Privacy Policy

Pre-launch draft. This policy is an honest summary of how SutraOS handles data today. The ratified version will be reviewed by counsel and will supersede this draft before public launch. Design-partner accounts are protected by the same controls described here.

Who we are

SutraOS is operated by SutraOS Platforms Private Limited (Bengaluru, Karnataka, India) — the data fiduciary responsible for your personal data under India’s Digital Personal Data Protection Act, 2023. SutraOS is a three-party platform: brands, talent and ad agencies, and creators. This policy applies to all of them, plus visitors to our websites. Where a point applies to only one type of user, we say so.

1. Data we collect

From everyone: account basics (email, name, mobile) and standard service logs. Brands and agencies: organisation profile and business-verification (KYB) identifiers (CIN, GSTIN) and documents. Creators: profile, identity and tax artifacts (KYC — PAN, GSTIN where applicable, bank account for payouts), and campaign/contract data generated on the platform.

2. Connected accounts + platform data

With a creator’s explicit authorisation, connecting Google (YouTube) or Meta (Instagram/Facebook) lets us receive — only for the scopes granted — account/channel identity and engagement analytics (views, likes, comments) for content they choose to showcase. Google API Services Limited Use: SutraOS’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy (developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements; we do not use Google user data for advertising and do not sell it. Meta platform data is used solely to provide the features you authorise, per Meta’s Platform Terms and Developer Policies.

3. How we use it

To run the SutraOS platform for brands, agencies, and creators: matching and discovery, generating contracts, executing payments and TDS deduction, generating GST invoices, displaying a creator’s portfolio and verified reach to brands, and providing audit trails. We do not sell your data.

4. Sharing

Within a collaboration, relevant profile and campaign data is shared among the brand, agency, and creator party to that engagement. Compliance data (TDS deductions, GST invoices) is shared with the regulators required by law. KYC/KYB documents are processed by our accredited verification partner (currently Razorpay) solely to verify your identity. We also use service providers for payments, email, and infrastructure under confidentiality obligations.

5. Storage + encryption

Personally identifiable regulator-issued IDs (PAN, GSTIN, CIN, bank account details) are encrypted at rest with AES-256. Documents handled by KYC vendors are stored by the vendor under their certifications, not on SutraOS servers.

6. Your rights

You can export or delete your data at any time; creators can disconnect any connected social account, which revokes our ongoing access. Some records must be retained for the period required by Indian tax law (currently 6 years for transaction records); we surface this when you request deletion. See the Data Deletion page for how to request erasure.

7. Cookies + analytics

We use first-party cookies for authentication. We do not use third-party advertising trackers. Product analytics are aggregated and used to improve the platform.

8. Contact + grievances

Questions, concerns, or data requests: email privacy@sutraos.com (or hello@sutraos.com). For grievances under the Digital Personal Data Protection Act, 2023, write to our Grievance Officer at privacy@sutraos.com; the named officer and registered office address will be published in the counsel-ratified version of this policy.