Legal

Privacy policy

Last updated:

1. Who we are

PeachParty is operated by SteadyGo AB, a Swedish limited company registered with Bolagsverket and headquartered in Sweden. SteadyGo AB is the data controller for the personal data processed through peachparty.io. You can reach our data-protection contact at privacy@peachparty.io.

2. What personal data we collect

  • Account data — name, email, password hash (or Google OAuth identifier), account role (creator, brand, admin).
  • Profile data — bio, profile photo, portfolio media, niches, languages, social follower counts, birth year.
  • Transaction data — orders, briefs, proposals, deliveries, payouts (via Stripe Connect), subscription history.
  • Communication data — messages between brands and creators, support emails, notification preferences.
  • Usage data — pages viewed, device type, IP address (for security and abuse prevention), referrer URL.
  • Identity verification — for creators who connect Stripe, KYC data (ID document, address) is collected directly by Stripe — we do not see or store this information.

3. Why we process it

We process your data to:
  • Operate your account and the matchmaking marketplace
  • Process payments through Stripe Connect (creator payouts) and Stripe Billing (subscriptions)
  • Send transactional email (order updates, payouts, security alerts) via Resend
  • Send marketing email (only with your opt-in consent — easily revoked in settings)
  • Prevent fraud, off-platform circumvention, and abusive use
  • Comply with Swedish tax and accounting law
  • Analyze product usage in aggregate to improve the service

4. Legal basis (GDPR Art. 6)

  • Contract performance — account, orders, deliveries, payouts.
  • Legal obligation — tax records, accounting records, anti-money-laundering checks.
  • Legitimate interest — fraud prevention, security logging, product analytics. You may object at any time.
  • Consent — marketing email and any optional cookies. Withdrawable at any time.

5. Sub-processors we share data with

We use the following processors. Each is bound by a Data Processing Agreement and (where applicable) Standard Contractual Clauses for transfers outside the EU/EEA:
  • Stripe, Inc. (USA) — payments, KYC, payouts
  • Supabase Inc. (Frankfurt, EU) — database and file storage
  • Vercel Inc. (USA, with EU edge nodes) — hosting
  • Resend (USA) — transactional and marketing email delivery
  • Google LLC (USA) — OAuth identity (only if you sign in with Google)
  • Sentry (USA) — error monitoring
We do not sell personal data to third parties. We may disclose data to public authorities where required by Swedish or EU law.

6. How long we keep your data

  • Active account data — for the lifetime of your account.
  • Closed account data — deleted within 30 days of closure, except records we must retain for legal reasons.
  • Accounting records — 7 years (Swedish Bokföringslagen).
  • KYC records held by Stripe — retained per Stripe's policy (typically 5 years post-account closure).
  • Server access logs — 90 days.
  • Marketing email opt-out records — kept indefinitely to honor your opt-out.

7. Your rights under GDPR

You have the right to:
  • Access the personal data we hold about you
  • Rectify inaccurate data
  • Erase your data (subject to legal retention requirements)
  • Restrict or object to processing
  • Receive your data in a portable format (JSON export available in settings)
  • Withdraw consent for marketing at any time
  • Lodge a complaint with Integritetsskyddsmyndigheten (IMY) — the Swedish DPA — at imy.se
To exercise your rights, email privacy@peachparty.io. We respond within 30 days.

8. International data transfers

Some sub-processors (Stripe, Vercel, Resend, Google, Sentry) are based in the United States. Transfers are made under Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework. Supabase data is stored in Frankfurt (EU) by default.

9. Cookies and tracking

We use only strictly necessary cookies (session, CSRF, affiliate attribution). We do not use third-party advertising trackers or analytics cookies that profile individuals. A cookie banner is shown on first visit per the ePrivacy Directive.

10. Children's privacy

PeachParty is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe we have, contact us and we will delete the account.

11. Security

We use TLS 1.2+ in transit, encryption at rest for sensitive fields, role-based access control internally, and Stripe's PCI-compliant infrastructure for all payment data. We never store full payment card numbers ourselves.

12. Changes to this policy

When we materially change this policy, we will notify you by email and via in-app banner at least 14 days before the change takes effect.

13. Contact

SteadyGo AB
Sweden
Privacy contact: privacy@peachparty.io
General contact: hello@peachparty.io