To address specific regional requirements and rights, please refer to the following supplements that form part of this Privacy Policy. In case of any conflict between the main Policy and the Regional Supplement, the supplement for your region will prevail for matters specific to that region.
1. EEA/UK Privacy Supplement (GDPR Compliance)
This supplement provides additional information required by the GDPR and local laws in European countries, including the United Kingdom.
Controller Contact: Creatopy Inc. is the data controller for Personal Data processed under this Policy reachable at privacy@creatopy.com.
Legal Bases & Detailed Purposes: We have outlined in Section 2 our legal bases under GDPR. You can find more details there. We will not process your data in new ways incompatible with those purposes without informing you and, if required, obtaining your consent.
Individual Rights under GDPR: In addition to the rights described in Section 5:
(a) You have the right to object to processing of your Personal Data where we are relying on legitimate interests (including profiling). If you object, we will stop processing unless we have compelling legitimate grounds or need to continue for legal claims.
(b) You have the right to object to direct marketing at any time. We will honor this (and as noted, we only send marketing with consent in the first place).
(c) You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you (Section 9 describes that we currently do not engage in such processing).
(d) We will inform you if we intend to further process your Personal Data for a purpose other than that for which it was collected, and provide any relevant further information.
Data Transfers: As noted in Section 10, we use Standard Contractual Clauses or other safeguards for transfers outside the EEA. You can request a copy of the SCCs via our contact email.
Right to lodge a Complaint: If you believe our processing of your Personal Data infringes GDPR, you have the right to lodge a complaint with an EU Data Protection Authority. For example, in Romania we fall under the jurisdiction of the ANSPDCP (Romanian DPA), and elsewhere, you can contact the authority in your country. Our lead supervisory authority (if applicable) will be indicated here. Our lead supervisory authority is the Romanian Data Protection Authority (ANSPDCP), as our main EU office is based in Romania.
Representative: Creatopy SRL Trade Center Building, 28E Nufarului St, Oradea, Bihor County, RO 410583
EEA Data Subject Requests: We may ask for additional information to confirm your identity when you exercise your GDPR rights, and we will respond within one month unless the request is complex (in which case we can extend by two further months with notice).
User Experience & Support Interactions. To improve our services, we may process limited interaction data as follows:
(i) Analytics: With your consent, we use user experience analytics tools (e.g., heatmaps, session replays) to understand general navigation patterns. These tools are configured to mask or exclude personal data and do not support live monitoring. (ii) Live Chat: Chat conversations may be monitored or stored for support and quality assurance purposes. Processing is based on our legitimate interest or your consent, where required. (iii)Calls & Screen Sharing: Support sessions via video or screen sharing may be recorded only with your explicit consent. Participation is optional.
All data is handled securely, accessed only by authorized staff, and retained for limited periods. EU/EEA users have rights under GDPR, including access, rectification, and objection.
2. United States Privacy Supplement (State Laws)
This supplement addresses rights and disclosures under key U.S. state privacy laws (California, Virginia, Colorado, Connecticut, Utah, and others as they come into effect in 2025):
Categories of Personal Information (California Notice): In the past 12 months, we have collected the following categories of personal information (as defined by the CCPA/CPRA):
(a) Identifiers (real name, postal address, email, phone number, IP address, account name).
(b) Customer Records (payment information, billing address).
(c) Commercial Information (purchase history with us, subscription details).
(d) Internet or Network Activity (browsing history on our site, interactions with our app).
(e) Geolocation Data (approximate location from IP or device, if enabled).
(f) Professional or Employment Information (if you provide a business title or company).
(g) Inferences (profiled preferences for ads or product interests – used internally). We do not collect sensitive personal information as defined in CPRA except possibly account passwords or precise geolocation in app usage, and we do not use or disclose sensitive data for purposes other than those allowed by law (e.g., security, authentication).
Purposes and Sources: We collect these categories of information from the sources and for the purposes described in Sections 1 and 2 of the main Policy. (e.g., directly from users, through cookies, through service providers).
Improving Support While Respecting Your Privacy
To make your experience even better, some interactions may be monitored or saved to help us improve service quality:
(i) We may use User Experience Analytics technologies to better understand how visitors engage with our website. These tools help us identify usability issues and improve site functionality by analyzing general interaction patterns such as page navigation, clicks, and scrolling behavior. These technologies are configured to exclude or mask fields that may contain personal or sensitive information. They do not support live monitoring, and are only activated where legally required after you have given your consent. (ii) Chat Support: Conversations through live chat may be monitored and saved for quality assurance and to help us assist you more effectively. By using our chat features, you acknowledge and accept this practice. (iii) Calls & Screen Sharing: During support or onboarding sessions conducted via video call or screen sharing (e.g., Zoom), we may occasionally ask for permission to record the session. Your participation in any recording is entirely optional—we will always request your explicit consent in advance, and you are free to decline or leave the session at any time.
All recordings and session data are handled with care, stored securely, and accessed only by authorized team members when necessary and for limited durations.
Selling or Sharing: We do not sell personal information for money. We may “share” personal information (as defined by CPRA) with third parties for targeted advertising. Specifically, we may share Identifiers and Internet Activity (through cookies or pixels) with advertising networks to better reach you with relevant ads (if you have not opted out). Under Virginia/Colorado laws, this is considered processing for targeted advertising, which you have the right to opt out of (Section 5.6).
In the last 12 months, we have shared the following categories for cross-context behavioral advertising: Identifiers (online identifiers like cookie IDs) and Internet/Network Activity, with advertising partners like Google or Facebook. We have not knowingly sold or shared the personal information of minors under 16.
Consumer Rights (Multi-State): You have the rights as outlined in Section 5: to access, delete, correct, opt-out of sale/sharing/targeted advertising, and not be discriminated against for exercising these rights. California users also have the right to request information about financial incentives if we offer any (we currently do not offer programs that provide different prices or services in exchange for personal information beyond standard loyalty/referral programs; if we do, we will provide required notice and obtain opt-in consent).
Exercising Your Rights: California residents can use the methods in Section 5. We will confirm receipt of requests within 10 days and respond within 45 days (with extensions if necessary). For deletion requests, note that certain data may be retained as permitted by law (e.g., to complete transactions or for legal compliance). For opt-out requests, we will comply as soon as feasibly possible, and at most within 15 business days for California.
Appeals (VA/CO/CT): If we decline your request, our response will include instructions for how to appeal our decision within those states’ required timeline (usually within 45 days of our decision). If the appeal is denied, you may contact your state Attorney General.
Authorized Agent (CA): As noted, agents can submit requests on behalf of a consumer, but we will need proof of authorization and may require the consumer to verify identity directly.
Notice of Collection: This Policy serves as our notice at collection under CCPA. We have provided the categories, purposes, and whether we sell/share data.
Employee and B2B Data (CA): If you are a California-based employee, job applicant, contractor, or business contact, we may collect and use your personal information in accordance with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). To understand your rights or request the applicable privacy notice, please contact us at privacy@creatopy.com.
Shine the Light (CA Civil Code §1798.83): We do not share personal information with third parties for their direct marketing purposes without consent.
California Minors (Online Content Removal): If you are a California resident under 18 and have an account, you can request removal of content you publicly posted on our Services by contacting us. We will then anonymize or remove content as required by CA law (note: this doesn’t ensure complete removal, especially if reposted by others).
Other State Laws: We also comply with other states like Nevada (where you can opt out of sale under NRS 603A by emailing us, though we do not sell info) and the new laws in states listed in the introduction that come into effect. We are monitoring emerging laws to ensure this Policy remains compliant.
For more information about our privacy practices or your rights, please contact us as provided above.
3. Brazil Privacy Supplement (LGPD Compliance)
In compliance with Brazil’s Lei Geral de Proteção de Dados (LGPD), this supplement outlines rights and information for users in Brazil:
Controller Information: For Brazilian users, Creatopy Inc. is the controller of your personal data. We may also have a local representative or affiliate in Brazil; if so, contact details will be provided here. Our primary contact for LGPD matters is privacy@creatopy.com.
Legal Bases under LGPD: LGPD provides several legal bases similar to GDPR (consent, contract, legal obligation, legitimate interest, etc.). The purposes and corresponding legal bases for processing your data are as described in Section 2. For instance:
(a) We rely on consent (Art. 7(I)) for sending marketing communications or using certain cookies (when required).
(b) We rely on contractual necessity (Art. 7(V)) to provide the Services you signed up for.
(c) We rely on legitimate interest (Art. 7(IX)) for improving our Services, preventing fraud, etc., but we ensure these do not override your fundamental rights.
(d) We may process data for legal obligations (Art. 7(II)) such as complying with tax law, and in certain cases for judicial procedures (Art. 7(VI)) if needed.
(e) If applicable, we might process data for the protection of credit (Art. 7(X)) though unlikely in our context.
(f) Vital interests and health bases likely do not apply to our normal operations, except in emergencies.
Your Rights under LGPD: Brazilian data subjects have the following rights (per Art. 18 of LGPD):
(a) Confirmation and Access: Right to confirmation of the existence of processing and access to your data.
(b) Correction: Right to request correction of incomplete, inaccurate, or out-of-date data.
(c) Anonymization, Blocking, Elimination: Right to request anonymization, blocking, or deletion of unnecessary or excessive data or data processed in non-compliance with LGPD.
(d) Portability: Right to data portability to another service or product provider, by means of an express request, in accordance with ANPD regulations (subject to commercial and industrial secrecy).
(e)Deletion of Consent-Based Data: Right to deletion of personal data processed with your consent, except where retention is required by law.
(f) Info on Sharing: Right to information about public and private entities with which we have shared data.
(g) Info on Consent Option: Right to information about the possibility of denying consent and the consequences of such denial. (We provide this whenever we ask for consent — e.g., if you don’t consent to marketing emails, you simply won’t receive them, with no impact on core services).
(h) Withdrawal of Consent: Right to revoke consent at any time. Once consent is withdrawn, we will cease processing the data for that purpose.
(i) Review of Automated Decisions: If we did any automated decision-making (which we currently do not, in terms of legal effects), you’d have the right to request a review of decisions that affect your interests.
You may exercise these rights by contacting us at privacy@creatopy.com. We will respond in accordance with LGPD and ANPD regulations, usually within 15 days of a verified request.
Data Transfers: As described in Section 10, when transferring data outside Brazil, we use mechanisms like Standard Contractual Clauses or other ANPD-approved methods. By using our services, you understand that your data may be transferred internationally. We ensure that the receiving country or entity provides an adequate level of protection as required by LGPD (Art. 33 and 34).
Enforcement and Contact: If you believe we have violated LGPD, you may file a complaint with Brazil’s National Data Protection Authority (ANPD). We encourage you to contact us first so we can address your concern.
Children’s Data (Brazil): We do not process personal data of children under 12 without specific parental consent (per LGPD’s definition and requirements for children’s data). As noted in Section 8, our services are not intended for those under 18 generally, which covers compliance in Brazil for minors.
User Experience Analytics
We may use User Experience Analytics technologies to better understand how users interact with our website. These tools help us improve site usability by analyzing general interaction data, such as page navigation and clicks. The technologies are configured to mask or exclude fields that may contain personal or sensitive data. In compliance with the Lei Geral de Proteção de Dados (LGPD), these tools are only activated with your consent, and are never used for live monitoring.
Data Protection Officer (Encarregado): Under LGPD, we have designated a person (or team) as our Encarregado (DPO). You can reach them at dpo@creatopy.com for any LGPD-related inquiries.
4. India Privacy Supplement (DPDP Act Compliance)
This supplement outlines how we comply with India’s Digital Personal Data Protection Act, 2023 (DPDP Act) for users in India:
Data Fiduciary: Creatopy Inc. acts as a “Data Fiduciary” for the personal data we process under this Policy, meaning we determine the purpose and means of processing your personal data.
Consent and Notice: The DPDP Act emphasizes consent and notice:
(a) We will provide a clear and easily understandable notice, such as this Privacy Policy, at or before the time we collect your personal data. This notice will specify: (i) What categories of personal data are being collected (e.g., name, contact information, online identifiers, usage data). (ii) Why we are collecting it – including purposes like service provision, user account management, personalization, security, legal compliance, and marketing (if applicable).
(b) The notice will be provided in: English, and Any of the Scheduled Languages of India (as listed in the Eighth Schedule of the Constitution), if reasonably necessary for better understanding by the Data Principal (e.g., where our services target users who primarily communicate in Hindi, Tamil, Bengali, etc.).
(c) We will only process your data for lawful purposes and in ways you would reasonably expect, consistent with the notice given.
(d) Consent: We will seek your consent before processing your personal data, unless another legal basis under DPDP Act applies (such as for performance of a contract, or compliance with law, etc., once such bases are clarified by the government). Consent will be: (i) Free, specific, informed, and unambiguous, signified by a clear affirmative action (similar to GDPR’s standard); (ii) We will inform you of how to withdraw consent as easily as it was given (e.g., by contacting privacy@creatopy.com); (iii) If we introduce a consent manager (an intermediary) as per DPDP, we will comply with its framework.
Data Principal Rights: Under the DPDP Act, Indian users (Data Principals) have rights such as:
(a) Right to Access: You can confirm if we are processing your data and request a summary of the data we have about you.
(b) Right to Correction and Erasure: You can request correction of inaccurate or misleading data, completion of incomplete data, and erasure of data that is no longer necessary for the purpose. If we correct or delete data that was shared with a third party, we will notify them if required.
(c) Right of Grievance Redressal: You can lodge a complaint at privacy@creatopy.com regarding data processing.
(d) Right to Nominate (Posthumous Rights): You may have the right to nominate another individual to exercise your rights in the event of your death or incapacity (once the law provides the mechanism for this).
(e) Withdrawal of Consent: As mentioned, you can withdraw consent at any time; after withdrawal, we will stop processing your data for the purposes for which consent was obtained.
We will respond to your requests within the timeframe specified by the DPDP Act or its rules (to be prescribed, currently expected to be within a reasonable time).
Grievance Redressal:
Grievance Officer: In accordance with Sec 14 of the DPDP Act, you can lodge a complaint at privacy@creatopy.com. Please include “Grievance – India DPDP” in the subject line for clarity. We will acknowledge receipt of your grievance within 24 hours and endeavor to resolve it within 15 days or as prescribed. If you are not satisfied with our response, you may approach India’s Data Protection Board (once established) for further redressal, as per the rules that will be notified.
Data Transfers: The Indian government will notify regions where data can be transferred. Until those are specified, we ensure a high standard of data protection for international transfers from India, similar to GDPR mechanisms (SCCs etc.), as explained in Section 10. We will update our practices to align with any specific whitelisting/blacklisting of countries or transfer conditions under DPDP rules.
Data Security and Breach Notification: We implement security safeguards per Section 7 of this Policy. In case of a personal data breach likely to cause harm to Data Principals, we will notify the Data Protection Board of India and possibly affected individuals as required by the DPDP Act (once notification obligations are clarified).
Children and Persons with Disabilities: The DPDP Act requires parental consent for processing data of children (under 18 in India), and places restrictions on tracking or targeted advertising directed at children. As noted, our Services are not intended for users under 18 globally, and definitely not for those under 18 in India without parental consent. We do not profile or track children specifically. For users with disabilities who may require guardians, we will work with verifiable guardianship consents in processing data, as needed.
Fair and Reasonable Processing: Even where specific rights or bases differ, we commit to processing personal data in a fair and reasonable manner that respects your privacy, as required by the DPDP Act.
By continuing to use Creatopy’s Services, you acknowledge that you have read and understood this Policy. If you disagree with any part of this Policy, please discontinue use of our Services or contact us to address your concerns.
Creatopy is dedicated to complying with evolving privacy laws and ensuring that your personal data is handled with care and respect across the globe. If you have any questions or need clarifications, reach out to us – we’re here to help.
