proof snapshots shown in the dashboard when available.
• Self-disclosed audience demographics. We do not infer sensitive demographics for MVP marketplace matching without clear labeling and consent.

You can disconnect a social handle from the dashboard or contact us. We may retain historical snapshots where needed for paid deal records, dispute resolution, chargeback defense, fraud prevention, and legal compliance.

AI And Moderation Data

When you use AI Studio or submit content for moderation, prompts, files, URLs, captions, outputs, thumbnails, model metadata, safety scores, and review notes may be processed by us and by AI providers. Do not submit secrets, regulated personal data, medical records, financial account data, government IDs, biometric data, or content you do not have rights to process.

Moderation logs may include policy flags, traffic-light status, reviewer notes, appeal state, and statements of reasons. We avoid exposing raw model payloads to users where doing so could leak sensitive data, enable evasion, or compromise safety systems.

Cookies

• Essential: authentication/session tokens, security, CSRF protection, and service routing.
• Preferences: theme and language choices stored in localStorage.
• Analytics: first-party analytics events through PostHog when configured.
• Payments: Stripe may use cookies or similar technologies during checkout or onboarding.

We do not use third-party advertising cookies and we do not sell or share personal data for cross-context behavioral advertising. If a browser sends a legally recognized opt-out signal such as Global Privacy Control, we will treat it as an opt-out of sale/share where applicable.

Sharing

We share data only as needed to run the platform, with your counterparties, with service providers, with payment and payout providers, with law enforcement or regulators where legally required, with professional advisers, and in a merger, acquisition, financing, restructuring, or sale of assets subject to appropriate safeguards. We do not sell personal data.

Retention

• Account and profile data: while your account is active, then as needed for legal, tax, security, and dispute purposes.
• Messages, deal records, payment records, disputes, snapshots, and deliverable proof: normally up to 24 months after campaign closure, or longer where tax, chargeback, legal, safety, or fraud records require it.
• AI generation records: while needed to provide the feature, support billing/credits, debug safety issues, and comply with abuse-prevention duties.
• Security logs and analytics: retained for a limited period appropriate to security, reliability, and product analysis.
• Takedown, appeal, and serious safety records: retained as needed to document compliance and prevent repeat abuse.

We may de-identify or aggregate data and keep it for analytics, security, and business reporting.

Your Rights

Depending on where you live, you may have rights to access, correct, delete, export, restrict, object to, or withdraw consent for certain personal data. California and other U.S. state privacy laws may also give rights to know, delete, correct, opt out of sale/share, limit sensitive-data use, and appeal a denied request. We do not discriminate against users for exercising privacy rights.

To exercise rights, email privacy@ugcgo.ai. We may verify your identity and may keep data where necessary for contracts, payments, tax, safety, fraud prevention, legal claims, or compliance. Authorized agents should include proof of authorization.

Security

We use HTTPS, Supabase row-level security, JWT-based authentication, server-side API proxies, least-privilege keys where available, logging, moderation gates, and payment-provider controls. No system is perfectly secure, so you should use a strong unique password and tell us immediately if you suspect unauthorized access.

Children

ugcgo.ai is for users who are at least 18. We do not knowingly collect personal data from children under 13, and we do not knowingly allow minors to create marketplace accounts. If you believe a child submitted personal data, contact privacy@ugcgo.ai.

Contact

Privacy requests: privacy@ugcgo.ai. Legal notices: legal@ugcgo.ai.