This policy explains what personal data MyPR collects, how we use it, and the rights you have over it.
This Privacy Policy explains how MyPR FZ-LLC ("MyPR", "we", "us") collects, uses and shares personal data when you use the MyPR mobile app or websites (the "Service"). It applies whether you sign up as a brand, agency or creator. By using the Service you confirm that you have read and understood this policy.
We collect the following categories of personal data: • Account data: name, email, date of birth, country, profile photo, role (brand / agency / creator), phone number (optional). • Verification data: government-issued ID images (creator verification), trade licence and authorised signatory details (brands), UAE NMC or KSA GCAM media licence references where applicable. • Social profile data: handles, follower counts, engagement metrics and avatars from Instagram and TikTok, only after you connect these accounts. • Deal data: campaigns, applications, messages, submissions, approval history. • Payout data: bank name, the last 4 digits of your IBAN, account holder name and Ziina ID. We do not store full IBANs or card data. • Device and usage data: app version, device model, OS version, language, anonymised crash reports and basic usage analytics (screens viewed, actions taken).
We use your personal data to: • Create and operate your account and verify your identity. • Match brands with appropriate creators and run the application/approval flow. • Process and reconcile payouts. • Communicate service updates, transactional notifications and (with your consent) marketing. • Detect and prevent fraud, fake engagement and other abuse of the Service. • Comply with legal obligations and respond to lawful requests. Public social-data collection: to verify that a creator's audience is genuine, we read publicly available Instagram and TikTok profile information — handle, follower count, engagement metrics and avatar — using automated lookup and integrity-audit tools (our processors Apify, EnsembleData and RapidAPI). We collect this only for handles you have entered or connected, we use it solely for verification and matching, and we do not read private posts, direct messages or anything behind a login you have not authorised. We do not sell your personal data.
Where data protection law requires a legal basis, we rely on: • Performance of a contract — to operate your account and the Service you have signed up for. • Legitimate interests — to keep the Service safe, prevent fraud, and improve features. • Consent — for optional features such as marketing emails or connecting third-party social accounts. You can withdraw consent at any time. • Legal obligation — when we are required by law to keep certain records or to disclose data.
We share personal data only with parties that need it to deliver the Service: • Other MyPR users — your public profile, content, ratings and the deal-related information necessary for the other party to fulfil the deal. Brands see creators' display name, location, social handles and follower counts. Creators see brands' display name and campaign details. We do not share email addresses or payout details with the other side. • Legal and regulatory bodies — when required by law, court order or to protect the rights, property or safety of MyPR, our users or others. We do not transfer your data to any party for their own marketing.
We use a small, vetted set of third-party processors to run the Service. Each is bound by contract to process your data only on our instructions and to keep it secure. As of the effective date above they are: • Supabase — authentication, database hosting and our backend functions (data may be stored in the EU and US). • Stripe — card payment processing and creator payout transfers (Stripe Connect). • Ziina — stored as an alternative payout identifier where you choose to provide one. No live Ziina API call is made; the identifier is held so payouts can be reconciled. • Twilio — delivery of the one-time SMS verification codes used to sign you in, provisioned through Supabase's authentication layer. • Apify and EnsembleData — retrieval and integrity-auditing of public Instagram follower and engagement data so we can validate creator reach. • RapidAPI (instagram-scraper-stable-api) — lookup of public Instagram profile data when you connect or are verified. • Sentry — anonymised crash and error reporting for the mobile app and website. • Mapbox — map tiles and geocoding for on-site campaign locations. • Apple and Google — sign-in, OAuth and app distribution. • Instagram (Meta) and TikTok — OAuth sign-in and the social profile data you authorise us to read when you connect those accounts. We will update this list when we add or remove a processor. Payment processors and banks additionally receive the minimum data needed to settle a payout.
MyPR is established in the UAE, so the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, "PDPL") is our primary framework. We handle your data on the PDPL bases of consent, performance of a contract, and our legitimate interest in running a safe marketplace, and we honour the PDPL data-subject rights set out in section 9 below. If you are in the European Economic Area or the United Kingdom, we also handle your data in line with the EU/UK GDPR: we identify a lawful basis for each processing activity (section 5), apply transfer safeguards (section 8), and you may exercise the full set of GDPR rights and complain to your local supervisory authority. Where PDPL and GDPR both apply, we give you the stronger protection.
MyPR operates from the UAE and our infrastructure providers may store data in the UAE, EU or US. Where data is transferred outside the country in which you live, we rely on appropriate safeguards such as standard contractual clauses with the receiving party.
We keep personal data only for as long as we need it for the purposes described above: • Account data — while your account is open, plus 12 months after deletion for fraud prevention and to honour any open obligations. • Transactional records (deals, payouts, invoices) — 7 years after the end of the deal, in line with UAE accounting requirements. • Verification documents — 24 months after verification expires or your account is closed, whichever is later. • Marketing preferences — until you withdraw consent. After these periods we delete or fully anonymise the data.
Subject to local data protection law, you have the right to: • Access the personal data we hold about you. • Correct inaccurate or incomplete data. • Delete your data ("right to be forgotten") where we are no longer legally required to keep it. • Object to or restrict certain processing. • Withdraw consent at any time, where consent is the legal basis. • Receive a portable copy of the data you have provided to us. You can generate a machine-readable JSON export of your own account data at any time from the mobile app under Profile, and you can delete your account from the same screen. • Lodge a complaint with the relevant data protection authority. To exercise any of these rights, email legal@mypr.app from the address linked to your account. We will respond within 30 days.
We use industry-standard technical and organisational measures to protect your data, including TLS encryption in transit, encrypted database storage, role-based access controls and audit logging. We never store full IBAN or card numbers. No system is 100% secure, however, and we cannot guarantee absolute security. Notify us immediately if you suspect your account has been compromised.
The Service is not intended for anyone under 18 and is not directed at children. We require every user to confirm they are at least 18 years old before they can sign up, and we do not knowingly collect personal data from anyone under 18. If you believe a person under 18 has provided personal data to us, contact legal@mypr.app and we will delete it.
Every user can report another user, a campaign, a message or a piece of content from within the app. We triage reports on the following service levels: • Reports that flag an immediate safety risk (threats, harassment, sexual content involving minors, or other imminent harm) are reviewed within 1 hour, around the clock, and the offending content or account is restricted while we investigate. • All other reports are reviewed within 24 hours. We may remove content, suspend accounts, or escalate to the relevant authorities. You will be told the outcome of a report you raise, and any user we action can appeal by emailing legal@mypr.app.
Our websites use a small number of strictly-necessary cookies for sign-in and security, and (with your consent) analytics cookies to understand aggregate usage. The MyPR mobile app does not use cookies but does store a session token securely on your device.
We may update this Privacy Policy from time to time. The current version and effective date are shown at the top of this screen. Material changes will be notified in-app before they take effect.
If you have questions or complaints about how we handle your personal data, email legal@mypr.app. If you are based in the EU/UK and we cannot resolve your concern, you may also contact your local data protection authority.
Effective 2026-06-02 · Document version 1.2