Last updated: 25/07/2025
This Privacy Policy describes how Burst Platform ApS (“Burst”, “we”, “us”, “our”) collects, uses, discloses and protects personal data when you use our website, platform and related services, including when you connect your Facebook and Instagram accounts to Burst. It also explains your rights and how to exercise them. By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.
Depending on the context, we act either as a data controller or as a data processor on behalf of our business customers. Where we act as processor, the brand is the data controller and our Data Processing Agreement applies.
This policy covers:
Account means a unique account created for you to access our Service or parts of our Service.
Affiliate means any entity that controls, is controlled by, or is under common control with Burst Platform ApS.
Company (referred to as “the Company”, “we”, “us” or “our”) refers to Burst Platform ApS.
Cookies are small files placed on your device by a website.
Country refers to Denmark.
Device means any device that can access the Service such as a computer, mobile phone or tablet.
Personal Data is any information relating to an identified or identifiable natural person.
Service refers to the Website, the platform, dashboards, APIs and any related features.
Service Provider means any natural or legal person who processes data on behalf of the Company.
Usage Data is data collected automatically, generated by your use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
Website refers to Burst, accessible at burstcreators.com.
You means the individual accessing or using the Service, or the company or other legal entity on behalf of which such individual is accessing or using the Service.
4.1 Data you provide to us
• Account data: name, email address, password, company, role.
• Billing data: company name, VAT/CVR number, address, invoicing contacts, payment method (processed by our payment provider; we do not store full card numbers).
• Communications: support messages, emails, calls, feedback, survey responses.
• Campaign data: creative briefs, product information, creator lists, pricing, deliverables.
• Contracts and legal agreements: signatures, terms acceptance, dates.
4.2 Data collected automatically (Usage Data)
• IP address, browser type and version, device identifiers, operating system, referring URLs, pages visited, time and date of visit, time spent on pages, clickstream data, error logs.
• When using a mobile device: device type, OS, unique device ID, mobile browser type, approximate location (based on IP), app version.
4.3 Cookies and similar technologies
We use cookies, web beacons, pixels and similar technologies to provide, secure, analyze and improve our Service. Cookies may be session cookies (deleted when you close your browser) or persistent cookies (stored until they expire or you delete them). See section 15 (Cookies) for more detail.
When you choose to connect your Facebook/Instagram account or ad account to Burst, we may access certain data through Meta’s APIs. The permissions we request and how we use them are described below.
Permissions we request for review:
a) instagram_branded_content_ads_brand
What we access: IDs of eligible creator posts, post metadata required to run branded content/Creator Ads (e.g. media ID, caption, status), and the ability to authorize or stop branded content ads on your behalf.
Why: To allow brands to boost creator posts (Creator Ads / Branded Content Ads) directly from Burst, and to retrieve delivery status and high-level performance for those ads.
How we use it: We list the creator posts you (or your creators) have made eligible for promotion, create the ads, and display performance data within our reporting UI. We do not publish organic content on your behalf via this permission.
b) ads_read
What we access: read-only ad account insights and metrics such as spend, impressions, reach, clicks, CTR, CPC, CPM, video views, and other standard Ads Insights fields required for reporting.
Why: To power performance reporting for Creator Ads and campaigns you run and track inside Burst.
How we use it: We only read reporting data; we do not modify your ads or ad accounts using this permission.
We do not sell the data we obtain from Meta, and we do not use it to build independent profiles unrelated to the services you have asked us to provide.
How to revoke access: You can remove Burst’s access at any time in Facebook Settings - Business Integrations or Instagram Settings - Security - Apps and Websites. See section 11 for what happens when you revoke access or request deletion.
Contract performance (Art. 6(1)(b))
• To create and manage your account.
• To deliver platform functionality, including Creator Ads/Branded Content Ads and reporting.
• To provide support, onboarding and implementation.
• To manage billing and subscriptions.
Legitimate interests (Art. 6(1)(f))
• To secure and protect the Service (fraud prevention, abuse detection, incident response).
• To improve and develop the Service (analytics, product research).
• To enforce our terms and defend legal claims.
• To contact you with relevant platform updates if you are an existing customer or user.
Consent (Art. 6(1)(a))
• Where required for specific marketing communications.
• Where you choose to connect external accounts and grant specific permissions to us. You can withdraw consent at any time.
Legal obligations (Art. 6(1)(c))
• To comply with tax, accounting and other statutory requirements.
• To respond to lawful requests from public authorities.
We may share personal data with:
• Service Providers / sub-processors: cloud hosting, analytics, logging, email delivery, payment processors, customer support tools and similar. These providers are bound by confidentiality and data processing agreements.
• Business partners (on your instruction): for example, brands, agencies or creators collaborating with you in the platform.
• Affiliates: entities under common control with Burst, subject to this policy.
• Professional advisors: lawyers, auditors, insurers, where necessary.
• Authorities: where required by law or to protect rights, safety or property.
• In connection with a business transaction: merger, acquisition, financing or sale of assets. You will be notified if your personal data becomes subject to a different privacy policy.
We do not sell personal data.
Your data may be transferred to and processed outside the EEA/UK. Where this happens, we rely on lawful transfer mechanisms such as the European Commission’s Standard Contractual Clauses (SCCs) or other appropriate safeguards. You can contact us for more information on the specific safeguards used.
We keep personal data only as long as necessary for the purposes described in this policy or as required by law. Typical retention periods:
• Account and profile data: for the lifetime of your account, and up to 30 days after deletion or disconnection, unless a longer period is required by law or to resolve disputes.
• Meta-sourced data (Facebook/Instagram via the permissions above): for the lifetime of your account or until you revoke access, and then deleted within 30 days (unless legally required to retain).
• Billing and transactional records: minimum 5 years (or as required by accounting/tax law).
• Support communications: up to 3 years after resolution, unless longer required.
• Logs and security data: typically 12 months, unless needed longer for security or legal purposes.
• Aggregated or anonymised analytics may be retained indefinitely (cannot be linked back to you).
Subject to applicable law, you may have the right to:
• Access your personal data and receive a copy.
• Rectify inaccurate or incomplete data.
• Delete your data (right to erasure).
• Restrict processing.
• Object to processing based on legitimate interests or direct marketing.
• Data portability.
• Withdraw consent where processing is based on consent.
• Lodge a complaint with your local supervisory authority (in Denmark: Datatilsynet, datatilsynet.dk).
To exercise your rights, email louis@burstcreators.com. We may need to verify your identity before responding.
You can revoke our access at any time:
Facebook: Settings & Privacy - Settings - Business Integrations
Instagram: Settings - Security - Apps and Websites
You can also request deletion at burstcreators.com/data-deletion (or by emailing us).
When you revoke access or request deletion, we will delete Meta-sourced personal data within 30 days, unless legal obligations require longer retention. If you are using Burst under a brand’s account, please also contact your brand admin as they may be the controller for your data.
We implement technical and organizational measures to protect personal data, including encryption in transit and at rest (where appropriate), access controls, least-privilege principles, logging and monitoring, regular backups, and vendor due diligence. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
Our Service is not directed to children under 13, and we do not knowingly collect personal data from anyone under 13. If you are a parent or guardian and believe your child has provided personal data to us, please contact us so we can delete it. If we rely on consent and local law requires parental consent, we will request it.
We do not engage in automated decision-making that produces legal or similarly significant effects on individuals. If this changes, we will update this policy and provide you with the required information.
We use both session and persistent cookies for:
• Necessary / essential purposes (authentication, security, fraud prevention)
• Functionality (remembering preferences, language, login status)
• Analytics and product improvement
You can control cookies through your browser settings. If you disable cookies, parts of the Service may not function properly. For more detail, please refer to our Cookies Policy.
Our Service may contain links to third-party websites and services. We are not responsible for their content or privacy practices. We encourage you to read their privacy policies.
We may update this Privacy Policy from time to time. We will post the new version on this page, update the “Last updated” date, and, where appropriate, notify you by email or via the Service before changes take effect. Please review this Policy periodically.
If you are in the EEA/UK and believe we have not handled your personal data correctly, you can lodge a complaint with your local supervisory authority. In Denmark: Datatilsynet (www.datatilsynet.dk).
We use vetted sub-processors to deliver the Service (e.g., cloud hosting, analytics, email, payments, logging). We maintain a list of sub-processors in our Data Processing Agreement or on a dedicated webpage. We will notify customers of material changes to that list as required.