Vaiku Oy - Privacy Policy
Last updated: April 11, 2026
1. Data Controller
The data controller is Vaiku ("Service"). Contact: info@vaiku.io.
2. Scope
This policy describes how Vaiku processes personal data of companies and content creators (influencers) using the service.
3. Personal Data We Collect
a) All users
Name, email address, password (hashed), username, profile type, language preference
b) Company users
Company name, business ID (Y-tunnus), billing address, Stripe customer ID (card data is processed by Stripe — we do not store card numbers)
c) Content creators
Bio, location, website, phone number, profile picture, interests, payment details (IBAN, address), previous campaigns and collaboration partners
d) Social media integrations (Instagram, TikTok, YouTube, LinkedIn, Snapchat)
OAuth access and refresh tokens (encrypted at rest with AES-256-GCM), the creator's stable platform user ID, public username or display name, avatar URL, and bio/description. For Instagram, TikTok and YouTube we additionally collect public channel statistics (follower/subscriber counts, post/video counts, total view counts). Where Instagram or TikTok are connected via the Apify scraper fallback (when OAuth credentials are not configured), we additionally collect public post captions and per-post engagement counts to help brands evaluate creators. LinkedIn returns only the standard OIDC identity claims (sub, name, email, avatar URL, profile URL). Snapchat Login Kit returns only the stable external identifier and display name; the Snap @handle is self-declared by the creator before the OAuth flow starts so we can build a public profile link.
e) Campaign data
Applications (motivation text, expected reach, compensation proposal), content deliverables (URL, type, statistics), digital contracts (signatures, PDF)
f) Messaging
Message content, attachments, read status
g) Automatically collected
Campaign tracking link clicks: IP address, user agent, referrer, timestamp; cookies (see section 9)
4. Purposes and Legal Basis
Account creation and management, campaign management, payments, and messaging are processed on the basis of contract. Social media analysis (OAuth tokens, metrics, demographics) is processed based on your consent. Brand safety analysis, tracking link analytics, email notifications, and customer support are based on legitimate interest. Billing data is retained under a legal obligation (Accounting Act).
5. Sub-processors
In providing the service, we use third-party processors for database hosting, payment processing, email delivery, application hosting, social media integrations, automated content analysis, and customer support. Where data is transferred outside the EU/EEA, appropriate safeguards are in place in accordance with GDPR Article 46.
6. Data Retention
Account and profile data is retained for the duration of the account plus 3 years. Billing and accounting data is kept for 7 years (Accounting Act). Messages are retained for the duration of the account. Social media tokens are kept until the connection is revoked. Campaign data and contracts are retained for 7 years from the campaign end. Tracking link click data is kept for 2 years.
7. Data Subject Rights
Under the GDPR, you have the following rights:
- Right of access — request a copy of your personal data
- Right to rectification — correct inaccurate data
- Right to erasure — request deletion of your data
- Right to restriction of processing
- Right to data portability — receive your data in a machine-readable format
- Right to object — object to processing based on legitimate interest
- Right to withdraw consent — for social media integrations at any time
To exercise your rights, contact us at info@vaiku.io. We will respond within one month.
You also have the right to lodge a complaint with the Data Protection Ombudsman (tietosuoja.fi).
8. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, and destruction. These measures are reviewed and updated as necessary to address changes in risk and technology.
9. Cookies
The service uses essential and functional cookies only: a NextAuth session JWT (30 days) to maintain login state, a NEXT_LOCALE cookie (1 year) for language preference, and a Crisp cookie (session) for customer support chat. We do not use third-party tracking or analytics cookies.
10. Third-party platform integrations
When you connect an external platform to your Vaiku profile, that platform's own terms and privacy policy apply in addition to this policy:
- Instagram / Meta: Meta Terms — Meta Privacy Policy
- TikTok: Terms of Service — Privacy Policy
- YouTube: YouTube Terms of Service — Google Privacy Policy
- LinkedIn: User Agreement — Privacy Policy
- Snapchat: Terms of Service — Privacy Policy
YouTube API Services
Vaiku uses YouTube API Services to allow creators to connect their YouTube channel to their Vaiku profile. By connecting your YouTube channel, you agree to the YouTube Terms of Service in addition to this policy.
The data we retrieve from YouTube API Services is limited to public channel information for your own channel: channel ID, channel title, custom handle, description, thumbnail URL, subscriber count, video count, and total view count. We do not access private videos, watch history, subscription feeds, comments, memberships, or any other private data.
This data is used solely to display your YouTube channel information on your Vaiku profile so that brands evaluating you for paid campaigns can verify you own the channel and see your audience size. Vaiku's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
You can revoke Vaiku's access to your YouTube data at any time by clicking Disconnect on your Vaiku settings page, or by visiting the Google security settings page and removing Vaiku from the list of connected apps.
11. Changes to This Policy
We may update this privacy policy as the service develops. Significant changes will be communicated via email or through a notification in the service. The latest version is always available on this page.