Privacy Policy

Viera ("we", "us", "our") operates the creator marketplace at viera.al. This Privacy Policy describes what personal data we collect, why we collect it, the legal basis for processing it, how long we keep it, and your rights over it.

This policy applies to all users of the Platform, including visitors, registered creators, and registered brands, regardless of whether they are located in Albania, the European Union, or elsewhere.

1. Data Controller

The data controller responsible for your personal data is:

2. What Data We Collect

Data you provide directly:

• Account data — name, email address, password (stored as a secure bcrypt hash, never in plaintext).
• Profile data — bio, location, niche, portfolio links, social media handles, profile photo.
• Business data (brands) — company name, website, industry, logo.
• Financial data — campaign budgets, invoice amounts, payment status. We do not store card numbers or bank account details; card payments are handled exclusively by Stripe.
• Communications — messages sent between brands and creators through the Platform.
• Content submissions — URLs to content delivered as part of campaign bookings.

Data collected automatically:

• Log data: IP address, browser type, pages visited, access timestamps.
• Device data: operating system, screen resolution, language setting.
• Session cookies managed by Supabase Auth for login state.

Data from social platform connections (OAuth):

• When you voluntarily connect your Instagram, TikTok, or YouTube account, we may access your public profile name, profile picture, follower count, and engagement metrics made available by that platform's API.
• We do not access private messages on those platforms, post content on your behalf, or access your social platform credentials.
• Social platform data is used solely to populate your Viera creator profile and help brands assess fit.
• You can disconnect any social account at any time from your dashboard settings.

3. Legal Basis for Processing (GDPR Article 6)

For users in the European Union and Albania, we process your data on the following legal bases:

• Contract performance (Art. 6(1)(b)) — processing your account data, campaign data, bookings, messages, and payments is necessary to provide the service you signed up for.
• Legitimate interests (Art. 6(1)(f)) — log data and device data are processed to maintain security, prevent fraud, and improve the Platform. Our legitimate interests do not override your fundamental rights.
• Legal obligation (Art. 6(1)(c)) — invoice and financial records are retained as required by Albanian tax and accounting law.
• Consent (Art. 6(1)(a)) — connecting a social account via OAuth is always optional and based on your explicit consent. You may withdraw consent at any time.

4. How We Use Your Data

• To create and manage your account.
• To operate the marketplace — matching creators with brand campaigns.
• To process payments and generate invoices.
• To send platform notifications (campaign updates, booking confirmations, payment status).
• To verify creator profiles and maintain platform quality.
• To prevent fraud, abuse, and security incidents.
• To comply with legal and regulatory obligations.
• To respond to support and data access requests.

We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.

5. Who We Share Your Data With

We do not sell your personal data. We share data only in the following circumstances:

• Between brands and creators — creator profile information (name, photo, bio, niche, pricing, social stats) is visible to brands as part of the marketplace. Campaign briefs are visible to creators who apply. Messages are visible to both parties in a conversation.
• Supabase — our database and authentication provider. Data is stored in Supabase-managed infrastructure. Supabase processes data as a data processor on our behalf.
• Stripe — our payment processor. When you complete a payment, Stripe processes your payment data under Stripe's own privacy policy. We receive only a payment confirmation and reference number.
• Vercel — our hosting provider. Vercel may process request logs as part of serving the Platform.
• Legal requirements — we may disclose data when required by Albanian law, a court order, or a supervisory authority.

6. International Data Transfers

Supabase, Stripe, and Vercel are international service providers whose infrastructure may be located in the United States or other countries outside Albania and the European Economic Area. Where such transfers occur, they are governed by Standard Contractual Clauses approved by the European Commission or equivalent transfer safeguards, as required by GDPR Chapter V. You may request information about the specific safeguards in place by contacting us at privacy@viera.al.

7. Data Retention

• Account and profile data — retained for as long as your account is active. Deleted within 30 days of a confirmed account deletion request.
• Messages and campaign data — retained for the duration of your account. Deleted with your account, subject to any legal hold.
• Financial records (invoices, payment records) — retained for 7 years as required by Albanian tax law, even after account deletion. This data is anonymised to the minimum extent possible.
• Log data — retained for up to 90 days for security purposes, then deleted.

8. Your Rights

Depending on your location, you have the following rights regarding your personal data. To exercise any of them, email privacy@viera.al with the subject line matching your request. We will respond within 30 days.

• Right of access (Art. 15 GDPR) — request a copy of all personal data we hold about you.
• Right to rectification (Art. 16 GDPR) — request correction of inaccurate or incomplete data.
• Right to erasure / "right to be forgotten" (Art. 17 GDPR) — request deletion of your account and personal data. See our Data Deletion page for full instructions.
• Right to restriction of processing (Art. 18 GDPR) — request that we limit how we use your data in certain circumstances.
• Right to data portability (Art. 20 GDPR) — request a copy of your data in a structured, machine-readable format.
• Right to object (Art. 21 GDPR) — object to processing based on legitimate interests. We will stop unless we have compelling legitimate grounds that override your interests.
• Right to withdraw consent — where processing is based on consent (e.g. social account connections), you may withdraw at any time without affecting the lawfulness of prior processing.

9. Cookies

We use only essential cookies:

• Authentication cookies — set by Supabase Auth to keep you logged in across page loads. These are strictly necessary and cannot be disabled without breaking login.
• Preference cookies — to remember your language and theme setting (stored in localStorage).

We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

10. Security

All data in transit is encrypted via HTTPS/TLS. Data at rest is stored in Supabase with row-level security (RLS) policies that ensure users can only access their own data. Passwords are hashed using bcrypt and never stored in plaintext. We conduct regular security reviews of our access policies and database configurations.

11. Children

Viera is not directed at anyone under 18. We do not knowingly collect personal data from minors. If you believe a minor has created an account, contact us at privacy@viera.al and we will delete the account promptly.

12. Supervisory Authorities

If you believe we have handled your data unlawfully, you have the right to lodge a complaint with a supervisory authority:

• Albania — Commissioner for the Right to Information and Personal Data Protection: www.idp.al
• Germany — Federal Commissioner for Data Protection and Freedom of Information (BfDI): www.bfdi.bund.de
• European Union — the supervisory authority of your EU member state of residence.

We ask that you contact us first so we can try to resolve your concern directly.

13. Changes to This Policy

We may update this policy as the Platform evolves or regulations change. Significant changes will be communicated via email or an in-platform notification at least 14 days before taking effect. The "last updated" date at the top of this page always reflects the current version.

14. Contact

For all privacy-related questions, requests, or complaints:

Email: privacy@viera.al