Privacy Policy

Last updated: April 6, 2026

Antiphishing Pte. Ltd. (trading as Instavar) ("Instavar", "we", "us", or "our") operates the website at instavar.com (the "Site") and the Studio video creation platform at instavar.com/studio (the "Service"). This Privacy Policy explains what personal data we collect, why we use it, who we share it with, and the choices available to you.

1. Information We Collect

1.1 Marketing Website Visitors

When you visit our marketing website, we may collect:

  • Analytics data - anonymised IP address, pages viewed, and interaction events via Google Analytics 4. This data is only collected after you consent via our cookie settings.
  • Error and performance telemetry - JavaScript errors, stack traces, and web-vitals diagnostics via Sentry and Vercel Speed Insights, processed under our legitimate interest in keeping the site secure and reliable.

1.2 Registered Users (Studio)

When you create and use a Studio account, we collect and store:

  • Email address, display name, and avatar supplied through Clerk authentication
  • Organisation and workspace membership details
  • Chat messages, job briefs, URLs, and uploaded assets
  • Generated video artifacts, thumbnails, captions, and review history
  • Operational metadata such as timestamps, job status, and audit logs

1.3 Connected Social Accounts

When you connect a social media account for publishing, we store the encrypted tokens and metadata needed to publish on your behalf. Supported platforms may include LinkedIn, X, Threads, Instagram, TikTok, YouTube, Facebook, Rednote, and Lemon8. Tokens are encrypted at rest and can be revoked at any time from Studio.

2. How We Use Your Information

We use personal data to:

  • Provide authentication, workspaces, review flows, and publishing tools
  • Process video generation jobs and deliver generated outputs
  • Publish content on your instructions to connected social platforms
  • Respond to support, security, abuse, and legal requests
  • Diagnose outages, prevent misuse, and improve service reliability
  • Maintain compliance records, including consent and DSAR logs

3. Lawful Basis for Processing (UK GDPR / EU GDPR)

We rely on the following lawful bases:

  • Contract performance - account creation, workspace management, video generation, review, and publishing
  • Consent - analytics cookies and any future optional tracking that we clearly present as consent-based
  • Legitimate interests - security, abuse prevention, error monitoring, performance diagnostics, and product operations
  • Legal obligation - compliance with court orders, regulatory obligations, and data-subject rights handling

4. Data Sharing & Sub-Processors

We share personal data only with vendors and platforms needed to run the Service:

  • Clerk - authentication and user management
  • Neon - Postgres database hosting in Singapore
  • Cloudflare R2 - media and artifact storage
  • Inngest - workflow orchestration
  • AWS Lambda - serverless video rendering
  • RunPod - text-to-speech narration generation
  • Sentry - application error monitoring
  • Google - optional website analytics via GA4
  • Vercel - hosting and web performance diagnostics
  • Connected social platforms - only when you ask us to publish content on your behalf

We maintain processor agreements where appropriate and use contractual safeguards, including standard contractual clauses or equivalent transfer mechanisms, when data moves outside the country where it was collected.

5. International Data Transfers

Our primary application database is hosted in Singapore. Some processors operate from the United States or other jurisdictions, so your personal data may be transferred internationally. Where required, we use contractual safeguards such as the EU Standard Contractual Clauses or UK transfer addendum and assess the transfer against the sensitivity of the data involved.

6. Data Retention

We retain data for as long as needed to operate the Service and meet legal requirements. Current operational targets are:

  • Account data - while the account is active and during any deletion grace period
  • Soft-deleted accounts - queued for hard deletion after 30 days unless a legal hold or unresolved workspace transfer blocks deletion
  • Review links - deleted 30 days after they expire
  • Revoked OAuth tokens - deleted after 7 days
  • Job artifacts - reviewed for deletion once they become stale under the retention program
  • Consent and DSAR records - retained for audit and compliance evidence

6.1 Social Media Posts Published on Your Behalf

When you delete your account, we make a best-effort attempt to delete any content that was published to connected social media platforms on your behalf (e.g. LinkedIn posts). However, we cannot guarantee deletion of content already published to third-party platforms because:

  • Platform APIs may reject deletion requests, return errors, or be temporarily unavailable at the time of account deletion
  • Some platforms do not offer a programmatic deletion endpoint for all content types
  • OAuth tokens are revoked during the deletion process, after which we can no longer act on your behalf

If any published posts cannot be deleted automatically, you can remove them directly from the relevant social media platform using your own account. We log all deletion attempts so that our support team can assist you with any posts that remain after account deletion.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access - request a copy of your data
  • Rectification - correct inaccurate data
  • Erasure - request deletion of your data
  • Portability - receive your data in a machine-readable format
  • Restriction - limit how we process your data
  • Objection - object to processing based on legitimate interest
  • Withdraw consent - withdraw consent at any time without affecting prior processing

To exercise these rights, contact us at legal@instavar.com or use the data export and account deletion features in your Studio account settings.

Singapore residents may request access to and correction of personal data under the PDPA. California residents may request access, correction, and deletion as applicable under California privacy law. We do not sell personal information or share it for cross-context behavioural advertising.

8. Cookies

We use cookies and similar technologies as described in our Cookie Policy. You can manage your analytics cookie preferences at any time using the "Cookie Settings" link in the site footer.

9. Children's Privacy

Our Service is not directed to children under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us at legal@instavar.com.

10. Security

We implement technical and organisational measures appropriate to the risk, including encrypted storage of connected-account tokens, HTTPS and HSTS enforcement, content security policy controls, signed webhook verification, access controls, and audit logging for sensitive account actions.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Where required, we will also notify affected account holders by email or in-product notice.

12. Data Protection Officer

We have appointed a Data Protection Officer. For privacy and data protection enquiries, including requests to exercise your rights under the GDPR or PDPA, please contact:

13. Contact Us

For general legal enquiries or to exercise your data subject rights:

  • Email: legal@instavar.com
  • Post: Antiphishing Pte. Ltd. (trading as Instavar), JTC LaunchPad @ one-north, 67 Ayer Rajah Crescent, #02-14, Singapore 139950
  • ICO registration: C1901031 (verify on the ICO register)