Privacy policy

Creataly is a creator-business operating system for creator agencies, brands, and creators, operated by Creataly Ltd. Creataly acts as the data controller for personal data collected through this website and the Creataly platform under UK GDPR and the Data Protection Act 2018.

If you have a question about this policy or how we handle your data, contact us at hello@creataly.co.

Information you provide

• Account information: name, email, password, and authentication identifiers handled by Clerk.
• Workspace information: agency or brand name, role, team size, roster details, deal records, campaign briefs, payout preferences, and any content uploaded into Roster, Deals, Campaigns, Scheduler, Pay, and Insights.
• Demo, contact, and waitlist submissions: name, email, company, role, team size, current tools, and the message or workflow notes you share with us.
• Billing information: company name, billing address, VAT details, and tax identifiers. Payment card details are collected and processed directly by Stripe. Creataly does not store full card numbers on its servers.

Information collected automatically

• Product and analytics data: pages visited, modules used, session duration, referring source, and feature interactions.
• Advertising data: campaign source, conversion events, and remarketing identifiers from Google Ads.
• Device and connection information: IP address, browser type, operating system, device type, language, and approximate location.
• Cookies and local storage: authentication sessions, preference flags, and analytics identifiers. See our Cookie Notice for details.

Data from connected social accounts

Creators can optionally connect their social media accounts (Instagram today, with YouTube, TikTok, and Twitch to follow) so Creataly can display their audience metrics. When you connect Instagram via the Instagram API with Instagram Login, we receive and store only your Instagram user ID, username, account type, follower count, and profile picture URL, along with an access token that we keep encrypted. See the “Connected social accounts and platform data” section below for how this data is used and deleted.

Data you process through Creataly

When you use Creataly to manage creators, brands, deals, campaigns, or payouts, you may upload personal data about other people such as creator contact details, brand contacts, contract counterparties, or payee information. For that data, you are the controller and Creataly acts as your processor under a data processing addendum.

• Provide the service: account creation, workspace setup, module access, scheduling, payments, and customer support.
• Communicate with you: respond to demo and contact requests, send service notices, security alerts, and product updates.
• Improve the platform: analyse usage patterns to refine modules, performance, and onboarding.
• Marketing and growth: with consent where required, send relevant updates about Creataly modules, events, and case studies.
• Protect the service: detect fraud, abuse, and security incidents, and meet our legal and tax obligations.

Creataly does not sell your personal data to third parties. We do not use your data for automated decision-making that produces legal or similarly significant effects, and we do not train external AI models on your customer or workspace content.

• Contract: providing the platform and services you have signed up for.
• Legitimate interests: maintaining a secure, reliable, and improving service, and pursuing limited, relevant marketing.
• Consent: optional analytics, advertising cookies, and marketing emails where consent is required.
• Legal obligation: tax, accounting, anti-fraud, and other regulatory requirements.

We share personal data only with the processors that operate the service on our behalf. Each provider is bound by a written agreement with appropriate confidentiality and security obligations.

• Clerk: authentication, session management, and user identity.
• Stripe: subscription billing, checkout, and payment processing.
• Supabase: database hosting and storage for workspace data.
• Vercel: application hosting, deployment, and edge delivery.
• Google Analytics: site and product analytics, where consent is given.
• Google Ads: conversion tracking and remarketing for marketing campaigns, where consent is given.
• Email and support tooling: providers used to send transactional emails, respond to enquiries, and run scheduled communications.

Some providers may process data outside the United Kingdom or European Economic Area. Where that happens, we rely on UK and EU approved transfer mechanisms such as Standard Contractual Clauses and the UK International Data Transfer Addendum.

• Account and workspace data: for the lifetime of your subscription, plus 30 days after cancellation to allow recovery.
• Connected social account data and access tokens: kept until you disconnect the account or delete your workspace, and removed immediately when you disconnect.
• Billing and tax records: 7 years, in line with UK tax retention requirements.
• Demo, contact, and waitlist submissions: up to 24 months from the last interaction.
• Analytics and advertising data: in line with the relevant provider retention windows described in our Cookie Notice.
• Backups: rolling backups for disaster recovery, deleted on a regular cycle.

Where we are required by law to keep records for longer, or where data is necessary to defend a legal claim, we will retain it only for as long as that purpose requires.

Creataly uses essential cookies for authentication, session security, and basic site function, and uses analytics and advertising cookies where you have given consent. Our Cookie Notice explains each cookie, the provider, and how long it lasts, and how you can change your choices.

Under UK GDPR you have the right to:

• Access the personal data we hold about you.
• Rectify inaccurate or incomplete data.
• Erase your data, subject to legal and contractual retention requirements.
• Restrict or object to processing in certain circumstances.
• Receive your data in a portable format.
• Withdraw consent for marketing or optional cookies at any time.

To exercise any of these rights, email hello@creataly.co. We aim to respond within 30 days. If you are not satisfied with our response, you can complain to the UK Information Commissioner's Office at ico.org.uk.

• All traffic between your browser and Creataly is encrypted in transit using TLS.
• Production infrastructure is hosted on Vercel and Supabase with restricted access and audit logging.
• Payments are handled by Stripe, which is PCI DSS Level 1 certified. Creataly never sees your full card number.
• Access to production systems is limited to a small number of staff and protected by single sign-on and multi-factor authentication.

Creataly is a business platform and is not intended for anyone under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

We may update this policy as Creataly evolves. Material changes will be communicated by email or by a notice on the website. The last updated date at the top of this page reflects the current version.

Creators may connect third-party social accounts to Creataly to display their audience metrics. Instagram is supported today, with YouTube, TikTok, and Twitch planned. Connecting is optional and is always initiated by you.

What we access and why

• We use the Instagram API with Instagram Login and request read-only access to your basic business profile (the instagram_business_basic permission).
• We receive and store your Instagram user ID, username, account type, follower count, and profile picture URL, together with an access token that we hold encrypted at rest.
• We use this data only to display your audience metrics and identity inside your Creataly dashboard and profile. We do not post on your behalf, read or send messages, access your media or comments, or use the data for advertising or to train AI models.

Disconnecting and deleting your platform data

• You can disconnect a connected account at any time from the “Connect your socials” section of your dashboard. Disconnecting immediately and permanently deletes the stored connection, its cached metrics, and the access token.
• Deleting your Creataly workspace or account removes all connected-account data along with it.
• To request deletion of platform data without using the in-app control, email hello@creataly.co and we will action your request within 30 days.

Our access to and use of Meta and Instagram data complies with the Meta Platform Terms and Developer Policies. We do not sell platform data, and we share it only with the infrastructure processors listed above that store it securely on our behalf.

Questions, requests, or complaints about this privacy policy can be sent to hello@creataly.co.