Privacy Policy

1. Who we are

Madcat is a marketplace operated by Madcat, Inc. (“Madcat”, “we”, “us”) that connects gamers (“Creators”) with game studios and brands (“Brands”) commissioning user-generated video content (UGC). This Privacy Policy explains what personal information we collect, why we collect it, how we use and share it, and what choices you have.

2. What we collect

2.1 Information you give us

• Account. Email address and authentication tokens issued by our auth provider (Supabase).
• Profile. Display name, date of birth (for age verification), country of residence, profile photo, social handles (TikTok, YouTube, Instagram), and a short bio.
• Reference content. Sample video files you upload during onboarding and submitted gig deliverables, including any embedded metadata.
• Brand details. If you sign up as a Brand: company name, website, and any payment / billing details you provide.
• Communications. Messages you send us or post inside the platform (e.g. campaign briefs, application pitches, support tickets).

2.2 Information we collect automatically

• Device and usage. Browser type, operating system, language, time zone, screen resolution, referring URL, pages viewed, links clicked, IP address (truncated where allowed), and approximate location derived from IP.
• Cookies and similar. Strictly necessary cookies for authentication, plus first-party analytics and error-monitoring identifiers. See Section 7.

2.3 Information from third parties

• Payment processors. Once we enable Stripe Connect for creator payouts, Stripe shares transfer status, payout method status, and limited identity-verification outcomes with us.
• Social platforms. When you link a social handle, we may fetch publicly available data (e.g. follower count, post embeds) to display on your profile.

3. How we use it

• Operate the platform: authenticate you, show you relevant campaigns, route applications to Brands, deliver videos, and process payouts.
• Verify eligibility: confirm you are at least 18 years old and reside in a supported country.
• Improve the product: aggregate usage analytics, fix bugs surfaced through error monitoring, and test new features.
• Communicate: send transactional email (gig approvals, payment confirmations, password resets) and, with your consent, product updates.
• Comply with law and enforce our terms: respond to lawful requests, prevent fraud, investigate abuse, and enforce the Terms of Service.

4. Legal bases (EU / UK / EEA users)

If you are in the EU, the UK, or the EEA, we rely on the following legal bases under the EU General Data Protection Regulation (GDPR) and the UK GDPR:

• Contract — Art. 6(1)(b) GDPR. Most processing is necessary to perform the contract you enter when you sign up: authenticating you, matching you with campaigns, routing applications, delivering videos, and processing payouts.
• Legitimate interests — Art. 6(1)(f) GDPR. For product analytics, error monitoring, fraud and abuse prevention, network and platform security, and limited promotional use of accepted creator work. We have weighed these interests against your fundamental rights and consider them not overridden; you may object at any time via privacy@madcat.gg.
• Consent — Art. 6(1)(a) GDPR. For optional marketing communications and any non-essential cookies or tracking identifiers. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
• Legal obligation — Art. 6(1)(c) GDPR. For tax, accounting, anti-money-laundering, and know-your-customer obligations that apply once we process payments, as well as for responding to lawful requests from authorities.

5. How we share it

We do not sell your personal information. We share it only with:

• Brands you apply to. When you apply to a campaign, the posting Brand sees your application: display name, country, age confirmation, languages, bio, social handles, sample videos, and your application pitch text.
• Service providers / subprocessors. Vendors that help us run the platform under written data-processing agreements (Art. 28 GDPR). The table below names the provider, the role, where they process data, and the international-transfer mechanism we rely on under GDPR Chapter V. Many US-based providers are certified under the EU–US Data Privacy Framework (DPF); for providers without DPF certification we rely on the European Commission’s Standard Contractual Clauses (SCCs) plus, where appropriate, supplementary measures.
• Legal and safety. Where required by law, court order, or in good-faith belief that disclosure is necessary to protect rights, safety, or property.
• Corporate transactions. In connection with a merger, acquisition, financing, or sale of assets, subject to standard confidentiality protections.

5.1 Subprocessor table

We may update the list of subprocessors from time to time and will post any change here. If you have concerns about a specific subprocessor, contact privacy@madcat.gg.

6. International transfers

Our service providers may process your data in the United States and other countries outside your home country. Where we transfer EEA / UK personal data internationally, we rely on the European Commission’s Standard Contractual Clauses or equivalent safeguards.

7. Cookies and tracking

We use a small set of strictly necessary cookies for authentication and session security. We also use first-party analytics identifiers (PostHog) and error-monitoring identifiers (Sentry) to understand how the product is used and to find bugs. We do not run third-party advertising trackers.

You can block cookies in your browser, but the platform may not function correctly without authentication cookies.

8. Your choices and rights

Depending on where you live, you may have the right to:

• Access the personal information we hold about you.
• Correct inaccurate information.
• Delete your account and associated personal information (subject to legal retention requirements).
• Object to or restrict certain processing.
• Receive a portable copy of the information you provided.
• Withdraw consent where processing is based on consent.
• Lodge a complaint with your local data-protection authority.

California residents have additional rights under the CCPA / CPRA, including the right to know what we collect, the right to delete, and the right to opt out of any sale or sharing of personal information (which we do not engage in).

To exercise any of these rights, email privacy@madcat.gg. We will respond within 30 days.

9. Data retention

• Active accounts. We retain your information for as long as your account is active.
• Deleted accounts. Soft-deleted profiles are retained for 30 days in case of recovery. After that they are anonymised. Uploaded videos in our storage are deleted from Cloudflare R2 within 30 days of soft-delete.
• Financial records. Payment, invoice, and tax records are retained for 7 years to meet accounting and tax requirements.
• Audit logs. Logs of admin actions and security-relevant events are retained for 2 years.

10. Security

We use TLS in transit, encryption at rest for stored files, scoped database access (Postgres row-level security), and limited admin access controlled via role-based access. No system is perfectly secure; we do not guarantee absolute security.

11. Children

Madcat is not directed to children. You must be at least 18 years old to create an account. If we learn we have collected information from a child under 16 without parental consent, we will delete it.

12. Changes to this Policy

We may update this Privacy Policy from time to time. We will post the updated version on this page and update the “Last updated” date. If we make material changes that affect your rights, we will notify you by email or an in-app notice at least 30 days before the change takes effect.

13. Contact

Madcat, Inc. [entity + registered address TBD]
Privacy: privacy@madcat.gg
Legal: legal@madcat.gg