Privacy Policy

Last updated: February 2026

v1.0

This policy explains what data we collect, how we use it, who we share it with, and what rights you have. It applies to all users of TrackBounty — Creators, Clients, and visitors.

1. Who We Are

TrackBounty is a platform operated from the United Kingdom. We are the data controller for the personal information we collect through the TrackBounty website, web application, Discord bot, and related services.

TrackBounty
United Kingdom
Email: trackbountymusic@gmail.com

2. Data We Collect

Account Information

Email address — for login, verification, and communication.
Display name — shown on your profile.
Password — stored securely using bcrypt hashing. We cannot see your password.
Account type — Creator, Label, Artist, Agency, or Manager.

Profile Information

Region — for matching with relevant campaigns.
PayPal email — for receiving payments (Creators only). Shared only with Clients who need to pay you.
Company/artist details — name, website, description (Clients only).

TikTok Data

Username, follower count, average views, engagement rate, post count — retrieved via TikTok APIs during account verification and periodic updates.
Submission metrics — view counts, likes, comments, shares on submitted TikTok videos.

This data is publicly available on TikTok. We retrieve it to operate campaign tracking and fraud detection.

Discord Data (Optional)

Discord ID, username, avatar — collected via Discord OAuth if you choose to link your Discord account.
Discord email — if available and you consent, used to link or create your account.

Technical Data

IP address, browser type, device information — collected automatically for security and fraud prevention.
Access timestamps — when you log in and use the platform.

3. How We Use Your Data

We use your personal data to:

Operate the Service — create and manage your account, process registrations, run campaigns.
Verify identity — confirm TikTok account ownership through bio code verification.
Match campaigns — connect Creators with relevant campaigns based on audience, region, and niche.
Track performance — monitor submission metrics and calculate earnings.
Detect fraud — identify suspicious patterns in engagement data to protect platform integrity.
Process payments — share PayPal email with Clients to facilitate Creator payments.
Send transactional emails — account verification, password reset, submission updates, payment notifications.
Send marketing emails — product updates and new features (only with your explicit consent; you can opt out at any time).
Improve the Service — analyse usage patterns to enhance platform features and performance.

4. Legal Basis for Processing (GDPR)

Under UK GDPR and the Data Protection Act 2018, we process your data on the following bases:

Contract — processing necessary to provide the Service to you: account management, campaign participation, payment tracking, TikTok verification.
Legitimate interest — fraud detection, platform security, service improvement, and protecting the rights of our users. We have assessed that these interests do not override your fundamental rights.
Consent — marketing communications and optional data collection (e.g., profile discoverability). You can withdraw consent at any time.
Legal obligation — retaining financial records as required by UK tax and accounting law.

This is an important section. TrackBounty is a marketplace, and some data is shared between users to make the platform work.

What Clients Can See About Creators

Creators in their workspace: Public profile (display name, TikTok username, follower count, engagement rate, region, niche tags), submission details and performance metrics for that Client's campaigns, payment status for that Client's campaigns.
Creators in the discovery pool: If a Creator has enabled profile discoverability, Clients can see their public profile for invitation purposes. No campaign-specific data is shared.

What Clients Cannot See

A Creator's performance on other Clients' campaigns.
A Creator's earnings from other Clients.
A Creator's email address, PayPal details, or private account settings.

What Creators Can See About Clients

Client's company name, brand colour, description, and campaign details.
Campaign requirements, payment structures, and deadlines.

6. Third-Party Services

We use the following third-party services to operate the platform:

Stripe — our primary payment processor. Stripe is an FCA-authorised payment institution that processes campaign funding, holds funds on behalf of users, and facilitates Creator withdrawals. When you make a payment or receive a withdrawal, Stripe processes your transaction data (payment amounts, bank/card details) in accordance with Stripe's Privacy Policy. TrackBounty does not store your full card numbers or bank account details — this data is held by Stripe.
PayPal — available as an alternative payment and withdrawal method. PayPal email addresses are used to process Creator withdrawals. Data processed according to PayPal's privacy policy.
TikTok APIs — to verify account ownership and retrieve publicly available engagement metrics.
Discord OAuth — for optional account linking. Data processed according to Discord's privacy policy.
Hosting provider — our servers are hosted in data centres with appropriate security measures.

We do not sell your personal data to third parties. We do not use third-party advertising or tracking cookies.

7. Cookies

TrackBounty uses a single essential cookie:

tb_web_session — an HTTP-only session cookie that maintains your login. Expires after 72 hours. Required for the Service to function.

We may also set a temporary cookie during Discord OAuth authentication, which is deleted immediately after the login flow completes.

We do not use tracking cookies, advertising cookies, analytics cookies, or any third-party cookies. No cookie consent banner is required as we only use strictly necessary cookies.

8. Data Retention

Active accounts: Data is retained for as long as your account is active.
Deleted accounts: Personal information is removed within 30 days of account deletion, except where we are legally required to retain it.
Financial records: Payment records and transaction data may be retained for up to 7 years for UK tax and accounting compliance.
Anonymised data: Aggregated, anonymised submission metrics may be retained indefinitely for platform analytics. This data cannot identify you.
Security logs: IP addresses and access logs are retained for 90 days for security and fraud investigation purposes.

9. Your Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights:

Right of access — request a copy of the personal data we hold about you.
Right to rectification — request correction of inaccurate or incomplete data.
Right to erasure — request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
Right to data portability — receive your data in a structured, machine-readable format.
Right to restrict processing — request that we limit how we use your data while a complaint is being resolved.
Right to object — object to processing based on legitimate interests.
Right to withdraw consent — opt out of marketing communications at any time via your email preferences settings or by contacting us.

To exercise any of these rights, email trackbountymusic@gmail.com. We will respond within 30 days (extendable to 90 days for complex requests, with notification).

10. International Data Transfers

Our servers are hosted in data centres with appropriate security measures. If your data is transferred outside the UK, we ensure it is protected through:

Standard Contractual Clauses (SCCs) approved by the ICO.
Transfers to countries with UK adequacy decisions.
Appropriate safeguards as required by UK data protection law.

11. Children's Privacy

TrackBounty is not intended for children under 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has created an account, please contact us immediately and we will remove the account and associated data.

Users between 13 and 18 may use the Service with parental or guardian permission. Payment features require users to be at least 18 years old.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or through the platform at least 14 days before the changes take effect.

We encourage you to review this policy periodically. The "Last updated" date at the top indicates when this policy was last revised.

13. Contact & Complaints

For privacy-related enquiries or to exercise your data rights: