Effective: Upon first publication on sponsr.ge.
Controller: SponsR LLC (შპს სპონსრ), a Georgian limited liability company, identification code 405853820, registered address: Tbilisi, Saburtalo District, Demetre Tavdadebuli Street N38g, Apartment 115 (Block 5), Georgia ("SponsR", "we", "our").
This Privacy Policy explains what personal data we process about you, for what purposes, on what legal grounds, who we share it with, how long we keep it, and what rights you have. It applies to the SponsR mobile application, the sponsr.ge website, and related services (collectively — the "Platform").
This Policy constitutes an integral part of SponsR's Terms of Service (Terms & Conditions). Terms used here without definition have the meanings given in the Terms of Service. Personal data is processed in accordance with the Law of Georgia "On Personal Data Protection".
1. What data we process
1.1 Data you provide to us
- Registration and account data: email address, password (stored only as a cryptographic hash — never in plain text), telephone number (confirmed by SMS code), date of birth, first and last name, preferred language, role (Creator or Client), profile photo, biography, and, where requested in accordance with the Terms of Service (§3.1), a personal identification number. Some of this information is provided at account creation, the rest during profile completion (onboarding).
- Creator profile data: social media account links, follower counts, portfolio information, service categories, and location (country, city).
- Client profile data: company name, identification code, and contact information.
- Campaign and order data: campaign descriptions, offers, order terms, delivered materials, ratings and reviews, and promo-code use.
- Platform chat communication: messages and files exchanged between Creators and Clients, as well as with the support service.
- Payout details (Creators): beneficiary first and last name, personal identification number, bank account (IBAN), and address. These details are typically collected when you add a payout method; a personal identification number may also be requested at registration in accordance with the Terms of Service (§3.1). The personal identification number and IBAN are stored encrypted.
- Verification data: where verification is required under the Terms of Service (§3.2), we may request and process identity confirmation, a selfie, company data, and KYC/AML information.
Mandatory and voluntary data. Registration and account data, order data, and — for Creators receiving payouts — payout and identification data are necessary for entering into and performing the contract, and in part (KYC/AML, tax and accounting records) are required by law; without them we cannot provide the relevant service. Providing other data (e.g., profile photo, biography, connected social media accounts) is voluntary, and declining to provide it does not restrict your use of the Platform's core functions.
1.2 Data collected automatically
- Technical data on device and usage: device model, operating system and version, app version, IP address, language, time zone, push-notification tokens, and error reports.
- Activity records (logs): timestamps of actions performed on the Platform; electronic logs of orders, payments, and legal-document acceptance (including IP address and software identifier at the moment of acceptance).
- Local storage: the mobile application stores a session token and your preference settings on your device. The sponsr.ge website uses only strictly necessary cookies (see the Cookie Policy).
We do not currently use third-party advertising trackers or product-analytics SDKs on the Platform.
1.3 Data received from third parties
- Payment provider (PSP). When payment transactions are performed, the PSP provides us with the transaction status and related metadata. Full payment card numbers never reach SponsR.
- Sign-in providers. If you sign in with Google or Apple, the provider shares with us a unique identifier, a verified email address, and a name. We do not receive your password.
- Connected social media accounts. If you choose to confirm your follower numbers by connecting your social media account (e.g., Instagram, YouTube), the platform shares with us, on the basis of your authorization, your account identifier, handle, follower/subscriber count, and basic public profile information. Access tokens are stored encrypted, used only to refresh these figures, and deleted when you disconnect the account.
1.4 Data we do not knowingly collect
We do not deliberately collect special-category data (health, biometric, religious, political, or other sensitive data). If you voluntarily publish such information in your profile or content, you are responsible for making it public.
2. Purposes and legal grounds of processing
We process your personal data for the following purposes, which include the purposes set out in §4.1 of the Terms of Service:
| Purpose | Legal ground |
|---|---|
| Creating and administering the account | Performance of a contract |
| Verification and identification | Performance of a contract; legal obligation |
| Performance of KYC/AML procedures | Legal obligation |
| Administration of transactions (orders, payments, payouts) | Performance of a contract; legal obligation (tax and accounting records) |
| Prevention of fraud, abuse, and security risks | Legitimate interest; legal obligation |
| User support and dispute review (mediation) | Performance of a contract; legitimate interest |
| Operation, improvement, and analytics of the Platform | Legitimate interest |
| Direct marketing (newsletter, promotions) | Consent (you may withdraw it at any time) |
| Fulfillment of legal obligations and legal protection | Legal obligation; legitimate interest |
Where we rely on legitimate interest, the important legitimate interests we pursue are: the security of the Platform and its users, the prevention of fraud and abuse, the establishment and defense of legal claims, and ensuring the quality and reliability of the service.
Direct marketing. We send marketing communications only with your prior consent. We do not currently send marketing communications. If we introduce them, every marketing message will contain an opt-out mechanism in the same channel through which it was received; you may also withdraw consent at any time in the app or by writing to privacy@sponsr.ge. We will stop marketing processing no later than 7 working days after your request, free of charge. Withdrawing marketing consent does not affect service messages you need to receive (e.g., security notices and order updates).
We do not use your personal data for materially different purposes without informing you in advance and, where the law so requires, obtaining your consent.
We do not sell your personal data and do not transfer it to third parties for their own marketing purposes. We do not use your personal data or content to train artificial-intelligence models.
3. Who we share data with
3.1 Service providers
In accordance with §4.3 of the Terms of Service, we use third-party service providers who process data on our behalf and only within the scope of their functional needs:
- PSP / payment providers — payment processing, holding of funds in a special transactional account, and payouts. We share with the payment provider the order amounts and, when a payout is initiated, the Creator's payout details (beneficiary name, IBAN, personal identification number, address).
- Cloud hosting and infrastructure services — hosting of servers, databases, and backups.
- Real-time communication delivery service — technical delivery of Platform chat messages.
- Push-notification delivery service — delivery of notifications to your device.
- SMS and email delivery services — delivery of verification codes and notifications.
- Security and fraud-prevention systems.
- User support tools.
- Identification and verification providers — where verification procedures are applied.
- Analytics services — where used (not currently used).
A current list of providers in these categories is available on request at privacy@sponsr.ge.
3.2 Other users
The Platform operates by Creators and Clients seeing certain information about each other: the public profile (name/handle, photo, biography, portfolio, ratings), and, within an order, the order terms, chat correspondence, and delivered materials. Other users independently bear responsibility for the data they receive.
3.3 Authorized bodies
We may disclose data where required by Georgian legislation — on the basis of a request from a court, the personal data protection supervisory authority, the Revenue Service, the National Bank, law-enforcement, or another authorized body — or where necessary to establish, exercise, or defend legal claims.
3.4 Corporate transactions
In the event of a merger, acquisition, or transfer of business assets, data may be transferred to the counterparty with the protections of this Policy preserved, of which we will notify you in advance.
4. International data transfers
The Platform's primary infrastructure is located in Georgia and/or the European Union. Where data is transferred to another state, we do so only on the grounds provided by the Law of Georgia "On Personal Data Protection": to states recognized as providing an adequate level of data protection, or on another ground provided by law (including an appropriate data-transfer agreement concluded in accordance with the procedure established by law, or your consent). Certain technical service providers (e.g., push-notification delivery) may process limited technical data (e.g., device push tokens and notification content) outside this perimeter; we minimize the personal data contained in such flows.
5. How long we keep data
| Data category | Retention period |
|---|---|
| Account and profile data | While the account is active, plus up to 24 months after closure (where you request deletion, the 30-day rule in Section 10 applies) |
| Order-related chat correspondence | 5 years after the order closes (evidence and dispute purposes) |
| Order, payment, and accounting records | 6 years after the order closes (tax legislation requirement) |
| Verification and KYC/AML records | 5 years after the relationship ends |
| Payout details (IBAN, personal number) | 5 years after the account closes |
| Support communications | 3 years after closure |
| Server and security logs | 12 months |
| Deletion and audit records | 5 years after deletion is finalized |
| Consent records (proof) | Until withdrawal of consent, plus 3 years |
After expiry of the period, data is deleted or irreversibly anonymized. Where a record falls under several categories, the longest period applies.
6. Your rights
Under the Law of Georgia "On Personal Data Protection" you have the right, free of charge:
- to obtain information on what data we process about you and to receive a copy;
- to request the correction of inaccurate or incomplete data;
- to request the deletion or termination of processing of data, except where retention or processing is required by law or another ground provided by law applies;
- to request the restriction (blocking) of processing in cases defined by law;
- to data portability — to receive data processed by automated means on the basis of your consent or a contract in a structured, machine-readable format, where technically feasible;
- to request that we stop processing based on legitimate interest — we will comply unless an overriding ground provided by law applies;
- to withdraw consent at any time (this does not affect the lawfulness of prior processing);
- not to be subject to a solely automated decision that produces legal or similarly significant effects for you;
- to lodge a complaint with the personal data protection supervisory authority of Georgia (see Section 13).
To exercise your rights: write to privacy@sponsr.ge (account deletion is also available directly in the app — see Section 10). We will respond within 10 working days; where the law permits, this period may be extended once by no more than 10 further working days, of which we will inform you. To protect you, we may need to verify your identity before fulfilling a request.
Some rights are subject to limits: we cannot delete data whose retention is required by law (e.g., accounting or KYC/AML records) or which is necessary for the protection of legal claims. In case of refusal, we will explain the reason.
7. Automated decision-making
We do not currently make decisions based solely on automated processing that produce legal or similarly significant effects for you. The Platform's standard automatic mechanisms defined by the Terms of Service (e.g., automatic release of funds after the expiry of the 48-hour period, automatic cancellation of an order after the deadline and grace period expire) are predefined contractual rules to which both parties have agreed in advance; before such a mechanism takes effect, the user may open a dispute (mediation) or contact the support service within the period defined by the Terms of Service.
8. Security
We take reasonable technical and organizational measures to protect data, including: encryption of data in transit (TLS); encrypted storage of sensitive fields (e.g., IBAN, personal identification number); password hashing; staff access control; and separation of production and test environments.
Nevertheless, data transmission over the internet cannot be fully secure and SponsR cannot guarantee absolute security (Terms of Service §4.4). If a personal-data breach occurs, we will notify the supervisory authority within 72 hours of identifying the incident, unless the incident is unlikely to cause significant harm or threat; where there is a high probability of significant harm, we will also inform affected users without undue delay.
9. Minors
In accordance with §2.2 of the Terms of Service: persons under 16 are not admitted to the Platform; Creators aged 16–17 may use the Platform only with the confirmed consent of a parent or legal guardian; a Client (natural person) must be at least 18 years old. Until the parental-consent confirmation mechanism is available, in practice the Platform requires all users to have reached the age of majority during profile completion.
We do not knowingly process the data of persons under 16. If you believe that such a person has provided us with data, write to privacy@sponsr.ge and we will delete it.
10. Account deletion
You may request deletion of your account at any time in the app (Profile → Delete account) or by writing to privacy@sponsr.ge.
Upon a deletion request, a 30-day waiting period begins, during which you may cancel the deletion by signing back in. After the period expires:
- your identifying data is irreversibly pseudonymized (replaced with non-identifying values);
- connected social media accounts and push tokens are deleted;
- data whose retention is required by law (accounting, KYC/AML, audit records) is retained for the periods set out in Section 5 and then deleted;
- order-related chat correspondence remains available to the other party of the order without your identifying data, for the period set out in Section 5.
11. Cookies
The sponsr.ge website uses only strictly necessary cookies (session, security, language preference). Detailed information is provided in the Cookie Policy, which is a separate document. The mobile application does not use browser cookies.
12. Changes to the Policy
We may update this Policy from time to time. In the event of a material change, we will notify you in the app or by email before the change takes effect. The current version is always available on the Platform.
13. Contact
Privacy matters: privacy@sponsr.ge
General: support@sponsr.ge
Legal: legal@sponsr.ge
Address: SponsR LLC (შპს სპონსრ), Tbilisi, Saburtalo District, Demetre Tavdadebuli Street N38g, Apartment 115 (Block 5), Georgia. Identification code: 405853820.
Supervisory authority: the personal data protection supervisory authority of Georgia — from 2 March 2026, the State Audit Office of Georgia (sao.gov.ge), to which the functions of the Personal Data Protection Service were transferred.