Privacy policy
This document is a launch draft pending final legal review. The information below reflects how Creataly intends to operate at public launch and may be revised before the policy becomes binding.
1. Who we are
Creataly is a creator-business operating system for creator agencies, brands, and creators, operated by Creataly Ltd. Creataly acts as the data controller for personal data collected through this website and the Creataly platform under UK GDPR and the Data Protection Act 2018.
If you have a question about this policy or how we handle your data, contact us at hello@creataly.com.
2. What data we collect
Information you provide
- Account information: name, email, password, and authentication identifiers handled by Clerk.
- Workspace information: agency or brand name, role, team size, roster details, deal records, campaign briefs, payout preferences, and any content uploaded into Roster, Deals, Campaigns, Scheduler, Pay, and Insights.
- Demo, contact, and waitlist submissions: name, email, company, role, team size, current tools, and the message or workflow notes you share with us.
- Billing information: company name, billing address, VAT details, and tax identifiers. Payment card details are collected and processed directly by Stripe. Creataly does not store full card numbers on its servers.
Information collected automatically
- Product and analytics data: pages visited, modules used, session duration, referring source, and feature interactions.
- Advertising data: campaign source, conversion events, and remarketing identifiers from Google Ads.
- Device and connection information: IP address, browser type, operating system, device type, language, and approximate location.
- Cookies and local storage: authentication sessions, preference flags, and analytics identifiers. See our Cookie Notice for details.
Data from connected social accounts
Creators can optionally connect their social media accounts (Instagram today, with YouTube, TikTok, and Twitch to follow) so Creataly can display their audience metrics. When you connect Instagram via the Instagram API with Instagram Login, we receive and store only your Instagram user ID, username, account type, follower count, and profile picture URL, along with an access token that we keep encrypted. See the “Connected social accounts and platform data” section below for how this data is used and deleted.
Data from a connected WhatsApp Business number
Agencies and brands can optionally connect their own WhatsApp Business number through the WhatsApp Business Platform (Cloud API) so they can read and reply to customer conversations inside Creataly. When you connect a number, we receive and store the business phone number and its display name, and — for people who message that number — their WhatsApp ID (phone number), WhatsApp profile name, and the content and timestamps of the messages exchanged. We also store the access token issued for your WhatsApp Business Account, which we keep encrypted at rest. See the “WhatsApp Business messaging” section below for how this data is used and deleted.
Data you process through Creataly
When you use Creataly to manage creators, brands, deals, campaigns, or payouts, you may upload personal data about other people such as creator contact details, brand contacts, contract counterparties, or payee information. For that data, you are the controller and Creataly acts as your processor under a data processing addendum.
3. How we use your data
- Provide the service: account creation, workspace setup, module access, scheduling, payments, and customer support.
- Communicate with you: respond to demo and contact requests, send service notices, security alerts, and product updates.
- Improve the platform: analyse usage patterns to refine modules, performance, and onboarding.
- Marketing and growth: with consent where required, send relevant updates about Creataly modules, events, and case studies.
- Protect the service: detect fraud, abuse, and security incidents, and meet our legal and tax obligations.
Creataly does not sell your personal data to third parties. We do not use your data for automated decision-making that produces legal or similarly significant effects, and we do not train external AI models on your customer or workspace content.
4. Legal basis for processing
- Contract: providing the platform and services you have signed up for.
- Legitimate interests: maintaining a secure, reliable, and improving service, and pursuing limited, relevant marketing.
- Consent: optional analytics, advertising cookies, and marketing emails where consent is required.
- Legal obligation: tax, accounting, anti-fraud, and other regulatory requirements.
5. Who we share your data with
We share personal data only with the processors that operate the service on our behalf. Each provider is bound by a written agreement with appropriate confidentiality and security obligations.
- Clerk: authentication, session management, and user identity.
- Stripe: subscription billing, checkout, and payment processing.
- Supabase: database hosting and storage for workspace data.
- Vercel: application hosting, deployment, and edge delivery.
- Google Analytics: site and product analytics, where consent is given.
- Google Ads: conversion tracking and remarketing for marketing campaigns, where consent is given.
- Meta Platforms: delivery of messages to and from connected WhatsApp Business numbers via the WhatsApp Business Platform (Cloud API).
- Email and support tooling: providers used to send transactional emails, respond to enquiries, and run scheduled communications.
Some providers may process data outside the United Kingdom or European Economic Area. Where that happens, we rely on UK- and EU-approved transfer mechanisms such as Standard Contractual Clauses and the UK International Data Transfer Addendum.
6. How long we keep your data
- Account and workspace data: for the lifetime of your subscription, plus 30 days after cancellation to allow recovery.
- Connected social account data and access tokens: kept until you disconnect the account or delete your workspace, and removed immediately when you disconnect.
- WhatsApp conversations, messages, and access tokens: retained while your WhatsApp Business number is connected, and deleted when you disconnect the number or delete your workspace.
- Billing and tax records: 7 years, in line with UK tax retention requirements.
- Demo, contact, and waitlist submissions: up to 24 months from the last interaction.
- Analytics and advertising data: in line with the relevant provider retention windows described in our Cookie Notice.
- Backups: rolling backups for disaster recovery, deleted on a regular cycle.
Where we are required by law to keep records for longer, or where data is necessary to defend a legal claim, we will retain it only for as long as that purpose requires.
7. Cookies and tracking technologies
Creataly uses essential cookies for authentication, session security, and basic site function, and uses analytics and advertising cookies where you have given consent. Our Cookie Notice explains each cookie, its provider, how long it lasts, and how you can change your choices.
8. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data, subject to legal and contractual retention requirements.
- Restrict or object to processing in certain circumstances.
- Receive your data in a portable format.
- Withdraw consent for marketing or optional cookies at any time.
To exercise any of these rights, email hello@creataly.com. We aim to respond within 30 days. If you are not satisfied with our response, you can complain to the UK Information Commissioner's Office at ico.org.uk.
9. Data security
- All traffic between your browser and Creataly is encrypted in transit using TLS.
- Production infrastructure is hosted on Vercel and Supabase with restricted access and audit logging.
- Payments are handled by Stripe, which is PCI DSS Level 1 certified. Creataly never sees your full card number.
- Access to production systems is limited to a small number of staff and protected by single sign-on and multi-factor authentication.
10. Children's privacy
Creataly is a business platform and is not intended for anyone under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
11. Changes to this policy
We may update this policy as Creataly evolves. Material changes will be communicated by email or by a notice on the website. The last updated date at the top of this page reflects the current version.
12. Connected social accounts and platform data
Creators may connect third-party social accounts to Creataly to display their audience metrics. Instagram is supported today, with YouTube, TikTok, and Twitch planned. Connecting is optional and is always initiated by you.
What we access and why
- We use the Instagram API with Instagram Login and request read-only access to your basic business profile (the instagram_business_basic permission).
- We receive and store your Instagram user ID, username, account type, follower count, and profile picture URL, together with an access token that we hold encrypted at rest.
- We use this data only to display your audience metrics and identity inside your Creataly dashboard and profile. We do not post on your behalf, read or send messages, access your media or comments, or use the data for advertising or to train AI models.
Disconnecting and deleting your platform data
- You can disconnect a connected account at any time from the “Connect your socials” section of your dashboard. Disconnecting immediately and permanently deletes the stored connection, its cached metrics, and the access token.
- Deleting your Creataly workspace or account removes all connected-account data along with it.
- To request deletion of platform data without using the in-app control, email hello@creataly.com and we will action your request within 30 days.
Our access to and use of Meta and Instagram data complies with the Meta Platform Terms and Developer Policies. We do not sell platform data, and we share it only with the infrastructure processors listed above that store it securely on our behalf.
13. WhatsApp Business messaging
Agencies and brands can connect their own WhatsApp Business number to Creataly through the official WhatsApp Business Platform (Cloud API) to read and reply to customer conversations inside the platform. Connecting is optional, always initiated by you, and each connected number is isolated to your workspace.
What we access and why
- We use the WhatsApp Business Platform with the whatsapp_business_messaging and whatsapp_business_management permissions to send and receive messages on your number and to read its profile and message templates.
- We receive and store the business phone number and display name, the WhatsApp ID (phone number), profile name, and the content and timestamps of messages for conversations on that number, together with the access token for your WhatsApp Business Account, which we hold encrypted at rest.
- We use this data only to show your WhatsApp conversations inside Creataly and to let your team reply to them. We do not use it for advertising or to train AI models.
Customer consent and opt-in
We enable replies to people who have messaged your WhatsApp Business number first, or whom you have added with their consent. Business-initiated messages sent outside WhatsApp's 24-hour customer service window use only message templates approved by WhatsApp. You remain responsible for having a lawful basis and any required consent to message your contacts, in line with WhatsApp's Business Messaging Policy.
Disconnecting and deleting your WhatsApp data
- You can disconnect your WhatsApp number at any time from Settings → Integrations. Disconnecting removes the stored connection and its encrypted access token.
- Deleting your Creataly workspace or account removes connected WhatsApp data, including stored conversations and messages.
- To request deletion of WhatsApp data without using the in-app control, email hello@creataly.com and we will action your request within 30 days.
Our access to and use of WhatsApp and other Meta data complies with the Meta Platform Terms, the WhatsApp Business Messaging Policy, and Meta's Developer Policies. We do not sell platform data, and we share it only with the infrastructure processors listed above that store it securely on our behalf.
14. Contact us
Questions, requests, or complaints about this privacy policy can be sent to hello@creataly.com.