Effective date: 2 June 2026

Privacy Policy

Protecting and respecting your privacy is important to us. This Privacy Policy explains how we collect, use, disclose, and protect personal information about visitors and registered users who use or otherwise interact with the InfluencerMarketing.ai / IMAI platform (the "Platform" or the "Service"), and the rights and choices you have.

The Platform is operated by two affiliated companies. The company responsible for your personal information (your "Controller") depends on where you are:

• If you are a customer or individual in the United States, your Controller is L.D.R.S GROUP LLC, a Delaware (USA) limited liability company.
• If you are a customer or individual anywhere else in the world (including the EU/EEA, the United Kingdom, and Israel), your Controller is InfluencerMarketing.ai Ltd, an Israeli company located at 38 Habarzel St., 6971054 Tel Aviv, Israel.

In this Privacy Policy, "IMAI," "we," "us," and "our" refer to whichever of these companies is your Controller, together with their affiliates. Contact details for each are in the "How to Contact Us" section. The region-specific provisions for the EU/EEA, United Kingdom, California, and Israel appear in dedicated sections below.

Your use of the Platform, and any dispute about privacy, is subject to this Privacy Policy, our Terms of Service, and any other agreement you may have with IMAI. "Personal information" (also "personal data") means any information that can reasonably be used to identify you.

In short: we collect data about a wide range of influencers around the world — including TikTok, YouTube, and Instagram users who have built a sizeable following ("Influencers"). We process this information to provide our customers, who are representatives of brands and agencies ("Users"), with information about Influencers and their online performance, so Users can decide which Influencers to engage. Where Users run campaigns, we may also process limited data about the consumers who interact with those campaigns (for example, by clicking a tracked link). For Users who use our AI content-creation tools, we process the inputs needed to generate AI media, which can include a person's voice or image. Each of these is explained below.

This Service is intended for users aged 18 and over. It is not directed to children, and we do not knowingly collect personal information from anyone under 18.

1. Definitions

For the purposes of this Privacy Policy:

"Creator Account" means a social-media or content account operated by an Influencer on a third-party platform such as Instagram, TikTok, or YouTube.

"Connected Account" means a Creator Account that an Influencer has actively connected to the Platform — for example, by authorizing access through an interface provided by the social-media platform, or by otherwise granting us permission (through a third-party provider) to access data from that Creator Account for the purposes described here.

"MagicSocial" means the connection and authentication layer, powered by Phyllo, that we use to securely link certain Creator Accounts to our Platform on an OAuth basis. MagicSocial / Phyllo is an independent third party. We do not receive or store your social-media platform passwords.

"AI Subprocessors" means the independent third-party providers of artificial-intelligence services that we use to deliver certain features — including third-party AI model providers (large-language-model providers), video-generation providers, and a voice-generation provider — to which we may transmit limited input data in order to produce an output, such as a script, an analysis, an image, a video, or synthesized speech. We disclose these providers by category in the "Who We Share Data With" section.

"Generated Content" (UGC) means the AI content-creation features that let a User generate AI media — such as images, video, and synthesized voice — including from material the User uploads (for example, a product image, a portrait/face image, or a voice sample).

"Consumer Engagement Data" means the limited data we collect about end-consumers who interact with a User's campaign — for example, by clicking a tracked Influencer link or completing a purchase on the User's website.

2. Information We Collect

We collect personal information directly from you, from third-party sources, and automatically through your use of the Platform. We may combine information collected from these sources.

2.1 Information you give us.

Your name, email address, and contact details; login credentials; company or brand details, job title, and role; onboarding information and preferences you choose to provide (such as your role, usage intent, marketing budget, and teammates you invite); billing details (see 2.6); and anything else you choose to provide — for example, when you book a demo, contact support, or upload content or campaign details. We refer to this as "Registration Information."

2.2 Public information about Influencers.

Publicly available information generated by an Influencer's online activity on platforms such as Instagram, TikTok, and YouTube: name and handle; general location; profile image; gender and other characteristics where the Influencer has publicly disclosed them; social-media content (captions, hashtags, brands featured); and public performance data (followers, engagement rate, likes over time, assessed follower credibility, and audience demographics where public). We refer to this as "Influencer Information." Where we derive analytics or inferences about an Influencer or their audience, see Section 3 and the automated-processing disclosure in the EU/EEA section.

2.3 Information from Creator Account connections (MagicSocial / Phyllo).

Where an Influencer chooses to connect a Creator Account through MagicSocial / Phyllo on an OAuth basis, we may receive: profile and identity information; content and engagement information; audience and analytics information; and campaign and performance information, along with technical and diagnostic data. We do not receive or store your social-media platform passwords.

2.4 Information we collect automatically.

When you use our Platform and websites, we and our service providers use cookies and similar technologies to collect: operating system, browser, and device type; device identifiers; push-notification tokens; IP address and approximate location; device model; pages accessed; referring and exit pages; access counts and dates; and usage data such as clicks, views, navigation, and feature use. We use non-essential cookies and similar tracking only with your consent where consent is required (for example, in the EU/EEA and the UK, and as applicable under California and other US state laws). See our Cookie Policy and consent controls for details and to change your choices at any time.

2.5 Consumer Engagement Data.

When an end-consumer clicks a tracked Influencer link or completes a purchase or conversion on a User's connected website, we collect, on behalf of the relevant User: IP address (IPv4/IPv6), approximate geolocation (city, region, country), user-agent, browser, operating system, device type, and referrer; and, for conversions, transaction identifiers such as order ID, coupon code, and order value. We use this to attribute clicks and conversions and to provide campaign analytics to the User. For this data, the User (brand or agency) acts as the controller and IMAI acts as a processor/service provider on the User's documented instructions under our customer terms. Where required, the placement of tracking technologies on the User's website is subject to consent obtained on that website.

2.6 Billing and payment information.

To take payment, we and our payment processors collect billing name, a payment-card token and the last four digits, expiry, card type, and billing-entity details. For certain local card processing, we may collect a government identification number where required by the processor or by law (for example, a national identification number for Israeli card processing). For Influencer payouts, our payout processor collects bank or account details and any government identification it requires to verify identity. We keep government identification numbers only for as long as required and minimize or delete them when no longer needed (see Section 5, and the California and Israel sections).

2.7 Generated Content inputs, including biometric data.

When a User uses our Generated Content (UGC) features, we collect the inputs the User provides. These may include product information and images, a portrait or face image of a real person, and a voice sample of a real person. Where a face image or voice sample is used to create or drive an AI likeness or a cloned or synthetic voice, the resulting faceprint or voiceprint, and the underlying face and voice data, are biometric / special-category data. We also generate and store the resulting Generated Content (images, video, synthesized speech) and related generation details (such as prompts, references, the provider used, and output locations). Our processing of biometric data is subject to the explicit-consent and release requirements in Section 3.7 and the deletion rules in Section 5.

3. How We Use Your Information

We use personal information for the purposes below. Where you are in a region whose law requires a legal basis (such as the EU/EEA, the UK, or Israel), we identify the basis we rely on. Where we rely on consent, you may withdraw it at any time without affecting processing already carried out. Where we rely on legitimate interests, you may object (see the EU/EEA section).

3.1 Providing the Service

— to operate, secure, and provide the Platform, manage your account, take payment, and provide support. Basis: performance of a contract; legitimate interests.

3.2 Personalizing your experience

— to tailor content and features to you. Basis: legitimate interests; consent where required.

3.3 Connecting Influencers and Users

— to make Influencer Information available to Users for discovery and outreach. Basis: legitimate interests; for Connected Accounts, consent obtained through MagicSocial / Phyllo where applicable.

3.4 Campaign and performance analytics

— including Consumer Engagement Data (see 2.5). Basis: for Users, contract and legitimate interests; for consumer tracking, the User's basis as controller, plus consent for non-essential tracking where required.

3.5 Measuring and improving the Platform

— usage metrics and product analytics. Basis: legitimate interests.

3.6 Marketing and communications

— service messages and, where permitted, promotional messages. You can opt out of promotional messages at any time using the unsubscribe link or your settings. Basis: consent and/or legitimate interests, as permitted by local law.

3.7 Creating Generated Content, including biometric processing

— to produce the AI media a User requests, including by processing uploaded face images and voice samples to generate or drive an AI likeness or a cloned or synthetic voice, using our AI Subprocessors (video-generation and voice-generation providers).

Biometric / special-category basis. Where this processing involves biometric data used to identify or recreate a natural person, we rely on the explicit consent of that person, captured together with a written likeness and voice release, before the face or voice data is used. A User who uploads another person's face or voice must obtain that person's prior consent and release and confirm they have done so; we provide the consent-and-release mechanism and process biometric data only on that basis. Where US biometric laws apply (such as the Illinois Biometric Information Privacy Act, Texas CUBI, and Washington's biometric law), we obtain informed consent and maintain a published retention-and-destruction schedule before collecting biometric identifiers (see Section 5).

3.8 Labeling AI-generated content

— Generated Content that is created or materially altered by AI is labeled as AI-generated, and, where technically feasible, carries machine-readable provenance information. We do not knowingly enable the creation of a real person's likeness or voice without a valid release.

3.9 Brand-safety and risk analysis (automated processing)

— we run automated analysis of an Influencer's public posts (text, image, and video, including transcription) to produce brand-safety and risk indicators, scores, and recommendations for our Users. This is decision-support that we provide to Users; it is not a solely-automated decision by IMAI that produces legal or similarly significant effects on any individual. A User may consider these outputs as one input among others. You have the right to obtain information about the logic involved, to request human review, to express your point of view, and to contest an indicator you believe is inaccurate — see the EU/EEA, UK, California, and Israel sections. Basis: legitimate interests, balanced against your rights; the analysis is based on public content and is provided with accuracy and contestation safeguards.

3.10 Research and product development

— including aggregated and de-identified data to improve and develop our products. We do not attempt to re-identify de-identified data. Basis: legitimate interests.

3.11 Protecting rights, preventing fraud, and security.

Basis: legitimate interests; legal obligation.

3.12 Legal compliance.

Basis: legal obligation.

AI Subprocessors and model training. When we use AI Subprocessors to provide a feature, we transmit only the input needed to produce the requested output, and we contract for no-training and zero-data-retention handling where such terms are available, so that your content and any uploaded face or voice data are not used to train the providers' general models. See Section 6.

4. Who We Share Data With

We do not sell your personal information for money. We share personal information as described below.

4.1 Our affiliates

— within our corporate group, for operating, administering, and supporting the Service. This includes sharing between our two operating companies, L.D.R.S GROUP LLC (United States) and InfluencerMarketing.ai Ltd (rest of world), and with other affiliates within our group. Basis: legitimate interests.

4.2 Service providers (subprocessors).

We use vetted third-party providers that process personal information on our behalf, described here by category:

• Cloud hosting and storage — to host the Platform and store data and media.
• Creator-connection provider (MagicSocial / Phyllo) — to authenticate and connect Creator Accounts over OAuth.
• Influencer-data provider — our core influencer-data engine, which returns search and social-performance data.
• Social-intelligence and media/PR-data providers — for additional public social, audience, and media-contact data.
• AI model providers (large-language-model providers) — for search, sentiment and insights, scripts, and brand-safety analysis.
• Video-generation providers and a voice-generation provider — for Generated Content (UGC) features.
• Payment processors — for billing and Influencer payouts.
• Email-delivery providers — for transactional and campaign email.
• Analytics and monitoring providers — for product analytics and error monitoring.
• Identity and single-sign-on providers — for enterprise single sign-on.
• Business-automation and CRM providers — for internal workflow and event tracking.

Where these providers operate, and the named list. Some of these subprocessors operate in, or process data in, the United States and other regions outside the EU/EEA, the UK, or Israel. We keep a current named list of our subprocessors as part of our customer data-processing terms; the named list is available to enterprise customers and their counsel on request under a non-disclosure agreement. Transfer safeguards are described in Section 4A.

4.3 Users

— Influencer Information is made available to Users through the Platform for discovery, outreach, and campaign management. For Connected Accounts, additional data is shared according to the Influencer's connection consent.

4.4 Business transfers

— in connection with an actual or proposed merger, acquisition, financing, reorganization, sale of assets, or insolvency, personal information may be disclosed or transferred as part of that transaction, subject to this Privacy Policy or to notice.

4.5 Protecting rights and safety

— to protect the rights, property, safety, and security of IMAI, our Users, data subjects, or the public, and to enforce our terms.

4.6 Legal compliance

— to comply with applicable law, legal process, or a lawful governmental request.

4.7 Aggregate and de-identified information

— which is not personal information, for any lawful purpose.

4A. International Data Transfers

We are a global service. Your personal information may be transferred to, stored in, and processed in the United States and in other countries outside your home jurisdiction. This includes processing by our two operating companies — L.D.R.S GROUP LLC in the United States and InfluencerMarketing.ai Ltd in Israel — and by our cloud-hosting provider, our AI Subprocessors, and the other service providers identified by category in Section 4.2. Some of these countries may not provide the same level of data protection as your own.

Where we transfer personal data out of the EU/EEA, the United Kingdom, or Israel, we rely on an appropriate transfer mechanism, which may include:

• the EU Standard Contractual Clauses (SCCs) and, for UK transfers, the UK International Data Transfer Addendum (IDTA) or Addendum to the SCCs, together with a transfer risk assessment where required;
• transfers to countries that are recognized as providing an adequate level of protection; and
• another lawful safeguard or, where applicable, a permitted derogation under applicable law.

Where an Influencer has manifestly made information public, that public information may be processed wherever the Service operates, subject to applicable law.

You may request a copy of the relevant safeguard, or more information about our international transfers, using the contact details in "How to Contact Us."

5. Security and Data Retention

Security. We maintain administrative, technical, and physical safeguards designed to protect personal information, including encryption of data in transit. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

Retention. We keep personal information only for as long as necessary for the purposes described in this Privacy Policy, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. We apply a documented data-retention schedule by data category. Our current retention periods are:

Data Category	Retention Period
Registration & account information	Duration of account + up to 3 years after closure (for legal / dispute purposes)
Billing & transaction records	7 years (to meet tax and accounting obligations)
Government identification numbers	Deleted or minimized promptly once the payment or verification purpose is complete; not retained beyond the underlying transaction
Public Influencer Information	Retained while the Service operates and for up to 2 years after last use; refreshed or removed if no longer publicly available
Connected Account data (OAuth)	While connected + up to 12 months after disconnection (or earlier on request)
Consumer Engagement Data	Up to 25 months from collection (for campaign analytics and attribution)
Biometric data (face/voice inputs, faceprint/voiceprint)	Deleted within 30 days of the purpose being satisfied (e.g., the generation is complete), or on withdrawal of consent / valid deletion request, whichever is earlier
Generated Content (output media)	Retained while associated with an active User account; deleted within 90 days of account closure or a valid request
Usage and log data	Up to 13 months
Support communications	Up to 3 years

Biometric data — special rules. Consistent with applicable biometric laws (such as the Illinois Biometric Information Privacy Act), we maintain a written policy for the retention and destruction of biometric data. Biometric identifiers and the underlying face and voice inputs are destroyed when the initial purpose is satisfied or within the period above, whichever occurs first, and are deleted on withdrawal of consent or a valid deletion request. Deletion extends to copies held by our voice-generation and video-generation subprocessors (including deletion of any stored voice model or stored asset) and to our cloud storage.

Connected Accounts. Disconnecting a Creator Account stops new data collection; data already received is retained according to the schedule above and deleted on a valid request.

6. Use of Google Workspace APIs and AI Training

Where we access Google Workspace APIs, the data obtained is not used to develop, improve, or train generalized or non-personalized AI or machine-learning models, and is used solely for the limited, stated purposes.

More broadly, when we use AI Subprocessors to provide a feature, we transmit only the input needed to produce the requested output, and we contract for no-training and zero-data-retention handling where such terms are available, so that your content and any uploaded face or voice data are not used to train the providers' general models.

7. Your Privacy Rights

Depending on where you live, you have rights over your personal information. We honor the rights described in this section and in the region-specific sections that follow.

How to exercise your rights. To make a request, email us at [email protected] (you may also use [email protected]). We handle requests through a manual review process and will respond within the time required by applicable law — and in any event within 30 days of a verifiable request, unless the law allows an extension, in which case we will tell you. We may need to verify your identity before acting on your request, and we will not discriminate against you for exercising your rights. You may use an authorized agent where the law permits.

The rights available to you may include the right to access the personal information we hold about you; to correct inaccurate information; to delete your information; to restrict or object to certain processing; to port your information to another provider; to withdraw consent; and to opt out of certain sharing or targeted advertising. Region-specific details are below.

8. Additional Information for Individuals in the EU/EEA

Controller. For individuals in the EU/EEA (and, generally, anyone outside the United States), your Controller is InfluencerMarketing.ai Ltd, 38 Habarzel St., 6971054 Tel Aviv, Israel.

Legal bases. We rely on the bases stated in Section 3 (performance of a contract, legitimate interests, consent, and legal obligation). For special-category (biometric) data in Generated Content features, we rely on your explicit consent under Article 9(2)(a) GDPR.

International transfers. See Section 4A. Personal data is processed in the United States and other regions under SCCs, adequacy decisions, or other lawful safeguards.

Your GDPR rights. You have the right to access; rectification; erasure ("right to be forgotten"); restriction of processing; data portability; objection (including to processing based on legitimate interests and to direct marketing); and the right to withdraw consent at any time. To exercise these rights, email us at [email protected]. You also have the right to lodge a complaint with your local data-protection supervisory authority.

Automated decision-making and profiling. We generate (a) brand-safety and risk indicators and scores about Influencers from their public content, and (b) audience and performance profiling and inferences about Influencers and their audiences. These outputs are produced by AI models analyzing public posts and are provided to Users as decision-support. We do not use them to make a solely-automated decision that produces legal or similarly significant effects on an individual. You may request information about the logic involved, request human review, express your point of view, and contest an indicator you believe is inaccurate, by emailing [email protected].

9. Additional Information for Individuals in the United Kingdom

This section supplements the policy for individuals in the United Kingdom under the UK GDPR and the Data Protection Act 2018. For UK individuals (outside the United States), your Controller is InfluencerMarketing.ai Ltd, Tel Aviv, Israel.

The legal bases, the rights (access, rectification, erasure, restriction, portability, objection, and withdrawal of consent), and the automated-decision and profiling provisions described in Section 8 apply equally in the UK. For transfers out of the UK we rely on the UK International Data Transfer Addendum (IDTA) or another approved mechanism (see Section 4A). To exercise your rights, email [email protected]. You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO).

10. Additional Information for California Residents

This section supplements the policy for California residents under the California Consumer Privacy Act, as amended by the CPRA. For California residents and other US personal data, the "business" is L.D.R.S GROUP LLC, a Delaware (USA) company, contactable at [email protected] and at the address in "How to Contact Us."

Categories of personal information we collect (in the last 12 months): identifiers (name, email, phone, mailing address, user and online identifiers, login credentials, IP address); commercial information (products or services considered, purchase history); internet and network activity (browsing, clicks, feature use); approximate geolocation (including from campaign clicks and conversions); social-media account information; payment information; professional information (company, role); and inferences and profiles drawn from the above.

Sensitive personal information. Depending on the features you use, we may process sensitive personal information, including: account login credentials; precise geolocation in limited cases; a government identification number where required for payment or identity verification; and, for Generated Content features, biometric information (face or voice data used to identify or recreate a person). We use sensitive personal information only for purposes permitted by law (such as providing the service you request and security), and we honor your right to limit the use of sensitive personal information. We process biometric information only with your consent (see Section 3.7).

Sale and sharing. We do not sell personal information for money, and we do not sell Creator Account data. To the extent any use of cookies, analytics, or campaign tracking constitutes "sharing" for cross-context behavioral advertising under the CPRA, you may opt out through our cookie and consent controls and the "Do Not Sell or Share My Personal Information" link on our website, and we honor Global Privacy Control (GPC) browser signals.

Automated decision-making technology and profiling. We use automated processing for brand-safety scoring and audience profiling as described in Sections 3.9 and 8. Subject to applicable CPRA regulations, you may have rights to notice, access, and opt-out regarding certain automated decision-making technology; contact us to exercise them.

Sources, purposes, and disclosures. We collect personal information directly from you, from public sources, from our service providers, and automatically. We use it for the purposes in Section 3. We disclose it for business purposes to the service-provider categories in Section 4.2, to our affiliates, and to Users.

Retention. We retain each category of personal information according to the schedule in Section 5.

Your California rights. You have the right to know and access; to delete; to correct; to opt out of sale or sharing; to limit the use of sensitive personal information; to data portability; and to non-discrimination for exercising your rights. To submit a request, email [email protected]. You may use an authorized agent.

11. Additional Information for Individuals in Israel

This section supplements the policy under the Israeli Privacy Protection Law (PPL), as amended. For individuals in Israel, your Controller and database owner is InfluencerMarketing.ai Ltd, 38 Habarzel St., 6971054 Tel Aviv, Israel.

We process personal information held in our databases for the purposes described in this Privacy Policy, and we provide notice at the point of collection as required. You have the right to review, correct, and request deletion of information about you held in our databases, subject to the exceptions permitted by law. To exercise these rights, email [email protected]. Where we process sensitive information — for example, a national identification number collected for local card processing, or biometric data for Generated Content features — we apply heightened safeguards and process it only on a lawful basis, including your consent for biometric data.

12. Children

The Service is intended for users aged 18 and over. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child, we will delete it. Where Generated Content features are used, Users must not upload the face or voice of a minor.

13. Changes to this Privacy Policy

We review this Privacy Policy periodically and may update it. When we do, we will post the updated version here and, where required, provide additional notice. If you continue to use the Service after an update takes effect, you accept the updated Privacy Policy. The current version is always available at https://influencermarketing.ai/privacy-policy.

14. How to Contact Us

Our Data Protection Officer, or any privacy question or to exercise your right can be reached at [email protected].

The company responsible for your personal information depends on your region:

---

Effective date: 2 June 2026