1. Who we are (Data Controller)
UGCFrame, based in Malaysia. Privacy contact: privacy@ugcframe.com.
2. What we collect
2.1 Account data
Email, display name, chosen handle, password hash (we never see your plain-text password), authentication provider identifiers (e.g. Google OAuth ID).
2.2 Profile and portfolio content
Anything you publish on your creator subdomain — bio, niche tags, photos, videos, rate cards, brand logos, testimonials, social-media links.
2.3 Payment data
Processed by Stripe. We store a Stripe customer ID, subscription ID, plan tier, and renewal date. We do not store card numbers.
2.4 Inquiry submissions
When a brand submits the contact form on your creator subdomain, we store the brand's name, contact email, budget range, and message so you can read it in your dashboard inbox.
2.5 Analytics + technical data
With your consent (see our Cookie Policy), we use Google Analytics 4 on the marketing site and authenticated dashboard to understand product usage. Independently, on every creator subdomain visit, we record an anonymous view count in our own database for the creator's analytics panel (no IP address, no cookie). We may briefly process IP addresses for rate-limiting and abuse prevention without storing them.
3. Why we use your data (Legal basis)
- Contract: to provide your account, host your portfolio, process payments, deliver inquiries.
- Consent (PDPA s.6 / GDPR Art. 6(1)(a)): for optional analytics + marketing cookies.
- Legitimate interest (GDPR Art. 6(1)(f)): for security, fraud prevention, and product improvement based on aggregate first-party metrics.
- Legal obligation: tax records, lawful requests from authorities.
4. Who we share with (Subprocessors)
We use third-party processors to run the service. See our full Subprocessors list. Each subprocessor has its own privacy policy and security commitments.
5. International transfers
Several subprocessors (Stripe, Supabase, Vercel, Resend) store data in the United States. Where required, transfers rely on Standard Contractual Clauses or equivalent safeguards. PDPA section 129 transfers are based on the subprocessor's commitments and adequate-protection assessment.
6. Retention
We keep account and portfolio data while your account is active. After you delete your account, content is removed within 30 days (backups purge within 90 days). Stripe payment records are kept for 7 years for tax purposes. Inquiry submissions are kept for as long as you keep them in your inbox.
7. Your rights
Under PDPA section 30 (Access) and section 34 (Correction), and equivalent GDPR Articles 15–22, you can:
- Request a copy of the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your account and associated personal data
- Object to or restrict certain processing
- Withdraw consent for analytics / marketing cookies at any time via the cookie-preferences link in the footer
- (EU/UK) Lodge a complaint with your local supervisory authority
To exercise any of these rights, email privacy@ugcframe.com. We respond within 21 days under PDPA s.12.
8. Children
UGCFrame is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has signed up, contact privacy@ugcframe.com and we will remove the account.
9. Security
We use industry-standard safeguards — TLS in transit, encrypted storage at rest, row-level security on every user-owned database table, server-side authorization on every mutation, idempotent signature-verified payment webhooks, and rate-limited public endpoints. No system is perfectly secure; report concerns to security@ugcframe.com.
10. Changes
We will notify you of material changes by email at least 14 days before they take effect.
11. EU / UK addendum (GDPR / UK GDPR)
For visitors and customers in the EU / EEA / UK, the legal basis for each processing activity is described above. You have the rights set out in GDPR Articles 15–22 and may complain to your national data protection authority.
