← Back to Home
📄 Legal Document

Privacy Policy

We take your privacy seriously. This policy explains exactly what data we collect, why we collect it, and how you can control it.

Effective: May 1, 2026 Last updated: April 9, 2026 Applies to: CreatifyHQ SaaS Platform
Section 1

Who We Are

CreatifyHQ ("we", "us", "our") is an AI-powered social media content creation, scheduling, and publishing platform. Our service is operated and delivered through app.creatifyhq.com.

This Privacy Policy governs the collection, use, storage, and disclosure of personal information when you use the CreatifyHQ platform, including our website at creatifyhq.com, our web application, and all related services.

📬 Data Controller

CreatifyHQ is the data controller for all personal information collected through our platform. For all privacy-related inquiries, contact us at privacy@creatifyhq.com.

Section 2

What Data We Collect

We collect the following categories of data when you use CreatifyHQ:

2.1 Account & Profile Data

  • Full name — provided at registration
  • Email address — used for login, billing, and communications
  • Password — stored as a one-way bcrypt hash (we never store your plain-text password)
  • Profile preferences — notification settings, appearance preferences, and dashboard customizations you choose

2.2 Content You Create

  • Generated posts and drafts — content you create using our AI tools
  • Writing samples (Voice Training) — past posts you upload to train your personal AI writing voice
  • Content prompts and topics — the inputs you provide when generating content
  • Scheduled posts — timing, platform targets, and content

2.3 Social Platform Connections

  • OAuth tokens — access credentials for connected social accounts (encrypted at rest)
  • Platform profile identifiers — social account IDs and usernames
  • Post performance data — engagement metrics returned by connected platforms (likes, shares, comments)

2.4 Billing & Subscription Data

  • Subscription plan — which tier (Starter, Pro, Business, Enterprise) you're on
  • Billing status — active, trialing, cancelled, past due
  • Stripe Customer ID — a reference ID for your Stripe record (no raw card data is stored by us)

2.5 Usage & Technical Data

  • Feature usage — which features you use and how often (posts generated, platforms published to)
  • IP address — for security and fraud prevention
  • Browser/device type — for debugging and compatibility
  • Error logs — technical crash data to help us fix bugs
Section 3

How We Use Your Data

Purpose Data Used Legal Basis
Provide the Service — authenticate you, generate AI content, schedule and publish posts Account data, content data, social connections Contract performance
Billing & Subscriptions — process payments, manage plan limits, send invoices Email, Stripe Customer ID, subscription status Contract performance
AI Voice Personalization — train your personal writing style from uploaded samples Writing samples you explicitly upload Explicit consent
Communications — send account emails, trial reminders, publish confirmations Email address, notification preferences Contract + Legitimate interest
Security & Fraud Prevention — detect abuse, protect accounts IP address, usage data, device data Legitimate interest
Platform Improvement — fix bugs, improve AI quality, optimise features Anonymised usage and error data Legitimate interest
Legal Compliance — comply with applicable laws and respond to legal requests Any data relevant to the legal obligation Legal obligation
✅ Our Commitment

We do not sell your personal data. We do not use your data for advertising. We do not share your data with any party except those listed in Section 10 of this policy.

Section 4

AI Processing of Your Content

CreatifyHQ uses artificial intelligence to generate content on your behalf. Understanding how this works is important.

4.1 How AI Processes Your Inputs

When you generate content, your prompt, selected topic, platform, and voice profile are sent to our AI providers (OpenAI GPT-4o and/or Anthropic Claude). These providers process your input and return generated text. Your data is transmitted over encrypted HTTPS connections.

4.2 Voice / Personality Training Data

If you use the Voice Cloning feature and upload writing samples, those samples are:

  • Analysed by our AI pipeline to extract writing patterns, tone markers, and vocabulary preferences
  • Stored in our database as a structured personality profile (not as raw text after analysis)
  • Never shared with other users or used to train third-party AI models
  • Deleted when you delete your account (see Section 11)

4.3 OpenAI's Data Practices

Content you generate is processed by OpenAI. OpenAI does not use API-submitted data to train their models by default. For details, see OpenAI's API Data Usage Policy.

4.4 Anthropic's Data Practices

Some refinement and analysis features use Anthropic's Claude API. Anthropic does not use API-submitted data to train their models. For details, see Anthropic's Privacy Policy.

4.5 AI Content Ownership

All content generated by the AI using your prompts and voice profile belongs to you. CreatifyHQ asserts no ownership, copyright, or licence over content you generate on the platform. You are solely responsible for the content you choose to publish.

Section 5

Social Platform Data (Zernio)

CreatifyHQ uses Zernio to publish content to your connected social media accounts. Zernio is a social media publishing API that acts as our sub-processor for social platform delivery.

5.1 What Data Goes to Zernio

  • The post text, hashtags, and media URLs you choose to publish
  • Your Zernio Profile Key (a secure token, not your social platform password)
  • The target platform and scheduled datetime (if scheduling)

5.2 What Zernio Does NOT Receive

  • Your CreatifyHQ password
  • Your payment information
  • Your AI-generated drafts that you do not choose to publish
  • Your voice training data or personality profile

5.3 Direct OAuth Platform Connections

For platforms connected directly via OAuth (where available), we store only the access token and refresh token, encrypted using AES-256. We never store your social media username or password. You can disconnect any platform at any time from Dashboard → Connections.

⚠️ Important

Disconnecting a social account from CreatifyHQ revokes our access but does not delete your posts that have already been published to that platform. To remove published posts, you must do so directly on the social platform.

Section 6

Payment Data (Stripe)

All payment processing is handled by Stripe, Inc., a PCI-DSS Level 1 certified payment processor. CreatifyHQ never sees, receives, or stores your raw credit card number, CVV, or full card details.

What we store:

  • Your Stripe Customer ID — a reference number that lets us look up your subscription
  • Your subscription plan and status — so we know which features to unlock for you
  • Your billing email — same as your account email

Stripe stores your payment method details on their secure, encrypted servers under their own Privacy Policy. By subscribing, you also agree to Stripe's terms.

You can update or cancel your payment method at any time via Dashboard → Settings → Billing → Manage.

Section 7

Email Communications (SendGrid)

We send transactional and product emails using SendGrid by Twilio. The emails we send include:

  • Account emails: email verification, password reset, welcome email
  • Billing emails: subscription confirmation, trial expiry reminders (Day 10, Day 13), payment receipts
  • Publish notifications: post successfully published, post failed to publish (if enabled in Settings)

You can control which notification types you receive in Dashboard → Settings → Notifications.

We do not send marketing or promotional emails without your explicit opt-in consent. Any marketing emails include an unsubscribe link as required by law (CAN-SPAM, GDPR).

SendGrid processes your email address according to their own Privacy Policy.

Section 8

Cookies & Tracking

CreatifyHQ uses a minimal set of cookies and browser storage. We do not use advertising cookies or cross-site tracking.

Name / Type Purpose Duration Deletable?
creatify_auth (localStorage) Stores your JWT session token so you stay logged in Until you log out or clear browser storage Yes — log out clears this
creatify_*_prefs (localStorage) Stores UI preferences (appearance, notification settings) Persistent until cleared Yes — clear browser storage
Google Analytics cookies Aggregated, anonymised site usage statistics on creatifyhq.com marketing site only Up to 2 years (GA standard) Yes — via cookie consent banner
Tawk.to chat cookies Live support chat on marketing site only Session + persistent IDs Yes — via cookie consent banner

Our cookie consent banner on the marketing website allows you to accept or decline non-essential cookies. You can also control cookies through your browser settings at any time.

Section 9

Data Storage & Retention

9.1 Where Your Data is Stored

All CreatifyHQ data is stored on Railway infrastructure. Railway's servers are located in the United States. If you are located outside the US, your data is transferred to the US for processing and storage (see Section 13 on international transfers).

9.2 How Long We Keep Your Data

Data Type Retention Period
Account data (name, email, profile) Kept until account is deleted. Purged within 30 days of deletion request.
Generated content & library Kept until you delete it or delete your account.
Voice / personality profile Kept until you retrain, delete training data, or delete your account.
Social platform tokens Kept until you disconnect the platform or delete your account.
Billing records Kept for 7 years as required by financial regulations, even after account deletion.
Error logs & technical data 30 days rolling window.
Analytics data Aggregated data kept indefinitely. Raw event data kept 90 days.
Section 10

Data Sharing & Third Parties

We share your data only with the following sub-processors, and only to the extent necessary to provide the service:

Provider Purpose Data Shared
OpenAI AI content generation (GPT-4o) Your content prompts, voice profile context
Anthropic AI content refinement (Claude) Content drafts you request to refine or analyse
Zernio Social media publishing Post content you choose to publish, platform tokens
Stripe Payment processing Email, subscription details (no card data stored by us)
SendGrid (Twilio) Transactional email delivery Email address, name (for personalisation in emails)
Railway Cloud infrastructure hosting All data (encrypted at rest and in transit)
Google Analytics Marketing site analytics (creatifyhq.com only) Anonymised page view and session data
📌 No Sale of Data

We do not sell, rent, or trade your personal data to any third party for marketing or commercial purposes, ever.

10.1 Legal Disclosure

We may disclose your information if required to do so by law, court order, or governmental authority. We will notify you of such a request unless prohibited by law from doing so.

10.2 Business Transfers

If CreatifyHQ is acquired by or merged with another company, your data may be transferred as part of that transaction. We will notify you via email at least 30 days before any such transfer and give you the opportunity to delete your account.

Section 11

Your Rights & Choices

Depending on your location, you have a variety of rights regarding your personal data. CreatifyHQ honours these rights for all users regardless of geography.

🔍 Right to Access

You can request a copy of all personal data we hold about you. Email privacy@creatifyhq.com with the subject line "Data Access Request". We will respond within 30 days.

✏️ Right to Correction

You can update your name and email address at any time in Dashboard → Settings → Profile.

🗑️ Right to Deletion ("Right to Be Forgotten")

You can permanently delete your account and all associated data at any time:

  1. Go to Dashboard → Settings → Security
  2. Scroll to the "Danger Zone" section
  3. Click Delete Account and confirm

This will delete your account, all generated content, voice profiles, and social connections within 30 days. Note: billing records are retained for 7 years as required by law (see Section 9.2).

🚫 Right to Object / Restrict Processing

You can disconnect social platforms, delete voice training data, or turn off notification emails at any time from your Settings page. If you wish to restrict AI processing of your content, contact us at privacy@creatifyhq.com.

📦 Right to Data Portability

You can request a machine-readable export of your content library and account data by emailing privacy@creatifyhq.com. We will deliver a JSON export within 30 days.

🇪🇺 EU/UK Residents — GDPR Rights

If you are in the EU or UK, you have additional rights under GDPR/UK GDPR, including the right to lodge a complaint with your local supervisory authority. For EU users, complaints can be filed with the relevant Data Protection Authority in your country of residence.

🇨🇦 Canadian Residents — PIPEDA

Canadian users have rights under PIPEDA. You may contact our privacy officer at privacy@creatifyhq.com or file a complaint with the Office of the Privacy Commissioner of Canada.

Section 12

Children's Privacy

CreatifyHQ is not directed at children under the age of 16. We do not knowingly collect personal information from anyone under 16 years of age. If you believe a child under 16 has created an account, please contact us immediately at privacy@creatifyhq.com and we will delete the account and all associated data promptly.

Section 13

International Data Transfers

CreatifyHQ operates from servers in the United States. If you access our service from outside the US (including from the EU, UK, Canada, or Australia), your data will be transferred to and processed in the US.

For EU and UK users, we rely on the following safeguards for international transfers:

  • Standard Contractual Clauses (SCCs) — where our sub-processors are located outside the EEA
  • EU-US Data Privacy Framework — where applicable sub-processors are certified

By using CreatifyHQ, you consent to the transfer of your data to the United States under the protections described above.

Section 14

Security

We implement industry-standard technical and organisational measures to protect your data, including:

  • HTTPS/TLS encryption for all data in transit
  • AES-256 encryption for sensitive data at rest (OAuth tokens, passwords are bcrypt-hashed)
  • JWT authentication with short-lived tokens
  • Rate limiting on all API endpoints to prevent brute force attacks
  • Input sanitisation to prevent injection attacks
  • Railway's platform security — private networking between services, no public database exposure

Despite these measures, no system is 100% secure. In the event of a data breach that affects your personal data, we will notify you by email within 72 hours of becoming aware of the breach, as required by GDPR Article 33.

Section 15

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Send an email notification to all registered users at least 14 days before the change takes effect
  • Show an in-app notification on your dashboard

Your continued use of CreatifyHQ after the effective date of the updated policy constitutes your acceptance of the changes. If you do not agree to the updated policy, you may delete your account before the effective date.

Section 16

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Privacy Team — CreatifyHQ

We respond to all privacy requests within 5 business days. For formal data subject requests, we respond within 30 days as required by law.

📧 privacy@creatifyhq.com

You also have the right to lodge a complaint with a supervisory authority. EU residents can find their local DPA at edpb.europa.eu. UK residents can contact the ICO at ico.org.uk. Canadian residents can contact the OPC at priv.gc.ca.