Effective date: 11 July 2026 Last updated: 11 July 2026
This Privacy Policy explains how FistBump ("FistBump", "we", "us", or "our") collects, uses, shares, and protects personal information when you use the FistBump web application and related services (the "Service").
The FistBump web app is the operator-side product used by brands and agencies to run influencer-marketing campaigns end to end: discovering and managing creators, building briefs, sending outreach, signing contracts, messaging, and paying creators.
This policy covers the web app for operators (agency/brand teams). The separate FistBump mobile app used by creators has its own privacy policy.
Questions? Contact privacy@fist-bump.eu.
1. Who we are
FistBump European Union European Union Contact: privacy@fist-bump.eu
Controller vs processor — an important distinction
- For the personal data of your own team members (your account and organization), FistBump is the data controller.
- For personal data about creators and prospects that your organization imports, adds, or manages in FistBump (for example via manual entry or CSV import), your organization is the data controller and FistBump acts as a data processor on your behalf, under our customer agreement / Data Processing Agreement. You are responsible for having a lawful basis to upload and process that data.
2. Information we collect
Account & organization data (you provide)
- Name, email, phone number, password (or Google Sign-In profile if you use it).
- Your organization, team membership, and role/permissions.
- Billing and plan information for your subscription (where applicable).
Campaign & workflow data (you create in the Service)
- Campaigns, briefs, collections, templates, deals, contracts, deliverables, reviews, and related notes and settings.
- Messages and communications you send to creators through the Service.
Creator & prospect data (you add/import — you are the controller)
- Creator names, contact details, social handles/links, audience and content information, ratings, and internal notes your team records.
Connected mailbox data (if you connect one)
- If you connect an email mailbox (e.g., Gmail) to send and track outreach, we access and process the messages and metadata necessary to send on your behalf and match replies to the right campaign/creator. Access tokens are encrypted at rest. See "Google API data" below.
Payment data
- Information needed to pay creators is processed by our payment providers (Stripe, PayPal). We store limited references (payout status, provider identifiers) and amounts, not full financial credentials.
Automatically collected data
- Device and usage data, log and diagnostic data (including IP address and timestamps), and product-analytics events used to understand and improve the Service.
3. How we use information
- Provide, operate, and secure the Service and your account.
- Enable campaign management, outreach, contracting, messaging, and payments.
- Send transactional communications and service notifications.
- Provide support and respond to requests.
- Analyze and improve the Service (product analytics).
- Detect, prevent, and address fraud, abuse, and security issues.
- Comply with legal obligations.
Legal bases (GDPR): performance of a contract, legitimate interests (operating, securing, and improving the Service), consent (e.g., connecting a mailbox, certain analytics), and legal obligation.
4. Google API data (connected Gmail / Google Workspace)
If you connect a Google account to send outreach, FistBump's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We access Gmail data only to provide user-facing features you enable (sending outreach, tracking and matching replies to campaigns).
- We do not use Google user data for advertising, and we do not sell it.
- We do not allow humans to read your Google data except with your consent for support, for security/abuse investigations, or where required by law.
- We do not transfer or use Google user data for purposes unrelated to the features you enabled.
You can disconnect your mailbox at any time in the Service's settings, which revokes our ongoing access.
5. How we share information
We do not sell personal information. We share it only:
- Within your organization — with your team members, according to roles/permissions.
- With creators you engage — the information necessary to run a collaboration (e.g., messages, briefs, deal terms).
- With service providers (processors) under contract, including:
- Cloudflare — application hosting (Workers) and file storage (R2, EU).
- Supabase / Postgres hosting — database.
- Stripe, PayPal — payments and payouts.
- Google — sign-in and, if connected, Gmail API for outreach.
- Resend — transactional email.
- Zernio — social publishing/metrics (where used).
- Sentry — error/crash diagnostics.
- PostHog — product analytics.
- Inngest — background job processing.
- For legal reasons — where required by law or to protect rights, safety, and security.
- In a business transfer — merger, acquisition, or asset sale, subject to this policy.
6. International transfers
We store personal data primarily in the European Union. Where data is transferred outside your country, we use appropriate safeguards such as the Standard Contractual Clauses or an adequacy decision.
7. Data retention
We retain personal data for as long as your account/organization is active and as needed to provide the Service, then delete or anonymize it within a reasonable period, except where retention is required for legal, tax, accounting, dispute-resolution, or signed-agreement recordkeeping purposes. For creator/prospect data where your organization is the controller, we retain, export, or delete it according to your instructions and our customer agreement.
8. Your rights
Depending on your location, you may have rights to access, correct, delete, restrict, or object to processing, to data portability, and to withdraw consent. EU/EEA/UK users may lodge a complaint with a supervisory authority. California residents have rights under the CCPA/CPRA; we do not sell or "share" personal information as defined there.
To exercise your rights, contact privacy@fist-bump.eu. If your request concerns creator/prospect data your organization controls, we will refer you to, or act on the instructions of, that organization.
9. Security
We use technical and organizational measures including encryption in transit, encryption of sensitive credentials (such as mailbox tokens) at rest, access controls, and audit logging. No system is perfectly secure, so we cannot guarantee absolute security.
10. Data controllers using FistBump (customer obligations)
If you use FistBump to process other people's personal data (creators, prospects), you agree to: (a) have a valid lawful basis and provide required notices to those individuals; (b) honor their data-subject requests; and (c) enter into our Data Processing Agreement. FistBump processes that data only on your documented instructions.
11. Children
The Service is intended for business use by individuals 18 or older. It is not directed to children.
12. Changes
We may update this policy. Material changes will be communicated through the Service or by email, and the "Last updated" date will change. Continued use after changes take effect constitutes acceptance.
13. Contact
FistBump European Union Email: privacy@fist-bump.eu · Support: support@fist-bump.eu
© 2026 FistBump. All rights reserved.