Legal

Privacy Policy

How we collect, store, and use your data — under India's Digital Personal Data Protection Act, 2023 (DPDP Act), which has been in force since 13 November 2025.

Last updated: 18 April 2026 · Issued by Cheqtech Solutions Private Limited · CIN U62013KA2025PTC211387

Overview

Qolab is a marketplace connecting Instagram creators, brands, and agencies across India. We handle personal and business data to make the marketplace work — creator discovery, Meta-verified audience analytics, fair-pay pricing, Razorpay escrow payments, GST-compliant invoicing, and dispute resolution. This policy explains, in plain English, what we collect, why, and what rights you have.

The DPDP Act is currently enforceable, with the DPDP Rules, 2025 operationalising its framework. We are fully committed to its principles: collect only what we need, use it only for the purposes you consented to, keep it secure, and respect your rights as a Data Principal.

Who we are

Qolab is operated by Cheqtech Solutions Private Limited, a company incorporated in India.

Company
Cheqtech Solutions Private Limited
CIN
U62013KA2025PTC211387
GST
29AANCC2860N1Z0
Registered office
Unit 101, 139/88, Oxford Towers, HAL Old Airport Road, Kodihalli, Bengaluru – 560008, Karnataka, India

For the purposes of the DPDP Act, we are the Data Fiduciary — the party that determines how your data is processed. Our Grievance Officer, Nodal Officer, and Chief Compliance Officer details are in the Grievance Officer section.

Itemised data notice

Per the DPDP Rules, 2025, here is an itemised list of every category of personal data we collect, the specific purpose for each, and our lawful basis (consent / contractual necessity / legitimate interest).

Data category | Specific purpose | Lawful basis
Name, email, phone, city, state | Identify you, sign you in, send transactional emails, resolve disputes | Consent (at signup) + contractual necessity
Instagram handle + Meta Graph API data (follower count, engagement, reach, impressions, audience demographics) | Compute your fair-pay rate, show verified analytics to brands, matchmaking | Consent (via Meta OAuth)
Long-lived Instagram access token (encrypted) | Keep your Instagram analytics current without re-authentication | Consent (via Meta OAuth)
Company name, GST number, industry, budget range (brands) | Run campaigns, issue GST invoices, match to relevant creators | Contractual necessity
Agency name, roster, categories represented | List your agency and roster on the platform, route brand requests | Contractual necessity
Booking terms, deliverables, chat messages, delivered content URLs | Execute the booking contract, hold escrow, resolve disputes | Contractual necessity
Razorpay transaction ID, settlement status (not card/UPI details) | Escrow, GST invoicing, payout tracking | Contractual necessity
Device info (IP, user-agent, device type) | Fraud prevention, abuse detection, security logs | Legitimate interest
Error / performance logs | Fix bugs and outages | Legitimate interest
Support correspondence | Respond to queries, improve support quality | Contractual necessity

We do not collect sensitive personal data (religion, caste, biometrics, health, political views, sexual orientation) and we never ask for it.

Instagram Graph API data

Because we use Meta's official Instagram Graph API (via Instagram Login for Business), creators who connect their account explicitly grant us — through Meta's OAuth consent screen — permission to access specific types of data. We never scrape Instagram and we never use the deprecated Instagram Basic Display API.

Exact permissions we request

These are the Meta permissions shown on the OAuth screen when you connect Instagram:

instagram_business_basic
Instagram user ID, username, account type (Business/Creator), profile picture URL, media count, follower/following counts, bio
instagram_business_manage_insights
Reach, impressions, profile views, website clicks, audience demographics (aggregated — age ranges, gender split, top cities/countries). Never individual follower identities.
pages_show_list
List of Facebook Pages you manage — required by Meta to link your Instagram Business account
pages_read_engagement
Aggregate engagement data on the linked Facebook Page (supporting signal for our fair-pay calculation)

We only access data permitted by your Instagram authorisation and do not retain data longer than necessary for the disclosed purpose. If Meta extends or changes these permissions, we'll update this page and notify affected creators.

Access tokens

We receive a long-lived Instagram access token (valid 60 days) and store it encrypted at rest in our database. An internal cron job refreshes it before expiry while your account stays connected. We never share the token with brands, agencies, or other creators.

What we DO NOT collect from Meta

  • Your Instagram password — Meta handles authentication.
  • Your direct messages (DMs).
  • Individual follower identities — only aggregated demographics.
  • Data about people who follow you — only your own metrics.
  • Any data from before you connected your account.

Revoking Instagram access (7-day purge)

You can disconnect Instagram at any time from your Qolab profile settings, or directly from Instagram → Settings → Apps and Websites → remove Qolab. On disconnect:

  • Your access token is revoked with Meta immediately.
  • Analytics sync stops immediately.
  • Cached Instagram insights (reach, impressions, demographics, media snapshots) are permanently purged within 7 days via an automated daily job.

Automated pricing decisions (fair-pay algorithm)

Qolab uses an automated algorithm to compute a suggested fair-pay rate for your creator profile from your Instagram engagement metrics. Under DPDP Rules, 2025, we disclose this clearly:

What it does
Combines your real follower count, engagement rate, and reach (all from Meta Graph API) with niche + geography fit to compute a suggested reel / story / post rate in INR.
What it produces
A suggested rate only — it's a starting point for negotiation, not a final price. You can override it freely.
What it does NOT do
It does not make binding decisions, does not deny anyone access, and does not compute personality / credit / eligibility scores.
Your rights
You can override the suggested rate at any time from your profile. Brands always see your final rate, not just our suggestion.
Appeal / manual review
If you disagree with how the rate was computed, email hello@qolab.in with subject “Pricing algorithm review”. Our Operations team manually reviews within 5 working days and adjusts if the dispute is valid.

Processors we share your data with

We do not sell your personal data to anyone. Ever. We share specific data with specific processors only as needed to run the platform. Each processor operates under a Data Processing Agreement (DPA) with us.

Supabase (USA / Singapore)
Our database, authentication, and storage provider. Your profile, bookings, messages live here. SOC 2 Type II + ISO 27001 certified. Data hosted in Singapore (ap-southeast-1). Supabase privacy policy →
Razorpay Software Private Limited (India)
Our payments processor for escrow, payouts, and invoicing under RBI's Payment Aggregator licence. Processes card/UPI/bank details under RBI data localisation rules. Razorpay privacy policy →
Resend (USA)
Our transactional email provider. Stores minimal metadata (recipient address, timestamp, delivery status). Resend privacy policy →
Vercel (USA)
Our application hosting and content delivery. Handles request routing, static asset caching, and basic server-access logs (IP, user-agent, URL). No personal data persisted beyond standard web-server logs. Vercel privacy policy →
Meta Platforms Inc. (USA)
Provider of the Instagram Graph API. We receive your Instagram data from Meta under the permissions you authorise via OAuth. We do not send data back to Meta beyond standard API calls. Meta privacy policy → · Meta Platform Terms →
Other users on the platform
Creators' public profile (handle, categories, engagement, city, suggested rate) is visible to brands and agencies searching for bookings. Your email, phone, and messages are NEVER exposed to other users outside of a booking conversation you've accepted.
Legal authorities
When compelled by valid Indian legal process (court order, IT Act notice, tax notice), we disclose only what's strictly required and notify you where lawful. Our Nodal Officer handles 24/7 law-enforcement coordination per IT Rules, 2021.

Where we store your data

Your personal data is stored in Supabase's Singapore (ap-southeast-1) region. Under the DPDP Act, 2023, cross-border transfers are permitted to jurisdictions not restricted by the Central Government; Singapore is currently not restricted. For EU / UK residents, this transfer is protected by Supabase's Standard Contractual Clauses under GDPR.

Payment data (card numbers, UPI handles, bank accounts) is stored by Razorpay within India, under RBI-mandated data localisation. We never see or store payment credentials.

  • All data in transit: TLS 1.2+ encryption.
  • All data at rest in Supabase: AES-256 encryption.
  • Sensitive fields (e.g. Instagram access tokens): application-level encryption on top of Supabase's at-rest encryption.

Retention periods

Active accounts
For as long as you use Qolab. We consider an account inactive after 18 months of no login.
After account deletion
Non-legally-retained data is permanently deleted within 30 days of your deletion request (except data that must be retained by law — see below). Backup systems rotate out residual copies within 60 days.
Completed booking records
7 years, to comply with the CGST Act 2017 (s. 35) and the Income-tax Act 1961 recordkeeping requirements. Pseudonymised where possible — your name replaced with a non-reversible identifier, only the transaction facts retained.
Instagram access tokens and cached insights
Purged within 7 days of Instagram disconnection or account deletion.
Chat messages tied to a booking
Retained while the booking is active + 90 days after completion for dispute review. Then anonymised (sender/recipient names replaced with role identifiers) or deleted.
Support correspondence
3 years, for quality improvement and re-opened dispute handling.
Server logs (IP, user-agent, request trace)
90 days rolling, purely for security-incident investigation. Automatically aged out.
Waitlist signups (pre-launch)
Until platform launch. Migrated into your real account if you sign up with the same email / Instagram handle; deleted if not.

Your rights as a Data Principal

Under Chapter 3 of the DPDP Act, 2023, you have clear rights over your personal data. Exercise any of them by emailing our Grievance Officer at hello@qolab.in with subject line “DPDP Privacy Request”.

  • Right to information and access (s. 11): a copy of your personal data, a summary of what's being processed, identities of processors.
  • Right to correction and erasure (s. 12): ask us to correct inaccurate data or delete what's no longer needed. See our Data Deletion page.
  • Right of grievance redressal (s. 13): complain to our Grievance Officer if something goes wrong.
  • Right to nominate (s. 14): appoint another person to exercise your rights on your behalf in case of death or incapacity. To nominate, send us a signed written request (email scan acceptable) with: your name + email on Qolab, nominee's full name + email + relationship to you, nominee's acceptance signature. We record the nomination against your account within 7 working days.
  • Right to withdraw consent (s. 6): revoke any consent you gave us at any time. See Withdrawing consent.

We will respond to a valid privacy request within 15 working days. For genuinely complex requests — e.g., very large data exports, cross-system deletion — we may take up to a maximum of 90 days, and we'll tell you as soon as we know.

EU / UK residents (GDPR)

If you're in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) and the UK GDPR apply in addition to the DPDP Act. You have the rights listed above, plus:

  • Right to data portability (Article 20) — receive your data in a structured, commonly-used, machine-readable format.
  • Right to object to processing (Article 21) — including processing based on our legitimate interests.
  • Right to lodge a complaint with your supervisory authority — e.g., the ICO in the UK.

Our legal bases for processing (GDPR Article 6) are consent for account creation and Instagram connection, contractual necessity for running bookings and payments, and legitimate interest for fraud prevention and security. Transfers from the EEA/UK to Supabase's Singapore region are protected by Standard Contractual Clauses.

Cookies and similar technologies

We use a minimal set of cookies: a secure session cookie to keep you signed in, a refresh cookie for silent session renewal, and a lightweight consent cookie that remembers your cookie choices. We do not use third-party advertising cookies, cross-site trackers, session replay, or device fingerprinting.

Full list and purposes on our Cookies page.

How we protect your data

  • TLS 1.2+ encryption in transit between your browser and our servers, and between our servers and processors.
  • AES-256 encryption at rest on the Supabase database. Sensitive fields (Instagram access tokens) additionally application-encrypted.
  • Row-Level Security (RLS) policies on every database table, enforced by Postgres — not just by application code.
  • Least-privilege access for our team. No team member routinely accesses individual user data; access is audited when disputes require it.
  • Mandatory 2FA for every team member's admin access.
  • Regular dependency updates and vulnerability scanning.
  • Secret rotation when any credential leaks.

Breach notification

If a breach impacts your data

Per the DPDP Rules, 2025, we will notify the Data Protection Board of India and all affected Data Principals without undue delay — typically within 72 hours of confirming the breach. Notices will include: what happened, what data was affected, containment steps taken, and what you can do to protect yourself. For EEA / UK residents, we meet the corresponding GDPR Article 33 and Article 34 obligations.

Children's data

Qolab is not for anyone under 18. We do not knowingly collect personal data from children. If you believe a child has signed up, email us and we'll delete the account immediately. This aligns with the DPDP Act's enhanced protections for children's data and its prohibition on tracking and behavioural monitoring of minors.

Meta Platform Terms compliance

By using the Instagram Graph API via our integration, we are bound by and abide by:

Our use of data received from Meta is strictly limited to the purposes disclosed in this Privacy Policy and the permissions scope you consented to. We do not transfer Meta-sourced data to any third party except the processors listed above (Supabase for storage, Razorpay only for settlement-related metadata).

Changes to this policy

When we update this policy, we'll change the “Last updated” date at the top and, for material changes, email all active users at least 30 days before the new terms take effect. Continued use of the platform after that date means you accept the updated terms.

Grievance Officer + Nodal Officer

In line with the DPDP Rules, 2025, Consumer Protection (E-Commerce) Rules, 2020, and IT (Intermediary Guidelines) Rules, 2021, we've appointed named officers. As a stage-zero startup, the same person currently holds all three roles — which is permitted under those Rules — and we'll separate them as we scale.

Grievance Officer
Saurabh Nishad (Founder). Handles DPDP-related complaints + E-Commerce Rules grievances. Response commitment: 15 working days (up to 90 days for complex cases).
Nodal Contact Person
Saurabh Nishad. 24/7 coordination with Indian law-enforcement per IT Rules, 2021 — email the same address with subject "LAW ENFORCEMENT — URGENT" for priority routing.
Chief Compliance Officer
Saurabh Nishad. Responsible for overall IT Rules compliance and due diligence.
Postal address
Unit 101, 139/88, Oxford Towers, HAL Old Airport Road, Kodihalli, Bengaluru – 560008, Karnataka, India

Every grievance we receive gets an automatic ticket ID on acknowledgement. If you're not satisfied with our resolution, you may escalate to the Data Protection Board of India under the DPDP Act, 2023.
