Creator Privacy Policy

Modash OÜ (hereinafter Modash or we) is an Estonian company offering SaaS services at its influencer/creator marketing web platform found at, including services to influencers, agencies, creators (hereinafter creator or you) as provided in the Creator Terms of Service (hereinafter the service).

This Creator Privacy Policy applies to you if you have signed up to our services. We may unilaterally change the Creator Privacy Policy from time to time, especially in case of changes in the legal acts regulating processing and/or protection of personal data or in our own data processing practices. We will notify you of changes on our website. The latest version of the Creator Privacy Policy is always available on our website.


For a better understanding, we hereby explain some data protection terms used herein.

GDPR means the General Data Protection Regulation (EU) 2016/679), implementation of which started on 25 May 2018 and which is directly applicable in all European Union member states.

Personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, by a name, an identification number, location data, an online identifier or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Controller means the entity that decides why and how the personal data is processed.

Processor means the entity which processes personal data on behalf of the controller.

1. Who is the data controller?

Modash OÜ

Registration code: 14434162
Address: Telliskivi 60a B-building, Tallinn, Estonia

2. The type of personal data we collect and process, purposes of use and lawful grounds

2.1. Creator is a natural person

We collect different type of information when you use our services. Most of the information is collected from you personally when you sign up for the use of the service (identification data) or specifically consent to certain usage (marketing data), some of the information is collected automatically upon your use of the service (invoicing data, usage data). We may also obtain information (incl personal data) from public sources, such as commercial/trade registers, the internet and from third parties, such as credit registers, for background and credit information analysis.

Identification data
- Name (first name and family name, business name in case of legal person)
- Date of birth (Business identifiers , e.g. ID code, VAT-ID, Tax-IDin case of legal person)
- AddressE-mail address
- Login data: username and password

The purposes of and legal basis for processing of the identification data:
- Creation and accessing of user account, registering a user, conclusion of service agreement (Creator Terms of Service). Legal basis for such use is contractual necessity (GDPR art 6 1(b)).
- Communication regarding the service, e.g. user support, exchange of information/helping with disputes between the creator and the brands. Legal basis for such use is contractual necessity (GDPR art 6 1(b)).
- Managing of our accounts, invoicing, debts. Legal basis for such use is usually our legitimate interest (GDPR art 6 1(f)), but in some cases it may also be our legal obligation (GDPR art 6(1)c)), e.g. to keep accounting base documents.

Invoicing data
- Creator´s bank IBAN/BIC/SWIFT code.
- Creator´s VAT registration number (if applicable)
- Information regarding the transactions between you and the brand completed via using our services, payments made to you, payments in process.

The purposes of and legal basis for processing of the invoicing data:
- Provision of services in accordance with the Creator Terms of Service. Legal basis for such use is contractual necessity (GDPR art 6 1(b)).
- Managing of our accounts and assets. Legal basis for such use is usually our legitimate interest (GDPR art 6 1(f)), but in some cases it may also be our legal obligation (GDPR art 6(1)c)), e.g. to keep accounting base documents.

Usage data
- Your login data
- IP addressData generated when using the service: invoices, notifications, confirmations
- Information about how you use our website
- Browse browsers and user´s device, browsing activity across different sites, pages or other content you view or interact with on the service, dates and times of the visit, access, or use of the service type and version
- Your preference settings.

The purposes of and legal basis for processing of the usage data:
- Provision of Services as stipulated by the Creator Terms of Service. Legal basis for such use contractual necessity (GDPR art 6 1(b)).
- Provision of service support. Legal basis for such use contractual necessity (GDPR art 6 1(b)).
- Making statistics and analyzing of user data (incl shortcomings) to maintain and develop our services. Legal basis for such use is our legitimate interest (GDPR art 6 1(f)).

Marketing data
- Data on whether you have consented to direct marketing and which kind of marketing (e.g. newsletter, offers from Modash or others)
- Data of your marketing channel preferences (e-mail, phone or both).

The purposes of and legal basis for processing of the marketing data:
- marketing of our services and products. Legal basis for such use is your consent (GDPR art 6 1(a)).

2.2. Creator is a legal entity

When our services are signed up and used by a legal entity (rather than a physical person) we still collect and process the same information as described under Section 2.1 but as it relates to a legal entity it will not qualify as the personal data, except for the name and contact data of the representative of the legal person.

Hence, in such case we process the personal data of the representative of the creator to communicate with it for provision of our services as agreed in the Creator Terms of Service. The legal basis for doing this is our legitimate interest (GDPR art 6 1(f)) – we need to communicate with the legal entity creator and if a person acts as representative of one, we assume that the legal entity creator has informed that person of appointing him/her as our contact person and therefore there is a balance of interest and we do not conflict with the interests, rights and freedoms of such representative. In case processing of the personal data is based on the legitimate interest, the data subject always has the right to object to such processing. If you do object, we will inform the creator asking to provide us with a new contact person or otherwise comment on your objection.

We may sometimes send to the representative of the creator (legal entity) direct marketing offers and messages in connection with representative´s work or area of ​​responsibility, for example, if the creator (legal entity) is using or has previously been using our services. Such activities related to direct marketing are also carried out on the basis of our legitimate interest. If you receive such direct marketing messages from us, you always have the right to refuse them by clicking on the opt-out link at the end of the message.

3. With whom may we share your data?

With Modash your personal data is accessible only to those employees who need the data to perform their work duties (on a so-called need-to-know basis). Outside Modash, we may share you data with the following persons under the following circumstances:

Persons providing services to us: Your data may be accessible by the persons providing services to us (data processors) and processing your data on our behalf and to the extent needed to perform such services. These include providers of website hosting, maintenance, invoicing, development, accounting, payment/banking services.

Public authorities and state institutions (e.g. police, courts, data protection authorities): we will only disclose your data when and to the extent we are legally obliged to do it.

Third parties in connection with legal processes: we may share or disclose your data, if it is necessary to (i) protect our property and rights (incl our service), (ii) enforce our contracts, (iii) defend ourselves against any third-party claims, (iv) protect ourselves, our service, our customers, users and visitors from fraudulent, abusive, or unlawful uses or activity.

Third parties in connection with corporate transactions: We may share your data with third parties in the context of (including for the preparation of) a corporate transaction, such as the sale of a company or its business/assets to another company. Also, in the context of the creation of a joint venture, merger or other reorganization.

As a rule, your personal data is processed in the European Economic Area (EEA). However, if there is a need to transfer the data out of EEA, we follow GDPR requirements regulating such transfers.

4. How long do we retain your data?

We retain your data for as long as necessary for the purposes of processing described in these privacy terms and to comply with any mandatory legislation: we will retain the user account data as long you are an active user and for 3 years after that; we are legally obliged to keep invoicing data and the documentation which it is based on for 7 years; we keep our backups for as long you are an active user and for 3 years after that; we keep usage data and communications between us for the statutory limitation period set for civil claims (3 years, 10 years in case of intentional breach) to be able to protect ourselves against any legal claims and to file legal claims for our protection.

In addition, we may process the data in an aggregated or anonymized format, for example for analysis and statistical purposes and to improve and develop our services.

5. What are your rights?

Right to access – you have the right to know which data we hold about you (if any).

Right to data rectification – you have the right to require corrections to your personal data in case they are inaccurate or incomplete.

Right to data deletion – you have the right under certain conditions to request the deletion of your personal data including in situations where the processing of your personal data is no longer necessary for the purposes for which it was collected, or if the processing of your personal data was based on your consent and you wish to withdraw your consent, and there are no other grounds for processing your personal data.

Right to restrict processing – you have the right under certain circumstances to forbid or restrict the processing of your personal data for a certain period (e.g. you have submitted an objection concerning data processing).

Right to object – You have the right to object to data processing which is based on our legitimate interest. Modash will stop processing your personal data upon such objection, unless we can demonstrate compelling legitimate grounds for the processing or processing is needed for the establishment, exercise, or defense of legal claims.

You also have the right to object at any time to processing of your personal data for direct marketing. Upon receiving such objection, we shall stop processing your personal data for direct marketing.

To exercise your rights, please send your respective inquiry to

We have the obligation to respond to your query within 30 days.

6. Security of your personal data  

Modash has established necessary legal, organisational, physical and technical security measures to protect your personal data. Some examples of the measures we use:

Physical measures – paper-based documents containing personal data are stored in locked rooms and cabinets to which only certain employees have access for fulfilling their job duties; data processing rooms and IT-systems are sufficiently protected against fire, overheating, water, current instability and power outages.

Technical measures – all employee work computers are protected with password protected screensavers when the employee leaves; it is ensured that the IT-system does not accept new login attempts and locks the username if certain number of access attempts has been exceeded; it is ensured that especially vulnerable systems (e.g. laptops, smartphones) are sufficiently protected (using encryption or other means).

Organisational means – all IT system users are assigned roles and profiles; it is ensured that access rights are deleted when the employee leaves Modash; it is ensured that there is no access from publicly used rooms to rooms where personal data is being processed.

In case we use external companies for providing services, which include data processing, we conclude data processing agreements with such service providers obligating them to: a) take appropriate measures to ensure confidentiality and security of the personal and ii) process personal data in accordance with the applicable legal requirements and the agreement between us.

7. The right to submit a complaint to a supervisory authority

Should you desire further information concerning your personal data or exercising your rights, you have the possibility to contact us at

If you believe that the processing of your personal data breaches the requirements of the GDPR, you have the right, without prejudice to any other administrative or judicial remedy, to file a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement. In Estonia, the relevant supervisory authority is Data Protection Inspectorate (Andmekaitse Inspektsioon).