Privacy Policy
Effective Date: April 21, 2026
Viral Hub Marketing LLC ("Company," "we," "us," or "our") operates the Bisket platform (the "Service") as a DBA (doing business as) trade name. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. Please read it carefully. By using the Service, you consent to the practices described in this policy.
1. Information We Collect
1.1 Information You Provide
- Account Information: Name, email address, profile photo, and organization details provided during registration (via Google OAuth)
- Talent Data: Information about creators/influencers you manage, including names, contact information (email, phone), date of birth, location, social media handles, bios, rate cards, pricing, tags, and notes
- Campaign Data: Campaign briefs, client information, budgets, requirements, talent selections, and deal terms
- Communications: Any messages, feedback, or correspondence you send to us
- Intake Form Submissions: Information submitted by talent through agency-specific application forms
- Import Data: CSV files and Google Sheets data you upload for roster management
1.2 Information Collected Automatically
- Usage Data: Pages visited, features used, actions taken, timestamps, and referring URLs
- Device Information: Browser type, operating system, device identifiers, and IP address
- Cookies and Similar Technologies: Session cookies for authentication and preference storage. We use essential cookies only — no third-party advertising or tracking cookies
1.3 Information from Third-Party Sources
- Social Media Platforms: Publicly available data from Instagram, TikTok, and YouTube, including follower counts, engagement rates, average views, audience demographics, and recent content metadata, retrieved via authorized platform APIs (YouTube Data API v3) and scrapers
- Google Services: When you connect Google Drive or Google Sheets, we access file listings and CSV data from your authorized Google account for import purposes only
- Authentication Provider: Profile information from Google when you sign in via Google OAuth through Supabase
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Authenticate users and manage accounts and organizations
- Manage talent rosters and sync social media analytics
- Match talent to campaign briefs using AI-powered analysis
- Generate AI-powered content, including talent summaries, campaign matching results, and daily news briefings
- Generate public-facing media kits and proposals
- Process talent intake form submissions
- Import and deduplicate roster data
- Send transactional communications (account verification, team invitations)
- Monitor and enforce acceptable use of the Service
- Comply with legal obligations
3. Third-Party Service Providers
We share information with the following categories of third-party service providers who process data on our behalf:
| Provider | Purpose |
|---|---|
| Supabase | Database hosting, authentication, and data storage |
| Vercel | Application hosting and deployment |
| Anthropic (Claude AI) | AI-powered campaign matching, talent summaries, and news briefings |
| Railway | Social media data collection infrastructure (Instagram, TikTok, YouTube, Facebook) |
| Google APIs | YouTube Data API, Google Drive/Sheets integration, OAuth authentication |
These providers are contractually bound to use your data only as necessary to perform services on our behalf and in accordance with this Privacy Policy.
4. AI Data Processing Disclosure
We use Anthropic's Claude AI models to process certain data you provide, including the following:
- Campaign briefs are sent to the AI to extract structured requirements for talent matching
- Talent profile data (public information only) is sent to the AI to generate summaries and brand-fit analyses
- News articles from RSS feeds are sent to the AI for summarization in daily briefings
AI-generated content is used for informational purposes and to assist with business decisions. We do not use your data to train AI models. Anthropic's data handling practices are governed by their own privacy policy and API terms.
5. Public Data and Media Kits
Certain talent information may be displayed publicly through media kits, proposals, and campaign reports. Publicly visible information is limited to a curated subset and explicitly excludes:
- Email addresses and phone numbers
- Date of birth
- Internal notes
- Agent contact information
- Exclusivity arrangements
- Profile completeness scores
- Internal status designations
- UGC pricing rates
- AI-generated talent intelligence reports
A security-boundary transformer enforces this separation between internal and public data.
6. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. When you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law or for legitimate business purposes (such as resolving disputes or enforcing agreements).
Talent data managed through your organization's account is retained until deleted by authorized users or upon organization account termination.
7. Data Security
We implement commercially reasonable technical and organizational measures to protect your data, including:
- HTTPS encryption in transit (HSTS enforced)
- Row-level security and multi-tenant isolation at the database level
- Server-side authentication checks on all protected routes
- Security headers including Content Security Policy and X-Content-Type-Options
- Rate limiting on sensitive operations
- Role-based access controls
No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee its absolute security.
8. Your Rights and Choices
8.1 All Users
- Access: You can access your account data through the Service settings
- Correction: You can update your profile information at any time
- Deletion: You can delete your account through the Service settings, which triggers GDPR-compliant data erasure
- Data Export: You can export your roster data in CSV format
8.2 California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act:
- Right to know what personal information we collect, use, and disclose
- Right to request deletion of your personal information
- Right to opt out of the "sale" of personal information — we do not sell personal information
- Right to non-discrimination for exercising your privacy rights
To exercise these rights, contact us at privacy@bisket.io.
8.3 European Users (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) or equivalent law:
- Right of access — obtain a copy of the personal data we hold about you
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure — request deletion of your personal data ("right to be forgotten")
- Right to restriction — ask us to limit how we process your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent — where processing is based on consent, withdraw it at any time
- Right to lodge a complaint — file a complaint with your local data protection supervisory authority
Legal basis for processing:
- Contract performance — providing and operating the Service you have signed up for
- Legitimate interests — improving the Service, security monitoring, fraud prevention
- Legal obligation — complying with applicable law
- Consent — where you have explicitly given consent (e.g., connecting Google Drive)
To exercise any of these rights, contact us at privacy@bisket.io. We will respond within 30 days. You may also contact your national data protection authority — a full list is available at edpb.europa.eu.
9. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly.
10. International Data Transfers
Viral Hub Marketing LLC is based in the United States. Your information may be transferred to and processed in the United States and other countries where our service providers operate (including Supabase, Vercel, Anthropic, and Railway). These countries may have different data protection laws than your jurisdiction.
For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on applicable transfer mechanisms such as Standard Contractual Clauses (SCCs) as adopted by the European Commission, or other lawful transfer mechanisms. By using the Service, you acknowledge that your data may be transferred and processed outside your country of residence.
11. Do Not Track
We do not currently respond to "Do Not Track" signals. We do not use third-party advertising or behavioral tracking cookies.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated policy on the Service and updating the "Effective Date." Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
- Email: privacy@bisket.io
- Legal inquiries: legal@bisket.io
- Legal entity: Viral Hub Marketing LLC (operating as Bisket)
By using Bisket, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. See also our Terms of Service.