Privacy Policy

1. About This Policy

This Privacy Policy describes how VX Services, LLC ("VX Services," "we," "us," or "our"), operating through its vx ai labs division, collects, uses, stores, and protects information in connection with C.A.S.S. — Creators at Scale Systems (the "Platform"), accessible at manus.vaynerx.app. The Platform is a business-to-business tool made available exclusively to authorized personnel of VX Services, LLC and its affiliated organizations (collectively, "Authorized Organizations").

By accessing or using the Platform, you acknowledge that you have read and understood this Policy. If you do not agree with any part of this Policy, you should not use the Platform.

2. Scope and Authorized Users

Access to the Platform is restricted to authorized personnel of Authorized Organizations. Authentication is performed via Facebook Login for Business. The Platform is not intended for, and does not knowingly collect information from, members of the general public or individuals under the age of 18. Because the Platform may be used in connection with alcohol, beverage, and spirits brand verticals, access is limited to individuals who are of legal drinking age in their jurisdiction and at least 18 years of age.

3. Information We Collect

3.1 Authentication and Account Data

When you sign in via Facebook Login for Business, we receive from Meta your verified name, email address (where provided by Meta), and a unique Meta account identifier. We store these in our database to maintain your session, associate your saved data with your account, and enforce access control. We do not receive or store your Facebook password, personal profile photo, personal posts, contacts, or any other Meta account data beyond what is described here.

3.2 Facebook and Meta Platform Data

When you connect a Facebook Page through Facebook Login for Business, we receive a Page Access Token issued by Meta. This token is stored exclusively on our servers and is never transmitted to your browser or any third party. We use this token solely to make authorized calls to the Meta Graph API on your behalf. The Platform requests the following Meta permissions, each used only for the specific purpose described:

• instagram_creator_marketplace_discovery — search Instagram creators via the Creator Marketplace API by keyword, username, location, follower range, age, gender, interests, audience device type, latest post activity, follower growth tier, and Reels interaction rate to identify relevant creators for brand partnership programs. Where Advanced Access has been granted, this permission also enables retrieval of per-creator performance insights (total followers, Reels interaction rate, Reels hook rate, engaged accounts, and reach).
• instagram_basic — read the authenticated user's own Instagram account information (username, account type, profile identifier) to associate their Instagram identity with their session and confirm account authorization status.
• instagram_business_basic — read basic business profile information (username, name, biography, follower count, profile picture) for Instagram Business and Creator accounts, used to verify creator account type and eligibility for partnership programs.
• facebook_creator_marketplace_discovery — search Facebook creators via the Creator Discovery API to surface cross-platform creator profiles, structured categories, brand partnership history, and audience city data.
• pages_show_list — retrieve the list of Facebook Pages managed by the authenticated user to allow selection of the correct Page for Creator Marketplace API authorization.
• pages_read_engagement — read basic engagement metadata for the connected Facebook Page to verify the Page Access Token and confirm the Page is properly authorized for Creator Marketplace API calls.
• pages_manage_metadata — read and manage Page-level metadata for the connected Facebook Page to support Page subscription management and ensure continued API access for creator discovery operations.
• business_management — access Business Manager assets associated with the authenticated user to expose business-owned Facebook Pages and Instagram accounts for use in creator discovery workflows.
• Instagram Public Content Access — access publicly available Instagram content (posts, profiles, hashtags) to enrich creator profiles with public post data and audience engagement signals.
• Page Public Content Access — access publicly available Facebook Page content to enrich creator profiles with public Page data and cross-platform presence information.

We do not access your personal Facebook profile, personal messages, friends list, personal posts, or any data beyond what is strictly required for the creator discovery function described in this Policy.

Creator profile data returned by the Meta API — including Instagram usernames, biographies, follower counts, geographic information, and audience insights — is sourced from Meta's systems and is subject to Meta's own data policies. We display this data within the Platform and, where you choose to save a creator to a program list, store a reference to that creator's identifier and associated metadata in our database.

3.3 User-Generated Content

We store program lists, client assignments, and creator shortlists that you create within the Platform. This data is associated with your account and is used solely to provide the Platform's core functionality.

3.4 Technical and Usage Data

We may automatically collect standard server log data, including IP addresses, browser type, operating system, referring URLs, and timestamps of requests. This data is used for security monitoring, debugging, and operational purposes. We do not use this data for behavioral advertising or sell it to third parties.

3.5 Cookies and Session Storage

The Platform uses a single, strictly necessary session cookie to maintain your authenticated session. This cookie is an HttpOnly, Secure, signed JSON Web Token (JWT) set by our server upon successful login. It is used solely to identify your session across requests and is deleted when you sign out or when the session expires. We do not use tracking cookies, advertising cookies, analytics cookies, or any third-party cookies. No cookie data is shared with or accessible to Meta or any other third party. Because this cookie is strictly necessary for the Platform to function, it does not require separate consent under applicable privacy law; however, by using the Platform, you acknowledge its use as described here.

4. How We Use Your Information

We process the information described above for the following purposes:

• To authenticate you and maintain a secure session for the duration of your use of the Platform.
• To call the Meta Creator Marketplace API on your behalf and return creator discovery results to you within the Platform.
• To store and retrieve program lists, client assignments, and creator shortlists you create.
• To enforce access control and ensure only authorized domain users can access the Platform.
• To monitor for security incidents, investigate abuse, and maintain the integrity and availability of the Platform.
• To comply with applicable law, legal process, or enforceable governmental requests.

We do not use your information for advertising, behavioral profiling, or any purpose beyond what is described above. We do not sell, rent, or trade your personal information to any third party.

5. Legal Basis for Processing (GDPR)

To the extent the General Data Protection Regulation (EU) 2016/679 ("GDPR") or the UK GDPR applies to any user of the Platform, we rely on the following legal bases for processing personal data: (a) Legitimate interests — operating a secure, access-controlled business tool for authorized personnel of affiliated organizations; (b) Contract performance — providing the features you request when using the Platform; and (c) Legal obligation — complying with applicable law and regulatory requirements.

6. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), may provide you with certain rights regarding your personal information. Because the Platform is a business-to-business tool accessible only to employees of affiliated organizations, the personal information we process is primarily subject to the B2B exemption under the CCPA. Nonetheless, we honor the following rights on request: the right to know what personal information we have collected about you; the right to request deletion of your personal information; the right to correct inaccurate personal information; and the right not to be discriminated against for exercising these rights. To submit a request, contact us at the address in Section 11.

We do not sell personal information as defined under the CCPA, and we do not share personal information for cross-context behavioral advertising purposes.

7. Meta Platform Data — Specific Obligations

Our use of Meta Platform Data is governed by the Meta Platform Terms and Meta's Developer Policies, which take precedence over this Policy with respect to Meta Platform Data. In accordance with those terms:

• We process Meta Platform Data only for the purposes described in this Policy and as permitted by the permissions enumerated in Section 3.2.
• We do not transfer Meta Platform Data to data brokers, advertising networks, or any party for advertising or monetization purposes.
• We do not combine Meta Platform Data with data from other sources for purposes not described in this Policy.
• We retain Meta Platform Data only for as long as necessary to provide the Platform's functionality, and we delete it upon your request or upon disconnection of your Facebook Page.
• You may request deletion of all Meta Platform Data associated with your account at any time by contacting us at the address in Section 11 or by using the in-app deletion flow described in Section 11.

If you revoke the Platform's permissions via Facebook's privacy settings, Meta will send a data deletion request to our registered callback endpoint at https://manus.vaynerx.app/api/meta/data-deletion. Upon receipt of such a request, we will delete all Meta Platform Data associated with your account within 30 days. You can verify the status of your deletion request at manus.vaynerx.app/data-deletion-status using the confirmation code provided.

8. Data Security

We implement technical and organizational measures designed to protect your information against unauthorized access, disclosure, alteration, or destruction. Specific measures include: Facebook Page Access Tokens are stored server-side only and are never transmitted to client browsers; all Meta Graph API requests are signed with appsecret_proof (HMAC-SHA256) on every call; all communications between your browser and the Platform use TLS encryption (HTTPS); session tokens are signed JWTs stored in HttpOnly cookies; and access to the Platform is restricted to verified organizational domain accounts.

No security measure is perfect or impenetrable. While we strive to protect your information, we cannot guarantee absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and relevant authorities as required by applicable law.

9. Data Retention

We retain your account information and associated program lists for as long as your account is active or as needed to provide the Platform's services. If you request deletion of your account, we will delete or anonymize your personal information within 30 days, except where retention is required by applicable law, regulation, or legitimate business purposes (such as fraud prevention or legal proceedings). Facebook Page Access Tokens are deleted immediately upon disconnection of your Facebook Page from the Platform.

Shortlisted creator records are considered no longer necessary when: (a) you remove the creator from your shortlist; or (b) you delete your account. In either case, the associated creator data is deleted within 30 days of the triggering event. No Meta Platform Data is retained for more than 120 days after it is no longer necessary for the shortlisting purpose.

10. Third-Party Services

The Platform integrates with the following third-party services, each governed by their own privacy policies:

11. Your Rights and Data Deletion Requests

Depending on your jurisdiction, you may have the right to access, correct, delete, or restrict the processing of your personal information; the right to data portability; and the right to object to processing. To exercise any of these rights, or to request deletion of your account and all associated data, you may:

• In-app deletion: Navigate to Account Settings within the Platform and select "Delete Account." This will trigger deletion of all associated Platform Data within 30 days.
• By email: Submit a written request to [email protected]. We will respond within 30 days (or within the timeframe required by applicable law) and may need to verify your identity before processing your request.

12. Limitation of Liability

To the fullest extent permitted by applicable law, VX Services, LLC and its affiliates, officers, directors, employees, agents, and licensors shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of data, loss of revenue, or loss of business opportunity, arising out of or in connection with your use of the Platform or any data processed through it. Our total aggregate liability for any claim arising under or related to this Policy shall not exceed the greater of (a) the amount you paid to use the Platform in the twelve months preceding the claim, or (b) one hundred US dollars ($100).

Some jurisdictions do not allow the exclusion or limitation of certain damages, so the above limitations may not apply to you to the extent prohibited by law.

13. International Data Transfers

The Platform is operated from the United States. If you access the Platform from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. By using the Platform, you consent to such transfers. Where required by applicable law (including the GDPR), we ensure appropriate safeguards are in place for such transfers, including standard contractual clauses or other lawful transfer mechanisms.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last Updated" date at the top of this page. We encourage you to review this Policy periodically. Your continued use of the Platform after any changes constitutes your acceptance of the updated Policy.

15. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of the State of New York, United States, without regard to its conflict of law provisions. Any disputes arising under this Policy shall be subject to the exclusive jurisdiction of the state and federal courts located in New York County, New York.

16. Contact

For questions, concerns, or requests related to this Privacy Policy, please contact: