Legal

Privacy Policy

Effective date: 5 March 2025
Last updated: 24 March 2026

1. Who we are

Pact is a creator-brand deal infrastructure platform operated by Wave The Agency Limited (company no. 13882893), a company registered in England and Wales. Our platform is available at mypact.co and enables content creators and brands to negotiate, contract, and settle partnership deals.

For the purposes of UK data protection law, Wave The Agency Limited is the data controller of the personal data we collect through Pact.

Contact: privacy@mypact.co

2. What data we collect

2.1 Account data

When you create an account we collect:

• Your name and email address
• Your company name (brands) or creator handle (creators)
• Your website URL and social media profile links
• Profile photo or brand logo

2.2 Identity and payment verification

To process payments and comply with financial regulations we collect:

• Bank account or Stripe Connect onboarding information
• Identity verification data where required by Stripe
• Billing address

2.3 Deal and transaction data

When deals are created on the platform we collect:

• Deal terms, deliverables, and agreed fees
• Content submitted for brand review
• Contract documents generated or uploaded via the Platform
• Payment records and payment transaction history
• Invoice data

2.4 Social account data

If you connect your social accounts we collect:

• Social platform handles and follower counts
• Engagement rate data provided by you or verified via OAuth
• OAuth access tokens (stored encrypted, never exposed in the UI)

2.5 Communications

We collect messages sent through the in-platform deal messaging system. We do not read private messages except where required to investigate a reported violation of our terms.

2.6 Usage data

We collect standard server logs including IP address, browser type, pages visited, and timestamps. We use this data for security monitoring and platform improvement.

3. How we use your data

We use your personal data to:

• Create and manage your Pact account
• Facilitate deals, contracts, and payments between creators and brands
• Process payments and creator payouts through our regulated payment infrastructure
• Generate contracts and deliver them to both parties for electronic signature
• Send transactional emails (deal updates, payment confirmations, contract notifications)
• Verify business email addresses at the point of registration
• Detect and prevent fraud, policy violations, and misuse of the platform
• Comply with our legal obligations, including financial regulations and tax reporting
• Improve the platform through aggregated, anonymised analytics

4. Legal basis for processing

We process your personal data on the following legal bases under UK GDPR:

• Contract performance: to provide the services you have signed up for
• Legal obligation: to comply with financial regulations and tax law
• Legitimate interests: to detect fraud, secure the platform, and improve our services
• Consent: where you have explicitly opted in, such as connecting social OAuth accounts

5. How we share your data

5.1 With other platform users

Your public profile information (name, handle, bio, social accounts, rate card) is visible to other users of the platform. Your email address is never shared with other users.

5.2 With third-party service providers

We share data with carefully selected third-party providers to operate the platform. Categories of provider include:

• A regulated payment processor and financial infrastructure provider — for payment processing, creator onboarding, payment protection, and payouts
• A document management and e-signature provider — for contract generation and signing
• A transactional email delivery provider — for deal and payment notifications
• A cloud database and authentication provider — for secure data storage and user authentication
• A cloud hosting provider — for platform infrastructure
• A document generation provider — for invoice and report PDF generation
• A business email verification provider — for verifying brand email addresses

All providers are contractually bound to process data only on our instructions and in accordance with applicable data protection law. A full list of sub-processors is available on request by contacting privacy@mypact.co.

5.3 Legal disclosures

We may disclose your data where required by law, court order, or regulatory authority. We will notify you where we are legally permitted to do so.

6. Aggregated and Anonymised Data

We may create anonymised, aggregated datasets derived from information collected through the Platform. This data does not identify you personally and cannot be used to re-identify any individual user.

We use aggregated data for the following purposes:

• Improving and developing the Platform and its features
• Generating market intelligence, industry benchmarks, and trend reports
• Creating research publications and data products for commercial distribution
• Providing anonymised insights to third parties, including brands, agencies, and industry bodies

This aggregated data may be shared with or sold to third parties. Because this data is fully anonymised and aggregated, it is no longer considered personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Your individual personal data will never be sold, shared for marketing purposes, or disclosed to third parties without your explicit consent, except as required to provide the Platform's services (for example, sharing your profile information with a Brand you have entered into a partnership with) or as required by law.

7. Data retention

We retain your account data for as long as your account is active. If you close your account, we retain transaction and contract records for 7 years to comply with financial and tax regulations. Message history is retained for 3 years.

Blacklist records (for banned accounts) are retained indefinitely to prevent re-registration.

8. Your rights

Under UK GDPR you have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Request deletion of your data (subject to legal retention obligations)
• Object to processing or request restriction
• Data portability — receive your data in a structured, machine-readable format
• Withdraw consent where processing is based on consent

To exercise any of these rights, contact us at privacy@mypact.co. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

9. Cookies

Pact uses strictly necessary cookies for authentication and session management. We do not use advertising cookies or third-party tracking cookies. You cannot opt out of strictly necessary cookies as they are required for the platform to function.

10. Cookies and Consent

We use cookies and similar technologies to understand how Pact is used and to improve the platform. Visitors from the European Economic Area, United Kingdom, and Switzerland are asked to consent before any analytics cookies are set. Outside these regions, analytics cookies are enabled by default but can be disabled at any time via the Cookie preferences link in the footer.

Cookie categories:

• Essential — required for the site to function (authentication, session). Cannot be disabled.
• Analytics — Google Analytics 4. Measures page views, sessions, and conversion funnels.
• Advertising — not currently used. Listed for transparency under Google Consent Mode v2.

We do not use cookies for advertising or profiling. You can change your preferences at any time via the Cookie preferences link in the footer or by clearing your browser storage.

11. International transfers

Some of our service providers (including Stripe) may process data outside the UK. Where this occurs, we ensure adequate safeguards are in place, including reliance on the UK's adequacy decisions and Standard Contractual Clauses where applicable.

12. Security

We implement appropriate technical and organisational measures to protect your data, including encrypted data storage, row-level security on our database, and strict access controls. Payment data is handled exclusively by Stripe and is never stored on our servers.

13. Children

Pact is not intended for use by anyone under the age of 18. We do not knowingly collect data from minors. If you believe a minor has created an account, contact us at privacy@mypact.co and we will delete it promptly.

14. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you by email and display a notice on the platform when material changes are made. Continued use of Pact after the effective date constitutes acceptance of the updated policy.

15. Contact

Wave The Agency Limited
Company No. 13882893
ICO Registration No. ZC116182
privacy@mypact.co
mypact.co

Wave The Agency Limited is registered with the Information Commissioner's Office (ICO) under registration number ZC116182.