Skip to content
Instavar
Join UsBlogTools

Privacy Policy

Last updated: March 20, 2026

Instavar Pte. Ltd. ("Instavar", "we", "us", or "our") operates the website at instavar.com (the "Site") and the Studio video creation platform at instavar.com/studio (the "Service"). This Privacy Policy explains what personal data we collect, why we use it, who we share it with, and the choices available to you.

1. Information We Collect

1.1 Marketing Website Visitors

When you visit our marketing website, we may collect:

  • Analytics data — anonymised IP address, pages viewed, and interaction events via Google Analytics 4. This data is only collected after you consent via our cookie settings.
  • Error and performance telemetry — JavaScript errors, stack traces, and web-vitals diagnostics via Sentry and Vercel Speed Insights, processed under our legitimate interest in keeping the site secure and reliable.

1.2 Registered Users (Studio)

When you create and use a Studio account, we collect and store:

  • Email address, display name, and avatar supplied through Clerk authentication
  • Organisation and workspace membership details
  • Chat messages, job briefs, URLs, and uploaded assets
  • Generated video artifacts, thumbnails, captions, and review history
  • Operational metadata such as timestamps, job status, and audit logs

1.3 Connected Social Accounts

When you connect a social media account for publishing, we store the encrypted tokens and metadata needed to publish on your behalf. Supported platforms may include LinkedIn, X, Threads, Instagram, TikTok, YouTube, Facebook, Rednote, and Lemon8. Tokens are encrypted at rest and can be revoked at any time from Studio.

2. How We Use Your Information

We use personal data to:

  • Provide authentication, workspaces, review flows, and publishing tools
  • Process video generation jobs and deliver generated outputs
  • Publish content on your instructions to connected social platforms
  • Respond to support, security, abuse, and legal requests
  • Diagnose outages, prevent misuse, and improve service reliability
  • Maintain compliance records, including consent and DSAR logs

3. Lawful Basis for Processing (UK GDPR / EU GDPR)

We rely on the following lawful bases:

  • Contract performance — account creation, workspace management, video generation, review, and publishing
  • Consent — analytics cookies and any future optional tracking that we clearly present as consent-based
  • Legitimate interests — security, abuse prevention, error monitoring, performance diagnostics, and product operations
  • Legal obligation — compliance with court orders, regulatory obligations, and data-subject rights handling

4. Data Sharing & Sub-Processors

We share personal data only with vendors and platforms needed to run the Service:

  • Clerk — authentication and user management
  • Neon — Postgres database hosting in Singapore
  • Cloudflare R2 — media and artifact storage
  • Inngest — workflow orchestration
  • Sentry — application error monitoring
  • Google — optional website analytics via GA4
  • Vercel — hosting and web performance diagnostics
  • Connected social platforms — only when you ask us to publish content on your behalf

We maintain processor agreements where appropriate and use contractual safeguards, including standard contractual clauses or equivalent transfer mechanisms, when data moves outside the country where it was collected.

5. International Data Transfers

Our primary application database is hosted in Singapore. Some processors operate from the United States or other jurisdictions, so your personal data may be transferred internationally. Where required, we use contractual safeguards such as the EU Standard Contractual Clauses or UK transfer addendum and assess the transfer against the sensitivity of the data involved.

6. Data Retention

We retain data for as long as needed to operate the Service and meet legal requirements. Current operational targets are:

  • Account data — while the account is active and during any deletion grace period
  • Soft-deleted accounts — queued for hard deletion after 30 days unless a legal hold or unresolved workspace transfer blocks deletion
  • Review links — deleted 30 days after they expire
  • Revoked OAuth tokens — deleted after 7 days
  • Job artifacts — reviewed for deletion once they become stale under the retention program
  • Consent and DSAR records — retained for audit and compliance evidence

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — request a copy of your data
  • Rectification — correct inaccurate data
  • Erasure — request deletion of your data
  • Portability — receive your data in a machine-readable format
  • Restriction — limit how we process your data
  • Objection — object to processing based on legitimate interest
  • Withdraw consent — withdraw consent at any time without affecting prior processing

To exercise these rights, contact us at legal@instavar.com or use the data export and account deletion features in your Studio account settings.

Singapore residents may request access to and correction of personal data under the PDPA. California residents may request access, correction, and deletion as applicable under California privacy law. We do not sell personal information or share it for cross-context behavioural advertising.

8. Cookies

We use cookies and similar technologies as described in our Cookie Policy. You can manage your analytics cookie preferences at any time using the floating "Cookie settings" control available throughout the site.

9. Children's Privacy

Our Service is not directed to children under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us at legal@instavar.com.

10. Security

We implement technical and organisational measures appropriate to the risk, including encrypted storage of connected-account tokens, HTTPS and HSTS enforcement, content security policy controls, signed webhook verification, access controls, and audit logging for sensitive account actions.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Where required, we will also notify affected account holders by email or in-product notice.

12. Contact Us

If you have questions about this Privacy Policy, please contact us:

  • Email: legal@instavar.com
  • Post: Instavar Pte. Ltd., JTC LaunchPad @ one-north, 67 Ayer Rajah Crescent, #02-14, Singapore 139950

We have not designated a separate public Data Protection Officer contact. Privacy and regulatory enquiries should be sent to the legal contact above.

Singapore Office

JTC LaunchPad @ one-north

67 Ayer Rajah Crescent, #02-14

Singapore 139950

© 2025 Instavar. All rights reserved.

Stories in Seconds, Connections That Last

BlogToolsCareers|PrivacyTermsCookies

UK Office

Geovation Fourth Floor, Sutton Yard

65 Goswell Rd

London, Greater London

United Kingdom, EC1V 7EN