Who we are
Following is operated by Following Agency FZ-LLC, a company registered in the United Arab Emirates. Our registered contact for privacy questions is hello@following.ae. When this policy says “we”, “us”, or “Following”, it means Following Agency FZ-LLC.
This policy covers our marketing site (following.ae), the brand and analytics platform (analytics.following.ae), and the influencer creator app (creatorapp.following.ae). It applies to anyone who visits the site, registers as a creator, signs up as a brand, or interacts with our APIs.
What we collect, and when
We try to collect the minimum amount of data required to do the job. Here's the complete list, broken down by context.
From every visitor
- IP address, browser, device, country, referring URL, and pages viewed (standard web analytics)
- Cookies for session management and analytics. You can block these in your browser; the site still works
When a creator signs in with Instagram
Following uses Meta's Instagram Login API. When you tap “Continue with Instagram”, we redirect you to Instagram, you grant us permission, and Instagram sends us back a token. With that token we read:
- Profile basics: your Instagram user ID, username, account type (Creator or Business), profile-picture URL, biography, and follower / follows / media counts
- Media list: your recent post IDs, captions, post types, timestamps, and permalinks. We use these to detect campaign deliverables you publish
- Audience demographics (only if you qualify for that scope): aggregate age range, gender, and country breakdowns of your followers, never their individual identities
- Post insights: reach, impressions, engagement, and saves, per post you create. Used to confirm campaign performance
We store a long-lived access token (60 days, refreshable), encrypted at rest with a key only our servers can access. We never share or sell this token.
When a creator completes their profile
- Email address (for receipts and notifications)
- Phone number, if you provide one (for cashback payouts and account recovery if you ever lose access to Instagram)
- Bank account / IBAN, only when you initiate a withdrawal, used solely to send your earnings
When a brand signs up
- Company name, billing details, work email, and the Instagram handles of creators searched on our platform
- Payment information processed by Stripe; we never see or store your card number
When you contact us
- Anything you tell us in the contact form, in WhatsApp, or by email. Used only to reply
How we use it
- To run the product: verify creator accounts, match brands to creators, track sponsored posts, calculate cashback, and process withdrawals
- To compute analytics that brands use to evaluate creators (engagement, audience quality, content category, fraud score). All audience data is aggregated; no brand can see a creator's individual followers
- To send transactional messages (signup verification, earnings notifications, withdrawal updates) via WhatsApp, SMS, or email
- To detect fraud, abuse, and policy violations on our platform
- To improve the product, anonymously and in aggregate
We do not use your data to train any AI model. We do not sell your data. We do not show ads on the platform.
Who we share it with
We share data only with service providers we genuinely need to operate. Each is bound by contract to use it solely for the purpose we specify.
- Meta Platforms: Instagram OAuth and Graph API, for the connect flow itself
- Apify: public-profile scraping for creators not yet OAuth-connected, used for our Creator Search index
- Anthropic: Claude AI models, used for receipt OCR and content analysis. Receipts are sent to Anthropic for parsing only and not retained by them
- Supabase: our primary database, hosted in a managed Postgres instance
- Cloudflare R2: object storage for avatars and receipt images
- Twilio: WhatsApp Business messaging and one-time codes
- Stripe: brand-side payment processing
- Vercel and Hetzner: web hosting and application servers
We may disclose data when legally required (court order, government request) or to protect the safety of our users and platform.
How long we keep it
- Active accounts: for as long as your account is open. You can delete it at any time from the creator app or by emailing us
- Closed accounts: most personal data is soft-deleted within 30 days. We retain transactional records (payouts, tax, fraud history) for up to 7 years where UAE law requires
- Instagram tokens: deleted immediately on disconnection or revocation
- Web analytics: aggregated within 90 days, individual records purged
Your rights
You can ask us to:
- Show you a copy of your data
- Correct anything that's wrong
- Delete your account and all associated data
- Disconnect Instagram and revoke our access
- Stop sending you marketing messages
Email hello@following.ae with the subject “Privacy request” and we'll respond within 30 days.
You can also revoke our app's access from inside Instagram at any time by going to Settings → Apps and websites → Active and removing Following. We pick up the signal automatically and close the OAuth session on our side.
Data deletion
Two ways to delete everything we have on you:
- Inside the creator app, go to Settings → Account → Delete account. This soft-deletes your record immediately and triggers a full purge within 30 days
- Email hello@following.ae with the subject “Delete my data”. We'll confirm receipt within two business days and complete the deletion within 30 days
Meta also forwards us a deletion request when you remove Following from your Instagram apps. We honour those the same way as a direct request.
Security
We use TLS for all traffic, encrypt access tokens at rest, use scoped service credentials, and apply Postgres row-level security on multi-tenant tables. We do not store passwords for creators (Instagram OAuth handles authentication). We log every Instagram-related event for audit. None of this is a guarantee of absolute security; if we ever suffer a breach affecting your data, we'll notify you within 72 hours of becoming aware.
Cookies
We use a small number of cookies for session management and for first-party analytics. We do not use third-party advertising cookies, and we do not run cross-site tracking pixels. You can clear or block cookies in your browser without breaking the product.
Children
Following is not for anyone under 18. If you believe a minor has registered, email us and we'll remove the account.
International transfers
Following is operated from the UAE. Some of our service providers (Vercel, Stripe, Anthropic, Cloudflare) process data outside the UAE, primarily in the US and EU. By using Following you consent to this transfer. We work only with providers that meet recognised privacy standards.
Changes to this policy
When we materially change this policy we'll update the “Last updated” date at the top and, where the change affects existing users, notify you in the app or by email. Minor wording fixes don't trigger a notice.
Contact
Questions, complaints, or data requests: hello@following.ae.