NowRep

1. Introduction and scope

NowRep (“NowRep,” “we,” “us,” or “our”) provides a software-as-a-service platform that talent agencies and similar businesses use to manage their rosters, bookings, packages, billing, and portfolio sites (the “Service”). This Privacy Policy explains how we handle personal information when you use the Service.

In this policy:

“Customer” means a business that signs up for NowRep (typically a talent agency or representation business) and the people on that Customer’s team who use the Service on its behalf.
“Talent” means an individual whose profile, media, or related data a Customer manages inside the Service.
“Visitor” means anyone who browses our marketing website at nowrep.io.
“You” depends on context. Where it matters, we say which group we are talking about.

This policy covers:

our marketing website at nowrep.io,
the NowRep web application,
our internal APIs that power the application,
the Site API that syndicates Customer-curated data to portfolio websites our Customers operate under their own domains.

This policy does not cover:

Portfolio websites that our Customers operate under their own domains. The Customer designs, builds, deploys, hosts, and operates its portfolio website; NowRep’s role is to provide the data source through the Site API and (optionally) a reference template the Customer can choose to use. Where NowRep separately contracts with a Customer to build or help connect a portfolio website, the Customer still operates the resulting website and is the controller of the data published on it. Visitor-facing data the portfolio website collects is governed by the Customer’s own privacy notice, not this one.
Third-party services we link to or integrate with, except where we describe how we share data with them in §6.

If you are a Talent whose data appears in NowRep because an agency you work with uses the Service, please also read §10 (“Talent data, minors, and rights routing”). That section is written for you.

2. Our role: controller and processor

We act in two different roles depending on whose data we are handling.

We are a controller for personal data we collect and use for our own purposes. For example, your name and email when you sign up for an account, your billing information, the records we keep for security and fraud prevention, and any marketing we send you.

We are a processor for personal data our Customers upload, generate, or otherwise put into the Service about their Talent, clients, contacts, bookings, and business records. The Customer is the controller of that data. We handle it on the Customer’s behalf and under their instructions, as set out in our Data Processing Addendum (DPA).

A signed DPA is available on request for Customers on our Pro and Enterprise plans. Contact privacy@nowrep.io to request one.

3. What we collect

3a. Account and billing data (controller scope)

When you sign up and use NowRep as a Customer, we collect:

Identity and contact: your name, email address, and any profile details you choose to add.
Authentication: a hashed password and, if you enable it, multi-factor authentication factors. We never see your password in cleartext.
Account and workspace metadata: the agency name, branding, locale, team membership, and the role assigned to each team member.
Billing: subscription tier, seat count, and a customer/subscription identifier issued by our payment processor. Card data is held by our payment processor, not by us.
Login activity: sign-in times and the IP address of sign-in events, kept by our authentication provider for security and audit purposes.
Verification and password-reset tokens: short-lived tokens we generate to verify email addresses or reset passwords.
Bot-protection signals: when you sign in, sign up, or fill out our contact form, our captcha provider (see §6) checks that you are not a bot. The check sees your IP address, browser, and a challenge response.

3b. Talent and business data uploaded by Customers (processor scope)

Customers upload a wide range of data into NowRep to run their business. This typically includes:

Talent profile data: legal and preferred name, date of birth, place of birth, gender, pronouns, nationality, primary email and phone, website, biography, and free-text notes.
Talent profile images and portfolio media: profile photos, polaroid sets, headshots, portfolio images, and video uploads.
Measurements: height, weight, bust, waist, hips, shoe size, eye color, hair color, and similar physical attributes used in casting work.
Work preferences and skills: languages, special skills, work preferences, willingness to travel, and similar fields.
Contacts, social handles, and addresses: stored in the Talent’s profile or in the Customer’s directory.
Identity documents: passport, visa, or other legal documents that the Customer chooses to store against a Talent’s record. Customers may optionally protect sensitive documents with a per-document password.
Representation and management data: which staff member manages which Talent, contract start/end dates, archive status, and similar.
Availability calendars: dates a Talent is or is not available to work.
Notes: general, important, booking, billing, and other free-text notes the Customer writes about Talent, clients, or contacts.
Directory: the Customer’s clients, partner agencies, and other contacts, including company names, contact names, emails, phones, titles, addresses, and notes.
Bookings and events: events, locations, dates, client contacts, status, billable flags, and which Talent is booked on which event.
Packages: curated Talent packages the Customer assembles to send to clients, including the shareable-link route described in §11.
Invoices and payments: invoices and line items the Customer issues to its clients, including a snapshot of the client’s name, address, and tax identifier captured at the time the invoice was issued, plus exchange-rate data and payment records.
Generated artifacts: the PDFs and other documents NowRep generates on the Customer’s behalf, including ShowCards, MediaKits, branded invoice PDFs, and similar. Once generated and sent, invoice artifacts are immutable.

We do not control which fields a Customer chooses to fill in. We provide the fields; the Customer decides what to upload.

3c. Security, telemetry, and bug reports

To keep the Service secure and working, we collect:

Error and performance telemetry captured by our error-monitoring provider (see §6). This includes stack traces, the URL of the page where an error occurred, the browser and device involved, and an identifier for the user whose session experienced the error.
Bug reports that Customers submit through the in-app bug-report tool. A bug report includes the description the Customer wrote, contextual information (the page, the browser), and an optional screenshot the Customer chose to attach.
Activity log of actions taken inside the Customer’s account: who did what, when. This is a business audit feature for the Customer, and it is also part of how we investigate security incidents.

3d. Marketing and communications

If you contact us through our marketing website, we collect the contents of your message and your reply-to address so we can respond.

We do not run a marketing newsletter to Customers today. If we introduce one, we will update this policy and ask for your opt-in (or rely on a clearly disclosed opt-out where the law permits) before sending you marketing emails.

4. Where the data comes from

Most personal data in NowRep comes from one of three places:

Directly from you, when you sign up, fill out your profile, complete billing setup, or contact us.
From our Customers, when an agency uploads data about its Talent, clients, contacts, bookings, and business records.
From third-party services we integrate with on the Customer’s behalf. For example, video metadata returned by Vimeo or YouTube when a Customer embeds a video, or exchange-rate data from a public exchange-rate API (no personal data is sent to that API).

When the Talent Portal launches (see §10), Talents will also be able to log in directly and submit information to NowRep themselves. We will update this policy before that feature becomes generally available.

5. How we use the data

We use personal data for the following purposes. Where this policy is read under the GDPR or UK GDPR, the lawful basis is shown in brackets.

To provide the Service: running the application, storing data, generating PDFs, sending notifications, and syncing portfolio sites. [Performance of a contract.]
To authenticate and secure accounts: sign-in, MFA, password reset, bot protection, intrusion detection, and fraud prevention. [Performance of a contract; legitimate interests.]
To bill Customers: process subscription payments, issue invoices, and manage seats and tiers. [Performance of a contract; legal obligation for tax and accounting records.]
To support Customers: respond to bug reports, support requests, and direct inquiries. [Legitimate interests; performance of a contract.]
To monitor reliability and quality: error monitoring, performance tracing, and uptime checks. [Legitimate interests.]
To improve the Service: analyze aggregated usage patterns to find issues and prioritize improvements. We do not currently run third-party product analytics; if we do, we will say so here and update our cookie disclosures. [Legitimate interests; consent where applicable.]
To communicate with you: operational notifications about your account, security alerts, and policy updates. [Performance of a contract; legitimate interests.]
To comply with legal obligations: tax recordkeeping, response to lawful process, and similar. [Legal obligation.]

For Talent and business data we hold as a processor (§3b), we use it only to provide the Service to our Customer, under the Customer’s instructions and our DPA.

6. Sharing and subprocessors

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We do not use it to train AI models for our own purposes or for any third party.

We share personal information only with:

Service providers we use to run NowRep (“subprocessors”). These vendors process data on our behalf under written contracts. The current subprocessor list is below; the maintained version is published at nowrep.io/subprocessors.
Authorities and legal counsel when we are required to by law or when we need to defend our legal rights.
Successors in the event of a merger, acquisition, or other corporate transaction. We will give you advance notice if your data will be transferred to a different controller.

Current subprocessors

Vendor	Purpose	Data categories	Hosting region
Supabase	Database, authentication, file storage, realtime, edge functions.	All categories described in §3.	United States
Stripe	Subscription payments, billing.	Customer name and email, billing address, card data (held by Stripe).	US and EU/UK regional
Resend	Transactional email (welcome, password reset, invitations, invoice sends).	Recipient email and message body.	US
Sentry	Error monitoring and performance tracing.	Stack traces, request URLs, user identifiers, browser and device metadata.	US
Cloudflare (Turnstile)	Bot and captcha checks on sign-in, sign-up, and the contact form.	IP address, user agent, challenge response.	Global edge
Fly.io	Application hosting.	All data in transit and at rest while the application is running.	United States
YouTube and Vimeo (oEmbed)	Embedding Customer-selected videos.	Embed metadata server-side. Viewer IP and cookies on playback through the embed.	Global
Frankfurter API	Daily exchange-rate refresh for multi-currency invoicing.	Currency codes only. No personal data.	Public open API

If a subprocessor changes or a new one is added, we update the subprocessors page and, where required, notify Customers in advance under our DPA.

7. International transfers

NowRep is operated from the United States. Some of our subprocessors host data in the United States and elsewhere, as shown in the table above.

For transfers of personal data out of the United Kingdom, the European Economic Area, or Switzerland, we rely on the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent Swiss safeguards. Several of our subprocessors are also certified under the EU-US Data Privacy Framework or its UK Extension; that does not by itself authorize NowRep’s transfers, but it supports the overall transfer chain.

NowRep itself is not certified under the EU-US Data Privacy Framework at this time. If that changes, we will update this section.

If you would like a copy of the safeguards we use for transfers from your region, please contact privacy@nowrep.io.

8. How long we keep data

We retain personal data only for as long as we need it for the purposes described in this policy or as required by law. The table below shows our current retention practice. The Customer is the controller of Talent and business data (§3b); the Customer’s own retention preferences may override the defaults below, and Customers may request earlier deletion at any time.

Category	Retention
Active account and Customer data	For the life of the subscription, plus 90 days after termination. After 90 days we delete the account and the data associated with it.
Talent records when an agency ends representation	Until the Customer initiates the talent profile cleanup process (see §10). The cleanup process includes a grace period followed by hard deletion of profile data, media, and notes. Sealed business records (including sent invoices, statements, and generated artifacts) are retained separately; see the next row.
Invoices, sent statements, and other immutable business records (“WORM” artifacts)	For the period required for tax, accounting, and audit purposes. Typically seven years or longer depending on jurisdiction. These records belong to the Customer (the agency) and are kept regardless of whether a Talent’s profile is later removed.
Sign-in and authentication logs	Approximately 12 months (the default of our authentication provider).
Error and performance telemetry (Sentry)	90 days (Sentry’s default rolling retention).
Activity log	Retained with the account for business audit purposes. Older entries may be moved to an archive store but are not aged out while the account is active.
Bug reports and bug-report screenshots	Retained with the account indefinitely. Customers may request deletion of specific bug reports at privacy@nowrep.io.
Marketing contact-form messages	Until we have responded and a reasonable period thereafter for follow-up, then deleted.
Backups	Backups are retained on a rolling schedule and overwritten in the normal course. Data you delete may persist in backups for a short period before it is overwritten.

Retention basis for invoices and immutable business records. We adopt a seven-year retention horizon for invoice PDFs, statements, and similar sent business artifacts as a conservative default that covers the longest practical statute of limitations on tax audit. Customers based outside the United States may be subject to longer retention obligations under their local law and remain responsible for compliance with those rules; on request, NowRep will retain a Customer’s WORM artifacts for a longer horizon to match the Customer’s own statutory obligations.

9. Security

We take security seriously. The Service uses:

Encryption in transit for all connections to NowRep, using current TLS.
Encryption at rest for the database and file storage maintained by our infrastructure provider.
Row-level security in the database. Data is scoped to the account it belongs to, and access is gated by the role assigned to each user inside that account.
Optional multi-factor authentication for Customer team members.
Optional per-document passwords for sensitive documents the Customer uploads.
Bot and captcha checks on sign-in, sign-up, and the contact form.
Immutable storage for generated invoice PDFs and similar business records once they are issued.
Telemetry scrubbing rules designed to keep payload contents out of our error-monitoring system, with named-field redaction.
Least-privilege role assignments for staff accessing production systems.

No system is perfectly secure. If we determine that personal data on the Service has been accessed by an unauthorized party in a way that creates a meaningful risk to data subjects, we will notify affected Customers without undue delay, and in any event within 72 hours of our confirmation of the breach, with the information we have at that time. Updates follow as we learn more.

If you believe you have found a security vulnerability in NowRep, please report it to security@nowrep.io. We do not publish a security.txt file; the email above is the canonical disclosure channel.

10. Talent data, minors, and rights routing

This section is for Talent, and for parents or guardians of Talent, whose data appears in NowRep because an agency you work with uses the Service. We are processing that data on the agency’s behalf. The agency is the controller, which means most of the choices about your data (what to upload, what to share, what to delete) are the agency’s to make and yours to discuss with them.

You can always email us at privacy@nowrep.io. If we receive a request that we can act on directly, we will. If your request is for the agency to act on (for example, removing your profile, correcting biographical detail, or withdrawing photos from publication), we will route the request to your agency, acknowledge receipt to you, and keep a record of the handling.

Minors

The talent industry routinely manages children and teenagers. NowRep is a business-to-business platform; we do not market the Service to children, and we are not designed for direct use by children. The agency that represents a child Talent is the controller of that child’s data and is responsible for parental or guardian consent in their jurisdiction, including under COPPA (US), GDPR Article 8 (EU), and equivalent rules elsewhere.

NowRep provides fields where the agency can record:

a Talent’s date of birth (from which the agency or NowRep can identify minor status),
a guardian or parent of record, including their relationship, contact email, contact phone, and reference to any signed consent the agency holds on file.

We do not require agencies to populate these fields, but we strongly recommend they do for Talent under the age of majority in their jurisdiction.

When our Talent Portal launches, agencies will choose per-Talent whether to enable a direct portal account. For minors, the agency must make that decision in accordance with applicable consent laws. We will update this policy before the Talent Portal becomes generally available so it accurately describes how we handle direct accounts for minors.

Sensitive identity documents

If an agency has uploaded your passport, visa, or other identity documents, those files are stored in our encrypted file storage with access scoped to the agency that holds your representation. The agency may also protect a document with a per-document password. We do not run identity verification on these documents and we do not share them with verification vendors. We strongly discourage agencies from uploading high-risk government identifiers such as US Social Security numbers or full payment-card numbers; NowRep is not designed for those identifiers.

Image rights

This policy is not the agreement that licenses your name, image, or likeness. That is a separate model release between you and your agency. What this policy covers is how we handle the photos and videos the agency uploads on your behalf:

We store the media in the agency’s account, scoped to the agency’s team.
We make it available to the agency in their workspace and to the people the agency chooses to share it with, for example clients who receive a shareable package link.
We make a curated subset of the media available to the agency’s portfolio website through the Site API, but only the items the agency chooses to syndicate. The agency operates the portfolio website; NowRep is the data source, not the publisher.
We include media in generated artifacts (ShowCards, MediaKits, branded invoice PDFs) when the agency creates one.
We do not license your media for our own marketing. We do not sell it. We do not use it to train AI models.

Digital replicas. NowRep does not, today, offer features that create, alter, or manipulate digital replicas of Talent. By “digital replica” we mean AI-generated or AI-altered likenesses derived from Talent images. If we introduce generative-image or digital-replica tooling in the future for our agency Customers, that tooling will be designed to require the consent that applies under the law governing the Talent’s work. For New York–based Talent, that includes the separate written consent required by the Fashion Workers Act with scope, purpose, rate of pay, and duration spelled out. Capturing and holding that consent is the agency’s and any client’s responsibility, not NowRep’s. We will update this policy before any such feature becomes generally available so this section reflects how it actually works.

Nude or sexually explicit imagery. NowRep is a business-to-business platform, not a publication service or a social network. We do not pre-screen, moderate, filter, or curate the imagery that an agency chooses to upload, store, or share on its Talent’s behalf. Some agencies legitimately represent Talent who have agreed in writing to artistic or commercial nudity, and the platform may be used to store and organize such imagery as part of the agency’s representation work.

Where nude or sexually explicit imagery is uploaded, shared, or republished through NowRep, responsibility for collecting the required consents (and for the decision to publish) sits with the agency and any client involved, not with NowRep. That includes the written-consent requirements under the New York Fashion Workers Act and equivalent rules elsewhere. NowRep is not the publisher of imagery uploaded by Customers and does not assume responsibility for verifying that any individual image was uploaded or shared with the consent required by law; that obligation rests with the Customer that controls the data.

If you believe imagery has been uploaded, shared, or used against your profile without your consent (whether nude, sexually explicit, AI-generated, or otherwise), contact privacy@nowrep.io. We will route the request to your agency and, where appropriate as a processor, suspend access to the relevant material while the agency resolves the consent question.

No retaliation

If you contact us at privacy@nowrep.io to exercise a right or ask a question about how your data is handled, we route the request to your agency to fulfill it, not to escalate it. We treat your request as a fulfillment task, not a complaint about the agency. New York’s Fashion Workers Act and equivalent laws elsewhere prohibit retaliation against Talent for exercising legal rights. If you believe you have been retaliated against, the regulators listed in §19 (including the New York State Department of Labor and the New York State Attorney General) can receive complaints directly.

When representation ends

When an agency ends representation of a Talent, we offer the agency a cleanup process that removes the Talent’s profile data, media, notes, and related records after a grace period. Business records (sent invoices, statements, and similar immutable artifacts that include your name) are kept by the agency for tax and audit purposes and are not removed by the cleanup process. If you have questions about a specific business record that mentions you, ask your former agency, or email us and we will route the question.

Rights summary

Depending on where you live, you have rights to access, correct, delete, restrict, port, or object to processing of your personal data, and to withdraw consent where we relied on it. To exercise rights:

If you are a NowRep Customer team member (an agency user), email privacy@nowrep.io from the email address on your account.
If you are Talent represented by an agency that uses NowRep, email privacy@nowrep.io and include (a) the name of the agency that represents or represented you and (b) something that supports that representation (for example, a recent agency email about you, a copy of a representation contract, or a recent booking record). We will acknowledge your email, forward your request to your agency, and CC you on the forward so you can see the handoff. You may also contact your agency directly: the agency is the controller of your profile data.

We do not charge for rights requests, except as the law allows for manifestly unfounded or repetitive requests. We may need to verify your identity before acting on a request.

11. Public-facing surfaces

A few parts of the Service make data visible outside the agency’s workspace. We want to be specific about each.

Portfolio sites. Some agencies operate a portfolio website that connects to NowRep through the Site API to consume Customer-curated data. The agency designs, builds, deploys, hosts, and operates the portfolio website under its own domain; NowRep provides the data source through the Site API and, optionally, a reference template the agency can choose to start from. The Site API is not publicly browsable; it is token-authenticated and meant for the agency’s own portfolio website to consume. NowRep does not operate the portfolio website. The portfolio website is governed by the agency’s own privacy notice.

Shareable package links. When an agency assembles a Talent package for a client, the agency can generate a shareable link. Anyone holding that link can view the package contents (Talent names, portfolio media, and the fields the agency included) and can submit feedback. The agency controls who receives the link.

Generated artifacts (ShowCards, MediaKits, invoice PDFs). Once an agency generates one of these and sends it to a recipient, the artifact is treated as immutable and is retained per §8. The agency controls who receives the artifact.

12. Your rights by jurisdiction

The rights below are summaries. The exact rights depend on where you live and the law that applies to your data. To exercise any of these rights, email privacy@nowrep.io.

European Economic Area, United Kingdom, and Switzerland

Under the GDPR, the UK GDPR, and the revised Swiss FADP, you have the right to:

access the personal data we hold about you,
have inaccurate data corrected,
request erasure of your data (“right to be forgotten”) where the law allows,
restrict or object to certain processing,
receive your data in a portable form,
withdraw consent where we relied on it,
lodge a complaint with your member-state supervisory authority. In the UK, that is the Information Commissioner’s Office (ICO).

NowRep does not currently have an establishment in the European Union and has not appointed an Article 27 representative. Our processing of EU-resident data is, at this stage, incidental rather than large-scale or focused on special categories, which we read as falling within the Article 27(2) exception. We will reassess and appoint a representative if our EU-resident customer base or processing profile changes materially. EU and EEA data subjects may contact us about data protection at privacy@nowrep.io in the meantime.

California, United States

Under the California Consumer Privacy Act, as amended by the CPRA, California residents have the right to:

know what personal information we collect, use, share, and retain (described in §3, §5, §6, and §8);
delete personal information, subject to exceptions;
correct inaccurate personal information;
opt out of selling and sharing. We do not sell personal information and we do not share it for cross-context behavioral advertising, so there is nothing to opt out of today;
limit the use of sensitive personal information (we explain the categories below);
non-discrimination for exercising rights;
designate an authorized agent to make a request on your behalf.

Categories of personal information collected (CCPA categories). The table below maps the personal information described in §3 to the statutory categories enumerated in California Civil Code § 1798.140(v). We do not sell or share any of these categories for cross-context behavioral advertising. Retention for each row is described in §8 and follows the row’s matching category there.

CCPA category	Do we collect it?	What it looks like in NowRep	Source
A. Identifiers (name, alias, postal address, online identifier, IP, email, account name, etc.)	Yes	Customer team-member names and emails; account IDs; IP addresses for sign-in and bot-protection checks; Talent legal and preferred names; Talent contact email and phone; client and contact identifiers in the directory.	§3a, §3b, §3c
B. § 1798.80(e) categories (name, signature, address, telephone, education, employment, financial information, medical / health information, etc.)	Yes (partial)	Names, telephone numbers, addresses; physical descriptions and measurements; representation status (employment-adjacent); billing-customer identifiers (financial). We do not collect medical or health records.	§3a, §3b
C. Protected classifications under California or federal law (age, race, color, ancestry, national origin, citizenship, religion, marital status, medical condition, sex, gender, gender identity, veteran/military status, etc.)	Yes (limited)	Date of birth (from which age and minor status can be inferred), gender, pronouns, nationality. We do not solicit race, religion, marital status, or medical condition. Customers may, on their own initiative, enter such information into free-text fields; we treat any such entries as covered here.	§3b
D. Commercial information (records of products or services purchased, obtained, or considered, etc.)	Yes	Subscription tier and seat history; invoices the Customer issues to its own clients (stored on the Customer’s behalf).	§3a, §3b
E. Biometric information	No	We do not collect biometric identifiers (fingerprints, faceprints, iris scans, voiceprints). Headshots and portfolio photos are stored for display, not for biometric identification.	n/a
F. Internet or other electronic network activity (browsing history, search history, interactions with a website or application)	Yes (limited)	Sign-in activity and IPs (authentication provider); error and performance telemetry captured by Sentry (URLs, browser, device); bug-report context.	§3a, §3c
G. Geolocation data	Yes (coarse only)	We do not collect precise geolocation. We do see IP-level (city/region-level) location through sign-in logs and bot-protection checks.	§3a
H. Sensory data (audio, electronic, visual, thermal, olfactory)	Yes (visual)	Talent profile photos, polaroids, portfolio images, and uploaded videos.	§3b
I. Professional or employment-related information	Yes	Representation relationship, manager assignments, work preferences, availability, contract dates, role permissions inside the Customer’s account.	§3a, §3b
J. Education information (FERPA non-public information)	No	We do not collect education records. A Customer may type education detail into a free-text bio or notes field; if so, we treat it under this row.	n/a
K. Inferences drawn from any of the above	No	We do not derive profiles, scores, or characteristic inferences from the information we hold.	n/a

Sensitive personal information (SPI) under § 1798.140(ae). The following SPI is or may be present in the Service:

SPI category	Where it appears	How we use it
Government-issued identifiers: passport, driver’s license, state ID	`talent_attributes.documents` when an agency Customer chooses to upload them	Stored on the Customer’s behalf for the Customer’s representation purposes only. Encrypted at rest, RLS-scoped, optional per-document password. We do not use SPI to infer characteristics about you.
Account log-in credentials	Hashed passwords, MFA factors	Authentication only.
Mail, email, or text-message content (where NowRep is not the intended recipient)	Free-text notes, bug-report descriptions, email content forwarded via integrations	Stored on the Customer’s behalf for their business purposes.
Racial or ethnic origin, religious beliefs, union membership	Not solicited. A Customer may enter such information into a free-text field on its own initiative.	If entered, treated as SPI for the purposes of this row. We do not use it for inference.
Precise geolocation	Not collected.	n/a
Genetic data, biometric identifiers used for unique identification, health, sex life, sexual orientation	Not collected.	n/a

California residents may limit the use of their SPI to what is necessary to provide the Service. We already limit our use of SPI in this way as a matter of policy. To exercise the right formally, email privacy@nowrep.io and we will record and honor the request.

Other US state laws

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and other states with comprehensive consumer-privacy laws have similar rights: access, correction, deletion, portability, and opt-out for targeted advertising, sale, and significant profiling. We do not engage in targeted advertising, do not sell personal information, and do not run profiling that produces legal or similarly significant effects.

Canada

We comply with the federal Personal Information Protection and Electronic Documents Act (PIPEDA). You have the right to access and correct your data, and you may complain to the Office of the Privacy Commissioner of Canada. Residents of Quebec, British Columbia, and Alberta have additional rights under their provincial laws.

Australia

We handle personal information in line with the Australian Privacy Principles under the Privacy Act 1988. You may complain to the Office of the Australian Information Commissioner (OAIC).

Other regions

If you are reading this from somewhere not listed and you believe local privacy law applies, please contact us. We will work in good faith to honor recognized rights.

13. Cookies and tracking

We use a small number of cookies and similar technologies to keep you signed in, remember your workspace, and protect against bots. We do not currently use third-party analytics or advertising cookies.

If we add third-party analytics in the future, we will:

update this section,
update our standalone Cookie Policy at nowrep.io/cookie-policy,
where required by law (for example, for visitors in the EEA and UK), present a consent banner before any non-essential cookie is set.

You can manage cookies through your browser settings at any time. Blocking essential cookies may prevent you from signing in or using parts of the Service.

14. Children’s data

The NowRep web application is intended for use by businesses and their authorized staff. We do not direct the Service to children, and we do not knowingly collect personal information from children to whom we provide the Service directly.

Talent data about minors is uploaded into the Service by our Customers (talent agencies). The Customer is the controller of that data and is responsible for parental or guardian consent. See §10 for how this works and what we ask agencies to do.

If you believe a child has provided us with personal information directly (for example, by creating a Customer account themselves), please contact privacy@nowrep.io and we will delete the account.

15. Automated decision-making and artificial intelligence

We do not currently use personal data to make automated decisions about you that produce legal effects or similarly significant effects. We do not use Customer data (including Talent media) to train AI models, either our own or any third party’s.

If we add automated decision-making or AI features that materially change this section, we will update it before those features go live.

16. Data breach notification

If we determine that a security incident has resulted in unauthorized access to personal data in the Service in a way that creates a meaningful risk to data subjects, we will notify affected Customers without undue delay and, in any event, within 72 hours of our confirmation of the incident. Notifications will include the information we have at the time and will be updated as we learn more.

Where we act as a controller (for example, breach of NowRep account data), we will also notify regulators and affected individuals as required by applicable law.

17. Changes to this policy

We may update this policy from time to time. When we do, we will change the “Last updated” date at the top of the policy and show an in-app banner or notice the next time you sign in, summarizing what changed so you can review it. For changes that materially affect your rights or how we handle your personal data, we will give Customers reasonable advance notice (typically by email or a prominent in-app banner) before the change takes effect. The current version always lives at nowrep.io/privacy-policy. Past versions are available on request.

18. Contact us

For privacy questions, requests, or concerns, contact us at:

Email: privacy@nowrep.io
Security: security@nowrep.io

NowRep does not publish a postal mailing address. If postal correspondence is required to satisfy a formal legal request, contact us at the email above and we will provide a current address.

Our internal team reviews and responds to privacy and data-protection inquiries sent to the email addresses above. We aim to acknowledge requests within a few business days and to resolve them within the timeframes required by applicable law.

Supervisory authorities

If you are in the European Economic Area, the United Kingdom, or Switzerland and you believe we have handled your personal data improperly, you have the right to lodge a complaint with your local supervisory authority. We encourage you to contact us first so we can try to resolve the issue.

19. Regulatory references

We have integrated the substantive disclosures required by the privacy laws we serve directly into §3 (what we collect), §5 (how we use it), §6 (sharing and subprocessors), §8 (retention), and §12 (rights by jurisdiction), including the CCPA / CPRA “Notice at Collection” categories and SPI disclosures. Rather than restating the same content in separate per-jurisdiction addenda, this section links to the official statutes and regulators so you can read the underlying rules in full:

California: CCPA / CPRA, California Consumer Privacy Act; enforcement: California Privacy Protection Agency.
Virginia: VCDPA, Virginia Consumer Data Protection Act; enforcement: Office of the Attorney General.
Colorado: CPA, Colorado Privacy Act; enforcement: Colorado Attorney General.
Connecticut: CTDPA, Connecticut Data Privacy Act; enforcement: Connecticut Attorney General.
Utah: UCPA, Utah Consumer Privacy Act; enforcement: Utah Attorney General.
Texas: TDPSA, Texas Data Privacy and Security Act; enforcement: Texas Attorney General.
Oregon: OCPA, Oregon Consumer Privacy Act; enforcement: Oregon Department of Justice.
United Kingdom: UK GDPR and Data Protection Act 2018; regulator: Information Commissioner’s Office (ICO).
European Union / EEA: GDPR (Regulation (EU) 2016/679); regulator: your member-state supervisory authority. The directory is at edpb.europa.eu.
Switzerland: Revised Federal Act on Data Protection (revFADP); regulator: Federal Data Protection and Information Commissioner (FDPIC).
Canada: PIPEDA; regulator: Office of the Privacy Commissioner of Canada. Quebec: Law 25 (Commission d’accès à l’information).
Australia: Privacy Act 1988 and Australian Privacy Principles; regulator: Office of the Australian Information Commissioner (OAIC).
New York:
- NY SHIELD Act and General Business Law § 899-aa: reasonable security safeguards for New York residents’ private information and breach-notification obligations when such information is exposed. Regulator: New York State Attorney General.
- New York Fashion Workers Act (S.9832-A / A.5631-E): a labor-law statute (not a privacy statute) whose provisions intersect with how Talent image data may be used and how related consents must be captured, including digital replicas, nude or sexually explicit imagery, deal memos, and anti-retaliation. NowRep’s processing posture is described in §10. Regulators and complaint routes: New York State Department of Labor, NY State Division of Human Rights, and NYC Commission on Human Rights for related harassment or discrimination matters.

If you are reading from a jurisdiction not listed here and you believe local law applies to our processing of your data, please email privacy@nowrep.io.

20. Definitions

“DPA” is the Data Processing Addendum: the contract we sign with Customers on Pro and Enterprise plans that covers our processing of personal data on their behalf.
“Site API” is the token-authenticated API we expose so that a Customer’s portfolio site can read the data the Customer has chosen to publish.
“Talent Portal” is a future feature that will let Talent log in directly. Not yet generally available.
“WORM artifact” is a generated business document (invoice PDF, statement) that, once sent, is stored immutably and retained for tax and audit purposes.

1. Introduction and scope

In this policy:

“Customer” means a business that signs up for NowRep (typically a talent agency or representation business) and the people on that Customer’s team who use the Service on its behalf.
“Talent” means an individual whose profile, media, or related data a Customer manages inside the Service.
“Visitor” means anyone who browses our marketing website at nowrep.io.
“You” depends on context. Where it matters, we say which group we are talking about.

This policy covers:

our marketing website at nowrep.io,
the NowRep web application,
our internal APIs that power the application,
the Site API that syndicates Customer-curated data to portfolio websites our Customers operate under their own domains.

This policy does not cover:

Portfolio websites that our Customers operate under their own domains. The Customer designs, builds, deploys, hosts, and operates its portfolio website; NowRep’s role is to provide the data source through the Site API and (optionally) a reference template the Customer can choose to use. Where NowRep separately contracts with a Customer to build or help connect a portfolio website, the Customer still operates the resulting website and is the controller of the data published on it. Visitor-facing data the portfolio website collects is governed by the Customer’s own privacy notice, not this one.
Third-party services we link to or integrate with, except where we describe how we share data with them in §6.

2. Our role: controller and processor

We act in two different roles depending on whose data we are handling.

A signed DPA is available on request for Customers on our Pro and Enterprise plans. Contact privacy@nowrep.io to request one.

3. What we collect

3a. Account and billing data (controller scope)

When you sign up and use NowRep as a Customer, we collect:

Identity and contact: your name, email address, and any profile details you choose to add.
Authentication: a hashed password and, if you enable it, multi-factor authentication factors. We never see your password in cleartext.
Account and workspace metadata: the agency name, branding, locale, team membership, and the role assigned to each team member.
Billing: subscription tier, seat count, and a customer/subscription identifier issued by our payment processor. Card data is held by our payment processor, not by us.
Login activity: sign-in times and the IP address of sign-in events, kept by our authentication provider for security and audit purposes.
Verification and password-reset tokens: short-lived tokens we generate to verify email addresses or reset passwords.
Bot-protection signals: when you sign in, sign up, or fill out our contact form, our captcha provider (see §6) checks that you are not a bot. The check sees your IP address, browser, and a challenge response.

3b. Talent and business data uploaded by Customers (processor scope)

Customers upload a wide range of data into NowRep to run their business. This typically includes:

Talent profile data: legal and preferred name, date of birth, place of birth, gender, pronouns, nationality, primary email and phone, website, biography, and free-text notes.
Talent profile images and portfolio media: profile photos, polaroid sets, headshots, portfolio images, and video uploads.
Measurements: height, weight, bust, waist, hips, shoe size, eye color, hair color, and similar physical attributes used in casting work.
Work preferences and skills: languages, special skills, work preferences, willingness to travel, and similar fields.
Contacts, social handles, and addresses: stored in the Talent’s profile or in the Customer’s directory.
Identity documents: passport, visa, or other legal documents that the Customer chooses to store against a Talent’s record. Customers may optionally protect sensitive documents with a per-document password.
Representation and management data: which staff member manages which Talent, contract start/end dates, archive status, and similar.
Availability calendars: dates a Talent is or is not available to work.
Notes: general, important, booking, billing, and other free-text notes the Customer writes about Talent, clients, or contacts.
Directory: the Customer’s clients, partner agencies, and other contacts, including company names, contact names, emails, phones, titles, addresses, and notes.
Bookings and events: events, locations, dates, client contacts, status, billable flags, and which Talent is booked on which event.
Packages: curated Talent packages the Customer assembles to send to clients, including the shareable-link route described in §11.
Invoices and payments: invoices and line items the Customer issues to its clients, including a snapshot of the client’s name, address, and tax identifier captured at the time the invoice was issued, plus exchange-rate data and payment records.
Generated artifacts: the PDFs and other documents NowRep generates on the Customer’s behalf, including ShowCards, MediaKits, branded invoice PDFs, and similar. Once generated and sent, invoice artifacts are immutable.

We do not control which fields a Customer chooses to fill in. We provide the fields; the Customer decides what to upload.

3c. Security, telemetry, and bug reports

To keep the Service secure and working, we collect:

Error and performance telemetry captured by our error-monitoring provider (see §6). This includes stack traces, the URL of the page where an error occurred, the browser and device involved, and an identifier for the user whose session experienced the error.
Bug reports that Customers submit through the in-app bug-report tool. A bug report includes the description the Customer wrote, contextual information (the page, the browser), and an optional screenshot the Customer chose to attach.
Activity log of actions taken inside the Customer’s account: who did what, when. This is a business audit feature for the Customer, and it is also part of how we investigate security incidents.

3d. Marketing and communications

If you contact us through our marketing website, we collect the contents of your message and your reply-to address so we can respond.

4. Where the data comes from

Most personal data in NowRep comes from one of three places:

Directly from you, when you sign up, fill out your profile, complete billing setup, or contact us.
From our Customers, when an agency uploads data about its Talent, clients, contacts, bookings, and business records.
From third-party services we integrate with on the Customer’s behalf. For example, video metadata returned by Vimeo or YouTube when a Customer embeds a video, or exchange-rate data from a public exchange-rate API (no personal data is sent to that API).

5. How we use the data

We use personal data for the following purposes. Where this policy is read under the GDPR or UK GDPR, the lawful basis is shown in brackets.

To provide the Service: running the application, storing data, generating PDFs, sending notifications, and syncing portfolio sites. [Performance of a contract.]
To authenticate and secure accounts: sign-in, MFA, password reset, bot protection, intrusion detection, and fraud prevention. [Performance of a contract; legitimate interests.]
To bill Customers: process subscription payments, issue invoices, and manage seats and tiers. [Performance of a contract; legal obligation for tax and accounting records.]
To support Customers: respond to bug reports, support requests, and direct inquiries. [Legitimate interests; performance of a contract.]
To monitor reliability and quality: error monitoring, performance tracing, and uptime checks. [Legitimate interests.]
To improve the Service: analyze aggregated usage patterns to find issues and prioritize improvements. We do not currently run third-party product analytics; if we do, we will say so here and update our cookie disclosures. [Legitimate interests; consent where applicable.]
To communicate with you: operational notifications about your account, security alerts, and policy updates. [Performance of a contract; legitimate interests.]
To comply with legal obligations: tax recordkeeping, response to lawful process, and similar. [Legal obligation.]

For Talent and business data we hold as a processor (§3b), we use it only to provide the Service to our Customer, under the Customer’s instructions and our DPA.

6. Sharing and subprocessors

We share personal information only with:

Service providers we use to run NowRep (“subprocessors”). These vendors process data on our behalf under written contracts. The current subprocessor list is below; the maintained version is published at nowrep.io/subprocessors.
Authorities and legal counsel when we are required to by law or when we need to defend our legal rights.
Successors in the event of a merger, acquisition, or other corporate transaction. We will give you advance notice if your data will be transferred to a different controller.

Current subprocessors

Vendor	Purpose	Data categories	Hosting region
Supabase	Database, authentication, file storage, realtime, edge functions.	All categories described in §3.	United States
Stripe	Subscription payments, billing.	Customer name and email, billing address, card data (held by Stripe).	US and EU/UK regional
Resend	Transactional email (welcome, password reset, invitations, invoice sends).	Recipient email and message body.	US
Sentry	Error monitoring and performance tracing.	Stack traces, request URLs, user identifiers, browser and device metadata.	US
Cloudflare (Turnstile)	Bot and captcha checks on sign-in, sign-up, and the contact form.	IP address, user agent, challenge response.	Global edge
Fly.io	Application hosting.	All data in transit and at rest while the application is running.	United States
YouTube and Vimeo (oEmbed)	Embedding Customer-selected videos.	Embed metadata server-side. Viewer IP and cookies on playback through the embed.	Global
Frankfurter API	Daily exchange-rate refresh for multi-currency invoicing.	Currency codes only. No personal data.	Public open API

If a subprocessor changes or a new one is added, we update the subprocessors page and, where required, notify Customers in advance under our DPA.

7. International transfers

NowRep is operated from the United States. Some of our subprocessors host data in the United States and elsewhere, as shown in the table above.

NowRep itself is not certified under the EU-US Data Privacy Framework at this time. If that changes, we will update this section.

If you would like a copy of the safeguards we use for transfers from your region, please contact privacy@nowrep.io.

8. How long we keep data

Category	Retention
Active account and Customer data	For the life of the subscription, plus 90 days after termination. After 90 days we delete the account and the data associated with it.
Talent records when an agency ends representation	Until the Customer initiates the talent profile cleanup process (see §10). The cleanup process includes a grace period followed by hard deletion of profile data, media, and notes. Sealed business records (including sent invoices, statements, and generated artifacts) are retained separately; see the next row.
Invoices, sent statements, and other immutable business records (“WORM” artifacts)	For the period required for tax, accounting, and audit purposes. Typically seven years or longer depending on jurisdiction. These records belong to the Customer (the agency) and are kept regardless of whether a Talent’s profile is later removed.
Sign-in and authentication logs	Approximately 12 months (the default of our authentication provider).
Error and performance telemetry (Sentry)	90 days (Sentry’s default rolling retention).
Activity log	Retained with the account for business audit purposes. Older entries may be moved to an archive store but are not aged out while the account is active.
Bug reports and bug-report screenshots	Retained with the account indefinitely. Customers may request deletion of specific bug reports at privacy@nowrep.io.
Marketing contact-form messages	Until we have responded and a reasonable period thereafter for follow-up, then deleted.
Backups	Backups are retained on a rolling schedule and overwritten in the normal course. Data you delete may persist in backups for a short period before it is overwritten.

9. Security

We take security seriously. The Service uses:

Encryption in transit for all connections to NowRep, using current TLS.
Encryption at rest for the database and file storage maintained by our infrastructure provider.
Row-level security in the database. Data is scoped to the account it belongs to, and access is gated by the role assigned to each user inside that account.
Optional multi-factor authentication for Customer team members.
Optional per-document passwords for sensitive documents the Customer uploads.
Bot and captcha checks on sign-in, sign-up, and the contact form.
Immutable storage for generated invoice PDFs and similar business records once they are issued.
Telemetry scrubbing rules designed to keep payload contents out of our error-monitoring system, with named-field redaction.
Least-privilege role assignments for staff accessing production systems.

If you believe you have found a security vulnerability in NowRep, please report it to security@nowrep.io. We do not publish a security.txt file; the email above is the canonical disclosure channel.

10. Talent data, minors, and rights routing

Minors

NowRep provides fields where the agency can record:

a Talent’s date of birth (from which the agency or NowRep can identify minor status),
a guardian or parent of record, including their relationship, contact email, contact phone, and reference to any signed consent the agency holds on file.

We do not require agencies to populate these fields, but we strongly recommend they do for Talent under the age of majority in their jurisdiction.

Sensitive identity documents

Image rights

We store the media in the agency’s account, scoped to the agency’s team.
We make it available to the agency in their workspace and to the people the agency chooses to share it with, for example clients who receive a shareable package link.
We make a curated subset of the media available to the agency’s portfolio website through the Site API, but only the items the agency chooses to syndicate. The agency operates the portfolio website; NowRep is the data source, not the publisher.
We include media in generated artifacts (ShowCards, MediaKits, branded invoice PDFs) when the agency creates one.
We do not license your media for our own marketing. We do not sell it. We do not use it to train AI models.

No retaliation

When representation ends

Rights summary

If you are a NowRep Customer team member (an agency user), email privacy@nowrep.io from the email address on your account.
If you are Talent represented by an agency that uses NowRep, email privacy@nowrep.io and include (a) the name of the agency that represents or represented you and (b) something that supports that representation (for example, a recent agency email about you, a copy of a representation contract, or a recent booking record). We will acknowledge your email, forward your request to your agency, and CC you on the forward so you can see the handoff. You may also contact your agency directly: the agency is the controller of your profile data.

We do not charge for rights requests, except as the law allows for manifestly unfounded or repetitive requests. We may need to verify your identity before acting on a request.

11. Public-facing surfaces

A few parts of the Service make data visible outside the agency’s workspace. We want to be specific about each.

12. Your rights by jurisdiction

The rights below are summaries. The exact rights depend on where you live and the law that applies to your data. To exercise any of these rights, email privacy@nowrep.io.

European Economic Area, United Kingdom, and Switzerland

Under the GDPR, the UK GDPR, and the revised Swiss FADP, you have the right to:

access the personal data we hold about you,
have inaccurate data corrected,
request erasure of your data (“right to be forgotten”) where the law allows,
restrict or object to certain processing,
receive your data in a portable form,
withdraw consent where we relied on it,
lodge a complaint with your member-state supervisory authority. In the UK, that is the Information Commissioner’s Office (ICO).

California, United States

Under the California Consumer Privacy Act, as amended by the CPRA, California residents have the right to:

know what personal information we collect, use, share, and retain (described in §3, §5, §6, and §8);
delete personal information, subject to exceptions;
correct inaccurate personal information;
opt out of selling and sharing. We do not sell personal information and we do not share it for cross-context behavioral advertising, so there is nothing to opt out of today;
limit the use of sensitive personal information (we explain the categories below);
non-discrimination for exercising rights;
designate an authorized agent to make a request on your behalf.

CCPA category	Do we collect it?	What it looks like in NowRep	Source
A. Identifiers (name, alias, postal address, online identifier, IP, email, account name, etc.)	Yes	Customer team-member names and emails; account IDs; IP addresses for sign-in and bot-protection checks; Talent legal and preferred names; Talent contact email and phone; client and contact identifiers in the directory.	§3a, §3b, §3c
B. § 1798.80(e) categories (name, signature, address, telephone, education, employment, financial information, medical / health information, etc.)	Yes (partial)	Names, telephone numbers, addresses; physical descriptions and measurements; representation status (employment-adjacent); billing-customer identifiers (financial). We do not collect medical or health records.	§3a, §3b
C. Protected classifications under California or federal law (age, race, color, ancestry, national origin, citizenship, religion, marital status, medical condition, sex, gender, gender identity, veteran/military status, etc.)	Yes (limited)	Date of birth (from which age and minor status can be inferred), gender, pronouns, nationality. We do not solicit race, religion, marital status, or medical condition. Customers may, on their own initiative, enter such information into free-text fields; we treat any such entries as covered here.	§3b
D. Commercial information (records of products or services purchased, obtained, or considered, etc.)	Yes	Subscription tier and seat history; invoices the Customer issues to its own clients (stored on the Customer’s behalf).	§3a, §3b
E. Biometric information	No	We do not collect biometric identifiers (fingerprints, faceprints, iris scans, voiceprints). Headshots and portfolio photos are stored for display, not for biometric identification.	n/a
F. Internet or other electronic network activity (browsing history, search history, interactions with a website or application)	Yes (limited)	Sign-in activity and IPs (authentication provider); error and performance telemetry captured by Sentry (URLs, browser, device); bug-report context.	§3a, §3c
G. Geolocation data	Yes (coarse only)	We do not collect precise geolocation. We do see IP-level (city/region-level) location through sign-in logs and bot-protection checks.	§3a
H. Sensory data (audio, electronic, visual, thermal, olfactory)	Yes (visual)	Talent profile photos, polaroids, portfolio images, and uploaded videos.	§3b
I. Professional or employment-related information	Yes	Representation relationship, manager assignments, work preferences, availability, contract dates, role permissions inside the Customer’s account.	§3a, §3b
J. Education information (FERPA non-public information)	No	We do not collect education records. A Customer may type education detail into a free-text bio or notes field; if so, we treat it under this row.	n/a
K. Inferences drawn from any of the above	No	We do not derive profiles, scores, or characteristic inferences from the information we hold.	n/a

Sensitive personal information (SPI) under § 1798.140(ae). The following SPI is or may be present in the Service:

SPI category	Where it appears	How we use it
Government-issued identifiers: passport, driver’s license, state ID	`talent_attributes.documents` when an agency Customer chooses to upload them	Stored on the Customer’s behalf for the Customer’s representation purposes only. Encrypted at rest, RLS-scoped, optional per-document password. We do not use SPI to infer characteristics about you.
Account log-in credentials	Hashed passwords, MFA factors	Authentication only.
Mail, email, or text-message content (where NowRep is not the intended recipient)	Free-text notes, bug-report descriptions, email content forwarded via integrations	Stored on the Customer’s behalf for their business purposes.
Racial or ethnic origin, religious beliefs, union membership	Not solicited. A Customer may enter such information into a free-text field on its own initiative.	If entered, treated as SPI for the purposes of this row. We do not use it for inference.
Precise geolocation	Not collected.	n/a
Genetic data, biometric identifiers used for unique identification, health, sex life, sexual orientation	Not collected.	n/a

Other US state laws

Canada

Australia

We handle personal information in line with the Australian Privacy Principles under the Privacy Act 1988. You may complain to the Office of the Australian Information Commissioner (OAIC).

Other regions

If you are reading this from somewhere not listed and you believe local privacy law applies, please contact us. We will work in good faith to honor recognized rights.

13. Cookies and tracking

If we add third-party analytics in the future, we will:

update this section,
update our standalone Cookie Policy at nowrep.io/cookie-policy,
where required by law (for example, for visitors in the EEA and UK), present a consent banner before any non-essential cookie is set.

You can manage cookies through your browser settings at any time. Blocking essential cookies may prevent you from signing in or using parts of the Service.

14. Children’s data

If you believe a child has provided us with personal information directly (for example, by creating a Customer account themselves), please contact privacy@nowrep.io and we will delete the account.

15. Automated decision-making and artificial intelligence

If we add automated decision-making or AI features that materially change this section, we will update it before those features go live.

16. Data breach notification

Where we act as a controller (for example, breach of NowRep account data), we will also notify regulators and affected individuals as required by applicable law.

17. Changes to this policy

18. Contact us

For privacy questions, requests, or concerns, contact us at:

Email: privacy@nowrep.io
Security: security@nowrep.io

NowRep does not publish a postal mailing address. If postal correspondence is required to satisfy a formal legal request, contact us at the email above and we will provide a current address.

Supervisory authorities

19. Regulatory references

California: CCPA / CPRA, California Consumer Privacy Act; enforcement: California Privacy Protection Agency.
Virginia: VCDPA, Virginia Consumer Data Protection Act; enforcement: Office of the Attorney General.
Colorado: CPA, Colorado Privacy Act; enforcement: Colorado Attorney General.
Connecticut: CTDPA, Connecticut Data Privacy Act; enforcement: Connecticut Attorney General.
Utah: UCPA, Utah Consumer Privacy Act; enforcement: Utah Attorney General.
Texas: TDPSA, Texas Data Privacy and Security Act; enforcement: Texas Attorney General.
Oregon: OCPA, Oregon Consumer Privacy Act; enforcement: Oregon Department of Justice.
United Kingdom: UK GDPR and Data Protection Act 2018; regulator: Information Commissioner’s Office (ICO).
European Union / EEA: GDPR (Regulation (EU) 2016/679); regulator: your member-state supervisory authority. The directory is at edpb.europa.eu.
Switzerland: Revised Federal Act on Data Protection (revFADP); regulator: Federal Data Protection and Information Commissioner (FDPIC).
Canada: PIPEDA; regulator: Office of the Privacy Commissioner of Canada. Quebec: Law 25 (Commission d’accès à l’information).
Australia: Privacy Act 1988 and Australian Privacy Principles; regulator: Office of the Australian Information Commissioner (OAIC).
New York:
- NY SHIELD Act and General Business Law § 899-aa: reasonable security safeguards for New York residents’ private information and breach-notification obligations when such information is exposed. Regulator: New York State Attorney General.
- New York Fashion Workers Act (S.9832-A / A.5631-E): a labor-law statute (not a privacy statute) whose provisions intersect with how Talent image data may be used and how related consents must be captured, including digital replicas, nude or sexually explicit imagery, deal memos, and anti-retaliation. NowRep’s processing posture is described in §10. Regulators and complaint routes: New York State Department of Labor, NY State Division of Human Rights, and NYC Commission on Human Rights for related harassment or discrimination matters.

If you are reading from a jurisdiction not listed here and you believe local law applies to our processing of your data, please email privacy@nowrep.io.

20. Definitions

“DPA” is the Data Processing Addendum: the contract we sign with Customers on Pro and Enterprise plans that covers our processing of personal data on their behalf.
“Site API” is the token-authenticated API we expose so that a Customer’s portfolio site can read the data the Customer has chosen to publish.
“Talent Portal” is a future feature that will let Talent log in directly. Not yet generally available.
“WORM artifact” is a generated business document (invoice PDF, statement) that, once sent, is stored immutably and retained for tax and audit purposes.

Privacy Policy

Our privacy policy and how we use your data

1. Introduction and scope

2. Our role: controller and processor

3. What we collect

3a. Account and billing data (controller scope)

3b. Talent and business data uploaded by Customers (processor scope)

3c. Security, telemetry, and bug reports

3d. Marketing and communications

4. Where the data comes from

5. How we use the data

6. Sharing and subprocessors

Current subprocessors

7. International transfers

8. How long we keep data

9. Security

10. Talent data, minors, and rights routing

Minors

Sensitive identity documents

Image rights

No retaliation

When representation ends

Rights summary

11. Public-facing surfaces

12. Your rights by jurisdiction

European Economic Area, United Kingdom, and Switzerland

California, United States

Other US state laws

Canada

Australia

Other regions

13. Cookies and tracking

14. Children’s data

15. Automated decision-making and artificial intelligence

16. Data breach notification

17. Changes to this policy

18. Contact us

Supervisory authorities

19. Regulatory references

20. Definitions

Privacy Policy

Our privacy policy and how we use your data

1. Introduction and scope

2. Our role: controller and processor

3. What we collect

3a. Account and billing data (controller scope)

3b. Talent and business data uploaded by Customers (processor scope)

3c. Security, telemetry, and bug reports

3d. Marketing and communications

4. Where the data comes from

5. How we use the data

6. Sharing and subprocessors

Current subprocessors

7. International transfers

8. How long we keep data

9. Security

10. Talent data, minors, and rights routing

Minors

Sensitive identity documents

Image rights

No retaliation

When representation ends

Rights summary

11. Public-facing surfaces

12. Your rights by jurisdiction

European Economic Area, United Kingdom, and Switzerland

California, United States

Other US state laws

Canada

Australia

Other regions

13. Cookies and tracking

14. Children’s data

15. Automated decision-making and artificial intelligence

16. Data breach notification

17. Changes to this policy

18. Contact us

Supervisory authorities

19. Regulatory references

20. Definitions