
Privacy Policy

Last updated: May 15, 2026

This Privacy Policy explains how Rowstr FZ-LLC (“Rowstr”, “we”, “us”, or “our”), a company registered in the United Arab Emirates, collects, uses, stores, and protects personal data in connection with the Rowstr platform (“Service”). This policy is governed primarily by UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (“UAE PDPL”) and complies with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the UK GDPR where they apply to our processing.

1. Our role under data-protection law

Rowstr operates a multi-tenant B2B platform. Our role under the UAE PDPL and the GDPR depends on the data being processed:

  • Controller — for personal data relating to the account owner, team members, and other authenticated users of the Service (account registration, billing data, support communications, authentication, security logs, and product analytics).
  • Processor — for personal data that an organization (our customer) uploads, generates, or processes in the Service relating to its talents, models, and third parties (collectively, “Customer Content”). The organization is the controller of that data. Our processing is governed by our Data Processing Agreement (DPA) at /dpa, which is automatically incorporated into the Terms of Service for every customer.

This Privacy Policy describes our practices as a controller. For our obligations as a processor, see the DPA.

2. Data we collect

2.1 Account data

Name, email address, profile image, password hash (when email/password is used), or the identifier returned by your federated identity provider (when magic-link or SSO is used). We never receive or store your federated provider password.

2.2 Organization data

Agency name, slug, logo, timezone, billing plan, team members and their roles, invitations issued and accepted.

2.3 Billing data

Billing email, country, VAT number (if applicable), invoice history, Stripe customer and subscription identifiers, last 4 digits and expiration of the payment card (held by Stripe). We do not store full card numbers or CVV.

2.4 Usage and technical data

IP address, browser type, device characteristics, pages visited, actions taken in the Service, error reports, and access logs. Captured for security, fraud detection, performance monitoring, and product analytics. Where this data is combined with an account, it is personal data under the GDPR and PDPL.

2.5 Two-factor authentication data

If you enable 2FA, we store the TOTP secret and a set of one-time backup codes, encrypted at rest. These are used solely to verify sign-in attempts.

2.6 Customer Content (we are processor)

Includes media files (images, videos), file metadata (filename, size, type, EXIF where present), model and talent profiles created in the Service, planning items, calendar events, chat messages and attachments, saved external links, comments, and notes. Our processing of Customer Content is governed by the DPA and not by this Policy.

3. Lawful bases for processing

We rely on the following lawful bases under GDPR Article 6 and the equivalent grounds under UAE PDPL Article 5:

  • Performance of a contract — to provide the Service you subscribed to, including account creation, authentication, billing, hosting, and support.
  • Legitimate interests — for security monitoring, abuse and fraud prevention, defending and pursuing legal claims, and product analytics in aggregated form. We balance these interests against your rights and freedoms; you have the right to object (see Section 12).
  • Consent — for non-essential cookies, optional marketing communications, and where required by local law. You may withdraw consent at any time without affecting prior processing.
  • Legal obligation — to comply with applicable law-enforcement requests, financial record-keeping under UAE Commercial Transactions Law, sanctions screening, and tax law.

4. How we use your data

  • Service delivery. Provision your account, host your organization, authenticate sign-in, deliver in-app and transactional notifications, and enable collaboration.
  • Billing. Create your Stripe customer, process subscription payments, send invoices, and detect billing fraud.
  • Security. Detect suspicious activity, throttle abusive requests, investigate incidents, and enforce our Acceptable Use Policy.
  • Product improvement. Analyze aggregated usage, investigate bugs (we may capture stack traces that include your user ID), and improve features.
  • Communications. Send service announcements, security alerts, and changes to legal terms. Marketing emails are sent only with your consent and you can unsubscribe at any time.
  • Legal and compliance. Respond to lawful requests, enforce our Terms, defend our rights, and meet record-keeping obligations.

5. Sub-processors

We use a vetted set of sub-processors to operate the Service (infrastructure, storage, email delivery, payment processing, analytics, and AI). Each sub-processor is bound by a written contract with confidentiality and security obligations equivalent to those in our DPA. The current list, including each provider's purpose, processing location, and transfer mechanism, is available on written request to [email protected]. We give customers prior notice of new sub-processors and the right to object as set out in the DPA.

6. Third-party platform integrations (Meta / Instagram)

Customers can connect a model's Instagram Business or Creator account to Rowstr through Meta's “Login with Instagram” flow (Instagram Graph API). This integration is optional. When an organization chooses to connect an account, the following applies.

6.1 Permissions we request

  • instagram_business_basic — read the connected account's profile, media list, and basic metrics (followers, follows, media count). Used to populate the model's overview and to render their published feed inside Rowstr.
  • instagram_business_manage_messages — read direct messages sent to and received by the connected account. Used so the agency team can triage inbound DMs from a centralised inbox rather than logging into Instagram directly.
  • instagram_business_manage_comments — read and moderate comments on the connected account's posts and reels. Used so the agency team can respond to and hide comments from inside Rowstr.
  • instagram_business_manage_insights — read aggregated, anonymised insights about the connected account (reach, impressions, engagement, audience demographics). Used to build the analytics dashboards the agency uses to brief the model.

We do not request the instagram_business_content_publish permission and do not post on a connected account's behalf.

6.2 Data we receive from Meta

Through the permissions above we receive: the Instagram-scoped user identifier, username, display name, account type, profile picture, biography, website, follower and following counts, media count, the list of media items (image, video, carousel) with their captions, timestamps, like and comment counts, direct-message threads, comments, and account-level insights. Tokens issued by Meta are encrypted at rest with AES-256-GCM before being written to our database.

6.3 Purpose and lawful basis

Data received from Meta is Customer Content under this policy. Our customer (the agency) is the controller for that data and is responsible for its lawful basis under the GDPR / UAE PDPL, typically the legitimate interest of operating their business with the model's consent or the model's contract with the agency. Rowstr processes that data only on the customer's documented instructions, as set out in our DPA at /dpa.

6.4 Sharing with Meta

Calls made to the Instagram Graph API send the connected account's access token back to Meta to authenticate the request. We do not share Rowstr account data, billing data, or usage data with Meta. We do not sell or rent data obtained from Meta to any third party. We do not use Meta data to train AI models.

6.5 Retention

Tokens and the cached profile, media, message, comment, and insights data are kept while the integration is active. When an organization disconnects the integration (from inside Rowstr), when a user revokes the app from Instagram, when Meta notifies us of a deauthorisation, or when the organization is deleted, we delete the token immediately and remove the cached Meta data on a rolling basis within 30 days. See also Section 11 (Retention).

6.6 Revoking access and deleting your Meta data

You can revoke Rowstr's access to a connected Instagram account at any time, in any of the following ways:

  • From inside Rowstr — open the model's overview and click “Disconnect Instagram”. This deletes the token immediately and triggers deletion of the cached Meta data.
  • From Instagram or Facebook — open Settings → Apps and websites → Active, find Rowstr, and remove it. Meta will notify us via our deauthorisation callback, and we will delete the token and the cached Meta data on the same schedule as above.
  • By submitting a deletion request to [email protected], or through the public flow documented at /data-deletion.

7. Artificial intelligence features

Some features of the Service (for example, AI-generated content briefs) send the inputs you supply to a third-party large language model provider (currently OpenRouter, accessing Google Gemini models). The following applies:

  • We send only the inputs you submit to the feature (typically a short brief and metadata about the planning item) and not your full account history or media library.
  • Under our agreement with the provider, the data we send is not used to train or fine-tune models and is retained only for the period required to return a response and meet legal obligations of the provider.
  • AI outputs are drafts. You remain responsible for reviewing, editing, and using them in compliance with applicable law.
  • You can disable AI features for your organization in agency settings. AI features are gated to paid plans.

8. Cookies and similar technologies

We use first-party cookies and tokens that are strictly necessary to operate the Service (session management, CSRF protection, billing flow, load balancing). These do not require consent.

We use product analytics (PostHog, configured for first-party hosting and IP truncation) to understand how the Service is used. Where this analytics activity uses non-essential cookies or similar identifiers and you are subject to the EU ePrivacy Directive, we obtain your consent before setting them and you can withdraw it at any time from the in-app cookie preferences.

We do not use third-party advertising cookies, cross-site tracking pixels, or behavioral profiling.

9. Adult content and age verification

Rowstr is designed for talent and content-agency workflows that may include adult content. The following rules apply and are enforced by our Terms of Service and Acceptable Use Policy:

  • The Service is restricted to users aged 18 or older. We do not knowingly collect personal data from anyone under 18.
  • Customers (agencies) must verify and warrant that every talent or model whose data they upload is at least 18 years old at the time of recording or capture, hold valid records of that verification, and retain them for at least the period required by applicable law (including U.S. 18 U.S.C. § 2257 record-keeping requirements where applicable).
  • Any content that depicts, describes, or facilitates the abuse or sexualization of minors is strictly prohibited. We report suspected child sexual abuse material (“CSAM”) to competent authorities and remove it without notice.
  • To report a suspected violation, contact [email protected]. We respond to credible reports without delay.

10. International data transfers

Rowstr is based in the United Arab Emirates and uses sub-processors located outside the UAE (notably in the EU, the United States, and the United Kingdom). Where personal data is transferred from the EEA, the UK, or Switzerland to a country that has not received an adequacy decision, the transfer is protected by Standard Contractual Clauses (SCCs) Module 2 or Module 3 (as appropriate), supplemented by additional safeguards described in our DPA. For transfers under the UAE PDPL, we rely on adequacy where available or on equivalent contractual and technical safeguards consistent with Article 23 PDPL.

11. Retention

| Data category | Retention period |
| --- | --- |
| Account data (active account) | For the life of the account |
| Account data after account deletion | Deleted from production within 30 days; from backups within 90 days |
| Customer Content (during subscription) | As directed by the customer; see DPA |
| Customer Content after subscription ends | Available for export for 30 days, then deleted from production within a further 30 days and from backups within 90 days |
| Billing and invoice records | 10 years (UAE Commercial Transactions Law) |
| Security and access logs | 12 months |
| Aggregated, anonymized analytics | Indefinite |

12. Your rights

Under the UAE PDPL and, where applicable, the GDPR and UK GDPR, you have the right to:

  • Access — request a copy of personal data we hold.
  • Rectification — request correction of inaccurate data.
  • Erasure — request deletion, subject to legal retention duties.
  • Restriction — request that we limit processing.
  • Portability — receive your data in a structured, commonly used, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — at any time, without affecting prior lawful processing.
  • Lodge a complaint — with the UAE Data Office, or, for EEA residents, with a supervisory authority in your country of residence.

If you are a model, talent, or other person whose data has been uploaded by an agency, please contact the agency directly to exercise your rights — they are the controller of that data. We will support the agency in responding within the required timeframe.

For all other requests, contact [email protected]. We respond within one month and may request identity verification before acting.

13. Security

We implement commercially reasonable technical and organizational measures designed to protect personal data, including encryption in transit (TLS 1.2+) and at rest, role-based access control, optional two-factor authentication, audit logging, and secrets isolation. A non-exhaustive description of our security program is available at /security. No system is fully secure; we encourage the use of strong passwords and 2FA.

14. Personal data breaches

If we become aware of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, we will notify the competent supervisory authority (the UAE Data Office, and, for breaches affecting EEA residents, the relevant EEA supervisory authority) without undue delay and, where feasible, no later than 72 hours after we become aware of it. Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay.

15. Children's data

The Service is not directed at, and may not be used by, anyone under the age of 18. We do not knowingly collect personal data from minors. If we learn we have collected data from someone under 18, we will delete it and terminate the responsible account. See Section 9 for rules regarding talent data.

16. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified by email and through the Service at least 15 days before they take effect. The “Last updated” date above reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the revised Policy.

17. Governing law

This Policy is governed by the laws of the United Arab Emirates and the UAE PDPL. Where you are located in the EEA, the UK, or Switzerland, the GDPR or UK GDPR (as applicable) governs our processing of your personal data in addition to the UAE PDPL.

18. Contact

Email: [email protected]
Trust & safety: [email protected]
Entity: Rowstr FZ-LLC, Dubai, United Arab Emirates