SignalMedia

Privacy Policy

SignalXMedia Pty Ltd (ABN to be issued; “SignalXMedia,” “we,” “our”) is an Australian creator agency operating from Sydney, NSW, with Phase 2 desks opening in Singapore, Bangkok, Tokyo, and Seoul. This policy explains what personal information we collect, why, who we share it with, where it is stored, and the rights you have over it. We comply with the Australian Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs); where you reside in, or your data is transferred to, the EEA, UK, California, mainland China, Singapore, Japan, Korea, or Thailand, we additionally comply with the relevant local laws (GDPR, UK GDPR, CCPA/CPRA, PIPL, PDPA, APPI, PIPA, PDPA-TH).

1. Data we collect

From creators applying to the roster: legal name, display name, date of birth, email, phone, country of residence, government-issued identification (URL upload), headshot, social-platform handles, follower counts, engagement metrics, audience demographics auto-fetched from your linked accounts, brand-deal history you choose to disclose, payout details (bank, Stripe Connect account, Trolley recipient ID).

From brands submitting briefs: company legal name, company website, industry, country, contact name, work email, job title, campaign objective, target audience notes, budget band, deliverable requirements, brand-safety flags, NDA preferences.

From all visitors: anonymized analytics events (page views, country-level geo, browser, screen size) via Plausible — cookieless and IP-anonymized. Strictly-necessary authentication cookies via Supabase Auth when signed in.

2. Why we process this data (purpose + lawful basis)

Primary purpose (APP 3 + 6): to evaluate creator applications, deliver brand campaigns, issue invoices, and send payouts — i.e., the services you are signing up to receive.

Secondary purposes (APP 6.2(a) — within reasonable expectation): platform operation, fraud prevention, audit logging, AANA/ACMA/ASIC compliance scanning on deliverables.

Consent (APP 3.3 / 6.1(a); GDPR Art. 6(1)(a); PIPL Art. 13): marketing communications, optional analytics enrichment, cross-border data transfers from mainland China.

Legal obligation (APP 6.2(b); GDPR Art. 6(1)(c)): retain payout + tax records for 7 years under Australian AML/CTF and ATO rules; respond to lawful regulator requests (OAIC, ACMA, ATO, ASIC, foreign equivalents).

Contract performance (where applicable; GDPR Art. 6(1)(b)): legal basis used for EEA/UK creators and brand contacts.

3. Recipients and sub-processors

We share necessary personal information with the following sub-processors. Each is bound by a data-processing agreement that imposes substantially-equivalent privacy protections (APP 8.2), and either operates in an APP 8.2 reasonable-belief jurisdiction, on the EU adequacy list, or under SCCs / IDTAs / CAC Standard Contracts as applicable.

— Supabase (AWS Sydney ap-southeast-2) — authentication, session cookies. Data residency: Australia.
— Neon Postgres (AWS Singapore ap-southeast-1) — primary application database. Data residency: Singapore.
— Vercel (multi-region edge; primary compute Sydney) — web app hosting, runtime logs.
— Resend (US) — transactional email delivery (application receipts, brief receipts, decision notifications).
— TikHub + HikerAPI (CN/HK) — social-platform stats fetch for creator applications.
— DocuSeal (US) — contract signing envelopes.
— Stripe Connect (AU, US, EEA) — creator payout rails (AUD-first; native currencies for SEA + JP/KR).
— Trolley (CA) — international payouts where Stripe Connect coverage is unavailable.
— Plausible (EU) — cookieless web analytics.
— Cloudflare (multi-region) — DNS, CDN, DDoS protection.

4. Cross-border disclosures (APP 8)

Under APP 8.1 we will take reasonable steps to ensure overseas recipients do not breach the APPs in relation to your personal information.

Australia → Singapore (Neon): SCCs equivalent + DPA in place; Singapore PDPA recognised as substantially-similar.

Australia → United States (Resend, DocuSeal, Stripe US arm, Trolley): SCCs equivalent + DPA in place; supplementary measures (encryption-in-transit, access controls, audit logging).

Mainland China → Australia / Singapore (for mainland-residing creators): CAC Standard Contract filed prior to onboarding, per PIPL Art. 38–39.

EEA / UK → AU + third countries: EU SCCs (2021/914) and UK IDTA / UK Addendum where applicable.

All cross-border transfers are logged in the audit ledger.

5. Retention

Application data: 24 months from final decision, then purged unless creator is signed.

Signed-creator data: duration of representation + 24 months.

Brand brief data: 36 months from submission.

Payout + invoice records: 7 years (AML/tax retention).

Audit log: 24 months rolling.

Plausible analytics: aggregated, no individual retention beyond 30 days.

6. Your rights

Australia (Privacy Act 1988 + APPs 12–13): right to access, correct, and request anonymity or pseudonymity where lawful and practicable. We respond to access + correction requests within a reasonable time (target: 30 days).

EEA / UK (GDPR + UK GDPR Art. 15–22): right to access, rectification, erasure, restriction, portability, objection, and to withdraw consent.

California (CCPA / CPRA): right to know, delete, correct, opt out of "sale or share," and limit use of sensitive personal information. We do not sell or share personal information for cross-context behavioural advertising.

Mainland China (PIPL Art. 44–47): rights to access, copy, transfer, correct, delete, restrict, and withdraw consent.

Singapore (PDPA), Japan (APPI), Korea (PIPA), Thailand (PDPA-TH): equivalent access, correction, and consent-withdrawal rights.

To exercise any of these rights, email privacy@signalxmedia.com.au. We respond within 30 days (or shorter where required by local law).

7. Notifiable Data Breach scheme

Under Part IIIC of the Privacy Act, if a breach is likely to result in serious harm, we will notify both the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable. Where the breach also touches EEA, UK, or other jurisdictions, we will additionally notify the relevant supervisory authority within the statutory window (72 hours for GDPR/UK GDPR).

8. Children

SignalXMedia does not knowingly process personal information of users under 18. The application form rejects applicants under 18; brand contacts must confirm they are 18 or older to submit a brief. If you believe we hold data on a minor, contact privacy@signalxmedia.com.au and we will delete it.

9. Security

We store data encrypted at rest (AES-256) and in transit (TLS 1.2+). Access is role-based, audit-logged, and reviewed quarterly. We do not have a SOC 2 report yet; our internal control framework is documented and available to enterprise brand partners under NDA.

10. Contact + complaints

Privacy queries: privacy@signalxmedia.com.au. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au, or with your local supervisory authority (ICO in the UK, CNIL in France, etc.).