Privacy Policy

Bunny Social is a service operated by Emma Group, Inc. ( “Bunny Social”, “we”, “us”, or “our”). We help brands run influencer campaigns and help creators apply to those campaigns through https://www.bunnysocial.com (the “Service”).

Our registered address is 3141 Stevens Creek Blvd #41640, San Jose, CA 19807, United States. For any privacy-related question, contact us at privacy@bunnysocial.com.

This policy applies to personal data we process when you use the Service, including when you submit a campaign brief, sign in to your account, apply as a creator, communicate with us, or simply browse our website.

We collect the following categories of personal data:

• Identity & contact data — your email address and (for brand accounts) your full name and company / brand name. Provided by you when you sign in or claim a campaign brief.
• Campaign brief data — the answers you give in our intake form, including campaign type, budget range, target audience, location preferences, target demographic, creative assets you upload, and any free-text remarks. This may include commercially sensitive information about your product or campaign.
• Authentication data — one-time codes hashed with a per-code salt before storage, the time the code was issued and its expiry, and the number of failed attempts. Codes are deleted on first successful use. We never store your one-time code in plain text.
• Creator-specific data — if you apply as a creator: social media handles, follower counts, public bio content, recent public posts (gathered via Apify), and the rates and channels you choose to bid on.
• Payment data — when you pay for a service, payment is processed by Stripe. We receive a transaction identifier and metadata sufficient to reconcile your order, but we do not store your full card number.
• Usage data — log data such as IP address, browser type, pages visited, referring URL, and timestamps.
• Cookies and similar technologies — see Section 7.
• Communications — messages you send us via the in-app chat widget, email, or any contact form.

We process personal data for the purposes below. Where we operate in the European Economic Area or the United Kingdom, the relevant GDPR legal basis is shown in brackets.

• To create and authenticate your account and process the campaign brief you submitted (performance of a contract).
• To match brands with appropriate creators, including using a large language model to score creator–campaign fit (performance of a contract and legitimate interests).
• To communicate with you about your account, briefs, proposals, and support requests (performance of a contract).
• To process payments and prevent fraud (performance of a contract and legal obligation).
• To monitor, secure, and improve the Service, including detecting abuse and abuse-of-rate-limiting on our authentication endpoints (legitimate interests).
• To send service announcements, transactional emails, and (where you have opted in) product updates (consent for non-essential email).
• To comply with applicable laws, including responding to lawful requests from public authorities (legal obligation).

We do not sell your personal data. We do not use automated decision-making (within the meaning of GDPR Art. 22) that produces legal or similarly significant effects on you without human review.

We share personal data only as needed to operate the Service or comply with the law. The list below sets out our current sub-processors and the purpose for which each receives data.

We may also share personal data with professional advisors (lawyers, auditors), with a successor in the event of a merger or acquisition, and with public authorities where required by law or to protect our legal rights.

Many of our sub-processors are located in the United States. When we transfer personal data of European Economic Area, United Kingdom, or Swiss residents outside their region, we rely on the European Commission's Standard Contractual Clauses (or the UK Addendum / Swiss equivalent, as applicable) and on the EU–U.S. Data Privacy Framework where the recipient is certified.

We use cookies and similar technologies (including browser local storage) for the following purposes:

• Strictly necessary — Firebase Authentication session storage (so you stay signed in) and the campaign-brief draft we save in your browser so you don't lose your progress.
• Analytics — Google Analytics, Google Tag Manager, and Microsoft Clarity, used to measure aggregate traffic and improve usability.
• Advertising — Meta Pixel, used to measure ad-campaign conversions and to build look-alike audiences.
• Support — Crisp chat widget, used so you can message us in real time.

Where required by law, we will only place non-essential cookies after you have given consent. You can withdraw consent at any time via your browser settings or any cookie banner we display.

• Account data (email, name, company name) — kept for as long as your account is active and for up to 24 months after closure to handle disputes and comply with legal obligations.
• Campaign briefs — kept for as long as the campaign is active and for up to 36 months afterwards for performance reporting and recurring-customer use cases. You may request earlier deletion (Section 10).
• One-time sign-in codes — automatically deleted on use, on the next request for the same email, or after 10 minutes of disuse, whichever comes first.
• Payment records — kept for the period required by tax and accounting law (typically 7 years in the U.S.).
• Server and security logs — kept for up to 13 months.

We apply administrative, technical, and physical safeguards to protect personal data against unauthorized access, loss, or alteration. Examples include hashing one-time sign-in codes with per-code salts, enforcing TLS in transit, scoping production access to authorized personnel, requiring strong authentication for our admin tools, and rate-limiting our authentication endpoints. No method of transmission over the Internet is completely secure; we cannot guarantee absolute security.

Depending on where you live, you may have the right to:

• access the personal data we hold about you and request a copy;
• request that inaccurate or incomplete data be corrected;
• request that we delete personal data (the “right to be forgotten”);
• object to or restrict processing carried out on the basis of our legitimate interests;
• withdraw any consent you previously gave (this does not affect the lawfulness of processing carried out before withdrawal);
• ask for your personal data to be transmitted to you or a third party in a structured, commonly used, machine-readable format;
• opt out of the “sale” or “sharing” of your personal information for cross-context behavioural advertising purposes (we do not sell, but Meta Pixel may constitute “sharing” under California law); and
• lodge a complaint with your local data-protection authority.

To exercise any of these rights, email privacy@bunnysocial.com. We will respond within the time required by applicable law (within 30 days under GDPR / 45 days under CCPA, with one extension permitted).

The Service is not directed to children. We do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal data, contact us at privacy@bunnysocial.com and we will delete it.

We will post any updated version on this page and revise the “Effective date” at the top. If a change materially reduces your rights, we will give you reasonable advance notice (for example, by email to your registered address).

For privacy questions or to exercise the rights in Section 10, email privacy@bunnysocial.com. For account or product-support questions, email hello@bunnysocial.com.

See also our Terms & Conditions.