Privacy Policy

Last Updated: January 1, 2026

1. Introduction and Scope

Welcome to PopScal ("PopScal," "we," "us," or "our"). This Privacy Policy describes how we collect, use, share, disclose, and protect personal information when you use our platform, website at popscal.com, mobile applications, and all related services (collectively, the "Platform" or "Services"). PopScal is operated by [PopScal Technologies Private Limited / PopScal Inc.], a company registered under applicable law with its principal office in India.

This Privacy Policy applies to all users of PopScal, including:

  • Creators who use the Platform to manage their digital presence, sell products, and engage with their audience;
  • Buyers who purchase digital products through the PopScal Marketplace;
  • Visitors who browse the Platform or use any feature without registration;
  • Users who connect their Instagram or other social media accounts to access Auto DM, analytics, or link-in-bio features.

PopScal is an all-in-one creator economy platform that combines the following core features:

  • Digital Products Marketplace: A marketplace where Creators can list and sell digital products to Buyers globally, similar in function to established digital content platforms.
  • Instagram Auto DM Automation: A feature allowing Creators to configure keyword-triggered automated direct messages on Instagram through Meta's official APIs.
  • Analytics Dashboard: An Instagram analytics interface that displays Creator performance metrics as a publicly accessible or private web profile.
  • Link in Bio / Multi-Link Page: A customizable landing page that aggregates multiple links and content for Creators to share with their audience.

By accessing or using any feature of PopScal, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please discontinue use of the Platform immediately.

2. Definitions

For the purposes of this Privacy Policy, the following definitions apply:

  • "Personal Data" or "Personal Information": Any data about an individual who is identified or identifiable, as defined under the Digital Personal Data Protection Act, 2023 (India) and applicable international privacy laws, including the GDPR.
  • "Data Principal": The individual whose personal data is being processed. Under Indian law (DPDP Act, 2023), this refers to you as the user.
  • "Data Fiduciary": PopScal, which determines the purpose and means of processing personal data. Under Indian law, PopScal acts as the Data Fiduciary.
  • "Data Processor": Third parties who process personal data on behalf of PopScal under a binding agreement.
  • "Sensitive Personal Data or Information (SPDI)": As defined under the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, including passwords, financial information, health data, biometrics, and similar categories.
  • "Creator": A registered user who uses PopScal to sell digital products, manage a link-in-bio page, utilize Auto DM features, or display Instagram analytics.
  • "Buyer": A user who purchases digital products through the PopScal Marketplace.
  • "Instagram Data": Data accessed via Meta's official Instagram APIs when you connect your Instagram Business or Creator account to PopScal.
  • "Auto DM Data": Data related to comments, direct messages, story replies, or live interactions processed to trigger automated responses on Instagram.
  • "Cookies": Small text files stored on your device that help us improve your experience on the Platform.

3. Information We Collect

We collect information in the following categories depending on how you use our Platform:

3.1 Information You Provide Directly

  • Registration and Account Information: When you create an account, we collect your name, email address, username, password, phone number, date of birth (for age verification), and profile picture.
  • Creator Profile Data: Social media handles, biography, profile photo, website links, categories of content, promotional descriptions, media kit data, and custom link-in-bio configurations.
  • Marketplace and Product Data: Digital product descriptions, pricing, file uploads, product images, cover art, sales copy, license terms, and product categories when you list products.
  • Payment and Financial Information: Billing name and address, bank account details (for payouts to Creators), UPI IDs, and invoicing information. Full payment card numbers are processed directly by our third-party payment processors and are not stored by PopScal.
  • Communications: Messages you send to our support team, responses to surveys, feedback forms, dispute submissions, and any other correspondence with PopScal.
  • Instagram Auto DM Configuration: Keyword triggers, automated reply templates, target audiences, timing rules, and other configurations set up by Creators for the Auto DM feature.
  • Tax Information: PAN, GSTIN, or other tax identification details required for compliance with Indian tax law.
  • Identity Verification Documents: Government-issued identification may be requested for account verification, compliance purposes, or fraud prevention.

3.2 Information Collected from Third-Party Platforms

When you connect your social media accounts or log in using third-party credentials, we may receive:

  • Instagram / Facebook: Account ID, username, profile picture, follower count, media data, comment text, direct message metadata (when Auto DM is active), story interaction data, live chat data, and engagement analytics — strictly through Meta's official APIs and only as permitted by Meta's Platform Policy.
  • Google: Profile name, email address, and profile picture when you register or log in with Google OAuth.
  • Other Social Networks: Profile data as authorized by you and permitted by the respective platform's API policies.

We do not access, collect, or store private Instagram direct message content beyond what is strictly necessary to trigger and deliver automated responses you have configured. We never use Instagram data for advertising, profiling, or unsolicited messaging.

3.3 Information Collected Automatically

  • Device and Technical Data: IP address, device type, operating system, browser type and version, screen resolution, device identifiers (IDFA/GAID), and time zone.
  • Usage and Analytics Data: Pages viewed, features used, search queries, time spent, navigation paths, click data, file downloads, and interaction logs.
  • Transaction Data: Purchase history, subscription status, download records, refund history, and payment reconciliation data.
  • Log Data: Server logs including access timestamps, error reports, crash logs, and diagnostic information.
  • Location Data: Approximate geographic location derived from IP address; precise location only if you explicitly grant permission through your device settings.

3.4 Cookies and Tracking Technologies

We use cookies and similar technologies for the following purposes:

  • Essential Cookies: Required for the Platform to function, including authentication, session management, and security features.
  • Functional Cookies: Remember your preferences, language settings, and display configurations.
  • Analytics Cookies: Collect aggregated data about Platform usage to help us improve features and performance (e.g., Google Analytics).
  • Marketing Cookies: Used to display relevant advertising and track campaign effectiveness; only with your consent where required by law.

You may manage cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of the Platform. For more details, see our Cookie Policy at popscal.com/cookies.

4. How We Use Your Information

We process personal data for the following purposes and on the legal bases described:

4.1 To Provide and Operate the Platform

  • Creating and managing your account;
  • Processing digital product listings, sales, and deliveries through the Marketplace;
  • Enabling and operating the Instagram Auto DM feature based on your configurations;
  • Generating and displaying Instagram analytics in your dashboard and public-facing profile;
  • Publishing and managing your link-in-bio page and multi-link configurations;
  • Processing payments, calculating taxes, and remitting payouts to Creators;
  • Providing customer support and resolving disputes;
  • Sending transactional communications including purchase confirmations, payout notifications, and security alerts.

Legal Basis: Performance of contract; legitimate interests.

4.2 For Security, Fraud Prevention, and Compliance

  • Verifying user identity and preventing unauthorized access;
  • Detecting and investigating fraudulent transactions, chargeback abuse, and policy violations;
  • Monitoring for prohibited content, CSAE, and child safety violations;
  • Complying with applicable laws including the IT Act 2000, DPDP Act 2023, GST laws, PMLA, and international obligations;
  • Responding to law enforcement requests, court orders, and government directives.

Legal Basis: Compliance with legal obligations; legitimate interests; vital interests.

4.3 For Analytics and Platform Improvement

  • Analyzing how users interact with the Platform to identify improvements;
  • Conducting internal research and A/B testing for new features;
  • Creating aggregated, anonymized, or de-identified datasets for business intelligence;
  • Training internal models and systems (not for training AI models sold to third parties).

Legal Basis: Legitimate interests; with consent where required.

4.4 For Marketing and Communications

  • Sending newsletters, product announcements, and promotional offers — only with your consent or as otherwise permitted by law;
  • Personalizing your experience on the Platform based on your usage patterns and preferences;
  • Running referral programs and affiliate campaigns.

Legal Basis: Consent; legitimate interests. You may opt out at any time.

4.5 For AI and Automated Features

Certain features of PopScal may be powered by artificial intelligence, including the Auto DM response system, content recommendations, and analytics summaries. When you use these features:

  • Your inputs (keywords, templates, account data) are processed by AI Service Providers including OpenAI and others;
  • Outputs generated by AI are provided "as is" and do not constitute professional advice;
  • You remain responsible for reviewing and approving AI-generated content before it is used or distributed;
  • AI processing is subject to the privacy policies of the respective AI Service Providers.

Legal Basis: Performance of contract; consent where required.

5. Instagram Data Handling

PopScal integrates with Instagram through Meta's official APIs to provide Auto DM automation and analytics features. This section specifically governs how we handle Instagram data.

5.1 Data We Access via Instagram APIs

  • Basic Profile: Account ID, username, profile picture, and bio;
  • Comments and Interactions: User comments on your posts, story replies, and Instagram Live comments that match configured triggers;
  • Direct Message Metadata: Sufficient information to send an automated reply per Meta's 24-hour messaging policy — we do not store full conversation history;
  • Analytics Data: Follower count, reach, impressions, engagement metrics, and content performance data as permitted by Meta's API.

5.2 How We Use Instagram Data

  • To detect keyword triggers in comments or messages and send the automated reply you have configured;
  • To display your Instagram performance metrics in your PopScal analytics dashboard;
  • To populate your creator profile with your Instagram username and photo.

We do not use Instagram data for advertising, profiling, building audience segments for third parties, or any purpose not disclosed in this Policy.

5.3 Data Retention and Deletion

  • Instagram data is stored only while your Instagram account remains connected to PopScal;
  • Upon disconnection of your Instagram account, all associated Instagram data will be deleted from our active systems within 30 days;
  • You may request immediate deletion by contacting us at privacy@popscal.com.

5.4 Meta API Compliance

Our use of information received from Instagram and Facebook APIs adheres to Meta's Platform Terms, Instagram's Platform Policy, and all applicable Data Use Policies. We do not transfer Instagram API data to advertising platforms, data brokers, or analytics companies. All automated messages are triggered solely by user-initiated actions (comments, DM, story reply, or live interaction).

6. How We Share Your Information

PopScal does not sell your personal data to third parties. We share data only in the following circumstances:

6.1 Service Providers and Data Processors

We engage trusted third-party service providers to help operate the Platform:

  • Payment Processors: Razorpay, Stripe, PayPal, and Payglocal process payments on our behalf. They collect and process payment data under their respective privacy policies.
  • Cloud and Hosting: Cloud infrastructure providers who host PopScal's servers under strict data processing agreements.
  • Analytics Providers: Google Analytics and similar tools for usage analysis.
  • AI Service Providers: OpenAI and similar providers for AI-powered features.
  • Email and Communication Services: Transactional email providers for account notifications.
  • Identity Verification: Third-party KYC providers for fraud prevention and compliance.

All service providers are bound by data processing agreements that restrict their use of your data to the services they provide to us.

6.2 Creator-to-Buyer and Buyer-to-Creator Sharing

When a purchase is made, necessary transaction details (name, email, delivery information) are shared between the Buyer and the Creator/Seller to fulfill the order. Creators are responsible for handling this information in compliance with applicable law.

6.3 Public Profile Data

Information you choose to make public on your PopScal profile — including your creator name, profile photo, links, product listings, and Instagram analytics you elect to display — will be visible to all users of the Platform and the general public.

6.4 Legal Obligations and Safety

We may disclose your information to law enforcement, courts, regulators, or government authorities when required by law, court order, government directive, or where we believe in good faith that disclosure is necessary to:

  • Comply with the IT Act 2000, DPDP Act 2023, GST laws, or any other applicable law;
  • Enforce our Terms of Service or Privacy Policy;
  • Protect the rights, property, or safety of PopScal, our users, or the public;
  • Respond to requests from the Grievance Officer, law enforcement, or competent regulatory authorities.

6.5 Business Transfers

If PopScal undergoes a merger, acquisition, restructuring, sale of assets, or insolvency proceedings, your personal data may be transferred to the acquiring entity as part of such transaction. We will provide notice of any such transfer and require the recipient to honour this Privacy Policy.

6.6 Aggregated and De-identified Data

We may share anonymized, aggregated, or de-identified data with third parties for research, business intelligence, or marketing purposes. Such data does not identify individual users.

7. Data Storage and International Transfers

PopScal is operated from India. Your personal data may be processed and stored on servers located in India and in other jurisdictions where our service providers operate, including the United States, Singapore, and the European Union.

When we transfer personal data outside India, we ensure appropriate safeguards are in place in accordance with the DPDP Act 2023 and applicable international standards, including:

  • Standard Contractual Clauses (SCCs) for transfers to the EU/EEA;
  • Adequacy decisions where applicable;
  • Data Processing Agreements with all international service providers;
  • Compliance with Section 16 of the DPDP Act 2023 regarding cross-border data transfers.

If you are located in the European Economic Area, the United Kingdom, or other jurisdictions with specific data protection laws, additional safeguards apply as described in Section 14.

8. Data Retention

We retain your personal data for as long as your account is active or as necessary to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods include:

  • Account Data: Retained for the duration of your account plus up to 3 years after closure for legal and audit purposes.
  • Transaction and Financial Data: Retained for 8 years as required under Indian accounting and GST laws.
  • Instagram API Data: Deleted within 30 days of disconnecting your Instagram account.
  • Support Communications: Retained for 3 years from the date of resolution.
  • Marketing Data: Retained until you withdraw consent or opt out.
  • Legal Hold Data: Retained for as long as required by applicable legal proceedings.

When data is no longer needed, we securely delete or anonymize it. Data held in backup archives is isolated from further processing and deleted on a rolling schedule.

9. Data Security

PopScal implements robust technical, organizational, and physical security measures to protect your personal data from unauthorized access, disclosure, alteration, or destruction. Our security practices include:

  • Encryption of personal data in transit (TLS/SSL) and at rest (AES-256 or equivalent);
  • Access controls and role-based permissions limiting data access to authorized personnel only;
  • Regular security audits and penetration testing;
  • Intrusion detection and monitoring systems;
  • Secure data centres complying with ISO 27001 or equivalent standards;
  • Incident response procedures compliant with the DPDP Act 2023 and applicable breach notification requirements;
  • Staff training on data protection and privacy practices.

Despite these measures, no security system is impenetrable. We cannot guarantee absolute security of data transmitted over the internet. You are responsible for maintaining the confidentiality of your account credentials. In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify you and the appropriate regulatory authority as required by law.

10. Children's Privacy

The PopScal Platform is not intended for use by individuals under the age of 18 years. We do not knowingly collect, solicit, or process personal data from minors under 18. If you are under 18, you may use the Platform only under the direct supervision of a parent or legal guardian who has agreed to these terms.

If we become aware that we have inadvertently collected personal data from a minor under 18 without parental consent, we will promptly delete that data. Parents or guardians who believe we may have collected data from their child should contact us at privacy@popscal.com.

In compliance with the Digital Personal Data Protection Act, 2023, PopScal shall not process personal data of children (defined as individuals below 18 years under the Act) without verifiable parental consent, and shall not undertake tracking, behavioural monitoring, or targeted advertising directed at children.

11. Your Rights as a Data Principal

Depending on your location and applicable law, you have the following rights with respect to your personal data:

11.1 Rights Under the DPDP Act 2023 (India)

  • Right to Access: You may request information about the personal data we process about you and a summary of processing activities.
  • Right to Correction and Erasure: You may request correction of inaccurate or outdated personal data, and erasure of personal data that is no longer necessary for the purpose for which it was collected, subject to legal retention requirements.
  • Right to Grievance Redressal: You may register a complaint with our Grievance Officer (see Section 17). If unsatisfied, you may approach the Data Protection Board of India.
  • Right to Nominate: You may nominate another individual to exercise your rights in the event of your death or incapacity.

11.2 Rights Under GDPR (EU/UK Users)

  • Right to Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate personal data.
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data under certain conditions.
  • Right to Restriction of Processing: Request that we restrict processing in certain circumstances.
  • Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests or for direct marketing.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@popscal.com or through your account settings. We will respond within 30 days (or as required by applicable law).

11.3 Rights Under CCPA (California, USA)

  • Right to know what personal information is collected, used, disclosed, or sold;
  • Right to delete personal information;
  • Right to opt out of the sale or sharing of personal information (PopScal does not sell personal data);
  • Right to non-discrimination for exercising CCPA rights;
  • Right to correct inaccurate personal information.

California residents may submit requests by emailing privacy@popscal.com with the subject line "California Privacy Request."

12. Opt-Out and Communication Preferences

  • Marketing Emails: You may unsubscribe from promotional emails at any time using the unsubscribe link in any marketing email or by contacting support@popscal.com.
  • Push Notifications: Manage push notification preferences through your device settings or the PopScal app settings.
  • Cookies: Manage cookie preferences through your browser settings or our cookie consent tool.
  • Instagram Data: Disconnect your Instagram account at any time through your PopScal account settings.
  • Account Deletion: Request account deletion through your account settings or by emailing support@popscal.com. Note that certain data may be retained as required by law.

13. Third-Party Links and Services

The Platform may contain links to third-party websites, services, or applications not operated by PopScal. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through PopScal. PopScal is not responsible for the privacy practices of any third-party services.

Where you connect PopScal to third-party platforms (Instagram, Google, Facebook, payment processors), your data shared with those platforms is also governed by their respective privacy policies:

  • Meta/Instagram: https://www.facebook.com/privacy/policy
  • Google: https://policies.google.com/privacy
  • Razorpay: https://razorpay.com/privacy
  • Stripe: https://stripe.com/privacy
  • PayPal: https://www.paypal.com/privacy

14. Jurisdiction-Specific Provisions

14.1 Indian Users — DPDP Act 2023 Compliance

PopScal processes personal data in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and its implementing rules. As a Data Fiduciary, PopScal:

  • Processes personal data only for lawful purposes with your consent or for legitimate uses as defined under the DPDP Act;
  • Provides clear notice of the purposes for which personal data is processed;
  • Does not process personal data beyond what is necessary for the stated purpose;
  • Ensures reasonable security safeguards as prescribed under applicable rules;
  • Enables exercise of Data Principal rights as described above.

If you have concerns about processing of your personal data, you may contact our Grievance Officer (Section 17) or approach the Data Protection Board of India once operational.

14.2 EU/EEA and UK Users — GDPR Compliance

For users in the EU/EEA and UK, PopScal acts as the Data Controller for personal data processed through the Platform. We process your data on the following legal bases:

  • Contract performance: to provide the Services you have requested;
  • Legitimate interests: for security, fraud prevention, product improvement, and business operations;
  • Legal obligation: to comply with applicable laws and regulations;
  • Consent: for marketing communications and certain tracking technologies.

You have the right to lodge a complaint with your national data protection authority. For EU users, a list of supervisory authorities is available at https://edpb.europa.eu. UK users may contact the Information Commissioner's Office (ICO) at https://ico.org.uk.

14.3 Users Outside India and EU

Where you access the Platform from other jurisdictions, we apply the higher of the standard required by (a) the laws of India, (b) the GDPR, or (c) your local privacy law, to the extent reasonably practicable. We are committed to international privacy standards including APEC Privacy Framework principles.

15. AI and Machine Learning

PopScal uses artificial intelligence and machine learning technologies to power certain features including Auto DM response generation, content recommendations, and analytics insights. Key principles governing our AI use:

  • We do not use your personal data to train AI models for sale to third parties;
  • AI outputs are supplementary tools and should not be relied upon as professional advice;
  • You remain responsible for reviewing AI-generated content before publication or sending;
  • We do not use AI for decisions that produce legal or similarly significant effects without human review;
  • AI processing involving personal data is subject to the same legal bases described in Section 4.

16. Changes to This Privacy Policy

PopScal reserves the right to update this Privacy Policy at any time. When we make material changes, we will:

  • Post the updated policy on our website at popscal.com/privacy with a revised "Last Updated" date;
  • Send you an email notification to your registered email address;
  • Display a prominent notice within the Platform for a period of at least 30 days.

Your continued use of the Platform after the effective date of any changes constitutes acceptance of the updated Privacy Policy. If you do not agree with the changes, you must stop using the Platform and may request deletion of your account.

17. Grievance Officer and Contact Information

In compliance with Rule 3(2) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and applicable provisions of the DPDP Act 2023, PopScal has designated a Grievance Officer:

Grievance Officer / Data Protection Officer

PopScal Technologies

Email: privacy@popscal.com

Support: support@popscal.com

Website: popscal.com

Grievance Response: Within 24 hours of acknowledgement; resolved within 15 days

All privacy-related grievances will be acknowledged within 24 hours and resolved within 15 business days. Unresolved grievances may be escalated to the Data Protection Board of India (once operational) or the relevant court of competent jurisdiction.

PopScal | popscal.com | privacy@popscal.com

This Privacy Policy is governed by the laws of India. Jurisdiction: Bengaluru, Karnataka, India.