Last updated: February 8, 2026
Privacy Policy
This Privacy Policy explains how Creators' Toolkit collects, uses, stores, and protects your personal data. It applies to all users worldwide.
1. Data Controller
Creators' Toolkit ("we", "us", "our") is the data controller responsible for your personal data. For questions or requests regarding your data, contact our privacy team at hello@creators-toolkit.com.
2. Data We Collect
2.1 Data You Provide
- Account information: Email address and password (stored hashed. We never see your plain-text password)
- Payment information: Processed and stored by Stripe. We do not store credit card numbers, CVVs, or full payment details on our servers. We only store your Stripe customer ID.
- Content: Prompts you create, images you generate, projects you organize
- Support requests: Messages and information you submit when contacting support
2.2 Data Collected Automatically
- Usage data: Credit balance, transaction history, subscription tier, generation history
- Technical data: IP address (for rate limiting and security), user agent (stored only in audit logs)
- Analytics: Anonymized page views on our marketing site via Google Analytics (only with your explicit consent via our cookie banner)
2.3 Data We Do NOT Collect
- We do not use advertising cookies or tracking pixels
- We do not collect social media profiles, behavioral data, or biometric data
- We do not sell, rent, or share your personal data with advertisers or data brokers
- We do not collect precise geolocation data
3. How We Use Your Data
| Purpose | Categories of Data | Legal Basis (GDPR) |
|---|---|---|
| Provide and operate the Service | Account info, content, usage data | Contract performance |
| Process payments and manage subscriptions | Email, Stripe customer ID | Contract performance |
| Send transactional emails (receipts, subscription changes) | Email address | Contract performance |
| Rate limiting and abuse prevention | IP address, user ID | Legitimate interest |
| Error monitoring and debugging | Sanitized technical data (no PII) | Legitimate interest |
| Website analytics (marketing site only) | Anonymized page views | Consent |
4. Third-Party Service Providers
We use the following service providers to operate the Platform. Each processes data only as necessary to provide their service. We do not sell data to any third party.
| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database, authentication, file storage | Account data, content, images | United States |
| Stripe | Payment processing | Email, payment method, purchase history | United States |
| Google (Gemini AI) | AI image generation | Prompts and reference images (temporarily, during generation only) | United States |
| Vercel | Website hosting | Standard web server logs | United States / Global CDN |
| Inngest | Background job processing | User IDs, job metadata | United States |
| Resend | Transactional email delivery | Email address, email content | United States |
| Sentry | Error monitoring | Error logs, sanitized user IDs (no PII) | United States |
| Upstash | Rate limiting | User IDs, IP addresses (temporary, auto-expiring) | United States |
| Google Analytics | Marketing site analytics | Anonymized page views (only with consent) | United States |
We do not use your prompts or generated images to train AI models. Google Gemini processes your prompts solely to generate images and does not retain them for model training.
5. Data Retention
- Account data: Retained until you delete your account
- Generated images: Stored until you delete them or delete your account
- Payment records: Retained for 7 years after the transaction for tax and legal compliance (anonymized after account deletion)
- Rate limiting data: Auto-expires within minutes (TTL-based)
- Error logs: Retained for 90 days
- Audit logs: Retained for 7 years (legal compliance)
6. Your Rights
Regardless of where you live, we provide the following rights to all users:
- Access: Request a copy of all personal data we hold about you
- Portability: Export your data in a machine-readable format (available in Account Settings)
- Rectification: Correct inaccurate personal data
- Erasure: Delete your account and all associated data (available in Account Settings)
- Restrict processing: Request we limit how we use your data
- Object: Object to processing based on legitimate interest
- Withdraw consent: Withdraw consent for optional processing (e.g., analytics cookies) at any time
- Non-discrimination: We will not deny service, charge different prices, or provide a different quality of service because you exercised your privacy rights
To exercise any of these rights, use the self-service options in your Account Settings or email hello@creators-toolkit.com. We will respond within 30 days (or within the timeframe required by your local law, if shorter).
7. Account Deletion
When you delete your account, we immediately and permanently remove:
- Your authentication credentials and profile
- All generated images from our storage
- All prompts, projects, and saved content
- Credit balance and transaction history
- Support requests
We retain the following for legal compliance:
- Stripe records: Anonymized (email replaced, name removed) but transaction history preserved for tax obligations (7 years)
- Deletion audit log: Minimal record proving we fulfilled the deletion request
8. Data Security
We protect your data with:
- Encryption in transit (TLS/HTTPS) and at rest
- Row Level Security (RLS) ensuring you can only access your own data
- Authentication required on all API endpoints
- Rate limiting to prevent abuse
- PII masking in error logs (emails hashed, no raw personal data in logs)
- Input validation and sanitization on all user inputs
While we implement strong security measures, no system is 100% secure. We cannot guarantee absolute security and are not liable for breaches beyond our reasonable control.
9. International Data Transfers
Your data is processed primarily in the United States, where most of our service providers operate. If you are located outside the United States, your data will be transferred to and processed in the United States and potentially other countries where our service providers maintain infrastructure.
We ensure appropriate safeguards for international transfers, including:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- Reliance on service providers' compliance with applicable data protection frameworks
- Contractual obligations requiring service providers to protect your data
10. Cookies & Consent
We use minimal cookies. When you first visit our site, you will see a cookie consent banner that lets you choose which optional cookies to accept. Your choice is saved and respected across visits.
- Essential cookies: Authentication and session management (always active, required for the Service to function)
- Preference cookies: Theme preference, dark/light mode (always active)
- Analytics cookies: Google Analytics on our marketing site (only with your explicit consent)
You can change your cookie preferences at any time via the cookie settings in our site footer, or by adjusting your browser settings. For full details, see our Cookie Policy.
We honor Global Privacy Control (GPC) signals and other recognized opt-out preference signals sent by your browser. If we detect a GPC signal, we treat it as a valid opt-out of optional data collection.
11. Children's Privacy
The Service is not intended for users under 18. We do not knowingly collect data from minors. If we learn we have collected data from a user under 18, we will promptly delete it. If you believe a minor has provided us with personal data, contact us at hello@creators-toolkit.com.
12. "Do Not Sell or Share" Disclosure
We do not sell your personal information. We do not share your personal information with third parties for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months.
For California residents: Under the CCPA/CPRA, "sale" includes sharing data for monetary or other valuable consideration. We do not engage in any such activity. You have the right to opt out of the sale or sharing of personal information. However, since we don't sell or share, no action is needed on your part.
13. Region-Specific Privacy Rights
13.1 European Economic Area & United Kingdom (GDPR / UK GDPR)
If you are located in the EEA or UK, you have the rights described in Section 6 above, plus:
- The right to lodge a complaint with your local data protection authority. Our primary supervisory authority is the State Data Protection Inspectorate (SDPI) of Lithuania (vdai.lrv.lt). Other examples: ICO in the UK, CNIL in France, BfDI in Germany
- Data processing is based on the legal bases described in Section 3
- International transfers are protected by Standard Contractual Clauses
13.2 California (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act:
- Right to know: What categories of personal information we collect, use, disclose, and sell
- Right to delete: Request deletion of your personal information
- Right to correct: Request correction of inaccurate personal information
- Right to opt-out: Opt out of the sale or sharing of personal information (we do not sell or share, see Section 12)
- Right to limit use of sensitive data: We do not collect sensitive personal information as defined by CCPA
- No discrimination: We will not discriminate against you for exercising your rights
Categories of data collected in the past 12 months: Identifiers (email), commercial information (purchase history), internet activity (usage logs), and content you provide (prompts, images). See Section 2 for full details.
13.3 Brazil (LGPD)
If you are located in Brazil, you have rights under the Lei Geral de Proteção de Dados, including:
- Confirmation of the existence of processing
- Access to your data
- Correction of incomplete, inaccurate, or outdated data
- Anonymization, blocking, or deletion of unnecessary data
- Data portability
- Information about third parties with whom data is shared
- Revocation of consent
13.4 Canada (PIPEDA)
If you are located in Canada, you have rights under the Personal Information Protection and Electronic Documents Act, including:
- Right to access your personal information
- Right to correct inaccurate data
- Right to withdraw consent for non-essential data processing
- Right to file a complaint with the Office of the Privacy Commissioner of Canada
13.5 Other US States (Virginia, Colorado, Connecticut, Texas, and others)
If you reside in a US state with applicable privacy legislation, you generally have the right to access, correct, delete, and port your personal data, and to opt out of targeted advertising, profiling, and the sale of personal data. We do not engage in targeted advertising, profiling for automated decisions, or data sales. Contact us to exercise any rights specific to your state.
13.6 Australia, Japan, South Korea, and Other Jurisdictions
We respect privacy rights under all applicable laws. If your jurisdiction provides additional privacy rights not specifically listed above, contact us and we will accommodate your request in accordance with applicable law.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent revision.
15. Contact
For privacy-related questions, requests, or complaints:
- Email: hello@creators-toolkit.com
- Website: creators-toolkit.com
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority.