1. Introduction
Welcome to Creatr.ai ("we," "our," or "us"), operated by Creatr.ai Inc. We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, store, share, and safeguard your information when you use our mobile application and related services (collectively, the "Service").
This policy applies to all users of Creatr.ai regardless of location. Additional rights may apply based on your jurisdiction (see Sections 14-16).
2. Information We Collect
2.1 Information You Provide Directly
- Account Information: Name, email address, date of birth, and profile preferences (content vibe, platform selections, creator goals)
- Age Verification Data: Date of birth, collected to verify you meet our minimum age requirement (16+) and to comply with applicable child protection laws
- User-Generated Input: Text prompts you enter for content generation, creator profile settings, and content preferences
- Communications: Messages you send to our support team at support@creatr.ai
2.2 Information Collected Automatically
- Usage Data: Features used, content generated (post ideas, captions, hashtags), boost consumption, and weekly usage counts per feature category
- Device Information: Device type, operating system version, and app version (collected for compatibility and update delivery)
- Subscription Data: Subscription tier, billing period, and boost balance. Payment details (credit card numbers, billing addresses) are processed exclusively by Apple App Store or Google Play Store and are never received or stored by us
2.3 Photo Data
Important: Please read this section carefully.
- Photo Access: We access photos from your device only when you explicitly grant permission and select specific photos for analysis
- Photo Transmission: When you use the Photo Scan feature, your selected photos are temporarily encoded (as base64 data) and transmitted via an encrypted connection (TLS/HTTPS) to our secure server infrastructure (Supabase), which forwards them to Google's Gemini AI service for visual analysis
- What AI Receives: The AI receives the full visual content of your selected photo along with a structured prompt requesting content analysis (mood, composition, suggested platforms, and caption ideas)
- No Permanent Storage: Photos are not permanently stored on our servers. They are held in processing memory only for the duration of the AI analysis (typically seconds) and are automatically cleared after processing completes
- Google's Processing: Photos processed by Google Gemini are subject to Google's Cloud Data Processing Addendum. Google does not use data submitted through the paid Gemini API to train its foundation models
- Content Moderation: Before AI processing, your photos are screened for sensitive content (adult material, violence, PII such as IDs or credit cards, medical information, and credentials). If sensitive content is detected, the photo is blocked from further processing and you are notified
2.4 Photo Location Metadata (Android)
- On Android devices, our app requests the ACCESS_MEDIA_LOCATION permission, which may provide access to geographic location metadata embedded in your photos (EXIF data)
- This metadata, if present, may be included when photos are transmitted for AI analysis
- We do not separately collect, store, or use location data for any purpose beyond the photo analysis session
- You can disable this permission in your device settings at any time
2.5 Information We Do Not Collect
- We do not collect precise GPS location data
- We do not access your contacts, calendar, microphone, or camera (we access only your photo library)
- We do not collect health or biometric data
- We do not use cookies or web tracking technologies in the mobile app (see our Cookie Policy for the website)
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data on the following lawful bases under GDPR Article 6:
- Consent (Article 6(1)(a)): Photo processing and AI analysis (you consent each time you select a photo for scanning), marketing communications, and optional analytics. You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal
- Contract Performance (Article 6(1)(b)): Account creation and management, subscription and billing management, content generation service delivery, boost system operation, and customer support
- Legitimate Interest (Article 6(1)(f)): Service security and fraud prevention, service improvement through aggregated and anonymized usage analysis, and enforcing our Terms of Service. We balance these interests against your rights and have determined our processing does not override your fundamental rights
- Legal Obligation (Article 6(1)(c)): Age verification, tax and financial record-keeping, and responding to lawful government requests
4. How We Use Your Information
- Content Generation: Analyze your photos and process your text prompts to create personalized social media post ideas, captions, and hashtags
- Service Provision: Operate and maintain all features of the Creatr.ai platform, including boost allocation, subscription management, and content library
- Personalization: Customize content recommendations based on your selected vibe, platforms, and creator profile
- Account Management: Manage your subscription tier, boost balance, and account settings
- Communication: Send transactional notifications (subscription reminders, account updates) and, with your consent, marketing communications
- Safety: Screen content for harmful material through our content moderation system
- Service Improvement: Analyze aggregated, anonymized usage patterns to improve features and user experience. We do not use your individual data to train AI models
- Legal Compliance: Comply with applicable laws, regulations, and legal processes
5. AI Processing Transparency
5.1 AI Models Used
- Free & Pro tiers: Google Gemini 2.0 Flash — a fast, efficient AI model for generating post ideas, captions, and hashtags
- Pro+ tier: Google Gemini 2.0 Flash-Exp — a more capable model providing higher-quality, more nuanced content generation with Deep Scan support
5.2 What Data the AI Receives
- Photo Scan: Your selected photo (full visual content as encoded image data) plus a structured analysis prompt
- Text Prompt: The text you type in the Text Prompt feature, combined with your creator preferences (vibe, platforms, goals)
- Auto Ideas & Throwback: Text descriptions generated from previous analyses, combined with your preferences
5.3 Data Flow
Your data follows this path during AI processing:
- You select a photo or enter a text prompt in the app
- Content moderation checks are performed
- Data is transmitted via encrypted HTTPS to our Supabase edge function (authenticated with your session token)
- The edge function forwards the request to Google Gemini API with safety filters enabled
- Google Gemini processes the request and returns generated content
- Results are returned to you in the app and saved to your content library
- Temporary processing data (including photo data) is cleared from memory
5.4 AI Safety Settings
We apply Google's safety filters at the "BLOCK_MEDIUM_AND_ABOVE" level for harassment, hate speech, sexually explicit content, and dangerous content. Content that exceeds these thresholds is blocked from generation.
5.5 Automated Decision-Making
Our AI generates content suggestions automatically based on your inputs. These suggestions do not constitute decisions that produce legal effects or similarly significantly affect you. You always retain full control over whether to use, edit, or discard any generated content. If you have concerns about automated processing, you may contact us at privacy@creatr.ai.
6. Information Sharing and Disclosure
6.1 We Do Not Sell Your Data
We do not sell, rent, or trade your personal information to third parties for marketing purposes. We do not share your personal information for cross-context behavioral advertising.
6.2 Service Providers (Sub-Processors)
We share information with the following trusted third-party service providers who process data on our behalf:
- Supabase (USA): Database hosting, user authentication, and secure data storage. Receives: account data, generated content, usage records, subscription status. Purpose: core infrastructure and data storage
- Google Gemini AI (USA): AI content generation. Receives: photo image data, text prompts, creator preferences. Purpose: generating post ideas, captions, and hashtags. Google's processing is governed by the Google Cloud Data Processing Addendum
- RevenueCat (USA): Subscription management and purchase receipt validation. Receives: anonymous user ID and purchase receipts. Purpose: managing subscription entitlements and verifying purchases
- Apple App Store / Google Play Store: Payment processing and app distribution. Processes payments directly; we do not receive or store your payment card details
- Expo/EAS (USA): App build and over-the-air update delivery. Receives: device type and app version. Purpose: delivering compatible app updates
6.3 Future Advertising Partners
We may in the future integrate advertising services (such as AppLovin) to offer rewarded video ads. If and when activated, this section will be updated to disclose the specific advertising partner, the data shared with them, and your opt-out options. We will notify you of any such change before activation.
6.4 Legal Requirements
We may disclose your information if required to do so by law, court order, subpoena, or other legal process, or if we reasonably believe disclosure is necessary to protect our rights, your safety, or the safety of others.
6.5 Business Transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you via email and/or prominent notice in the app before your data is transferred and becomes subject to a different privacy policy.
7. Data Security
- Encryption in Transit: All data transmitted between your device, our servers, and third-party services is encrypted using TLS/HTTPS
- Encryption at Rest: Data stored in our Supabase database is encrypted at rest
- Access Controls: Server access is restricted through authentication tokens and role-based access controls
- Secure Token Storage: Authentication tokens are stored using platform-specific secure storage (iOS Keychain / Android Keystore) on your device
- API Key Protection: Third-party API keys (e.g., Gemini) are stored in server-side secrets and never exposed to client devices
- Session Management: Sessions use JWT tokens with automatic refresh and corruption detection
While we implement industry-standard security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
8. Data Retention
- Account Data: Retained while your account is active and for 30 days after account deletion to allow recovery
- Generated Content: Stored until you delete individual items or close your account
- Usage Data: Retained for up to 12 months for service operation (e.g., weekly usage tracking), then anonymized or deleted
- Photo Data: Not stored on our servers; held in processing memory only during active AI analysis (typically seconds)
- Subscription Records: Retained for the duration required by tax and financial record-keeping laws (typically 7 years for financial records)
- Deleted Accounts: All personal data deleted within 30 days of account closure, except where retention is required by law
9. Your Rights and Choices
9.1 Universal Rights (All Users)
- Access: View and download all your personal data via the in-app data export feature (Profile > Export Data)
- Correction: Update your account information and preferences at any time in the app
- Deletion: Delete your account and all associated data (Profile > Delete Account). Data is removed within 30 days
- Data Export: Export all your data in JSON format at no cost via the in-app export feature
- Photo Permissions: Revoke photo access at any time through your device's system settings
- Notifications: Manage notification preferences in your device settings
9.2 How to Exercise Your Rights
Most rights can be exercised directly in the app. For requests that cannot be handled in-app, contact us at privacy@creatr.ai. We will respond to verified requests within 30 days (or sooner where required by law).
10. Children's Privacy
10.1 Age Requirement
Creatr.ai is intended for users aged 16 and older. We do not knowingly collect personal information from children under 16.
10.2 Age Verification
All users must provide their date of birth during registration. Users who indicate they are under 16 are blocked from creating an account. To prevent coached entries, we use a neutral age gate that does not reveal the minimum age requirement.
10.3 Parental Notice
If you are a parent or guardian and believe your child under 16 has provided personal information to us without your consent, please contact us immediately at privacy@creatr.ai. We will promptly delete all personal information associated with that account, terminate the account, and notify you of the actions taken.
10.4 Teen-Specific Protections
- We do not serve targeted advertising to users under 18
- We do not use personal data of users under 18 for profiling or behavioral analysis beyond what is necessary to provide the service
- Content moderation is applied to all generated content to filter inappropriate material
11. International Data Transfers
Your personal data may be transferred to and processed in the United States, where our service providers are located. Specifically:
- Supabase: Data stored and processed in the United States
- Google Gemini AI: Data processed in the United States
- RevenueCat: Data processed in the United States
For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914)
- EU-US Data Privacy Framework certifications where applicable
- Supplementary measures as recommended by the EDPB where necessary
Copies of the relevant transfer safeguards are available upon request at privacy@creatr.ai.
12. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify relevant supervisory authorities within 72 hours of becoming aware of the breach, where required by GDPR
- Notify affected users without undue delay via email to your registered address
- For high-severity breaches, additionally notify through in-app notification
- Provide details of the nature of the breach, likely consequences, and measures taken or proposed to address it
- Comply with all applicable state breach notification laws (which may have shorter notification timelines)
13. Cookie Policy
Our mobile application does not use cookies or similar tracking technologies. Our website (creatrai.app) uses essential cookies for site functionality. For details on website cookies, please see our Cookie Policy.
14. California Residents (CCPA/CPRA)
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
14.1 Right to Know
You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
14.2 Categories of Personal Information Collected
- Identifiers: Name, email address, date of birth, anonymous user IDs
- Commercial Information: Subscription tier, purchase history, boost balance
- Internet/Electronic Activity: App usage data, feature usage counts, device type and OS
- Audio/Visual Information: Photos you select for AI analysis (not permanently stored)
- Inferences: Content preferences derived from your selections (vibe, platforms, creator goals)
14.3 Right to Delete
You may request deletion of your personal information. You can do this directly in the app (Profile > Delete Account) or by contacting privacy@creatr.ai.
14.4 Right to Opt-Out of Sale/Sharing
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. If this changes in the future, we will provide a "Do Not Sell or Share My Personal Information" link and mechanism.
14.5 Right to Non-Discrimination
We will not discriminate against you for exercising any of your CCPA/CPRA rights.
14.6 Authorized Agent
You may designate an authorized agent to make requests on your behalf. We may require verification of the agent's authorization.
14.7 Financial Incentive Disclosure
Our rewarded ad feature (when available) offers users virtual boosts in exchange for watching advertisements. This constitutes a financial incentive program. The value of the incentive is reasonably related to the value of the data (ad engagement metrics) provided to our advertising partner. You may opt out of this program at any time by simply not engaging with rewarded ads.
15. European Residents (GDPR)
If you are located in the EEA, UK, or Switzerland, you have the following additional rights under GDPR:
- Right of Access (Article 15): Request a copy of your personal data
- Right to Rectification (Article 16): Correct inaccurate personal data
- Right to Erasure (Article 17): Request deletion of your personal data ("right to be forgotten")
- Right to Restrict Processing (Article 18): Restrict how we process your data in certain circumstances
- Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format (JSON via our in-app export)
- Right to Object (Article 21): Object to processing based on legitimate interest
- Right Regarding Automated Decision-Making (Article 22): Not be subject to decisions based solely on automated processing that produce legal effects. Our AI content suggestions are non-binding recommendations that do not produce legal effects
- Right to Withdraw Consent: Withdraw consent at any time for consent-based processing
- Right to Lodge a Complaint: File a complaint with your local data protection supervisory authority
To exercise these rights, contact privacy@creatr.ai. We will respond within 30 days.
16. EU AI Act Transparency Disclosures
In compliance with the EU AI Act transparency obligations:
- All content generated by Creatr.ai is produced by artificial intelligence (Google Gemini models)
- AI-generated content is clearly labeled within the app as "AI-generated"
- The AI system analyzes visual and textual inputs to produce content suggestions; it does not make autonomous decisions affecting your rights
- The AI models are provided by Google and are not trained on your personal data
- You retain full control over whether to use, modify, or discard any AI-generated content
17. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of material changes by:
- Sending an email to your registered address
- Displaying a prominent notice in the app
- Updating the "Last updated" date at the top of this page
For material changes affecting how we process your data, we will provide at least 30 days' notice before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy. If you do not agree with the changes, you may delete your account before the effective date.
18. Contact Us
If you have questions about this privacy policy, our data practices, or wish to exercise your rights, please contact us:
- Privacy Inquiries: privacy@creatr.ai
- General Support: support@creatr.ai
- Legal: legal@creatr.ai
- Address: Creatr.ai Inc., [TODO - Add Business Address]
For GDPR inquiries, our designated point of contact for data protection matters is reachable at privacy@creatr.ai. We will respond to all verified data subject requests within 30 days.