How we handle your data

AreaCreator (the Service) is operated by Tuber Thailand. For PDPA purposes we are the data controller of personal data you submit through the Service. You can contact us at areacreator.co@gmail.com.

We collect only what the Service needs to function:

• Account: email address (via Supabase Auth magic link or Google OAuth).
• Creator profile: display name, profile photo URL, country + province, city, languages, timezone, bio, social-media handles (Facebook / Instagram / TikTok), style tags, phone + LINE ID if you provide them.
• Submissions: clip URLs you enter to compete in an Arena, plus the organic-only affidavit timestamp.
• Scores: public view/like/share counts scraped from the platforms you posted on.
• Brand waitlist: company name, contact email, phone, LINE ID, and a short description of the challenge you want to run.
• Technical: cookies for your sign-in session and language preference; standard server logs for security and reliability.

• Operate the Service (contract with you) — to authenticate you, show your profile in the public directory when complete, accept submissions, compute leaderboards, and pay out Glory.
• Fairness checks (legitimate interest) — the §13.3 anomaly heuristics and verification of top scorers. See our Rules page.
• Brand outreach (consent) — we contact brand waitlist submitters by email when brand Arenas open.
• Security and troubleshooting (legitimate interest) — detect abuse, debug outages.

We do not sell your personal data. We share with these processors only as needed to run the Service:

• Supabase — database, authentication, file storage.
• Vercel — application hosting + scheduled jobs.
• Apify / similar scrapers — public metric collection from the clip URLs you submit.
• Google — when you sign in with Google OAuth.

Some of these providers store data outside Thailand. We rely on their published safeguards (DPAs, standard contractual clauses) to protect your data during transfer.

• Account + profile: until you delete the account.
• Submissions + scores: retained to preserve Arena history and payout records; anonymised or deleted on request where the law permits.
• Brand waitlist: up to 24 months after submission or until the brand asks to be removed.
• Server logs: up to 90 days.

Under Thailand's PDPA you have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data, and to withdraw consent where processing is consent-based. You may also lodge a complaint with the Office of the Personal Data Protection Committee.

To exercise any of these rights, email areacreator.co@gmail.com. We will respond within 30 days.

We use HTTPS in transit, managed-database encryption at rest via Supabase, and server-only access to administrative credentials. No system is perfectly secure; if we learn of a breach affecting your data we will notify you and the authorities as required by the PDPA.

The Service is not directed at users under 20 years old. If you are a minor, you must obtain consent from a parent or guardian before using the Service.

We may update this policy. Material changes will be announced on this page, and the "Last updated" date below will reflect the revision.