Privacy Policy

Flit — heyflit.com & haiku.heyflit.com

Operated by Summit Paycom Private Limited, Bengaluru, India

Effective date: January 10, 2026
Last updated: March 15, 2026

1. Introduction

This Privacy Policy explains how Flit collects, uses, shares, stores, and protects information when you use heyflit.com, haiku.heyflit.com, our mobile and web applications, and any related services (together, the “Platform”).

The Platform connects two kinds of users:

Brands and agencies — businesses and their team members who use Flit to discover, contract, and pay creators, and to manage campaigns through Haiku.
Creators — influencers and content creators who receive briefs, sign agreements, and get paid through Flit.

This Policy applies to anyone who visits our websites, creates an account, connects a social media account, or otherwise uses the Platform. By using the Platform, you agree to the practices described here. If you do not agree, please do not use the Platform.

This Policy is drafted to comply with India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”), and to meet the data-use and disclosure requirements imposed by the platforms we integrate with, including Meta Platforms, Inc. (Facebook/Instagram), Google LLC (YouTube), LinkedIn Corporation, and X Corp. (Twitter/X) (each a “Connected Platform”).

2. Information We Collect

2.1 Information you give us directly

Category	Examples
Account & identity	Name, email, phone number, role (brand/agency/creator), company name and GSTIN (for brands)
Financial & tax information	Bank account details, UPI ID, PAN, GSTIN, and other information required to process payouts, deduct TDS, and generate GST-compliant invoices
Contract & deal information	Campaign briefs, deliverables, rates, contract terms, e-signatures, and communication tied to a specific deal
Support communications	Messages you send to our support team

We collect financial and KYC information directly because Flit, not a third-party payment aggregator, performs payout processing, TDS deduction, and GST compliance for transactions on the Platform. This information is held under the security and access controls described in Section 6.

2.2 Information from connecting your social media accounts

Flit integrates with Instagram and Facebook (Meta Platforms, Inc.), YouTube (Google LLC), LinkedIn (LinkedIn Corporation), and Twitter/X (X Corp.). If you choose to connect any of these accounts to Flit, we request your permission to access:

Basic profile information — your name, profile picture, and the handle/channel you connect, used to verify that you are the genuine owner of the account being engaged for a campaign.
Content and insights data — metrics on posts, videos, or content you publish in connection with a brand deal (such as reach, impressions, likes, comments, and views), used to (a) generate performance reports for the brand you’re working with, and (b) confirm that a contracted deliverable (e.g., a sponsored post or video going live) has actually been published, which can trigger the corresponding payment milestone.

We only request the specific permissions needed for these purposes, and only at the scope each platform’s developer policies and review process approve for our app. We do not access your private messages, contacts, or content unrelated to a campaign on Flit.

You are in control of these connections. You can disconnect any linked account from Flit at any time from Account Settings → Connected Accounts —, or directly through that platform’s own account settings (e.g., Facebook/Instagram “Apps and Websites,” Google account permissions, LinkedIn data settings, or X connected apps). Disconnecting stops any further data collection from that platform. You may also request deletion of previously collected data under Section 8.

2.3 Information collected automatically

When you visit our websites or use the Platform, we automatically collect technical information such as IP address, browser type, device identifiers, operating system, and usage data (pages visited, features used, timestamps), typically through cookies or similar technologies. See Section 7 for details on cookies.

2.4 Information from other sources

We may receive information from:

Payment and banking partners, to confirm whether a payout succeeded or failed.
Identity verification providers, where used to validate KYC documents.
The brand or agency you work with on a deal, such as a brief or contract they create involving you.

3. How We Use Your Information

We use the information described above to:

Create and manage your account and authenticate your identity.
Facilitate contracts, briefs, and agreements between brands and creators.
Process payments, including UPI/bank transfers, TDS deduction, and GST invoice generation.
Verify that a creator genuinely owns the social media account or channel associated with a deal.
Generate campaign performance reports for brands, using post/content metrics tied to a specific deal.
Detect whether a contracted deliverable has been completed, to release the associated payment.
Provide customer support and respond to inquiries.
Maintain the security, integrity, and proper functioning of the Platform.
Comply with applicable law, including tax, accounting, and financial recordkeeping obligations.
Improve the Platform based on aggregated, de-identified usage patterns.

We do not use data obtained from any Connected Platform for advertising, to build user profiles outside the context of a creator’s Flit campaigns, or for any purpose unrelated to facilitating brand–creator collaborations on Flit.

4. Legal Basis for Processing (DPDP Act, 2023)

Under the DPDP Act, we process your personal data on the following grounds:

Consent — for optional features, such as connecting a social media account, or receiving marketing communications.
Performance of a contract — to process payments, generate invoices, and fulfill obligations under brand–creator agreements facilitated through the Platform.
Legal obligation — to comply with tax law (TDS, GST), accounting standards, and other statutory requirements applicable in India.

Where we rely on your consent, you may withdraw it at any time, as described in Section 8. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal, and may limit your ability to use certain features (for example, you cannot receive performance reports from a platform you’ve disconnected).

5. How We Share Your Information

We do not sell your personal data. We share information only as follows:

Recipient	Purpose	What’s shared
Brands/creators you contract with	To fulfill a deal you’ve entered into on the Platform	Contact details, deliverables, performance metrics relevant to that specific deal
Payment processing partners and banks	To execute payouts	Bank/UPI details, transaction amounts
Tax and compliance service providers	TDS filing, GST invoicing, statutory compliance	Financial and identity information required for filings
Cloud hosting and infrastructure providers	To run and secure the Platform	Data necessary to host and operate the service
Connected Platforms (Meta, Google/YouTube, LinkedIn, X)	Only as a function of you connecting your account — we send API requests to retrieve the data described in Section 2.2	Authentication tokens and the specific data scopes you authorized
Government or regulatory authorities	Where legally required (e.g., tax authorities, law enforcement with valid legal process)	As required by the specific request
Successors, in a merger or acquisition	Business continuity	Data would transfer subject to the same protections in this Policy

We require all third-party service providers who process data on our behalf to maintain confidentiality and use the data only for the purpose we’ve engaged them for.

6. Data Security

We use industry-standard safeguards to protect your information, including:

Encryption of data in transit (TLS/SSL) and at rest for sensitive fields such as bank details and PAN.
Role-based access controls, so only personnel who need financial or KYC data to do their jobs (e.g., compliance, finance) can access it.
Regular review of access logs for sensitive data categories.

No system is completely secure, and we cannot guarantee absolute security. If we become aware of a breach affecting your personal data, we will notify you and the relevant authorities as required under the DPDP Act.

7. Cookies and Similar Technologies

Our websites and Platform use cookies and similar technologies to:

Keep you logged in and remember your preferences.
Understand how the Platform is used, to improve it.
Where applicable, measure the effectiveness of our own marketing.

You can control cookies through your browser settings. Disabling cookies may affect the functionality of the Platform, such as staying logged in.

8. Your Rights

Under the DPDP Act, and consistent with the access our Connected Platforms require us to provide, you have the right to:

Access the personal data we hold about you.
Correct or update inaccurate or incomplete data.
Withdraw consent for any processing based on consent (e.g., disconnect a linked social media account, opt out of marketing emails).
Request erasure of your personal data, including data obtained via a Connected Platform, subject to our right/obligation to retain certain records (see Section 9).
Nominate another individual to exercise your rights on your behalf in the event of death or incapacity.
File a complaint with our Grievance Officer (Section 11), and, if unresolved, with the Data Protection Board of India.

To exercise any of these rights, including requesting deletion of data we’ve received from a Connected Platform, contact our Grievance Officer or use Account Settings → Privacy — . We will respond within the timeframe required by applicable law.

9. Data Retention

We retain personal data only as long as necessary for the purposes described in this Policy:

Financial, tax, and transaction records (bank details, PAN, GST invoices, TDS records): retained for eight (8) years, in line with statutory recordkeeping requirements under Indian tax and company law.
Connected Platform content and insights data (Instagram, YouTube, LinkedIn, Twitter/X): retained only for as long as needed to generate the relevant campaign report, and deleted or anonymized once the campaign closes out, unless you’ve separately consented to longer retention or law requires otherwise.
Account information: retained while your account is active, and for a reasonable period after closure to handle disputes, legal claims, or regulatory requirements.

Once retention periods lapse, we securely delete or irreversibly anonymize the data.

10. Children’s Privacy

The Platform is intended for business use by adults. We do not knowingly collect personal data from individuals under 18. If we learn that we have inadvertently collected such data, we will delete it promptly.

11. Grievance Officer

In accordance with the DPDP Act, 2023, you may contact our Grievance Officer for any questions, concerns, or complaints about this Policy or our data practices:

Grievance Officer: Mouna Poovaiah
Email: grievance@flit.in
Address: Summit Paycom Private Limited, Bengaluru, Karnataka, India

We aim to acknowledge complaints promptly and resolve them within the timeframe prescribed under applicable law.

12. International Data Transfers

Our service providers (such as cloud hosting infrastructure) may process data outside India. Where this occurs, we take reasonable steps to ensure such providers offer a comparable level of protection to that required under the DPDP Act.

13. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, the Platform, or applicable law (including changes required by the policies of any Connected Platform). We will update the “Last updated” date above, and for material changes, we will provide additional notice (such as an in-app notification or email) before the changes take effect.

14. Contact Us

For general questions about this Policy: support@flit.in
For data protection requests and complaints: see Section 11

This Policy is intended to be read together with Flit’s Terms of Service and any platform-specific terms (e.g., Haiku Terms of Use).