Data Processing

This page provides a technical and legal summary of how CreatifyHQ processes personal data, as required by applicable data protection laws including GDPR, UK GDPR, CCPA, and PIPEDA. For full details on what data we collect and your rights, see our Privacy Policy.

1. Controller and Processor Roles

CreatifyHQ as Data Controller

When you create a CreatifyHQ account, we are the data controller for your personal information. This means we determine the purposes for which your data is processed and the means by which that processing occurs. Specifically, we control:

• Account registration and authentication data
• Subscription and billing data (Stripe Customer IDs, plan status)
• Email notifications and marketing preferences
• Platform usage analytics and feature adoption data
• Error logs and security data

CreatifyHQ as Data Processor

When you instruct CreatifyHQ to publish content on your behalf to connected social media platforms, we act as a data processor operating under your direct instruction. In this capacity, we:

• Transmit your content to the social platforms you direct us to publish to
• Store your OAuth tokens as your authorised agent for platform access
• Retrieve performance metrics from platforms on your behalf

As a data processor in this context, we process your social media data only in accordance with your instructions (the "publish" action you initiate) and these Terms and our Data Processing Agreement.

2. Legal Basis for Processing

Processing Activity	Legal Basis (GDPR Art. 6)
Account registration, authentication, content generation, publishing	Art. 6(1)(b) — Performance of a contract
Payment processing, subscription management	Art. 6(1)(b) — Performance of a contract
Voice / personality profile training from uploaded samples	Art. 6(1)(a) — Explicit consent
Transactional emails (verification, password reset, billing alerts)	Art. 6(1)(b) — Performance of a contract
Platform analytics and feature usage measurement	Art. 6(1)(f) — Legitimate interests (product improvement)
Security monitoring, fraud detection, abuse prevention	Art. 6(1)(f) — Legitimate interests (security)
Marketing emails (optional newsletter, product announcements)	Art. 6(1)(a) — Consent (opt-in required)
Retention of billing records after account deletion	Art. 6(1)(c) — Legal obligation (financial regulation)

3. Sub-processors

We engage the following sub-processors who may process personal data on our behalf. All sub-processors are bound by Data Processing Agreements (DPAs) and appropriate transfer safeguards where applicable.

Sub-processor	Location	Purpose	Transfer Safeguard
Railway	US	Cloud infrastructure, database hosting, all services	SCCs
Stripe	US	Payment processing, subscription management	EU-US DPF / SCCs
SendGrid (Twilio)	US	Transactional email delivery	SCCs
OpenAI	US	AI content generation (GPT-4o)	SCCs
Anthropic	US	AI content refinement (Claude)	SCCs
Zernio	TBC	Social media publishing API	DPA in place
Google (Analytics)	US	Anonymised marketing site analytics	EU-US DPF / SCCs

We will notify users of any material changes to our sub-processor list with at least 30 days' notice via email and this page.

4. Data Flows

Content Generation Flow

1. User submits a prompt via the Create page in the browser
2. Frontend sends encrypted HTTPS request to the CreatifyHQ API Gateway
3. API Gateway verifies the JWT token and checks plan usage limits
4. Request is forwarded to the AI Service (Python/FastAPI)
5. AI Service constructs a personalised prompt using the user's voice profile and sends it to OpenAI's API via HTTPS
6. OpenAI returns generated content; AI Service cleans and formats it
7. Formatted content is returned to the browser and stored in the Content Service database

Publishing Flow

1. User clicks "Publish Now" or triggers a scheduled post
2. Publisher Service retrieves the content and the user's Zernio Profile Key from the Connections Service
3. Publisher Service sends the post text and platform target to Zernio's API via HTTPS
4. Zernio delivers the post to the connected social platform
5. Success/failure status is returned and stored; notification email sent if enabled

5. Technical Security Measures

• TLS 1.3 encryption for all data in transit between browsers, our services, and third-party APIs
• AES-256 encryption at rest for sensitive data including OAuth tokens, API keys, and profile credentials stored in our databases
• bcrypt password hashing (cost factor ≥ 12) — passwords are never stored in readable form
• JWT authentication with short token expiry for all authenticated API requests
• Rate limiting on all API gateway endpoints to prevent brute-force attacks and denial-of-service
• Input sanitisation and parameterised queries across all services to prevent SQL injection and XSS
• Private networking between all microservices on Railway — databases are not publicly accessible
• Least-privilege access — each microservice only has database access to the tables it requires
• Secrets management — all API keys and secrets are stored as environment variables, never hardcoded in source code

6. Organisational Security Measures

• Access control — only authorised personnel have access to production systems and databases
• Separation of duties — production access is separated from development environments
• Secure coding practices — code is reviewed before deployment; no secrets in version control
• Incident response plan — documented procedures for detecting, containing, and reporting data breaches
• Vendor due diligence — all sub-processors are evaluated for security practices before engagement
• Data minimisation — we collect only the data necessary to provide the Service

7. Data Breach Response

In the event of a personal data breach:

1. We will identify and contain the breach as quickly as possible
2. We will assess the risk and scope of affected data
3. For breaches likely to result in a risk to individuals' rights and freedoms, we will notify the relevant supervisory authority (e.g., ICO, DPC) within 72 hours of becoming aware of the breach, as required by GDPR Article 33
4. Where the breach is likely to result in a high risk to individuals, we will notify affected users directly without undue delay — and in any case within 72 hours
5. We will document all breaches in our internal breach register, regardless of whether notification was required

8. Data Subject Rights

You may exercise any of the following rights at any time by contacting [email protected]:

• Right of access (Art. 15): Request a copy of all personal data we hold about you
• Right to rectification (Art. 16): Correct inaccurate or incomplete personal data (also available via Settings → Profile)
• Right to erasure (Art. 17): Request deletion of your personal data — see our Data Deletion page
• Right to restriction of processing (Art. 18): Request that we limit how we process your data in certain circumstances
• Right to data portability (Art. 20): Receive your data in a machine-readable JSON format
• Right to object (Art. 21): Object to processing based on legitimate interests (e.g., analytics)
• Rights related to automated decision-making (Art. 22): We do not make solely automated decisions with significant legal effects on individuals

We respond to all data subject requests within 30 days. We may request verification of your identity before fulfilling a request.

9. Data Processing Agreements

Enterprise customers who require a formal Data Processing Agreement (DPA) — for example, to meet their own GDPR compliance obligations as data controllers — may request one by contacting [email protected].

Our DPA includes:

• Scope and duration of processing
• Nature and purpose of processing
• Type of personal data and categories of data subjects
• Obligations and rights of the controller
• Sub-processor list with appropriate safeguards
• Standard Contractual Clauses (SCCs) for international transfers where applicable

We will provide a completed DPA within 5 business days of request.

10. Contact

Data protection enquiries: [email protected]