Privacy Policy

Last updated: March 2026

v1.0

This policy explains what data we collect, how we use it, who we share it with, and what rights you have. It applies to all users of TrackBounty — Creators, Clients, and visitors.

1. Who We Are

Data controller: TrackBounty LTD, a company registered in England and Wales (company number 17068830). Contact: support@trackbounty.com

TrackBounty is a platform operated from the United Kingdom. We are the data controller for the personal information we collect through the TrackBounty website, web application, Discord bot, and related services.

TrackBounty LTD
United Kingdom
Email: support@trackbounty.com

2. Data We Collect

Account Information

Email address — for login, verification, and communication.
Display name — shown on your profile.
Password — stored securely using bcrypt hashing. We cannot see your password.
Account type — Creator, Label, Artist, Agency, or Manager.

Profile Information

Region — for matching with relevant bounties.
PayPal/Wise/USDT address — for receiving withdrawals (Creators only). This information is never shared with Clients. All payouts are facilitated by TrackBounty LTD through supported third-party payout providers.
Company/artist details — name, website, description (Clients only).

TikTok Data

Username, follower count, average views, engagement rate, post count — retrieved from publicly available social media content and third-party data providers during account verification and periodic updates.
Submission metrics — view counts, likes, comments, shares on submitted TikTok videos.

This data is publicly available on TikTok. We retrieve it to operate bounty tracking and fraud detection.

Discord Data (Optional)

Discord ID, username, avatar — collected via Discord OAuth if you choose to link your Discord account.
Discord email — if available and you consent, used to link or create your account.

Technical Data

IP address, browser type, device information — collected automatically for security and fraud prevention.
Access timestamps — when you log in and use the platform.

3. How We Use Your Data

We use your personal data to:

Operate the Service — create and manage your account, process registrations, run bounties.
Verify identity — confirm TikTok account ownership through bio code verification.
Match bounties — connect Creators with relevant bounties based on audience, region, and niche.
Track performance — monitor submission metrics and calculate earnings.
Detect fraud — identify suspicious patterns in engagement data to protect platform integrity.
Arrange payouts — process Creator withdrawals through supported payment methods (PayPal, Wise, USDT). Creator payment details are never shared with Clients.
Send transactional emails — account verification, password reset, submission updates, payment notifications.
Send marketing emails — product updates and new features (only with your explicit consent; you can opt out at any time).
Improve the Service — analyse usage patterns to enhance platform features and performance.

4. Legal Basis for Processing (GDPR)

Under UK GDPR and the Data Protection Act 2018, we process your data on the following bases:

Contract — processing necessary to provide the Service to you: account management, bounty participation, payment tracking, TikTok verification.
Legitimate interest — fraud detection, platform security, service improvement, and protecting the rights of our users. We have assessed that these interests do not override your fundamental rights.
Consent — marketing communications and optional data collection (e.g., profile discoverability). You can withdraw consent at any time.
Legal obligation — retaining financial records as required by UK tax and accounting law.

This is an important section. TrackBounty is a marketplace, and some data is shared between users to make the platform work.

What Clients Can See About Creators

Creators in their workspace: Public profile (display name, TikTok username, follower count, engagement rate, region, niche tags), submission details and performance metrics for that Client's bounties, payment status for that Client's bounties.
Creators in the discovery pool: If a Creator has enabled profile discoverability, Clients can see their public profile for invitation purposes. No bounty-specific data is shared.

What Clients Cannot See

A Creator's performance on other Clients' bounties.
A Creator's earnings from other Clients.
A Creator's email address, PayPal details, or private account settings.

What Creators Can See About Clients

Client's company name, brand colour, description, and bounty details.
Bounty requirements, payment structures, and deadlines.

6. Third-Party Services

We use the following third-party services to operate the platform:

Stripe — a third-party payment provider that processes Client credit purchases. When you make a payment, Stripe processes your transaction data (payment amounts, card details) in accordance with Stripe's Privacy Policy. TrackBounty does not store your full card numbers or bank account details — this data is held by Stripe.
PayPal — available as an alternative payment and withdrawal method. PayPal email addresses are used to process Creator withdrawals. Data processed according to PayPal's privacy policy.
Third-party data providers — to access publicly available social media content and engagement metrics for platform features.
Discord OAuth — for optional account linking. Data processed according to Discord's privacy policy.
Resend — an email delivery service used to send transactional emails (account verification, password reset, team invitations). Resend receives your email address and email content. Data processed according to Resend's Privacy Policy.
Sentry — an error monitoring service used to detect and fix technical issues. Sentry may receive technical data including IP address, browser information, and error context. Data processed according to Sentry's Privacy Policy.
Google AI (Gemini) — an AI service powering creator profiling, sound analysis, campaign matching, and our AI chatbot. Text-based summaries of publicly available content and chatbot messages may be processed. Data processed under Google's Data Processing Addendum.
Hosting provider — our servers are hosted in data centres with appropriate security measures.

We do not sell your personal data to third parties. We do not use third-party advertising or tracking cookies.

7. Cookies

TrackBounty uses a single essential cookie:

tb_web_session — an HTTP-only session cookie that maintains your login. Expires after 72 hours. Required for the Service to function.

We may also set a temporary cookie during Discord OAuth authentication, which is deleted immediately after the login flow completes.

We do not use tracking cookies, advertising cookies, analytics cookies, or any third-party cookies. No cookie consent banner is required as we only use strictly necessary cookies.

8. Data Retention

Active accounts: Data is retained for as long as your account is active.
Deleted accounts: Personal information is removed within 30 days of account deletion, except where we are legally required to retain it.
Financial records: Payment records and transaction data may be retained for up to 7 years for UK tax and accounting compliance.
Anonymised data: Aggregated, anonymised submission metrics may be retained indefinitely for platform analytics. This data cannot identify you.
Security logs: IP addresses and access logs are retained for 90 days for security and fraud investigation purposes.
Bug reports: If you submit a bug report through the chatbot, the description, page URL, and severity are stored until resolved, plus 90 days.

Automated Decision-Making and Profiling

TrackBounty LTD uses automated systems to profile Creator content, generate match scores, detect potentially fraudulent submissions, and categorise content. These automated processes may affect which campaigns you are recommended for. You have the right to request human review of any automated decision that significantly affects you. Contact: support@trackbounty.com

Sources of Personal Data

We collect personal data from:

Directly from you (signup, profile, submissions, chatbot interactions)
From publicly available social media content accessed through third-party data providers
From third-party services (Stripe for payment confirmation, Cloudflare for bot detection)
Generated by our systems (AI analysis, matching scores, fraud detection signals)

9. Your Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights:

Right of access — request a copy of the personal data we hold about you.
Right to rectification — request correction of inaccurate or incomplete data.
Right to erasure — request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
Right to data portability — receive your data in a structured, machine-readable format.
Right to restrict processing — request that we limit how we use your data while a complaint is being resolved.
Right to object — object to processing based on legitimate interests.
Right to withdraw consent — opt out of marketing communications at any time via your email preferences settings or by contacting us.

To exercise any of these rights, email support@trackbounty.com. We will respond within 30 days (extendable to 90 days for complex requests, with notification).

10. International Data Transfers

Our servers are hosted in data centres with appropriate security measures. If your data is transferred outside the UK, we ensure it is protected through:

Standard Contractual Clauses (SCCs) approved by the ICO.
Transfers to countries with UK adequacy decisions.
Appropriate safeguards as required by UK data protection law.

11. Children's Privacy

TrackBounty is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe someone under 18 has created an account, please contact us immediately and we will remove the account and associated data.

All users must be at least 18 years old to use the platform.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or through the platform at least 14 days before the changes take effect.

We encourage you to review this policy periodically. The "Last updated" date at the top indicates when this policy was last revised.

13. Contact & Complaints

For privacy-related enquiries or to exercise your data rights: