Privacy Policy

Last updated: April 2026

1. Overview

stuffmybio ("we", "us", "our") is operated by Vinaveda Studios LLC. We build creator tools that help Instagram and TikTok creators monetize their content through affiliate commerce.

We collect the minimum data needed to operate the service. Nothing we collect is sold to third parties. This policy explains what data we process, why, how it is stored, and what rights you have over it.

Our legal basis for processing personal data (under GDPR) is a combination of contract performance (running the service you signed up for), legitimate interests (product analytics and fraud prevention), and consent (non-essential cookies, where applicable).

2. Data we collect

2.1 Account data

  • Email address and authentication identifier (via Supabase Auth)
  • OAuth tokens for Google Sign-In (if used)
  • Your chosen stuffmybio username (public)
  • Profile display name, bio, and avatar image (public, optional)

2.2 Instagram and TikTok integration data

  • Your Instagram handle and a Graph API access token (encrypted at rest using AES-256)
  • Your TikTok handle (public identifier only — no OAuth token unless you connect TikTok Shop)
  • Reel metadata fetched from the Instagram Graph API: media IDs, thumbnails, caption text, and timestamps
  • We do not store your Instagram password or access your DMs, comments, or followers list

2.3 Product and storefront data

  • Products you confirm, edit, or manually add to your storefront
  • Content cards (text tiles) you write
  • Affiliate URL mappings (the redirect target is never exposed client-side; we proxy all outbound clicks through /r/[product_id])

2.4 Usage and analytics data

  • Storefront page views (visitor count, referrer, country at city level)
  • Outbound click counts on product tiles (no visitor PII stored)
  • Dashboard feature interactions (with your analytics consent, via PostHog)

2.5 Billing data

  • Stripe customer ID and subscription status
  • We never store full credit card numbers — those go directly to Stripe

3. Data we never collect

  • Your Instagram or TikTok password
  • Your DMs, comments, or followers list
  • Cross-site browser fingerprints
  • Third-party retargeting pixels
  • Sensitive categories of data (health, political views, etc.)
  • Data from visitors to your storefront beyond aggregate click counts

4. Cookies and tracking

We use a minimal set of cookies. You are shown a consent banner on first visit. Essential cookies do not require consent.

Cookie | Purpose | Expiry | Required
sb-* | Supabase auth session | 7 days | Essential
sm_consent | Remembers your cookie preferences | 1 year | Essential
ph_* | PostHog analytics (set only with consent) | 1 year | Analytics
sm_r_* | Affiliate receipt cookie (tracks which creator referred a purchase — lives in browser for 30 days for commission attribution) | 30 days | Essential

You can withdraw your analytics consent at any time by clicking "Manage preferences" in the cookie banner (re-open it by clearing the sm_consent cookie in your browser's DevTools → Application → Cookies).

5. Third-party processors

We use the following sub-processors. We have Data Processing Agreements in place where required by GDPR.

  • Supabase: Postgres database, authentication, and file storage. Location: us-east-1 (AWS)
  • Vercel: Next.js hosting, Edge Network CDN. Location: Global edge, HQ in USA
  • Stripe: Payment processing, subscription billing. Location: USA
  • PostHog: Product analytics — only loaded with your explicit consent. Location: US or EU Cloud (configurable)
  • Resend: Transactional email (sign-up confirmation, billing receipts). Location: USA
  • Amazon (PA-API): Product search and affiliate link generation. Location: USA

6. Data storage and security

  • All data is stored in Supabase Postgres in us-east-1, encrypted at rest by AWS
  • Instagram access tokens are further encrypted with AES-256 before storage
  • All traffic uses TLS 1.2+ in transit
  • Row-level security (RLS) policies on the database prevent any user from reading another user's data
  • We follow responsible disclosure — report vulnerabilities to security@stuffmybio.com

7. Data retention

We keep your data for as long as your account is active. On account deletion:

  • All personal data (email, Instagram tokens, products, content) is deleted within 7 days
  • Aggregated, anonymized analytics data (click counts without user association) may be retained indefinitely
  • Stripe records are retained per Stripe's own legal obligations (typically 7 years for billing records)

8. Your rights (GDPR & CCPA)

If you are in the EU, EEA, UK, or California, you have the following rights:

  • Access: Request a copy of all personal data we hold about you.
  • Rectification: Ask us to correct inaccurate data.
  • Erasure (“right to be forgotten”): Ask us to delete your account and all associated data.
  • Restriction: Ask us to pause processing while a dispute is resolved.
  • Portability: Receive your data in a machine-readable format.
  • Object: Object to processing based on legitimate interests (e.g., analytics).
  • Withdraw consent: Withdraw consent for non-essential cookies at any time.

To exercise any of these rights, email privacy@stuffmybio.com with "Privacy Request" in the subject line. We respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority (e.g., ICO in the UK, CNIL in France, or the DPC in Ireland).

9. Children's privacy

stuffmybio is not directed at children under 13 (or under 16 in the EU). We do not knowingly collect personal data from minors. If you believe a child has created an account, contact us at hello@stuffmybio.com and we will delete it promptly.

10. Changes to this policy

We'll email you about material changes to this Privacy Policy at least 14 days before they take effect. Minor updates (typos, clarifications that don't change rights) may be made without notice, but the "Last updated" date above will always reflect when the document last changed.

11. Contact us

Data controller: Vinaveda Studios LLC
General: hello@stuffmybio.com
Privacy requests: privacy@stuffmybio.com
Security vulnerabilities: security@stuffmybio.com

Note: This privacy policy was drafted to cover the current feature set and should be reviewed by a qualified lawyer before public launch, especially for EU GDPR Articles 13 & 14 compliance and any state-specific requirements.