Privacy Policy
Last Updated: 23 June 2026
This Privacy Policy explains how Content Rewards Inc, a Delaware corporation with its principal place of business in Beverly Hills, California ("Content Rewards," "CR," "we," "us"), collects, uses, shares, and protects personal data when you use the Content Rewards Platform, which runs inside Whop.
On privacy questions, this policy controls over the Creator Terms and Brand Terms.
1. Who This Applies To; Strict 18+
The Platform is for users 18 and older only. We do not knowingly collect personal data from anyone under 18, including with parental consent. If we learn we have collected data from someone under 18, we delete it.
2. Definitions
Defined terms used here (Submission, Clip, Draft, Validation Window, Available Balance, Verified, Premium, Discover, Bot Score, Cycle, Deliverable) have the meanings given in the Creator Terms and Brand Terms.
3. Data We Collect
3.1 Account and identity data — name, email address, phone number (collected for SMS verification via Twilio), account credentials managed through Whop, and business verification details for Brands.
3.2 Connected social account data (OAuth) — not yet live; forthcoming. OAuth account-connection is not live at launch and is coming soon. When OAuth account-connection launches, and if you choose to connect a social account, we will collect the read-only data described in Section 4. Until then, we do not collect connected social account data.
3.3 Submission and Campaign data — Clip URLs, Drafts, Pre-post Review chat, view and engagement metrics, approval/rejection status, and appeal content.
3.4 Fraud and device data — Bot Score inputs and signals, and technical/usage signals used to detect fraud.
3.5 Support and communications — messages you send to support and related metadata.
3.6 Usage and analytics — how you interact with the Platform.
4. Connected Social Accounts (OAuth) — Forthcoming (Not Yet Live)
OAuth account-connection is not live at launch and is coming soon. The descriptions in this Section explain how the feature will work when it launches and apply only if you choose to connect a social account at that time. When live, the connection will be read-only. We will use it to verify that you own a post and to read public post analytics. We will not post on your behalf.
4.1 Platforms and account requirements (when OAuth launches).
- Instagram — Professional/Business or Creator account only.
- TikTok.
- YouTube.
- X.
- Facebook — required, with no grace period.
4.2 Scopes / fields we will read (when OAuth launches; read-only, per connected platform, where the platform exposes them):
- Confirmation that you own the connected account/post (post ownership verification).
- Public post analytics: views and engagement.
- Post metadata.
- Platform-provided audience demographics, where the platform exposes them.
4.3 Token storage and revocation (when OAuth launches). When the feature is live, tokens will be stored server-side. You will be able to revoke a connection at any time at the source platform or on your Linked Accounts page. Revoking will stop tracking and payouts for that platform, and CR will invalidate the token within 24 hours.
4.4 Retention (when OAuth launches). Once the feature is live, connected-account analytics will be retained for as long as needed to operate Campaigns, verify views, handle disputes, and meet legal/tax obligations, after which they will be deleted or de-identified. (We will not collect or retain OAuth data beyond these read-only fields, and there is no "future" or planned collection beyond what is listed here.)
5. How We Use Data
We use personal data to: operate the Platform and Campaigns; verify post ownership and views; calculate and make payouts; run fraud detection and the Bot Score; provide support; meet tax, sanctions, and other legal obligations; and improve and secure the Platform.
6. Bot Score — Fraud-Risk Profiling (Human-Reviewed)
6.1 What it is. The Bot Score is a fraud-risk score from 0–100, powered by May Software Inc (a third-party processor, may.inc). It combines 100+ flag signals with a reinforcement-learning model trained on 130M+ monthly snapshots.
6.2 The logic, in plain terms. The model assesses signals associated with a Submission and the connected account to estimate the likelihood that views or engagement are non-genuine.
6.3 How it is used (signal to human review, not an automated decision). The Bot Score is a signal that informs manual review by the Brand or a CR moderator. It does not, by itself, automatically reject a Submission or otherwise produce a legal or similarly significant effect through solely-automated means. A higher score may surface a Submission for closer human attention, but a person makes the final approval/rejection call. Because no decision is based solely on automated processing, the solely-automated decision-making rules of GDPR Article 22 are not engaged by the Bot Score as currently operated.
6.4 Lawful basis. We process Bot Score data to operate the Platform and prevent fraud, relying on the performance of our contract with you and on our legitimate interests in protecting Brands and honest Creators, balanced against your rights.
6.5 Your rights. Your general data rights described in Section 9 (including access, correction, objection, and complaint to a supervisory authority) apply to Bot Score processing. If you disagree with a moderation outcome, you may raise it through the appeal process in the Creator Terms, where it is handled by a person.
7. Service Providers / Processors We Share Data With
We share personal data with service providers that process it on our behalf, including:
- Whop — platform, login, money movement, withdrawals, communities.
- May Software Inc — Bot Score / fraud detection (may.inc).
- Convex — application data/backend.
- Neon — database.
- ClickHouse — analytics database.
- Intercom — support messaging.
- Resend — transactional email.
- Twilio — SMS verification (this is why we collect your phone number).
- Sendblue — messaging.
- Attio — CRM.
- PostHog — product analytics.
- ElevenLabs — voice/audio processing.
We also share with the social platforms you connect (Instagram, TikTok, YouTube, X, Facebook) to the extent needed to operate the OAuth connection, and with tax, legal, and sanctions-screening providers and authorities as required.
CR maintains a data processing agreement with each service provider that processes personal data on CR's behalf, and maintains a current list of sub-processors available on request at legal@contentrewards.com.
8. International Transfers
Personal data may be processed in the United States and other countries. Where required, we use appropriate safeguards (such as Standard Contractual Clauses) for transfers out of the EU/UK. Where personal data is transferred out of the EEA or UK, CR relies on the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum, together with supplementary safeguards as appropriate.
9. Your Privacy Rights
Depending on where you live, you may have rights to access, correct, delete, port, or restrict processing of your personal data, to object to processing, and to withdraw consent. EU/UK users may lodge a complaint with a data-protection supervisory authority. To exercise rights, contact us at the address in Section 13. We will not retaliate for exercising these rights.
U.S. state residents. If you are a resident of California, Colorado, Connecticut, Virginia, Utah, or another state with comprehensive privacy legislation, you may have additional rights, including the right to know what personal information is collected, used, shared, or sold; the right to delete personal information held by us and, by extension, our service providers; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of personal information; and the right to non-discrimination for exercising your privacy rights.
California residents (CCPA/CPRA). Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, you have specific rights regarding your personal information. We do not currently sell personal information as defined by the CCPA. If our practices change in the future, we will update this Privacy Policy and provide you with the opportunity to opt out in accordance with applicable law.
EEA, UK, and Swiss residents. If you are located in the European Economic Area, United Kingdom, or Switzerland, you have rights under the GDPR and UK GDPR, including the right to contest decisions made solely by automated means under Article 22 of the GDPR. You also have the right to lodge a complaint with your local data-protection authority if you believe your rights have been violated.
Brazilian residents (LGPD). If you are located in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD), including confirmation of data processing, access, correction, anonymization, portability, deletion, and information about shared data, as well as the right to request a review of decisions made solely based on automated processing.
How to exercise your rights. To exercise any of these rights, contact us at legal@contentrewards.com or at the address in Section 13. We will respond within the timeframe required by applicable law (typically 30–45 days). We may need to verify your identity before processing your request, and we do not sell personal information as defined by applicable U.S. state privacy laws.
10. Data Retention
We keep personal data only as long as needed for the purposes above or as required by law (for example, tax records). Drafts and Pre-post Review chat are retained as evidence even if a Campaign is deleted (see the Creator and Brand Terms). We then delete or de-identify data.
11. Security
CR uses commercially reasonable administrative, technical, and organizational safeguards, including encryption of data in transit (TLS) and access controls. No method of transmission or storage is completely secure, and CR cannot guarantee absolute security.
12. Cookies and Tracking
We and our analytics providers (such as PostHog) use cookies and similar technologies to operate and improve the Platform. You can manage cookies through your browser and, where offered, through our cookie controls.
13. Contact; Changes
13.1 Contact: legal@contentrewards.com, or by mail at Content Rewards Inc., 12055 Summit Circle, Beverly Hills, CA 90210, USA. For EU/EEA and UK data-protection purposes, CR can be contacted at legal@contentrewards.com, and CR will designate and publish an Article 27 representative where it is required to do so.
13.2 Changes. We may update this Privacy Policy. We give notice of material changes through the Platform or by email; the "Last Updated" date reflects the current version.