Privacy Policy

Effective date: 2026-04-17

This Privacy Policy explains what data CreatyMoat collects, how we use it, and your rights regarding that data. CreatyMoat is designed with privacy and security as first-class concerns.

1. What We Collect

Account data

  • Email address, full name
  • Business name, niche, country, city, language
  • Contact email and WhatsApp (optional)
  • Payment method data — handled entirely by Stripe; we never store card details

Social media data (via official OAuth)

  • Access tokens for Instagram / TikTok, encrypted at rest
  • Page/profile IDs, follower counts, engagement metrics
  • Public posts, captions, and comments from your accounts
  • DMs received on your connected accounts (to enable auto-replies)

Extracted brand context

  • Services, locations, taglines extracted from your public posts and website
  • Names of people mentioned in your captions (for content continuity)
  • URLs of your own images (never downloaded, never analyzed with face recognition)

We do not perform facial recognition or gather biometric data. Image categorization is based solely on caption text, not pixel content.

2. How We Use Your Data

  • Deliver the Service: generate, schedule, and publish content
  • AI training: we do not train third-party AI models on your data. Claude (Anthropic) is our LLM; per their API terms, your prompts are not used to train their models.
  • Improve our system: aggregated, anonymized usage data helps us improve agent quality
  • Communication: transactional emails (welcome, approval-ready, escalations, receipts) and product updates
  • Security & fraud: detect abuse, rate-limit, investigate incidents

3. Who We Share Data With

Sub-processors we rely on:

  • Supabase — database hosting (EU/US regions)
  • Anthropic (Claude) — LLM for content generation
  • Apify — public social media scraping for brand context
  • Stripe — payment processing
  • Resend — transactional email delivery
  • Meta / TikTok — official APIs for posting and DM handling
  • Sentry — error monitoring (optional)

We do not sell your data. We do not share it with advertisers. We only share when required by law or with your explicit consent.

4. Data Retention

  • Account data retained while your subscription is active.
  • After cancellation: up to 90 days for backups, then permanently deleted.
  • Published posts remain on your social accounts under your control.
  • You can request immediate deletion by emailing privacy@creatymoat.com.

5. Your Rights

Depending on your jurisdiction (US, EU, UK, Canada, Australia, UAE, KSA, and others) you have the right to:

  • Access data we hold about you
  • Correct inaccurate data
  • Delete your account and data
  • Export your data in a portable format
  • Withdraw consent to optional data uses
  • Object to automated decision-making

Email privacy@creatymoat.com for any of these requests. We aim to respond within 30 days.

6. Security

  • TLS encryption for all data in transit
  • Access tokens encrypted at rest (AES-256-CBC)
  • Row-Level Security (RLS) on our Postgres database
  • Service-role keys rotated regularly; least-privilege access
  • No credit card data stored on our servers (Stripe-only)

7. International Transfers

Our sub-processors operate servers in the US and EU. Transfers are covered by appropriate legal mechanisms (SCCs for the EU, DPAs globally). If you are in the EU/UK, you can request our sub-processor list.

8. Children

The Service is not intended for users under 18. We do not knowingly collect data from minors.

9. Cookies

We use a minimal cookie set: authentication (Supabase session), language preference, and CSRF protection during OAuth flows. No advertising cookies, no third-party tracking pixels.

10. Changes

We may update this Policy from time to time. We will notify you of material changes by email at least 14 days before they take effect.

11. Contact

Privacy questions: privacy@creatymoat.com

This Policy is a template and should be reviewed by legal counsel before production use.