Idukki
GDPR

Every byte, accounted for.

When a creator’s photo lands in Idukki, we know exactly where it sleeps, who can wake it, and who’s allowed to ask for it back. Below: our GDPR role as processor, the rights you and your customers can exercise, who else in the supply chain touches the data, and how to delete it on demand.

SOC 2 Type II (in audit) · ISO 27001-aligned · UK data residency available

Last updated · January 2026

  1. Creator posts: #yourbrand · IG
  2. AES-256 at rest: UK region · ringfenced
  3. Rights cleared: consent · audit row
  4. Delete on demand: < 30 days · DSR portal

DPA signed automatically on every new workspace (Compliant)

Our role under GDPR

Data processor

For the UGC + content you publish through us

When you connect your social channels, run a hashtag campaign or ingest reviews, Idukki acts as a data processor. You, the brand, are the data controller. We only process this data on your documented instructions and per our Data Processing Agreement.

Data controller

For your Idukki account itself

When you sign up, log in, get billed or contact support, Idukki is the data controller for that account-level personal data. Our processing here is governed by our Privacy Policy.

What we process

As processor (for you)

  • UGC posts, captions, hashtags, comments (from public sources you connect)
  • Creator handles and avatar URLs
  • Rights-request conversation logs
  • Email addresses of customers who submit UGC via your QR portal or photobooth
  • IP address + user-agent of widget viewers (for analytics + bot filtering)
  • Event-funnel data (view → click → cart → purchase), keyed by anonymised cookie ID

As controller (about you)

  • Account holder name + email
  • Company name + billing address
  • Login credentials (passwords are bcrypt-hashed)
  • IP + user-agent of dashboard sign-ins
  • Payment method tokens (held by Stripe, not Idukki)

We do not sell personal data. We do not train AI models on customer content. We do not use your data to enrich any other product or service.

Your rights as a data subject

Anyone whose personal data Idukki holds can exercise the following rights at any time. Email privacy@idukki.io and we’ll respond within 30 days (usually 72 hours).

  • Right of access

    Request a copy of every piece of personal data we hold about you.

  • Right to rectification

    Have inaccurate or incomplete personal data corrected.

  • Right to erasure

    Ask us to delete personal data, also known as the right to be forgotten.

  • Right to data portability

    Receive your data in a structured, commonly used, machine-readable format (JSON).

  • Right to restrict

    Limit the processing of your data in certain circumstances.

  • Right to object

    Object to processing based on legitimate interests or direct marketing.

You also have the right to lodge a complaint with your supervisory authority; in the UK, that is the ICO. We’d ask you to talk to us first, but we’ll never get in the way of you exercising that right.

Sub-processors

The vendors below process personal data on our behalf. Each is bound by a written agreement that mirrors our own GDPR obligations. We notify customers at least 30 days before adding or replacing any sub-processor.

Vendor | Region | Purpose
--- | --- | ---
Amazon Web Services (AWS) | UK (London) | Application hosting, object storage, queueing
Cloudflare | Global (with EU isolation) | CDN, edge runtime, DDoS protection
Postmark | EU | Transactional email delivery
Stripe | EU + US (SCC-covered) | Billing + payment processing
Sentry | EU (Frankfurt) | Application error monitoring
PostHog Cloud EU | EU | Product analytics (EU-hosted)
Twilio / SendGrid | EU + US (SCC-covered) | SMS + transactional channels
OpenAI (Enterprise, no-train) | US (SCC-covered, no training) | Caption + alt-text + tagging inference

Subscribe to sub-processor updates at privacy@idukki.io.

International transfers

Our production environment is hosted in the UK (AWS London). Some sub-processors are based in the US. Where data leaves the UK or the EEA, we rely on the European Commission’s Standard Contractual Clauses (2021/914) and the UK Addendum, as well as supplementary technical and organisational measures: encryption in transit and at rest, no-train commitments, audit rights and breach notification timelines tighter than the regulation requires.

For customers on our Enterprise plan, we offer UK data residency: all data, including derived AI embeddings, stays inside the UK at all times.

Retention + deletion

  • Active accounts: we keep your data for as long as your account is active.
  • Closed accounts: we delete or anonymise within 90 days of closure. You can also request immediate deletion.
  • UGC + rights records: kept for the duration of your subscription, then exported to you on request and deleted.
  • Logs + backups: application logs purged after 90 days, encrypted backups rolled off after 30 days.
  • Legal hold: where law requires (e.g. invoices, tax records), we retain only what’s necessary.

Security measures

  • TLS 1.3 in transit, AES-256 at rest
  • SOC 2 Type II in audit (target Q3 2026)
  • ISO 27001-aligned controls (certification on roadmap H2)
  • Pen-tested quarterly by Cure53
  • Bug bounty program with HackerOne
  • Role-based access control + audit logs on every admin action
  • Encrypted database backups, retained 30 days, geo-redundant
  • Mandatory MFA for all employees + vendor access

Data Processing Agreement

Our DPA is pre-signed by Idukki and incorporated into every customer agreement. It includes the updated Standard Contractual Clauses (Modules 2 and 3) and the UK Addendum. No negotiation needed for the standard terms.

Contact our DPO

Talk to a human, typically the same day.

Idukki’s Data Protection Officer can be reached at dpo@idukki.io for any GDPR question, data subject request, breach report or audit. We respond within 72 hours, usually faster.
