This Privacy Policy describes how creavio, Inc. ("creavio," "we," "us," "our") collects, uses, shares, and protects information when you use our platform and services.
1. INFORMATION WE COLLECT 1.1. Information You Provide Directly. When you create an account or use the Platform, we collect: your name, email address, password, payment information (processed by Stripe), business name and details, and any other information you choose to provide. 1.2. Information Collected Automatically. When you access the Platform, we automatically collect: IP address, device type and operating system, browser type and version, pages visited and features used, and usage analytics. 1.3. User-Uploaded Content. Creators upload content to the Platform including: photographs, videos, graphics, contracts and documents, and other files related to their creative business. 1.4. Client Data. Creators store information about their clients on the Platform, including: client names, email addresses, phone numbers, mailing addresses, booking details, payment history, and communications.
2. HOW WE USE INFORMATION We use information we collect to: (a) Operate, maintain, and improve the Platform; (b) Process payments and manage subscriptions; (c) Send transactional communications (account confirmations, invoices, booking notifications, contract delivery); (d) Send product updates and marketing communications (with opt-out); (e) Analyze usage patterns to improve features and user experience; (f) Comply with legal obligations and enforce our Terms of Service; (g) Detect, prevent, and address fraud, abuse, and security issues.
3. LAWFUL BASIS FOR PROCESSING (GDPR) For users in the European Economic Area (EEA) and United Kingdom, we process personal data on the following legal bases: (a) Contract Performance. Processing necessary to provide you with the Platform services you signed up for. (b) Legitimate Interests. Processing for analytics, security, fraud prevention, and service improvement, where our interests do not override your rights. (c) Consent. Processing based on your explicit consent, such as marketing communications. You may withdraw consent at any time. (d) Legal Obligation. Processing required to comply with applicable laws, regulations, or legal proceedings.
4. INFORMATION SHARING & SUB-PROCESSORS We do not sell personal information. We share information with the following service providers (sub-processors) as necessary to operate the Platform:
(a) Cloudflare, Inc. (San Francisco, CA) — Infrastructure, hosting, CDN, database (D1), file storage (R2), and DNS;
(b) Stripe, Inc. (San Francisco, CA) — Payment processing and subscription billing (PCI DSS Level 1);
(c) Resend, Inc. — Transactional and marketing email delivery;
(d) Telnyx, Inc. — SMS and MMS message delivery;
(e) Anthropic, PBC (San Francisco, CA) — AI processing for features including copy generation, the SEO optimizer, and AI Insert. Prompts and generated responses are processed under Anthropic's enterprise data terms and are not used to train foundation models;
(f) OpenAI, L.L.C. (San Francisco, CA) — AI processing for select administrative tooling. Processed under OpenAI's API data terms (no training on API data);
(g) DataForSEO — Keyword research and SERP data used by the SEO suite. Only aggregate query strings are shared; no personal data;
(h) Google LLC (Mountain View, CA, USA) — (1) Google Analytics 4 ("GA4"): We use GA4 to collect analytics data about how visitors interact with creav.io and app.creav.io. GA4 receives your IP address, browser/device information, pages visited, and usage events. Under the California Consumer Privacy Act (CCPA/CPRA), this constitutes "sharing" personal information with a third party for cross-context behavioral advertising purposes, which triggers the disclosures in Section 6.3 below. (2) Google Search Console: data import when a Creator opts in by connecting their property. (3) Google OAuth for sign-in;
(i) Meta Platforms / Pinterest / LinkedIn / TikTok / X / Google Ads — Only when a Creator (or an authorized Agency acting on a brand's behalf) connects a social, advertising, or business account through the Platform. Data shared is limited to what is necessary to publish content, manage advertising, or read analytics for that account, including via the platform's business and advertising APIs.
A current, canonical sub-processor list is published at creav.io/legal/subprocessors. We will notify Creators of material sub-processor changes at least 30 days before they take effect.
We may also disclose information when required by law, legal process, or government request, or to protect the rights, safety, or property of creavio, our users, or the public.
5. CREATOR CLIENT DATA 5.1. Creators are the Data Controllers for all client data they collect and store on the Platform (client names, emails, phone numbers, addresses, booking details, contracts, invoices, photos, and other information). 5.2. creavio is the Data Processor, processing client data on behalf of Creators as defined under GDPR Article 28. 5.3. Creators are solely responsible for their own privacy practices with their clients, including obtaining appropriate consent for data collection and use. 5.4. For details on how we process client data on behalf of Creators, see our Data Processing Addendum. 5.5. Agency-Managed Workspaces. Some workspaces on the Platform are operated by an agency on behalf of a brand or business under creavio's Agency tier. Where a workspace is agency-managed, the agency's authorized personnel can access that workspace's data through an audited, revocable session, and the agency (and/or the brand) — not creavio — is the data controller responsible for that data and for the privacy notices and consents owed to the brand's customers and contacts. creavio processes such data only on the agency's instructions. If you are a brand or a brand's customer and have questions about an agency-managed workspace, contact the agency that manages it; you may also reach us at privacy@creav.io.
6. YOUR RIGHTS 6.1. All Users. Regardless of your location, you have the right to: access your personal data, correct inaccurate data, request deletion of your data, request a portable copy of your data (data export), and manage your data through Settings > Data & Privacy in your dashboard. 6.2. EEA and UK Users. In addition, you have the right to: restrict processing of your data, object to processing based on legitimate interests, withdraw consent at any time (without affecting prior processing), and lodge a complaint with your local supervisory authority. 6.3. California Users. Under the California Consumer Privacy Act (CCPA), you have the right to: know what personal information we collect and how it is used, request deletion of your personal information, opt out of the sale of personal information (we do not sell personal information), and not be discriminated against for exercising your privacy rights. 6.4. DO NOT SELL OR SHARE MY PERSONAL INFORMATION (CALIFORNIA). Under the California Consumer Privacy Act (CCPA) as amended by CPRA, "sharing" personal information includes disclosing it to third parties for cross-context behavioral advertising — even without payment. Because creavio uses Google Analytics 4, which receives identifiers (IP address, device ID, cookies) that may be used for advertising purposes, California residents have the right to opt out of this sharing.
To opt out: (a) Use the "Do Not Sell or Share" link in the footer of creav.io, or (b) enable the Global Privacy Control (GPC) signal in your browser — creavio honors GPC signals automatically and will disable GA4 data collection for your session when GPC is detected, or (c) email privacy@creav.io with subject line "Do Not Sell or Share."
creavio does NOT sell personal information for money. creavio does NOT share personal information for targeted advertising beyond GA4 analytics. We do not share data with data brokers.
6.5. GLOBAL PRIVACY CONTROL (GPC). If your browser transmits a Global Privacy Control signal (navigator.globalPrivacyControl = true), creavio will treat it as a valid opt-out of the sharing of your personal information for cross-context behavioral advertising, consistent with California law. When GPC is detected, Google Analytics 4 will be disabled for your session. Essential cookies (authentication, security) are not affected.
6.6. How to Exercise Your Rights. You may exercise your rights by emailing privacy@creav.io or using the Settings > Data & Privacy section in your dashboard.
7. DATA RETENTION (a) Account Data. Retained for the duration of your account plus 30 days after account deletion. (b) Legal Records. DMCA notices, contract signatures, and payment records are retained for 7 years per legal requirements. (c) Email Logs. Retained for 90 days. (d) Analytics Data. Retained for 12 months. (e) Backups. Purged within 30 days of deletion.
8. COOKIES & TRACKING 8.1. Essential. Authentication session token (stored in localStorage) and portal session cookie (HttpOnly). These are required for the Platform to function. 8.2. Analytics. Anonymous usage data to understand how the Platform is used and to improve features. 8.3. Analytics and Advertising Cookies. We use Google Analytics 4 (GA4), which sets analytics cookies (_ga, _gid) that may be used to inform advertising. You may opt out via the consent banner or at creav.io/privacy-choices. 8.4. How to Control Cookies. You can manage cookies through your browser settings. Disabling essential cookies may prevent you from using the Platform.
9. DATA SECURITY We implement appropriate technical and organizational measures to protect your data, including: (a) Encryption in transit (TLS) and at rest; (b) Tenant data isolation (all queries scoped to your account); (c) Regular security monitoring and logging; (d) PBKDF2 password hashing with 100,000 iterations; (e) AES-256-GCM encryption for sensitive data such as contract signatures; (f) Role-based access controls and secure file storage.
10. INTERNATIONAL DATA TRANSFERS Data is processed in the United States and other countries where Cloudflare operates infrastructure. For transfers of personal data from the EEA or United Kingdom, we rely on Standard Contractual Clauses as approved by the European Commission to ensure adequate protection of your data.
11. CHILDREN'S PRIVACY creavio is not directed at children under 16. We do not knowingly collect personal data from children under 16. If we discover that we have collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal data, please contact privacy@creav.io.
12. CHANGES TO THIS POLICY We may update this Privacy Policy from time to time. Material changes will be communicated via email and in-platform notification at least 30 days before the effective date. Continued use of the Platform after the effective date constitutes acceptance of the updated policy.