Legal Document

Privacy Policy

Effective Date: January 1, 2025  ·  Last Updated: April 4, 2026  ·  Version 1.0

Krrio

Sakillion Innovations Private Limited

CIN: U62099UP2024PTC204698

1/342, Rashmi Khand, Sharda Nagar, Arjunganj, Lucknow - 226002, Uttar Pradesh, India

privacy@krrio.com · www.krrio.com

Table of Contents

1. Introduction
2. Who We Are
3. Data We Collect
4. How We Use Your Data
5. Social Media Integration
6. Legal Bases for Processing
7. Data Sharing & Disclosure
8. Data Security
9. Data Retention
10. Your Rights
11. Children's Privacy
12. Cookies & Tracking
13. International Data Transfers
14. Meta Platform Compliance
15. Regulatory Compliance
16. Grievance Officer
17. Changes to This Policy
18. Contact Us

1. Introduction

Welcome to Krrio ("Platform", "we", "our", or "us"). Krrio is a performance-based creator marketing platform operated by Sakillion Innovations Private Limited, a company incorporated under the Companies Act, 2013. We connect brands with content creators for authentic promotional campaigns, track performance through official social media APIs, and facilitate transparent, compliant influencer marketing.

This Privacy Policy ("Policy") explains in detail what personal information we collect when you visit our website (www.krrio.com), register an account, connect your social media profiles, or participate in campaigns. It describes how we use, protect, share, and retain that information, and what choices and rights you have over your data.

By accessing or using the Krrio Platform, you agree to the collection and use of your information in accordance with this Policy. If you do not agree with any part of this Policy, please do not access or use the Platform.

This Policy should be read together with our Terms & Conditions for Creators and Terms & Conditions for Brands.

2. Who We Are

The data controller responsible for your personal data is Sakillion Innovations Private Limited, operating the Krrio platform. Our full details are:

Platform Name: Krrio
Legal Entity: Sakillion Innovations Private Limited
CIN: U62099UP2024PTC204698
Registered Office: 1/342, Rashmi Khand, Sharda Nagar, Arjunganj, Lucknow - 226002, Uttar Pradesh, India
Privacy Email: privacy@krrio.com
Grievance Email: grievance@krrio.com
Support Email: support@krrio.com
Website: www.krrio.com
Grievance Response Time: Within 48 hours

3. Data We Collect

We collect the minimum amount of data necessary to operate the Platform and deliver our services. We collect data through three primary means: information you provide directly, data collected automatically through your use of the Platform, and data received from connected third-party social media platforms.

3.1 Data You Provide Directly — Creators

Data Type | Purpose | Required?
Full Name | Account identification, tax documentation | Yes
Email Address | Authentication, communication, notifications | Yes
Phone Number | OTP verification, account security | Yes
Profile Picture | Display to brands on campaign applications | No
Bio / Description | Creator profile displayed to brands | No
Social Media Handles | Campaign matching and eligibility | Yes (Instagram min)
Bank Account / UPI ID | Processing campaign payouts via Razorpay | Yes
Government ID | KYC verification for high-tier payouts | As required
Content Niche & Language | Matching creators with relevant campaigns | Yes
City / Location | Geographic targeting for campaigns | Yes
PAN / Tax Details | TDS compliance under Section 194R, Income Tax Act | As required

3.2 Data You Provide Directly — Brands

Data Type | Purpose | Required?
Company Name | Business identification, campaign display | Yes
Business Registration Number | Business verification | As required
GSTIN | Tax compliance, invoice generation | Recommended
Contact Person Name | Primary point of contact for campaigns | Yes
Business Address | Legal records and correspondence | Yes
Logo / Brand Assets | Display on campaigns shown to creators | Recommended
Website URL | Verification, campaign landing pages | Yes
Payment Method | Campaign funding via Razorpay | Yes
Industry / Category | Platform categorization and analytics | Yes

3.3 Data Collected Automatically

When you access or use the Platform, we automatically collect certain technical information:

Data Type | Purpose
IP Address | Security, fraud detection, geographic analytics
Device Information | Platform optimization, security monitoring
Browser Type & Version | Compatibility, security
Operating System | Technical support, analytics
Pages Viewed & Navigation | Usage analytics, UX improvement
Session Duration | Engagement analytics
Referring URLs | Traffic source analysis
Access Timestamps | Security audit logging
Click Events | Campaign performance attribution

This data is collected using server logs, cookies, and similar tracking technologies. It is used in aggregated and anonymized form wherever possible. No automated profiling that produces legal or similarly significant effects is conducted without human oversight.

3.4 Data We Explicitly Do NOT Collect

We want to be transparent about what we do not collect or access:

  • Private Messages: We have no access to Instagram Direct Messages, Facebook Messenger, YouTube messages, or any private communications on any platform.
  • Passwords: We never request, store, or access your passwords for any third-party platform. Authentication is handled exclusively via official OAuth.
  • Private Account Content: We cannot access content from private accounts or posts not submitted to our platform.
  • Follower/Following Lists: We do not access or store your follower or following lists from any social media platform.
  • Contacts: We do not access phone contacts, email contacts, or friend lists.
  • Precise Location / GPS: We do not collect GPS or precise location data beyond the city you declare during onboarding.
  • Device Identifiers: We do not collect IMEI numbers, hardware identifiers, or similar device-level identifiers beyond standard browser information.
  • Complete Financial Data: Card numbers, full bank account details, and CVVs are processed exclusively by Razorpay (PCI-DSS certified). We store only masked references and payout confirmation data.
  • Unauthorized API Data: We do not access any data beyond the specific API scopes authorized by you during the OAuth connection flow.

4. How We Use Your Data

We use your personal data only for the purposes described here. We do not use your data for automated decision-making that produces significant legal effects without human review, and we never use your data to train AI models.

4.1 Providing and Operating the Platform

  • Creating and maintaining your account and user profile
  • Matching creators with relevant brand campaigns based on niche, audience, and location
  • Facilitating the campaign application, approval, and content submission workflow
  • Tracking campaign performance via officially authorized social media APIs
  • Processing payouts to creators via Razorpay (UPI / bank transfer)
  • Generating payout reports, Form 16/16A, and TDS documentation

4.2 Safety, Security, and Fraud Prevention

  • Detecting and preventing fraudulent activity, fake engagement, or bot-driven metric inflation
  • Monitoring for suspicious traffic patterns, datacenter IPs, and anomalous engagement velocity
  • Verifying the authenticity of creator accounts and audience quality
  • Maintaining audit logs of data access for security and compliance purposes
  • Responding to and investigating reported violations of our Terms

4.3 Legal Compliance

  • Meeting our obligations under the Indian Income Tax Act (TDS deductions under Section 194R)
  • Complying with the Information Technology Act, 2000 and IT Rules, 2021
  • Responding to lawful requests from government authorities or courts
  • Meeting GDPR obligations for EU users and CCPA obligations for California residents
  • Complying with the Digital Personal Data Protection Act (DPDP Act), India
  • Maintaining records required for Meta Platform compliance audits

4.4 Communication

  • Sending transactional notifications: campaign approvals, payment confirmations, content review updates
  • Sending platform updates, policy changes, and security alerts
  • Sending promotional communications about new campaigns or features — you can opt out at any time
  • Responding to your support requests, disputes, and appeals

4.5 Analytics and Platform Improvement

  • Understanding how the Platform is used to improve features and user experience
  • Generating aggregated, anonymized reports about campaign performance trends
  • Testing new features with a subset of users (with notice where material)

5. Social Media Integration

Connecting your social media account is a core feature of Krrio for creators. We handle this integration with the highest degree of care and transparency, in full compliance with Meta Platform Policies, Google API Services User Data Policy, and all applicable platform developer terms.

5.1 How the Connection Works

When you choose to connect your Instagram or YouTube account, you are redirected to the official Meta or Google authorization page. You review the specific permissions we are requesting, and if you agree, the platform issues us a secure OAuth access token. At no point do we ask for, see, or store your social media password.

5.2 What We Access — Instagram (via Meta Graph API)

Permission / Scope | What It Allows | Why We Need It
instagram_basic | Read basic profile info (username, ID, profile picture) | Account identification and verification
instagram_manage_insights | Read insights for your media objects | Fetching views, reach, likes, comments, shares, saves for submitted posts
pages_read_engagement | Read engagement data on connected Facebook Pages | Required for Instagram Business account insights

5.3 What We Access — YouTube (via Google API)

Permission / Scope | What It Allows | Why We Need It
youtube.readonly | Read-only access to channel information | Channel verification and subscriber count
yt-analytics.readonly | Read YouTube Analytics data | View counts, watch time, engagement for submitted videos

5.4 Strict Limitations on What We Access

Even with the above permissions, we operate under strict self-imposed and platform-mandated limitations:

  • Post-specific only: We only fetch data for the specific post URL you explicitly submit to a campaign. We do not scan or retrieve data from your entire account history.
  • No historical data: We cannot access content or analytics for posts published before you connected your account to Krrio.
  • No private content: We cannot access posts, stories, or reels that are not publicly published.
  • Read-only: We have no ability to post content, leave comments, send messages, follow/unfollow, or take any action on your account. Our access is strictly read-only.
  • No DM access: We cannot read, send, or access any direct messages or private communications.
  • No follower lists: We do not access or store your follower or following lists.
  • No audience PII: We do not receive or store any personally identifiable information about your followers or viewers. Insights data is aggregated (e.g., view counts, not viewer identities).

5.5 Token Storage and Security

OAuth access tokens are encrypted using AES-256-GCM before being stored in our database. Encryption keys are managed using industry-standard key management practices. Access to decrypted tokens is strictly limited to the background jobs that fetch campaign metrics. Tokens are never exposed to client-side code, logged in plaintext, or shared with any third party beyond the social media platform itself.

5.6 Revoking Access

You can disconnect your social media account at any time through two methods:

  • Krrio Settings: Go to your Creator Settings page and disconnect the account. We will immediately stop fetching new data.
  • Platform Settings: Revoke Krrio's access from your Instagram Settings → Apps and Websites, or Google Account → Third-party apps. The token will be invalidated immediately.

Upon disconnection, we retain historical performance data already fetched (for past campaigns you participated in) as required for payout records and dispute resolution, but we stop fetching any new data immediately.

6. Legal Bases for Processing

For users in the European Union (GDPR) and under the principles of the Indian Digital Personal Data Protection Act (DPDP Act), we process your personal data on the following legal bases:

Processing Activity | Legal Basis
Account creation and profile management | Contract performance (providing the service you registered for)
Campaign matching and participation | Contract performance
Processing payouts | Contract performance + Legal obligation (TDS)
Connecting social media accounts for metrics | Explicit consent (OAuth authorization flow)
Fraud detection and platform security | Legitimate interest (maintaining platform integrity)
Sending transactional notifications | Contract performance
Sending marketing communications | Consent (opt-out available at any time)
Tax reporting and TDS deductions | Legal obligation (Section 194R, Income Tax Act)
Responding to legal requests | Legal obligation
Analytics and platform improvement | Legitimate interest (using anonymized/aggregated data)

7. Data Sharing & Disclosure

We never sell your personal data. We do not rent, trade, or monetize your personal information to any third party for their marketing purposes. Data sharing is limited to the following circumstances, all of which are necessary for platform operations:

7.1 Service Providers and Partners

Recipient | Purpose | Data Shared | Safeguards
Razorpay | Payment processing, payout disbursement | Bank/UPI details, payout amounts | PCI-DSS certified, data processing agreement
Meta Platforms | OAuth authorization, API metric fetching | Access token (for API calls) | Meta Platform Terms, API authorization flow
Google (YouTube) | OAuth authorization, API metric fetching | Access token (for API calls) | Google API Terms of Service, OAuth
Cloud Infrastructure Providers | Hosting, database, storage | All platform data | NDAs, data processing agreements, encryption
Email / SMS Providers | Transactional notifications | Email, phone (masked) | NDAs, data processing agreements

7.2 Data Visible Within the Platform

Scenario | What Brands See | What Creators See
Campaign listing | Creator username, niche, follower count, engagement rate (aggregated) | Brand name, campaign requirements, payout rates
Campaign analytics | Aggregated performance metrics for their own campaigns only | Own performance metrics for their own posts
Cross-brand data | Cannot see other brands' campaigns or creator data | Cannot see other creators' earnings or campaign details
Personal data | Creator's display name, profile picture, social handles | Brand's company name and public profile

7.3 Legal Disclosures

We may disclose your data when:

  • Required by Indian law, regulation, court order, or government authority
  • Required under GDPR, CCPA, or other applicable regulations
  • Necessary to protect our legal rights or to enforce these Terms
  • Necessary to prevent fraud, illegal activity, or threats to safety
  • In connection with a business merger, acquisition, or sale of assets (you will be notified in advance)

We will notify affected users of any significant disclosures to the extent permitted by law.

8. Data Security

Krrio implements a layered, defense-in-depth security architecture to protect your personal data. Our security practices follow ISO 27001 principles and industry best practices.

8.1 Technical Safeguards

Safeguard | Implementation
Data in Transit | TLS 1.3 (HTTPS) enforced on all connections; HSTS headers enabled
Data at Rest | AES-256 encryption for all stored data
OAuth Tokens | AES-256-GCM encrypted before storage; never logged in plaintext
Payment Data | PCI-DSS compliant via Razorpay; we store only masked references
Database | Encrypted storage with access logging; no direct public access
API Keys & Secrets | Stored in environment variables / secret management systems; not in code
Authentication | Bcrypt password hashing; MFA available for internal admin systems

8.2 Organizational Safeguards

  • Role-Based Access Control (RBAC): Staff access to personal data is strictly limited to job function requirements. No engineer has blanket access to production user data.
  • Least Privilege: Minimum necessary permissions are granted by default; elevated access requires approval and is time-limited.
  • Audit Logging: All data access, modification, and deletion events are logged and retained for security auditing.
  • Regular Security Reviews: Quarterly access permission audits and periodic security assessments.
  • Incident Response: We maintain a documented incident response plan. In the event of a data breach, we will notify affected users and relevant authorities within 72 hours as required by law.
  • Vendor Security: All third-party vendors with access to personal data are subject to data processing agreements and security assessments.

8.3 Your Responsibilities

  • Use a strong, unique password for your Krrio account
  • Do not share your login credentials with anyone
  • Report any suspected unauthorized access immediately to support@krrio.com
  • Log out from shared or public devices after using the Platform

No method of transmission over the internet or electronic storage is 100% secure. While we implement robust security measures, we cannot guarantee absolute security and encourage you to take the steps above to protect your account.

9. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements.

Data Category | Retention Period | Reason
Account Data (profile, credentials) | Duration of active account + 2 years after deletion | Service delivery, dispute resolution
Transaction & Payout Records | 7 years from transaction date | Tax compliance (Income Tax Act), legal disputes
Campaign Performance Data | 2 years after campaign end date | Analytics, dispute resolution, audit
OAuth Access Tokens | Until you disconnect or token expires | Active service delivery
Legal Consent Records (TnC acceptance) | Duration of account + 7 years | Legal compliance, audit proof
Fraud Detection Logs | 3 years from creation | Platform integrity, legal action if needed
Marketing Preferences | Until you opt out or delete account | Consent-based
Security & Audit Logs | 2 years | Security monitoring, incident response
Support Communications | 3 years from last interaction | Service quality, dispute reference

When you delete your account, we will deactivate it within 30 days. We will delete or anonymize your personal data within 90 days, except where retention is required by law (e.g., transaction records for 7 years). Data retained for legal compliance is stored securely and access is restricted.

10. Your Rights

You have a number of rights over your personal data. We are committed to honoring these rights promptly and without restriction, except where limited by applicable law.

10.1 Universal Rights (All Users)

Right | What It Means | How to Exercise
Access | Request a copy of all personal data we hold about you | Email privacy@krrio.com or use account settings
Rectification | Request correction of inaccurate or incomplete data | Update directly in account settings or email us
Erasure | Request deletion of your data (subject to legal retention requirements) | Submit account deletion request or email privacy@krrio.com
Portability | Receive your data in a machine-readable format | Email privacy@krrio.com
Withdraw Consent | Withdraw consent for marketing or social media connection at any time | Account settings or email us
Restriction | Request we limit processing of your data in certain circumstances | Email privacy@krrio.com

10.2 Additional Rights — EU Users (GDPR)

  • Right to Object: Object to processing based on legitimate interests
  • Right Not to Be Subject to Automated Decisions: Request human review of any significant automated decisions
  • Right to Lodge a Complaint: File a complaint with your national Data Protection Authority (DPA)

10.3 Additional Rights — Indian Users (DPDP Act)

  • Right to Grievance Redressal: Contact our Grievance Officer (see Section 16)
  • Right to Nominate: Nominate a person to exercise data rights on your behalf in case of incapacity

10.4 Additional Rights — California Residents (CCPA)

  • Right to Know: What categories of personal information we collect and why
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out of Sale: We do not sell personal information — this right is automatically fulfilled
  • Non-Discrimination: We will not discriminate against you for exercising any CCPA rights

We will respond to all rights requests within 30 days. For complex requests, we may extend this by an additional 60 days with notice. We may need to verify your identity before processing certain requests.

11. Children's Privacy

The Krrio Platform is not intended for, directed at, or designed for children under the age of 18.

We do not knowingly collect personal data from anyone under 18 years of age. All users must affirmatively represent during registration that they are 18 or older. If we discover that we have inadvertently collected personal data from a minor, we will take immediate steps to delete that information from our systems and terminate the associated account.

If you are a parent or guardian and believe that your child has registered on Krrio or provided us with personal information, please contact us immediately at privacy@krrio.com. We will investigate and take appropriate action within 48 hours.

12. Cookies & Tracking

We use cookies and similar tracking technologies on our website and Platform to provide functionality, analyze usage, and improve your experience.

12.1 Types of Cookies We Use

Cookie Type | Purpose | Can You Opt Out?
Strictly Necessary | Authentication (session cookies), security tokens, CSRF protection. The Platform cannot function without these. | No (required for service)
Functional | Remembering your preferences (theme, language, sidebar state) | Yes, via browser settings
Analytics | Understanding how pages are used (anonymized and aggregated) | Yes, via browser settings or our cookie preferences
Performance | Monitoring application performance and detecting errors | Yes

12.2 Managing Cookies

You can control and delete cookies through your browser settings. Most browsers allow you to refuse all cookies or accept only certain types. Note that disabling strictly necessary cookies will prevent you from logging in or using the Platform.

We do not use cookies for cross-site behavioral advertising or remarketing. We do not place cookies on Meta platforms or any third-party websites.

13. International Data Transfers

Krrio is headquartered in India. Your data is primarily stored on servers located in India. However, some of our service providers (such as cloud infrastructure and email providers) may process data in other countries.

Where data is transferred outside India or the EEA, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission for EU data
  • Data Processing Agreements with all vendors handling personal data
  • Ensuring vendors comply with equivalent data protection standards

By using the Platform, you consent to your data being transferred to and processed in India and other countries where our service providers operate.

14. Meta Platform Compliance

Krrio integrates with Meta Platforms, Inc. (Instagram, Facebook) via the official Meta Graph API. We are committed to full compliance with Meta's Platform Terms, Developer Policies, Branded Content Policies, and Privacy Policies.

14.1 Our Commitments to Meta

  • Authorized Access Only: All Meta API access is conducted within authorized scopes, with proper user consent obtained through Meta's official OAuth flow.
  • No Data Scraping: We do not scrape, crawl, or harvest any public or private data from Meta platforms outside of authorized API access.
  • No Engagement Manipulation: We do not purchase, sell, or facilitate fake likes, comments, followers, or views. All engagement tracked is organic and authentic.
  • No Unauthorized Automation: We do not use bots, scrapers, or automation tools that violate Meta's Automated Behavior policies.
  • No Pixel Tracking on Meta: We do not use Facebook Pixel or any tracking technology on Meta-owned platforms.
  • Data Minimization: We request only the minimum API permissions necessary to track campaign metrics for posts explicitly submitted by creators.
  • Branded Content Compliance: We require all creators to use Meta's Paid Partnership label for all sponsored content posted as part of Krrio campaigns.
  • Transparency with Meta: We cooperate fully with any Meta compliance audits or investigations and will promptly report any security incidents.

14.2 Data Received from Meta

Data received from Meta through the Graph API is used exclusively for the purpose of tracking campaign performance for posts submitted by creators. This data is:

  • Not sold, rented, or transferred to any third party
  • Not used to build profiles of Meta users beyond campaign participants
  • Not used to target advertising to Meta users
  • Retained only for the periods described in Section 9
  • Accessible only to the brand whose campaign the content was submitted to, and to Krrio's fraud detection systems

15. Regulatory Compliance

Regulation | Jurisdiction | Our Status | Key Commitment
Information Technology Act, 2000 & IT Rules, 2021 | India | Full compliance | Data protection, intermediary obligations
Digital Personal Data Protection (DPDP) Act | India | Full compliance | Consent, data principal rights, grievance officer
Income Tax Act, 1961 (Section 194R) | India | Full compliance | TDS deduction and Form 16/16A issuance
General Data Protection Regulation (GDPR) | European Union | Full compliance for EU users | Legal bases, data subject rights, 72-hour breach notification
California Consumer Privacy Act (CCPA) | California, USA | Full compliance | Know, delete, opt-out rights; no data sale
Meta Platform Terms & Developer Policies | Global | Full compliance | Authorized API access, no scraping, branded content labels
ISO 27001 Information Security | Global | Practices followed | Risk-based security management

16. Grievance Officer

As required by the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and the Digital Personal Data Protection Act, Krrio has appointed a Grievance Officer to address user complaints and concerns related to data privacy.

Grievance Officer: Saksham Gautam

Designation: Director, Sakillion Innovations Private Limited

Email: grievance@krrio.com

Address: 1/342, Rashmi Khand, Sharda Nagar, Arjunganj, Lucknow - 226002, Uttar Pradesh, India

Response Time: Within 48 hours of receipt

Resolution Time: Within 30 days of receipt

You may also escalate unresolved complaints to your country's relevant data protection authority. For EU users: your national supervisory authority. For Indian users: the Data Protection Board of India (once operational under the DPDP Act).

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will communicate material changes to you in the following ways:

  • Sending an email to the address associated with your account at least 15 days before the changes take effect
  • Displaying a prominent in-app notification when you log in
  • Updating the "Last Updated" date at the top of this page

Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree to the changes, you must stop using the Platform and may request deletion of your account.

Previous versions of this Policy are available upon request by emailing privacy@krrio.com.

18. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal data, please reach out to us:

Privacy Requests: privacy@krrio.com
Grievance Officer: grievance@krrio.com
General Support: support@krrio.com
Legal: legal@krrio.com
Postal Address: 1/342, Rashmi Khand, Sharda Nagar, Arjunganj, Lucknow - 226002, Uttar Pradesh, India

© 2026 Sakillion Innovations Private Limited. CIN: U62099UP2024PTC204698. 1/342, Rashmi Khand, Sharda Nagar, Arjunganj, Lucknow - 226002, UP, India.