Instavar Privacy Policy
Last updated: June 5, 2026
Antiphishing Pte. Ltd. (trading as Instavar) operates Instavar ("Instavar", "we", "us", or "our"), including the website at instavar.com (the "Site") and the Studio video creation platform at instavar.com/studio (the "Service"). This Privacy Policy explains what personal data we collect, why we use it, who we share it with, and the choices available to you.
1. Information We Collect
1.1 Marketing Website Visitors
When you visit our marketing website, we may collect:
- Analytics data - anonymised IP address, pages viewed, and interaction events via Google Analytics 4. This data is only collected after you consent via our cookie settings.
- Error and performance telemetry - JavaScript errors, stack traces, and web-vitals diagnostics via Sentry and Vercel Speed Insights, processed under our legitimate interest in keeping the site secure and reliable.
1.2 Registered Users (Studio)
When you create and use a Studio account, we collect and store:
- Email address, display name, and avatar supplied through Clerk authentication
- Organisation and workspace membership details
- Chat messages, job briefs, URLs, and uploaded assets
- Generated video artifacts, thumbnails, captions, and review history
- Operational metadata such as timestamps, job status, review decisions, disclosure confirmations, audit logs, and safety or abuse records created through the Service
1.3 Connected Social Accounts
When you connect a social media account for publishing, we store the encrypted tokens and metadata needed to act on your instructions for currently supported API-connected channels such as LinkedIn, X, Threads, Instagram, TikTok, YouTube, and Facebook. Some planned or manual-only channels, such as RedNote or Lemon8, may appear in product-planning or policy materials before a live publishing API integration exists. Tokens are encrypted at rest and can be revoked at any time from Studio.
2. How We Use Your Information
We use personal data to:
- Provide authentication, workspaces, review flows, and publishing tools
- Process video generation jobs and deliver generated outputs
- Publish content on your instructions to connected social platforms
- Apply disclosure, safety, rights-management, and deletion controls to review, export, and publishing workflows
- Respond to support, security, abuse, and legal requests
- Diagnose outages, prevent misuse, and improve service reliability
- Maintain compliance records, including consent and DSAR logs
3. Lawful Basis for Processing (UK GDPR / EU GDPR)
We rely on the following lawful bases:
- Contract performance - account creation, workspace management, video generation, review, and publishing
- Consent - analytics cookies and any future optional tracking that we clearly present as consent-based
- Legitimate interests - security, abuse prevention, error monitoring, performance diagnostics, and product operations
- Legal obligation - compliance with court orders, regulatory obligations, and data-subject rights handling
4. Data Sharing & Sub-Processors
We share personal data only with vendors and platforms needed to run the Service:
- Clerk - authentication and user management
- Neon - Postgres database hosting in Singapore
- Cloudflare R2 - media and artifact storage
- Anthropic - Studio chat and workflow assistance
- Inngest - workflow orchestration
- AWS Lambda - serverless video rendering
- RunPod - text-to-speech narration generation
- Sentry - application error monitoring
- Google - optional website analytics via GA4
- Vercel - hosting and web performance diagnostics
- Connected social platforms - only when you ask us to publish content on your behalf
These processors may receive the prompts, scripts, assets, destination details, and operational metadata needed to deliver the feature you asked us to run. Depending on the processor and destination, the relationship may be governed by vendor terms, online addenda, and transfer documents. Where a cross-border transfer mechanism applies, the transfer may rely on the mechanism described in the relevant vendor agreement or another lawful basis available for that transfer.
5. International Data Transfers
Our primary application database is hosted in Singapore. Some processors operate from the United States or other jurisdictions, so your personal data may be transferred internationally. The safeguard used for a given transfer depends on the vendor relationship and the destination, and may include participation in a data privacy framework, standard contractual clauses, a UK addendum or IDTA, or another lawful transfer basis. The exact mechanism can differ across processors and jurisdictions.
6. Data Retention
We retain data for as long as needed to operate the Service and meet legal requirements. Current operational targets are:
- Account data - while the account is active and during any deletion grace period
- Soft-deleted accounts - queued for hard deletion after 30 days unless a legal hold or unresolved workspace transfer blocks deletion
- Review links - marked expired when the review window closes and deleted under retention 30 days later
- Revoked OAuth tokens - deleted after 7 days
- Job artifacts - non-current artifacts are reviewed for deletion once they become stale and pass legal-hold, publish-history, and dependency checks
- Consent and DSAR records - retained for audit and compliance evidence
6.1 Social Media Posts Published on Your Behalf
When you delete your account, we make a best-effort attempt to delete any content that was published to supported third-party social platforms on your behalf. However, we cannot guarantee deletion of content already published to third-party platforms because:
- Platform APIs may reject deletion requests, return errors, or be temporarily unavailable at the time of account deletion
- Some platforms do not offer a programmatic deletion endpoint for all content types
- We may intentionally stop the automated deletion flow if a legal hold, safety restriction, unresolved provider limitation, or required manual follow-up means the record should not be purged yet
- OAuth tokens are revoked or scrubbed during the deletion process, after which we can no longer act on your behalf
If any published posts cannot be deleted automatically, you can remove them directly from the relevant social media platform using your own account. We log deletion attempts and any required manual follow-up so support or legal operations can help with posts that remain after account deletion.
7. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access - request a copy of your data
- Rectification - correct inaccurate data
- Erasure - request deletion of your data
- Portability - receive your data in a machine-readable format
- Restriction - limit how we process your data
- Objection - object to processing based on legitimate interest
- Withdraw consent - withdraw consent at any time without affecting prior processing
To exercise these rights, contact us at legal@instavar.com, use the data export feature in Studio, or follow the account deletion process described on our Data Deletion page.
Singapore residents may request access to and correction of personal data under the PDPA. California residents may request access, correction, and deletion as applicable under California privacy law. We do not sell personal information or share it for cross-context behavioural advertising.
Where applicable, you may also complain to the Singapore PDPC, the UK ICO, or another competent data protection authority in the place where you live or work.
8. Cookies
We use cookies and similar technologies as described in our Cookie Policy. You can manage your analytics cookie preferences at any time using the "Cookie Settings" link in the site footer.
9. Children's Privacy
Our Service is not directed to children under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us at legal@instavar.com.
10. Security
We implement technical and organisational measures appropriate to the risk, including encrypted storage of connected-account tokens, HTTPS and HSTS enforcement, content security policy controls, signed webhook verification, access controls, and audit logging for sensitive account actions.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Where required, we will also notify affected account holders by email or in-product notice.
12. Data Protection Officer
We have appointed a Data Protection Officer. For privacy and data protection enquiries, including requests to exercise your rights under the GDPR or PDPA, please contact:
- Email: privacy@instavar.com
13. Contact Us
For general legal enquiries or to exercise your data subject rights:
- Email: legal@instavar.com
- Post: Antiphishing Pte. Ltd. (trading as Instavar), JTC LaunchPad @ one-north, 67 Ayer Rajah Crescent, #02-14, Singapore 139950
- ICO registration: C1901031 (verify on the ICO register)