CREAV SUB-PROCESSOR LIST
Last Updated: May 22, 2026
UPCOMING CHANGES (effective June 21, 2026)
The following sub-processors were added on May 22, 2026. Per our 30-day notice policy, they become effective June 21, 2026. Existing customers may object by emailing privacy@creav.io before that date.
- Coconut Video (USA) — Video processing (see §6)
- Google Maps Platform — Location search (see §5)
This page lists the third-party sub-processors that creavio, Inc. engages to help operate the Platform. We post material changes here at least 30 days before they take effect.
1. INFRASTRUCTURE
- Cloudflare, Inc. (San Francisco, CA, USA) — Hosting, CDN, DNS, WAF, D1 database, R2 object storage, KV, Workers, Pages. Primary data location: United States (global edge).
2. PAYMENTS
- Stripe, Inc. (San Francisco, CA, USA) — Subscription billing, checkout, invoice payments, connected accounts. PCI DSS Level 1 certified. Card data is never stored on creavio systems.
3. MESSAGING
- Resend, Inc. (USA) — Transactional and marketing email delivery, webhook events for deliverability analytics.
- Telnyx, Inc. (Chicago, IL, USA) — SMS and MMS delivery.
4. AI SUB-PROCESSORS
- Anthropic, PBC (San Francisco, CA, USA) — AI-backed features: copy generation, SEO optimizer, AI Insert, canvas AI refine. Processed under Anthropic's enterprise data terms; prompts and responses are not used to train foundation models.
- OpenAI, L.L.C. (San Francisco, CA, USA) — AI processing for select administrative tooling. Processed under OpenAI's API data terms (no training on API data).
5. SEARCH + ANALYTICS
- DataForSEO (USA) — Keyword research, SERP and ranking data for the SEO suite. Only aggregate query strings are shared; no personal data.
- Google LLC (Mountain View, CA, USA) — Google Search Console and Google Analytics 4 data import when a Creator opts in; Google OAuth for sign-in; Google Maps Platform Places API for location search in Studio profiles (sends user-entered search queries and associated IP/request metadata; no location data is stored by creavio). (3) Platform Analytics: creavio uses GA4 for its own platform analytics and advertising attribution on creav.io and app.creav.io. Creators who configure GA4 on their canvas sites are data controllers for their own analytics — creavio is not responsible for Creator-configured tracking.
6. VIDEO PROCESSING
- Coconut Video (USA) — Video transcoding, thumbnail generation, and HLS packaging. Coconut receives source media files for processing and temporarily stores source and output files during active jobs (cleared within 48 hours of job completion). Final processed files are delivered to Cloudflare R2. Coconut Video does not use uploaded content for training or any purpose other than fulfilling the processing job.
7. SOCIAL, ADVERTISING & BUSINESS PLATFORMS (ACTIVATION-GATED)
The sub-processors below receive data only when a Creator (or, on the Agency tier, an authorized Agency acting on behalf of a brand) explicitly connects an account through the Platform. Data shared is limited to what is necessary to publish content, manage advertising, or read analytics for the connected account, including via the platform's business and advertising APIs (for example, Meta System Users / Business Manager and platform advertising APIs):
- Meta Platforms, Inc. (Facebook, Instagram, Threads; including Meta Business and Marketing/Ads APIs)
- Pinterest, Inc.
- LinkedIn Corporation
- TikTok Pte. Ltd. (including TikTok for Business)
- X Corp.
- Google LLC — Google Ads (campaign management and reporting for connected ad accounts)
Agency-tier note: When an Agency connects a brand's account, the data shared flows under the brand's workspace, and the Agency is responsible for the brand's authorization (see the Agency Services Addendum at creav.io/legal/agency-terms).
8. MONITORING + ERROR TRACKING
- Sentry (Functional Software, Inc., San Francisco, CA, USA) — Client and server error telemetry. Scrubbed of request bodies and auth tokens.
9. CHANGES
Material changes to this list will be announced at least 30 days in advance to the email address on each account and published here. To object to a new sub-processor, email privacy@creav.io before the effective date.