Privacy Policy
Effective Date: May 10, 2026
Data Controller: CreatorPass OÜ, registration number 17353719, Sepapaja tn 6, Harju County, Tallinn, Lasnamäe District, 15551, Estonia
Contact: legal@creatorpass.io
This Privacy Policy describes how CreatorPass OÜ ("we", "us", "our") collects, uses, and protects your personal information when you use our website and mobile application ("Services"). We are committed to protecting your privacy and ensuring transparency about our data practices.
1. Information We Collect
1.1 Information You Provide When You Create an Account
- Identity: name, email, phone number, password, profile photo (optional), bio, social-media handles you choose to link.
- For Brand accounts: the company name, registered seat, VAT identification number, signatory contact, billing email, and the brand category you operate in. Most of these flow from your Stripe Connect account (see 1.4 below).
- For Creator accounts: the publishing platform(s) you use, audience demographics, reach and engagement data, and analytics screenshots you upload to support that data.
- Content: photos, videos, posts, comments, and other content you upload to the Platform.
- Communications: messages sent through our platform, support tickets, and replies.
1.2 Information We Collect Through Stripe Connect (Paid Campaigns only)
When you participate in Paid Campaigns, our regulated payment service provider Stripe Connect collects the data needed to verify your identity, comply with anti-money-laundering law, and process payments. Specifically:
- For Creators (natural persons): legal name, residential address, country of tax residency, date of birth, identity document type and number, bank account / IBAN.
- For Creators acting as sole traders or entities: legal name, registered seat, business registration number, VAT identification number where applicable, country of tax residency, bank account / IBAN.
- For Brands: legal name, registered seat, VAT identification number, country of incorporation.
Stripe is the processor for this verification, acting under its own privacy policy. CreatorPass receives a verified data set from Stripe but does not receive the underlying identity-document images.
1.3 Information We Collect for Tax Reporting (DAC7) — Paid Campaigns only
Under EU Directive 2021/514 ("DAC7"), we are required as a digital platform operator to collect and report certain tax-related data on Creators who earn through paid campaigns. Specifically:
- Taxpayer Identification Number (TIN) and the EU Member State that issued it
- VAT identification number where applicable
- Date of birth (for natural persons)
- Business registration number (for entities)
- Quarterly aggregate of fees received and number of campaigns completed
See Section 5 below for how this is reported.
1.4 Information We Generate About You Automatically
- Account-management metadata: creation timestamps, last login, sessions, password resets.
- Device and connection data: device type, operating system, browser, unique device identifier, IP address, approximate location based on IP, cookies, log files.
- Usage data: features used, time spent, navigation patterns.
- Audit-trail data for e-signed Campaign Agreements: signatory name and email, signing IP, device/browser, timestamp, authentication method, document hash. Stored under our retention schedule (see Section 6).
- Off-platform-deal detection signals: automated pattern-matching on messages exchanged through the Platform to identify possible attempts to circumvent the Platform (regex match on contact details, behavioural signals like a match-but-no-conversion). Reviewed by our Trust & Safety team — never auto-actioned.
- Audience-authenticity audit results: if a Brand commissions an audit on a Creator's audience, the audit-result file is uploaded to the Platform and accessible to the parties.
2. How We Use Your Information
We process your personal data only for the purposes listed below and only on the lawful bases identified.
| Purpose | What this means | Lawful basis under GDPR Art. 6 |
|---|---|---|
| Service provision | Creating and operating your account; matching Creators with Brands; running campaigns. | Performance of contract — Art. 6(1)(b). |
| Communications about your campaigns | Notifications, status updates, dispute notices. | Performance of contract — Art. 6(1)(b). |
| Self-billed invoicing | Issuing invoices in the Creator's name to the Brand under self-billing mandate (Council Directive 2006/112/EC Art. 224). | Performance of contract + legal obligation — Art. 6(1)(b) and (c). |
| Payment processing | Routing the Brand's funds to the Creator via Stripe Connect; calculating and collecting our Platform Fee. | Performance of contract — Art. 6(1)(b). |
| KYC / anti-money-laundering | Identity verification by Stripe Connect at onboarding for paid campaigns. | Legal obligation — Art. 6(1)(c) (PSD2 + AMLD5). |
| DAC7 tax reporting | Annual reporting to the Estonian Tax and Customs Board, with onward exchange to other Member States, of the data listed in Section 1.3. | Legal obligation — Art. 6(1)(c) (Council Directive (EU) 2021/514). |
| Audit trail for e-signature | Recording how, when, and by whom each Campaign Agreement was signed; storing the audit-trail certificate alongside the agreement. | Performance of contract + legal obligation (commercial-archive requirements) — Art. 6(1)(b) and (c). |
| Document storage | Storing the signed Brand-Creator Campaign Agreement under access control; making it available to the parties on demand. | Performance of contract — Art. 6(1)(b). |
| Trust & safety | Detecting fraud, off-platform-deal circumvention, abuse, harassment; investigating reports; suspending or banning accounts where necessary. | Legitimate interest — Art. 6(1)(f); we have considered your fundamental rights and freedoms and determined that platform safety prevails for these limited purposes. |
| Marketing communications | Sending product updates, newsletters, opportunities. | Consent — Art. 6(1)(a). You may withdraw at any time. |
| Analytics and product improvement | Understanding usage patterns, debugging, A/B testing. | Legitimate interest — Art. 6(1)(f). Aggregated and pseudonymised wherever possible. |
| Legal compliance | Responding to court orders, law-enforcement requests, regulatory inquiries. | Legal obligation — Art. 6(1)(c). |
Where the lawful basis is consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal. To withdraw, contact legal@creatorpass.io or use the in-app toggle where available.
3. Sharing and Disclosure of Your Information
We share your personal data only with the recipients listed below, only for the purposes described, and only to the extent necessary.
| Who | What we share | Why |
|---|---|---|
| The other Party to a campaign (Brand or Creator) | The data appearing in the Campaign Agreement: legal name, address, VAT ID, fees, deliverables, signatory details. | To enable contracting between the parties. |
| Stripe Payments Europe, Ltd. (our payment service provider) | Account-onboarding data (KYC) and transaction data. | Payment processing and AML compliance. Stripe is regulated as a payment institution. |
| Estonian Tax and Customs Board (Maksu- ja Tolliamet) | The DAC7 data set listed in Section 1.3 — once a year, by 31 January, for the previous calendar year. | Compliance with Council Directive (EU) 2021/514 (DAC7). The MTA exchanges this data automatically with the tax authorities of other EU Member States. |
| Other EU Member States' tax authorities | The same DAC7 data set, exchanged automatically by the MTA. | Compliance with DAC7. |
| Sub-processors (hosting, email, analytics, customer support tools) | Limited operational data. | Service operation. We maintain a current sub-processor list available on request to legal@creatorpass.io. |
| Professional advisers (legal, tax, audit) | Specific data on a need-to-know basis under confidentiality. | To obtain advice or to defend / pursue legal claims. |
| Competent authorities | Data required by law or by a valid court order or regulatory request. | Legal obligation. |
What we do NOT do: we do not sell your personal data to third parties for marketing purposes; we do not share your contact details with marketers without your explicit consent; we do not publish or post the signed Campaign Agreement document anywhere outside the parties' authenticated accounts and our internal systems.
4. How We Protect Your Information
We implement appropriate technical and organisational measures to protect your personal information, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256) for all sensitive data including the DAC7 data set and the signed Campaign Agreements.
- Access controls: role-based access to internal admin tooling; principle of least privilege; mandatory two-factor authentication for staff with access to personal data.
- The signed Campaign Agreement document specifically is stored in a private object store (no public CDN; no public URLs); access by users is via short-lived signed URLs (15-minute TTL); access by internal staff is logged in an append-only audit table with mandatory justification.
- Off-platform sharing of agreements is forbidden: there is no "share by link" feature for the signed Agreement; users must download and forward the document themselves if they need to share it with their accountant; we do not embed the document in emails or webhooks.
- Audit logging of all administrative and security-relevant actions.
- Regular security assessments and dependency-vulnerability monitoring.
- Personal-data breach notification: we notify affected users without undue delay, and the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) within 72 hours where the breach is likely to result in a risk to your rights and freedoms (Articles 33–34 GDPR).
No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.
5. How Long We Keep Your Information
Different categories of data are kept for different periods, based on the purpose and applicable legal requirements:
| Category | Retention period | Reason |
|---|---|---|
| Account information for active users | Duration of the account + 12 months after closure | To support reactivation and to handle late disputes. |
| Account information after final closure | Deleted within 12 months of closure unless retention required by law | GDPR data minimisation. |
| Signed Campaign Agreements + audit-trail certificates + self-billed invoices | 10 years from the end of the calendar year of issuance | This is the longest applicable VAT-archive period across the EU Member States we support (Estonia, Czech Republic, Slovakia, Hungary, Romania, Germany — Polish VAT requires 5 years; Austrian BAO requires 7; we apply the maximum). Required by national VAT law and by Article 247 of Council Directive 2006/112/EC. |
| DAC7 reportable data (TIN, addresses, aggregates) | 10 years under DAC7 record-keeping rules | Required by Council Directive (EU) 2021/514. |
| KYC verification data (Stripe-collected) | 5 years from the end of the business relationship | Required by AMLD5 (Directive (EU) 2018/843). |
| E-signature audit trail | Same as the underlying Agreement (10 years) | Evidential value. |
| Billing and accounting records | 7 years (Estonian Accounting Act) | Estonian tax law. |
| Trust & safety records (warnings, suspensions, bans) | 5 years from the action | Recurrence detection. |
| Marketing-consent records | Until consent is withdrawn + 12 months thereafter | To prove the lawfulness of past sends. |
| Server / access logs | 12 months | Security investigation. |
| Cookies | As listed in our cookie banner | Per category. |
When the retention period expires, we securely delete the data or irreversibly anonymise it.
6. Your Rights and Choices
Depending on your location, you may have the following rights regarding your personal information:
- Access: Request access to your personal information
- Correction: Request correction of inaccurate information
- Deletion: Request deletion of your personal information
- Portability: Request a copy of your data in a portable format
- Objection: Object to processing of your information
- Restriction: Request restriction of processing
- Withdrawal: Withdraw consent where processing is based on consent
To exercise these rights, please contact us at legal@creatorpass.io.
6A. Specific rights you have under DAC7
Before we file the annual DAC7 report on you, we will send you a copy of exactly the data we will report. You have the right to:
- request correction of any inaccurate data before submission;
- receive a copy of what was reported about you;
- lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or the data-protection authority of your country of residence.
Note: DAC7 is a legal obligation under Council Directive (EU) 2021/514. We cannot refrain from filing the report, but we can correct it before filing or amend it after filing if errors are identified.
6B. Specific rights regarding your signed Campaign Agreement
You can download your own signed Campaign Agreements at any time from your authenticated account area. The document includes the audit-trail certificate. Even after account closure, you may request a copy by emailing legal@creatorpass.io; we will provide it for as long as we are required to retain it (see Section 5).
7. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience, analyze usage, and personalize content. You can manage your cookie preferences through your browser settings, but some features may not function properly if you disable cookies.
7A. Cookies and Tracking Technologies — Specific Disclosures
Section 7 states that we use cookies; this sub-section provides the specific disclosure required by the Estonian Electronic Communications Act § 1031 and the ePrivacy Directive 2002/58/EC. We classify our cookies into:
- Strictly necessary (session, authentication, security): no consent required.
- Functional (preferences, language): consent required.
- Analytics (aggregated usage): consent required.
- Marketing (advertising attribution, retargeting): consent required and granular opt-in.
The cookie banner allows you to accept all, reject all-but-strictly-necessary, or fine-tune. You may revoke or change your choices at any time via the "Cookie preferences" link in the page footer.
8. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place to protect your information during such transfers, including standard contractual clauses and adequacy decisions.
9. Children's Privacy
Our Services are not intended for children under 18. We do not knowingly collect personal information from children under 18. For paid campaigns, every Creator must additionally warrant that they meet any higher applicable minimum age for the product category being promoted (for example, the legal drinking age in the country of publication for alcohol campaigns). If we become aware that we have collected information from a person under 18, we will promptly delete it and terminate the account.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on our website and updating the "Effective Date" at the top. Your continued use of our Services after such changes constitutes acceptance of the updated Privacy Policy.
11. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at:
CreatorPass OÜ
Registration number 17353719, Sepapaja tn 6, Harju County, Tallinn, Lasnamäe District, 15551, Estonia
Email: legal@creatorpass.io