Privacy Policy

Legal | Collebrity

Collebrity โ€” Privacy Policy (India / DPDPA 2023)

Version 1.0 | Effective Date: 03 June 2026  |  Applicable Law: Digital Personal Data Protection Act, 2023 (India)

IMPORTANT NOTICE
This Privacy Policy describes how Collebrity Private Limited collects, uses, stores, and shares your personal data when you use the Collebrity platform. This Policy is published in compliance with Section 5 of the Digital Personal Data Protection Act, 2023 ("DPDPA") and Rule 3 of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. Please read this Policy carefully before using the Platform.

1. Introduction and Identity of the Data Fiduciary

1.1 This Privacy Policy ("Policy") is published by Collebrity Private Limited, a company incorporated under the Companies Act, 2013, bearing Corporate Identification Number U63122KA2025FTC206151, with its registered office at Flat No. 504, Veerasandra, Veerasandra Gollahalli Main Road, Bengaluru, Karnataka โ€” 560100, India ("Collebrity", "we", "us", "our").

1.2 Collebrity is the Data Fiduciary within the meaning of Section 2(i) of the Digital Personal Data Protection Act, 2023 ("DPDPA") in respect of personal data collected through the Platform at collebrity.com and through the Collebrity mobile applications on iOS and Android.

1.3 This Policy applies to all individuals who use the Platform in any capacity, including Brands, Individuals, Creators / Influencers / Celebrities (used interchangeably throughout this Policy), and Talent Managers, collectively referred to as "Data Principals" or "Users".

1.4 Capitalised terms used but not defined in this Policy shall have the meanings assigned to them in Collebrity's Terms and Conditions, available at collebrity.com/legal/terms-and-conditions.

2. Personal Data We Collect

2.1 We collect personal data that you provide directly to us, data generated through your use of the Platform, and data obtained from third-party sources (including social media platforms via authorised API integrations). The categories of personal data collected are described below.

2.A Data Collected from Creators / Influencers

The following personal data is collected from Users who register on the Platform as Creators:

Data Category

Specific Data Fields

How Collected

Identity Data

First name, last name

Registration form

Contact Data

Email address, mobile number

Registration form

Location Data

Country, state, city of residence

Registration form

Demographic Data

Birth year, gender, preferred language

Registration form

Professional Data

Business category/content niche

Registration form / Storefront

Sensitive Data โ€” Ethnicity

Ethnicity (optional; see Clause 5)

Registration form (opt-in)

Tax and Financial Data

PAN (Permanent Account Number), GST number (if applicable), bank account details (account number, IFSC code, account holder name)

KYC verification process

Social Media Data

Verified follower count, engagement rate, audience demographics, content category โ€” pulled from Instagram and YouTube APIs (and other platforms as added)

Social media API integration (authorised by Creator)

Platform Activity Data

Orders placed, campaigns participated in, Storefront listings, ratings received, messages sent through the Platform

Automatically generated through Platform use

Device and Technical Data

IP address, browser type, operating system, device identifier, session data

Automatically collected

2.B Data Collected from Brands / Agencies / Individuals

The following personal data is collected from Users who register on the Platform as Brands, Advertising Agencies, or individuals (i.e., natural persons placing orders for personal, non-commercial purposes such as personalised greetings):

Data Category

Specific Data Fields

How Collected

Business Identity Data

Brand name, business website URL

Registration form

Contact Person Data

First name, last name, designation, email address, mobile number

Registration form

Location Data

Country, state, city

Registration form

Demographic Data

Birth year, gender of account holder

Registration form

Business Category Data

Industry/business niche

Registration form

Tax and Billing Data

PAN, GST Identification Number (GSTIN), billing address

KYC / invoicing process

Payment Data

Payment card details, bank account details (processed via the Platform's authorised Payment gateway / payment Aggregator; not stored on Collebrity's servers)

 

Campaign Data

Campaign Briefs, target audience specifications, product information, creative assets uploaded by the Brand

Platform use

Platform Activity Data

Orders placed, campaigns created, Wallet balance and transaction history, team user actions

Automatically generated

Device and Technical Data

IP address, browser type, operating system, device identifier, session data

Automatically collected

Social Media Data

Verified follower count, engagement rate, audience demographics, content category โ€” pulled from Instagram and YouTube APIs (and other platforms as added)

Social media API integration (authorised by Creator)

2.C Data Collected from Talent Managers

Talent Managers provide data substantially similar to Creators at registration, including identity data, contact data, location data, demographic data, professional data, PAN, bank details, and platform activity data generated through their management of Creator accounts.

2.D Data Collected Automatically

When you access and use the Platform, we automatically collect the following data:

  • Log and usage data, including pages visited, features used, search queries, and time spent on the Platform;

  • Device and browser information, including IP address, browser type and version, operating system, and screen resolution;

  • Cookie data and tracking data from third-party analytics and advertising tools, including Google Analytics and Meta Pixel, as further described in Clause 11 and our Cookie Policy; and

  • Social media API data, where a Creator has linked their social media account through the Platform's authorised API integration. The specific data fields pulled from each social media platform are subject to that platform's API permissions and data access policies.

3. Purposes for Which We Process Your Personal Data

3.1 We process personal data only for specific, clear, and lawful purposes as required by Section 4 of the DPDPA. The table below sets out each processing purpose, the data used, and the legal basis under the DPDPA.

Processing Purpose

Data Used

Legal Basis (DPDPA 2023)

Account registration and identity verification

Identity data, contact data, demographic data

Legitimate uses for fulfilment of services โ€” S.7(a)

KYC verification for payment processing and TDS compliance

PAN, bank account details, GST number

Compliance with law โ€” S.7(f); Income Tax Act 1961

Order processing and campaign management

Identity data, professional data, platform activity data

Legitimate uses for fulfilment of services โ€” S.7(a)

Influencer discovery and brand-creator matching

Professional data, social media data, location data, ethnicity (optional)

Consent โ€” S.6; and legitimate uses โ€” S.7(a)

Payment processing and Escrow management

Payment data (via authorised Payment Aggregator), Wallet transaction data

Legitimate uses for fulfilment of services โ€” S.7(a)

TDS deduction and tax compliance

PAN, creator fee amounts, talent manager commission amounts

Compliance with law โ€” S.7(f); Income Tax Act 1961

Platform analytics and performance measurement

Device data, platform activity data, campaign performance data

Legitimate uses for improving services โ€” S.7(a)

AI-based search and recommendation engine (Brand-facing)

Professional data, social media data (incl. follower count, engagement, demographics, content category and other API-supplied metrics), platform activity data, ratings data

Legitimate uses for fulfilment of services โ€” S.7(a); consent for any sensitive-category inputs (including ethnicity) โ€” S.6

AI-based fraud detection and platform safety

Device data, IP address, social media data, platform activity data

Legitimate uses for safety โ€” S.7(a)

Marketing communications (email, SMS, WhatsApp, push notifications)

Contact data, platform activity data

Consent โ€” S.6

Dispute resolution

Order data, communications data, Deliverables data

Legitimate uses โ€” S.7(a); Compliance with legal obligations

Grievance redressal

Identity data, complaint details

Compliance with law โ€” S.7(f); IT Rules 2021

Safety and security of the Platform

Device data, IP address, platform activity data

Legitimate uses for safety โ€” S.7(a)

Legal proceedings and regulatory compliance

All relevant personal data

Compliance with law โ€” S.7(f)

Please verify: The two AI-related rows in the table above did not extract cleanly from the PDF โ€” the columns were jumbled in the source. I've reassembled them as faithfully as I could, and there was also a stray fragment ("Social media data, engagement data, platform activity data โ€” Consent S.6; legitimate uses S.7(a)") whose row was unclear. Please check these rows against your original document before publishing.

3.2 We do not use your personal data for any purpose incompatible with the purposes disclosed in this Policy. If we intend to process your data for a new purpose, we shall obtain fresh consent or establish a new lawful basis before doing so, and shall update this Policy accordingly.

4. Legal Basis for Processing under the DPDPA 2023

4.1 Under the Digital Personal Data Protection Act, 2023, processing of personal data requires either (a) the consent of the Data Principal, or (b) a legitimate use as specified in Section 7 of the DPDPA.

4.2 Consent (Section 6, DPDPA 2023). Where we rely on your consent, we shall obtain it through a clear, affirmative action (such as clicking a checkbox or a designated consent button) before collecting the relevant data. The consent notice shall be in plain language, specify the personal data to be collected and the purpose for which it will be used, and inform you of your right to withdraw consent at any time. We process the following categories of data on the basis of consent:

  • Ethnicity data (see Clause 5 for detailed provisions);

  • Marketing communications via email, SMS, WhatsApp, and push notifications; and

  • Use of non-essential cookies and tracking technologies (see Clause 11).

4.3 Legitimate Uses (Section 7, DPDPA 2023). We process personal data without consent in the following circumstances recognised as legitimate uses under Section 7 of the DPDPA:

  • Fulfilment of services requested by the User, including order processing, payment facilitation, and platform feature access โ€” Section 7(a);

  • Employer obligations โ€” not applicable (Users are not employees of Collebrity);

  • Response to medical emergencies โ€” not applicable;

  • Public interest purposes โ€” not applicable to routine platform operations;

  • Discharge of functions under law, including TDS deduction and remittance under the Income Tax Act, 1961, and compliance with IT Rules 2021 โ€” Section 7(f); and

  • Compliance with any order or judgement of a court or tribunal or any other statutory authority โ€” Section 7(g).

5. Sensitive Personal Data โ€” Ethnicity

Special Category Data Notice
Ethnicity is a sensitive category of personal data under the DPDPA 2023 and a Special Category of data under Article 9 of the EU General Data Protection Regulation (GDPR). Its collection and processing requires explicit, informed, purpose-specific, and withdrawable consent. The provisions of this Clause govern all collection and processing of ethnicity data by Collebrity.

5.1 Why We Collect Ethnicity Data. Collebrity collects ethnicity data, on a strictly voluntary opt-in basis, from Creators who wish to be discoverable in culturally targeted campaigns. The purpose is to enable Brands to identify Creators whose identity and audience demographics align with their campaign's target community. Ethnicity data is treated by Collebrity as a sensitive category of personal data in all jurisdictions, regardless of whether the law applicable to a particular Data Principal categorises it as such. For Users to whom the EU General Data Protection Regulation applies, ethnicity data is processed only on the basis of explicit consent within the meaning of Article 9(2)(a) of the GDPR.

5.2 Voluntary Nature. Providing ethnicity data is entirely optional. A Creator may register and use all features of the Platform without disclosing their ethnicity. Declining to provide ethnicity data will not affect a Creator's ability to receive Orders or participate in Campaigns, except in cases where a Brand has specifically applied an ethnicity filter in their search.

5.3 Consent Mechanism. Before any Creator is permitted to record ethnicity data on the Platform, Collebrity shall present a dedicated, in-product consent notice that, in compliance with Section 6(3) of the DPDPA, 2023 (and where applicable, Article 9(2)(a) of the GDPR for EU/EEA Users): (a) identifies ethnicity as a sensitive category of personal data; (b) states the specific purpose for which it will be used (Clause 5.1 above); (c) explains how it will be used in Brand search filters; (d) confirms whether and how it will be shared with Brands; (e) confirms that it will not be displayed publicly on the Creator's Storefront; (f) explains how the Creator may exercise their rights under Sections 6(4)-(6) and 13 of the DPDPA (including the right to withdraw consent); and (g) explains the manner of complaint to the Data Protection Board of India. Collection of ethnicity data shall not commence until the Creator provides explicit affirmative consent through the in-product tick associated with this notice.

5.4 Use of Ethnicity Data. Ethnicity data shall be used solely as a discoverable filter in Brand search queries. When a Brand selects an ethnicity filter, only Creators who have voluntarily provided matching ethnicity data and have consented to its use will appear in the filtered results. Collebrity does not display ethnicity data on the Creator's public Storefront profile.

5.5 Sharing of Ethnicity Data. Ethnicity data is not shared with Brands in a directly identifiable form. It is used by Collebrity's search algorithm to generate filtered results. A Brand using the ethnicity filter will see search results limited to matching Creators, but will not receive a data export of ethnicity values.

5.6 AI-Based Processing of Ethnicity Data. Where ethnicity data is used as an input to Collebrity's AI-based matching algorithm, the Creator consents to such algorithmic processing as part of the ethnicity data consent mechanism under Clause 5.3. The Creator has the right to opt out of algorithmic processing of their ethnicity data by withdrawing consent under Clause 5.7.

5.7 Withdrawal of Consent. A Creator may withdraw consent to the collection and use of their ethnicity data at any time by: (a) updating their profile settings to remove the ethnicity data field; or (b) writing to [email protected]. Upon withdrawal of consent, Collebrity shall cease using the ethnicity data for filtering purposes and shall delete the data within Thirty (30) days of receipt of the withdrawal request. Withdrawal of consent shall not affect the lawfulness of processing carried out before the withdrawal.

6. Retention of Personal Data

6.1 We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law, whichever is longer. We do not retain personal data indefinitely.

6.2 The following retention periods apply to each category of personal data:

Category of Data

Retention Period

Basis for Retention Period

Active user account data (identity, contact, professional data)

Duration of the Account, plus Twenty-Four (24) months from the date of the last Order or transaction on the Account

Platform operations and legitimate interests in resolving post-closure disputes

Transaction and payment records (Order value, Commission, payout amounts)

Seven (7) years from the date of the transaction

Income Tax Act, 1961; Companies Act, 2013 โ€” mandatory statutory retention

KYC documents (PAN, bank details)

Duration of the Account, plus Five (5) years from Account closure

Prevention of Money Laundering Act, 2002 obligations; Tax audit requirements

Campaign and creative data (Campaign Briefs, Deliverables)

Three (3) years from Campaign completion

Dispute resolution and IP claim defence

Platform activity and analytics data

Two (2) years from date of generation, then aggregated and anonymised

Platform improvement and analytics

Social media API data (follower count, engagement data)

Refreshed at each API sync; individual historical snapshots retained for Two (2) years

Analytics and Creator profile accuracy

Ethnicity data

Until consent is withdrawn or Account is closed, whichever is earlier; deleted within Thirty (30) days of withdrawal

Consent-based processing; mandatory deletion upon withdrawal

Deleted account data

Account data purged within Thirty (30) days of deletion request being processed, subject to completion of pending Orders and Disputes. Transaction records retained for statutory periods above.

DPDPA Section 8(7); GDPR Article 17 (for EU users)

Dispute and grievance records

Three (3) years from closure of the dispute or grievance

IT Rules 2021; limitation period for legal claims

Communications and messages (Platform chat)

Two (2) years from Order completion

Dispute resolution

Marketing consent records

Duration of the Account plus Two (2) years, or until consent is withdrawn

Evidence of lawful marketing processing

6.3 Upon expiry of the applicable retention period, we shall securely delete or anonymise personal data such that the individual is no longer identifiable from the retained data. Anonymised data may be retained indefinitely for analytical purposes.

6.4 Notwithstanding the above retention periods, we may retain personal data for longer periods where required by a court order, regulatory investigation, or other legal obligation, for the duration of such requirement.

7. Sharing of Personal Data with Third Parties

7.1 We do not sell your personal data to third parties. We share personal data only in the circumstances described below and only to the extent necessary for the stated purpose.

7.2 Data Processors. We share personal data with the following categories of Data Processors (entities that process data on our behalf under binding data processing agreements), as permitted under Section 8(3) of the DPDPA:

Third Party / Category

Data Shared

Purpose

Payment Gateway Service Providers

Payment card details, bank account details, Order value, User identity data for KYC

Processing brand payments, managing Collebrity Holding, disbursing Creator payouts

Email marketing service provider

Email address, name, platform activity data (for segmentation)

Sending transactional and promotional emails

WhatsApp / SMS notification service

Mobile number, name

Sending Order updates, notifications, and promotional messages (with consent)

Cloud infrastructure provider (authorised cloud infrastructure provider)

All personal data stored on the Platform

Data storage, hosting, and infrastructure services across India, the US, and the EU server regions

Finance and accounting software

Transaction records, invoicing data, TDS-related data

Bookkeeping, tax filing, and financial reporting

Analytics service providers (Google Analytics, Meta Pixel)

Device data, IP address, browsing behaviour on the Platform, page visit data

Platform performance analytics and marketing effectiveness measurement

Social media platforms (Instagram/Meta, YouTube/Google APIs)

Creator's account authorisation token (to pull analytics); data shared back includes verified follower counts and engagement metrics

Creator analytics verification and Storefront data population

7.3 Sharing of Data between Users and Public Visibility on the Platforms. Certain information shared by Users on the Platform, including information received through authorised API connections with social media platforms, may be visible to other Users or publicly accessible on the Platform, as described below:

(a) Creator Storefronts. A Creator's Storefront may be publicly visible to both registered and non-registered visitors of the Platform. This may include the Creator's display name, username or handle, profile photo, professional category, content niche, service listings and pricing, social media handles, ratings, reviews, authorised sample work or Deliverables, and social media analytics obtained through authorised API connections, such as follower count, engagement metrics, audience demographics, content category, reach, views, impressions, and other platform-provided performance data.

(b) Brand Profiles and Campaign Information. Brand names, campaign categories, campaign details, and related brand profile information may be visible to Creators who receive Campaign invitations or participate in related Orders. Where a Brand connects its social media accounts or other external platforms through authorised API integrations, Collebrity may process and display relevant connected-platform data for campaign verification, profile enrichment, analytics, reporting, and marketplace trust features, subject to the permissions granted by the Brand.

(c) Talent Manager Profiles. Talent Manager profiles and related professional information may be visible to Brands in connection with campaigns or Creator accounts managed by the Talent Manager. Where a Talent Manager connects social media accounts or manages API-connected Creator accounts, Collebrity may process relevant social platform data for Creator management, verification, analytics, reporting, and campaign coordination purposes, subject to the permissions granted through the Platform.

(d) Ratings and Reviews. Ratings, reviews, and feedback submitted by Brands may be displayed on the relevant Creator's Storefront. Similarly, ratings [the source text ends here mid-sentence โ€” please complete this clause from your original]

7.4 Sharing with Law Enforcement and Regulatory Authorities. We may disclose personal data to government authorities, law enforcement agencies, courts, or tribunals in the following circumstances: (a) in compliance with any applicable law, regulation, court order, or legal process; (b) in response to a valid request from a government or regulatory authority in India; (c) to protect the rights, property, or safety of Collebrity, its Users, or the public; or (d) to detect, investigate, or prevent fraud, security breaches, or illegal activity. We shall endeavour to notify the affected User of any such disclosure to the extent permitted by applicable law.

7.5 Corporate Transactions. In the event of a merger, acquisition, sale of assets, or other corporate restructuring, personal data held by Collebrity may be transferred to the acquiring or successor entity. We shall notify Users of any such transfer in advance to the extent practicable, and shall ensure that the acquiring entity is bound by obligations no less protective than those in this Policy.

8. International Transfers of Personal Data

8.1 International Storage and Processing. Collebrity uses cloud infrastructure and service providers with server locations in India, the United States, and the European Union. As a result, personal data may be processed, transferred, or stored on servers located outside India as part of normal Platform operations.

8.2 India to United States Transfers. Personal data of Users located in India may be processed on servers located in the United States for purposes including platform operations, analytics, infrastructure management, security, and related technical services. Such transfers are subject to the contractual and security protections implemented by Collebrity and its authorised cloud infrastructure providers, including applicable data processing agreements.

8.3 Transfers Involving European Union Data. Where personal data of users located in the European Union or European Economic Area ("EU/EEA") is processed, any transfer of such data between the EU, India, or other jurisdictions shall be carried out in accordance with applicable GDPR requirements, including the use of appropriate contractual safeguards such as the European Commission's Standard Contractual Clauses ("SCCs"), where required.

8.4 EU/EEA Availability and Data Segregation. As of the effective date of this Policy, the Platform is not actively offered, marketed, or intended for residents of the EU/EEA. Collebrity intends to expand services to EU/EEA users only after implementing the infrastructure, operational processes, and compliance measures required under applicable GDPR laws, including appropriate consent management, international transfer safeguards, breach notification procedures, and EU-related compliance roles where applicable. Until such implementation is completed, Collebrity may use reasonable measures, including geographic checks and country selection controls, to limit onboarding by EU/EEA residents.

8.5 International Transfer Safeguards. In all cases involving international transfers of personal data, Collebrity shall implement proper/appropriate contractual, technical, and organisational safeguards to protect personal data to a standard equivalent to/required under the DPDPA 2023 and Applicable Indian law.

9. Security Safeguards

9.1 Collebrity implements appropriate technical and organisational security measures to protect personal data against unauthorised access, disclosure, alteration, loss, or destruction, as required by Section 8(5) of the DPDPA.

9.2 Our security measures include:

  • Encryption of personal data in transit using industry-standard TLS/SSL protocols;

  • Restricted access controls ensuring that personal data is accessible only to authorised personnel with a business need;

  • Payment data security through PCI-DSS compliant payment gateways (authorised Payment Aggregator). Collebrity does not store full payment card numbers on its own servers;

  • Regular security assessments and vulnerability testing of the Platform infrastructure;

  • Access logging and monitoring for anomalous activity; and

  • Secure deletion protocols for data that has reached the end of its retention period.

9.3 Data Breach Notification. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of Data Principals, Collebrity shall report the breach to the Data Protection Board of India as required under Section 8(6) of the DPDPA, and shall notify the affected Data Principals in the manner and within the timeframes prescribed under the DPDPA and its rules.

9.4 Notwithstanding our security measures, no internet-based platform can guarantee absolute security. Users are responsible for maintaining the confidentiality of their Account credentials and for reporting any suspected unauthorised access promptly to [email protected].

10. AI-Based Processing and Automated Decision-Making

10.1 AI-Based Features and Processing. Collebrity may use AI systems, machine learning models, automated analysis tools, and algorithmic ranking systems in connection with Platform operations and User data for purposes including:

(a) influencer-brand matching and Creator discovery recommendations;

(b) personalised search rankings and content visibility;

(c) Content scoring and campaign suitability assessments;

(d) fraud detection and platform safety measures, including the detection of fake followers, suspicious engagement activity, spam, scams, policy violations, or potentially abusive behaviour;

(e) Pricing recommendations and campaign performance insights for Brands, Creators, and Talent Managers;

(f) Audience demographic analysis and analytics based on authorised social media API data and Platform activity;

(g) Recommendation, filtering, and relevance systems designed to improve marketplace functionality and User experience; and

(h) Improving, testing, monitoring, and maintaining the quality, safety, and performance of the Platform and its recommendation systems.

10.2 Automated Profiling and Human Review. Certain AI-based features may involve automated profiling or ranking of Users based on personal data, Platform activity, social media analytics, engagement metrics, ratings, campaign performance, or related signals. Such processing may affect search visibility, recommendations, fraud-risk assessments, campaign matching, or related Platform functionality.

Collebrity does not rely solely on automated processing to make decisions that produce legal or similarly significant adverse effects on Users without reasonable human oversight where required under applicable law.

Where a User believes that an automated decision or profiling outcome has materially affected them, the User may:

(a) Request a human review of the relevant determination; and

(b) Contest the outcome through the grievance mechanism described in Clause 14.

10.3 Use of Ethnicity Data. Where a Creator voluntarily provides ethnicity data with ex [the source text ends here mid-sentence โ€” please complete this clause from your original]

11. Cookies and Tracking Technologies

11.1 We use cookies and similar tracking technologies on the Platform to enable essential functionality, measure platform performance, and serve relevant advertising. A detailed description of cookies used on the Platform is set out in our Cookie Policy (available at collebrity.com/cookies).

11.2 The following categories of cookies are currently deployed on the Platform:

Cookie Category

Examples

Purpose

Consent Required

Strictly Necessary

Session cookies, login tokens, CSRF tokens

Essential for Platform functionality; cannot be disabled

No

Analytics

Google Analytics (_ga, _gid)

Measuring Platform traffic, user behaviour, and feature usage

Yes

Advertising / Retargeting

Meta Pixel, Google Ads remarketing tags

Measuring ad campaign effectiveness; serving targeted advertising to users on social media platforms

Yes

Functional

Language preference, UI settings

Remembering user preferences for a better experience

No (but may be disabled)

11.3 When you first access the Platform, you will be presented with a cookie consent banner that allows you to (a) accept all cookies, (b) reject all non-essential cookies, or (c) customize your cookie preferences by category. Strictly Necessary cookies are not subject to consent. The cookie consent banner shall be presented at India launch and shall continue to operate at all subsequent launches.

11.4 Third-Party Cookies. The Google Analytics and Meta Pixel tracking technologies deploy third-party cookies on the Platform. The data collected by these tools is governed by Google's and Meta's respective privacy policies. We recommend that you review those policies for information on how these companies handle data collected through their tracking technologies.

11.5 No Third-Party Advertising on the Platform. Collebrity does not currently permit third-party advertisers to serve advertisements to Users on the Platform. The advertising technologies deployed (including Meta Pixel) are used solely for Collebrity's own marketing measurement and retargeting purposes and not to serve ads from external brands to Platform Users.

12. Marketing Communications

12.1 With your prior consent, Collebrity may send you promotional and marketing communications through the following channels: email, SMS, WhatsApp notifications, and in-app push notifications.

12.2 Consent for marketing communications shall be obtained separately from the consent given for Terms and Conditions acceptance, through a clear opt-in mechanism. You are under no obligation to consent to marketing communications to use the Platform. Transactional communications โ€” such as Order confirmations, payment receipts, dispute notifications, and Account-related alerts โ€” are sent regardless of marketing consent and do not require separate consent as they are necessary for the provision of the Services.

12.3 CAN-SPAM Act (United States). For marketing emails sent to Users in the United States, Collebrity complies with the requirements of the CAN-SPAM Act, 2003, including: (a) including a clear identification of the sender; (b) including a valid physical mailing address; and (c) providing a functional and accessible opt-out mechanism in every marketing email. Opt-out requests shall be honoured within Ten (10) business days.

12.4 Withdrawal of Marketing Consent. You may withdraw consent to marketing communications at any time by: (a) clicking the "Unsubscribe" link in any marketing email; (b) adjusting notification preferences in your Account settings; or (c) writing to [email protected]. Withdrawal of marketing consent shall not affect the lawfulness of marketing communications sent before the withdrawal.

13. Your Rights as a Data Principal

13.1 Under Sections 11 to 14 of the DPDPA 2023, you have the following rights in relation to your personal data processed by Collebrity. To exercise any of these rights, please write to [email protected] or use the grievance mechanism described in Clause 14.

Right

What It Means

How to Exercise

Right to Access (Section 11)

You have the right to obtain a summary of the personal data we hold about you and the purposes for which it is being processed.

Submit a request to [email protected]

Right to Correction (Section 12(a))

You have the right to correct inaccurate or misleading personal data.

Update in Account settings or submit a request

Right to Completeness (Section 12(b))

You have the right to have incomplete personal data completed.

Submit a request to [email protected]

Right to Erasure (Section 12(c))

You have the right to have your personal data erased once the purpose for which it was collected is no longer being served, subject to statutory retention obligations (see Clause 6).

Submit a deletion request or initiate Account deletion

Right to Grievance Redressal (Section 13)

You have the right to lodge a grievance with Collebrity's Grievance Officer regarding any breach of the DPDPA or this Policy, and to have the grievance addressed within the prescribed time.

Contact the Grievance Officer (Clause 14)

Right to Nominate (Section 14)

You have the right to nominate another individual to exercise your rights in the event of your death or incapacity.

Submit a nomination request to [email protected]

Right to Withdraw Consent (Section 6(4))

You may withdraw consent at any time. Withdrawal will not affect processing carried out before withdrawal. For specific consent-based processing (such as ethnicity data and marketing), withdrawal will result in cessation of that specific processing.

Update profile settings or contact us

Right to Complain to the Data Protection Board (Section 13(3))

If your grievance is not resolved by Collebrity's Grievance Officer to your satisfaction, you have the right to approach the Data Protection Board of India.

File a complaint at www.dataprotectionboard.gov.in [to be updated when the Board is operational]

13.2 We shall respond to requests for exercise of rights within such period as may be prescribed under the DPDPA and its rules. Where a request cannot be fulfilled for legal reasons (for example, where data must be retained for statutory compliance), we shall inform you of the reason in writing.

14. Grievance Mechanism

14.1 In accordance with Section 13 of the DPDPA, 2023, Section 8(9) of the DPDPA, and Rule 3(2) of the IT Rules 2021, Collebrity has appointed a Resident Grievance Officer / Data Protection Contact. The current name, designation, and contact details are published at collebrity.com/grievance and shall be promptly updated upon any change. As at the date of this Policy:

Designation: Resident Grievance Officer / Data Protection Contact; Name: Gilbert Doss; Contact Email: [email protected] (monitored by the Resident Grievance Officer); Grievance Portal: https://collebrity.com/contact.

Where the contact details published at collebrity.com/grievance differ from those set out in this Policy, the details published on the Platform's grievance redressal page shall prevail.

Designation

Resident Grievance Officer / Data Protection Contact

Name

Gilbert Doss

Contact Email

[email protected]

Grievance Portal

https://collebrity.com/contact

14.2 Grievance Process. If you have any complaint or concern regarding the processing of your personal data, or wish to exercise any of the rights described in Clause 13, please submit your grievance in writing to the Grievance Officer at the email or portal above. Your grievance should include: (a) your name and registered email address; (b) a description of the concern or the right you wish to exercise; and (c) any supporting documentation.

14.3 Response Timelines. Collebrity shall acknowledge receipt of your grievance within Twenty-Four (24) hours and shall endeavour to resolve it within such period as may be prescribed under the DPDPA and its rules (currently proposed at Thirty (30) days from receipt).

14.4 Data Protection Board. If your grievance is not resolved to your satisfaction, you have the right to file a complaint with the Data Protection Board of India, once constituted and operational under the DPDPA. The contact details of the Data Protection Board will be updated in this Policy upon operationalisation.

15. Children's Data

15.1 The Platform is not directed at persons below the age of Eighteen (18) years. Collebrity does not knowingly collect personal data from minors. The Platform enforces a minimum age requirement of 18 years at registration through a birth year selection mechanism.

15.2 If you are a parent or guardian and become aware that a person below the age of 18 has registered on the Platform, please contact us immediately at [email protected]. Upon verification, we shall promptly delete the Account and all associated personal data.

15.3 Collebrity does not engage in behavioural monitoring, targeted advertising, or tracking of users known to be minors, in compliance with Section 9 of the DPDPA and applicable international standards including the Children's Online Privacy Protection Act (COPPA) for US users.

16. Third-Party Links and Services

16.1 The Platform may contain links to third-party websites, social media platforms (including Instagram, YouTube, TikTok, and others), and external services. This Policy applies only to data processed by Collebrity through the Platform. We are not responsible for the privacy practices or content of third-party websites or services.

16.2 When a Creator links their social media account to the Platform through an API integration, such integration is governed by the terms of the relevant social media platform (including Meta's Developer Platform Policy and Google's API Services User Data Policy). Collebrity uses data obtained through social media APIs only in accordance with the applicable API platform's terms and only for the purposes disclosed in this Policy.

17. Changes to This Policy

17.1 We may update this Policy from time to time to reflect changes in our data processing practices, applicable law, or Platform features. Material changes to this Policy shall be communicated to registered Users by email to their registered email address at least Fourteen (14) days before the change takes effect.

17.2 Continued use of the Platform after the effective date of any change to this Policy shall constitute your acceptance of the revised Policy. If you do not agree to a revised Policy, you may close your Account before the effective date.

17.3 The version number and date of last revision of this Policy are displayed in the header and footer of this document and on the Platform's privacy page.

18. Contact Us

For all queries, requests, or concerns relating to this Policy or the processing of your personal data, please contact us through any of the following channels:

General Support

[email protected]

Privacy and Data Protection

[email protected]

Grievance Officer

[email protected]

Grievance Portal

https://collebrity.com/contact

Registered Office

Collebrity Private Limited, Flat No. 504, Veerasandra, Veerasandra Gollahalli Main Road, Bengaluru, Karnataka โ€” 560100, India

Schedule A โ€” Key Definitions

"Data Fiduciary" has the meaning assigned to it in Section 2(i) of the DPDPA โ€” any person who alone or in conjunction with others determines the purpose and means of processing of personal data.

"Data Principal" has the meaning assigned to it in Section 2(j) of the DPDPA โ€” the individual to whom the personal data relates.

"Data Processor" has the meaning assigned to it in Section 2(k) of the DPDPA โ€” any person who processes personal data on behalf of a Data Fiduciary.

"DPDPA" means the Digital Personal Data Protection Act, 2023 (No. 22 of 2023), and includes any rules, regulations, or directions issued thereunder.

"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

"Personal Data" has the meaning assigned to it in Section 2(t) of the DPDPA โ€” any data about an individual who is identifiable by or in relation to such data.

"Processing" has the meaning assigned to it in Section 2(x) of the DPDPA โ€” an automated operation or set of operations performed on digital personal data, including collection, recording, storage, use, sharing, disclosure, or deletion.

"Sensitive Personal Data" under the DPDPA, refers to personal data whose processing is likely to cause significant harm to the Data Principal, as may be specified by the Government of India. For the purposes of this Policy, ethnicity data is treated as sensitive personal data requiring explicit consent.