PRIVACY POLICY
1. Who We Are and Scope
CreatorHero LLC (“CreatorHero,” “we,” “us,” or “our”) is the controller of Personal Data processed in connection with the website at https://www.creatorhero.com/ (including subdomains), our browser extension, desktop and mobile applications, and documentation (together, the “Services”), except where we process certain data you submit to the Services on your behalf as a processor/service provider, as described below.
The Services are intended for adults (18+ or the age of majority where you live, if higher) and are not directed to children. See the “Children” section (later in this Policy) for more information.
This Privacy Policy explains what Personal Data we collect, from whom, why we use it, with whom we share it, how long we keep it, and your privacy rights.
This Policy should be read together with our Terms and Conditions and Cookie Policy. Capitalized terms not defined here have the meanings given in the Terms and Conditions. In this Policy, “User Content” refers to content and related data you upload, submit, or otherwise make available through the Services, and “Services Data” refers to account- and service-related data stored or processed within the Services.
CONTACT INFORMATION
If you have any questions or concerns regarding this Policy or our data processing practices, please contact us at the address below or by email:
Owner and Data Controller:
CreatorHero LLC
7345 W Sand Lake Rd, Ste 210 Office 4621,
Orlando, FL 32819, USA
Email: contact@creatorhero.com
2. Personal Data We Collect and Sources
We collect Personal Data that you provide directly, that is collected automatically when you use the Services (through Trackers such as cookies, pixels, and SDKs, as defined in the Cookie Policy), and that we receive from service providers we rely on to operate core features (for example, payments, analytics, and support).
A. Data you provide to us
Account and Profile Data: name, email address, username, role or agency affiliation (if applicable), account settings and preferences.
Support and Contact Data: messages you send via email, forms, or chat (including attachments), issue descriptions, and related correspondence.
Content You Process via the Services (“User Content”): files, text, images, audio or video, links, and related metadata that you submit or transmit when using the Services (handled as set out in the Terms and Conditions).
Billing and Administrative Data (if applicable): plan selections, country, tax or VAT information, and invoice history.
Commercial Communications Preferences: opt-in or opt-out status for newsletters and promotions; unsubscribe choices; consent records where required.
Identity and age-verification data (only if needed): where needed to confirm eligibility or prevent fraud, we may request ID details or images and limited data (e.g., date of birth). We keep only the minimum necessary to perform the check and record the result. Any images collected are deleted promptly after verification, except where required by law or to establish, exercise, or defend legal claims, as described in the Retention section.
B. Data collected automatically when you use the Services
Usage Data: actions and events in the product (for example, log-ins, feature interactions, clicks, page views, timestamps), referral URLs, session duration, crash or error logs.
Device and Network Data: IP address, approximate location derived from IP, device identifiers, operating system, browser type and version, screen resolution, language, and time zone.
Trackers (cookies, pixels, SDK/mobile identifiers): consent choices, analytics/session identifiers, and similar information used for essential functionality and metrics. Details, purposes, and retention for each category are described in the Cookie Policy.
C. Data we receive from third parties to operate core features
Payments: tokenized payment details, transaction confirmations or declines, chargeback information, fraud-prevention signals (from our payment processor).
Support and Communications Tools: ticket metadata and delivery status (from our support or chat vendors).
Analytics and Performance: aggregated or pseudonymized metrics (from analytics or CDN vendors).
D. Data we do not seek to collect
Sensitive Personal Data (for example, health or biometric data) is not required to use the Services. This includes information entered into free-text fields, unless strictly necessary. Please do not include Sensitive Personal Data in support tickets or uploads. If you choose to provide it, we will process it only for the specific purpose you requested, and as permitted by law.
Children’s Data: we do not knowingly collect Personal Data from individuals under 18.
CreatorHero is the controller (and a “business” under certain U.S. state privacy laws) for Personal Data we process to operate the Services, such as account administration, billing, support, security, and service analytics. For User Content processed through the Services on your behalf, CreatorHero may act as a processor/service provider, as described in the Terms and Conditions and any applicable Data Processing Addendum (“DPA”). The DPA applies only to that processor-side processing of User Content; for other processing we control, this Privacy Policy applies.
3. Purposes and Legal Bases
We only process Personal Data for specific, explicit purposes. For each purpose below, we state the legal basis we rely on under GDPR.
Service delivery and account administration. Operating the Services, creating and managing accounts, authenticating log-ins, hosting and technically processing User Content (including necessary derivatives such as thumbnails or transcodes), remembering preferences, and providing dashboards.
Legal basis: performance of a contract and, where contract does not strictly apply (e.g., trials or previews), legitimate interests in running and improving the Services.
Billing, payments, and collections. Processing payments and refunds, issuing invoices, handling chargebacks, and meeting tax and accounting duties.
Legal basis: performance of a contract and legal obligations (tax/accounting), plus legitimate interests in fraud prevention and collections.
Support and service communications. Responding to tickets and emails, and sending in-product or email notices about incidents, updates, and changes to terms.
Legal basis: performance of a contract and legitimate interests in maintaining service continuity.
Technical troubleshooting with limited account access. Only where strictly necessary to diagnose issues that cannot be resolved otherwise, as described in the Terms. Access is temporary and logged.
Legal basis: legitimate interests in ensuring reliability and security, and performance of a contract.
Security, fraud prevention, and enforcement. Protecting accounts and Content; detecting spam, abuse, and attacks; enforcing Acceptable Use.
Legal basis: legitimate interests in safeguarding the Services and Users, and legal obligations where applicable.
Analytics and service improvement. Measuring usage, diagnosing performance, planning capacity, and improving features.
Legal basis: legitimate interests in understanding and improving the Services.
We do not use analytics to make decisions that produce legal or similarly significant effects about you.
EEA/UK: consent for non-essential cookies/SDKs (managed via the consent banner).
Commercial communications (marketing). Sending newsletters, product updates, offers, and event invitations; managing preferences and unsubscribe choices.
Legal basis: legitimate interests where permitted by law (for example, B2B and existing-customer communications) and consent where required.
You can opt out at any time via the link in our emails or by contacting us.
EEA/UK: consent.
Integrations. Connecting to third-party services and exchanging data as configured by you.
Legal basis: performance of a contract (providing the integration you request) and legitimate interests in interoperability.
Compliance and legal duties. Keeping required records; responding to lawful requests; complying with sanctions/export rules; establishing, exercising, or defending legal claims; enforcing our Terms.
Legal basis: legal obligations and, where appropriate, legitimate interests.
Identity and age verification (only if needed). Confirming eligibility or preventing fraud when strictly necessary. We keep only the minimum required by law and for this purpose.
Legal basis: legitimate interests (platform integrity and fraud prevention) and legal obligations where applicable.
Automated decision-making and profiling. We do not use automated decision-making that produces legal or similarly significant effects about you. We may use light personalization to enhance your experience.
Legal basis: legitimate interests or consent where required.
4. Data Retention
We retain Personal Data only for as long as necessary for the purposes described in this Policy, and then delete it or irreversibly anonymize it. Where a legal obligation (for example, tax, accounting, or fraud prevention) or a litigation hold requires a longer period, we retain only the minimum necessary, restrict access, and apply appropriate safeguards.
In setting retention periods, we consider: (i) the type and sensitivity of the data; (ii) the purpose for which it was collected; (iii) how long it is needed to provide, maintain, and secure the Services; (iv) applicable statutory limitation periods; and (v) legal, tax, and regulatory requirements in relevant jurisdictions.
Certain Services Data may be deleted after periods of account inactivity as described in our Terms and Conditions. In general, a Creator Account may be considered inactive if it does not have an active, assigned License, and an Agency Account may be considered inactive if it does not have at least one active License associated with it. Subject to the exceptions below, Services Data associated with an inactive Creator Account may be deleted after three (3) months, and Services Data associated with an inactive Agency Account may be deleted after six (6) months, in each case measured from the date the applicable License became inactive. Where feasible, we provide advance notice prior to deletion and, upon request made before the applicable deletion deadline, we will provide an export of certain Services Data, subject to technical feasibility and applicable law. If an export is requested or provided but the applicable License is not reactivated, the deletion timeline remains unchanged and the Services Data will be deleted in accordance with the timelines above, subject to the exceptions below.
Notwithstanding the foregoing, we may retain certain information as required to comply with legal obligations (including tax and accounting requirements), to maintain security and prevent fraud, and to establish, exercise, or defend legal claims. If a legal hold applies when litigation, a claim, or an investigation is reasonably anticipated or pending, we will retain the relevant information for as long as required. In addition, to facilitate account reactivation or re-onboarding, we may retain certain account-related data and configurations for a limited period in a restricted-access archival state. Archived data is not available for active use in the Services and is protected by additional safeguards (for example, strict access controls and, where appropriate, encryption).
When we delete Personal Data or Content from our active systems, it is not available for restoration through the Services. However, copies may remain in encrypted backups for a limited period and will be overwritten in accordance with our backup retention schedule, unless retention is required for a legal obligation or legal hold, in which case access remains restricted and the data is not used for any other purpose.
Retention periods generally applicable to the Services are as follows:
Account and profile data (name, email, role, preferences): while the account is active and up to 24 months after closure, then deleted or anonymized. Certain Services Data may be deleted earlier in accordance with the inactivity and deletion approach above.
User Content stored in the Services: until you delete it or the account ends. After termination, we remove User Content from active systems within a commercially reasonable period, subject to the backup and archival practices described above.
Billing, invoices, and tax records: at least 7 years (or longer if local law requires it).
Support tickets and correspondence: up to 3 years after the ticket closes (and longer where needed to establish, exercise, or defend legal claims).
Security and audit logs: 12–24 months depending on log type (shorter for routine access logs; longer for security events and investigations).
Analytics identifiers: up to 24 months; de-identified aggregate metrics may be kept longer without identifying you.
Marketing preferences and suppression lists: retained as long as needed to honor your opt-out and comply with applicable marketing regulations.
Identity or age-verification data (only if needed): the minimum necessary to perform the verification and prevent fraud, and no longer than necessary, unless a longer period is required by law or to establish, exercise, or defend legal claims.
If our retention schedule changes, we will update this Policy. Where feasible and consistent with our obligations, we delete or anonymize data sooner than the maximum periods described above.
5. Sharing and Disclosure of Personal Data
We do not sell Personal Data.
We also do not “share” Personal Information for cross-context behavioral advertising as defined by the California CPRA. If that ever changes, we will update this Policy and provide required opt-out mechanisms in advance.
We disclose Personal Data only to:
Service providers (processors) under written contracts that require confidentiality, security, and use only on our documented instructions.
Integrations you enable. If you connect a Third-Party Service or direct us to transfer Content (for example, to a platform where you publish), we will exchange data with that service as you configure. Your use of those services is governed by their terms and policies.
Corporate transactions. In connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to continued protection consistent with this Policy and applicable law.
Legal and safety. Where we are required to comply with law, court orders, or lawful requests from authorities; to enforce our Terms; or to protect rights, safety, and security of users, the public, or CreatorHero.
We do not make User Content public through the Services except as you direct. We do not allow our service providers to use your Personal Data for their own independent marketing. Third-Party Services you enable may process data under their own terms and privacy policies.
6. International Data Transfers
CreatorHero LLC is based in the United States, and we may process Personal Data in the United States and in other countries where our service providers operate. These locations may have privacy laws that are different from those in your country and, in some cases, may not be deemed to provide an equivalent level of protection by your regulator.
When we transfer Personal Data from the European Economic Area (EEA), the United Kingdom, or Switzerland to a country that is not subject to an adequacy decision, we implement appropriate safeguards as required by law, including:
EEA: the European Commission Standard Contractual Clauses (SCCs) (2021/914);
UK: the UK International Data Transfer Addendum or the UK Addendum to the EU SCCs;
Switzerland: SCCs as recognized by the Swiss Federal Data Protection and Information Commissioner (FDPIC), adapted where required.
We may apply supplementary measures such as encryption, strict access controls, and data minimization. We require recipients to ensure equivalent protections for any onward transfers.
Where available and applicable, we may rely on an adequacy decision or other lawful transfer mechanism recognized under applicable data protection law.
We require our processors receiving Personal Data internationally to flow down equivalent protections, to process Personal Data only on our documented instructions, and not to engage sub-processors without appropriate contractual safeguards.
7. Security Measures
We maintain administrative, technical, and physical safeguards designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Controls include: encryption (where appropriate); role-based access with least-privilege and multi-factor authentication for administrative access; network segmentation and firewalls; logging and monitoring; vulnerability management and timely patching; secure development practices (code review, dependency management, secrets hygiene); employee confidentiality and security training; vendor due-diligence and contractual security obligations; business continuity and disaster-recovery planning; and a documented incident response process.
No security program is perfect, but we regularly review our controls and perform risk-based assessments to improve them.
8. Cookies and Tracking Technologies
We use cookies and similar technologies (such as pixels and mobile SDKs) to operate the Services and understand usage. We group these into:
Strictly necessary (security, authentication, core functionality): always active;
Analytics (usage, performance, diagnostics): consent where required;
Functional (preferences, enhancements): consent where required;
Marketing (CreatorHero outreach measurement): consent where required.
Non-essential cookies and trackers load only with your opt-in via our consent banner (EEA/UK). You can change choices anytime via the cookie preferences link. You may also block cookies in your browser or reset mobile identifiers; some features may not work without necessary cookies.
Details of each cookie category are provided in our Cookie Policy.
9. Service Providers and Subprocessors
We engage carefully selected service providers to support core operations (for example, hosting and cloud infrastructure, content delivery, analytics, payments, customer support, communications, security, and fraud prevention). These providers act as processors and are bound by written contracts requiring confidentiality, security, and processing only on our documented instructions. We require appropriate safeguards for international transfers.
10. Your Privacy Rights
You may exercise certain rights regarding your Personal Information. In particular, to the extent permitted by applicable law, you have:
Right to be informed. Clear information about our processing.
Right of access. Obtain confirmation whether we process your data and receive a copy, including key details (purposes, categories, recipients, retention, source, transfers, and safeguards).
Right to rectification. Have inaccurate or incomplete Personal Data corrected without undue delay.
Right to erasure. Ask us to delete your Personal Data in the circumstances set out in GDPR (e.g., no longer needed, withdrawn consent, unlawful processing). We may keep the minimum necessary where required by law or to establish, exercise, or defend legal claims.
Right to restriction. Request that we restrict processing (e.g., while accuracy is verified or if processing is unlawful and you oppose deletion). While restricted, we will store the data but not use it except as permitted by law.
Right to portability. Receive Personal Data you provided to us, in a structured, commonly used, machine-readable format, and have it transmitted to another controller where technically feasible. Applies to data processed by automated means under consent or contract.
Right to object. Object at any time to processing based on legitimate interests, including profiling. We will stop unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is for legal claims.
Right to withdraw consent. Where we rely on consent, you can withdraw it at any time. This does not affect processing carried out before withdrawal.
Right to lodge a complaint. You can complain to your local data protection authority. We encourage you to contact us first so we can address your concern quickly.
Right to non-discrimination. We will not deny services, charge different prices, or provide a different level or quality of services because you exercise your privacy rights.
Additional rights for California residents
If you are a California resident, and to the extent the CCPA/CPRA applies to our processing of your Personal Information, you may have rights including the right to know/access, delete, correct, and opt out of the sale or sharing of Personal Information, and the right to non-discrimination for exercising those rights.
How to exercise your rights. Email contact@creatorhero.com with your request and the email address associated with your account (or use the contact details above). We may request limited information to verify your identity (and, where permitted, proof of authorization for agent requests). Requests are free of charge and we will respond without undue delay, no later than one month under GDPR (extendable by up to two months for complex or numerous requests) and generally 45 days under applicable U.S. state laws (extendable as permitted). If we decline your request, we will explain why and how to appeal our decision where applicable. Where your Personal Data has been disclosed to recipients, we will notify them of any rectification, erasure, or restriction unless this proves impossible or involves disproportionate effort.
11. Children
The Services are intended for adults (18+ or the age of majority where you live, if higher) and are not directed to children. We do not knowingly collect Personal Data from anyone under 18. If you believe a minor has provided Personal Data, contact contact@creatorhero.com and we will delete it promptly.
12. Data Incident Notification
We maintain a documented incident response program. If we become aware of a data breach affecting Personal Data, we will investigate, mitigate, and notify affected individuals and relevant authorities as required by applicable law, taking into account the nature of the data, the risk of harm, and any measures we have taken to protect it. Where required, we will notify without undue delay and, when feasible, within the statutory timelines.
13. United States State Disclosures and Notice at Collection
This section supplements the Policy for residents of U.S. states with comprehensive privacy laws (including California). It serves as our “Notice at Collection.”
Categories collected: identifiers (e.g., name, email, IP address); commercial information (subscription selections and billing metadata); internet or network activity (usage, logs, device data); approximate geolocation derived from IP; professional or role information (e.g., agency affiliation); support communications; and, only if strictly necessary, limited sensitive information for identity or age verification (e.g., date of birth or ID image).
Sources: you; your devices and browsers; and service providers.
Purposes: operate and secure the Services; account administration; payments; support and service communications; analytics and improvement; legal compliance; fraud prevention; and marketing communications (you can opt out at any time).
Disclosure for business purposes: to service providers/processors and as otherwise described in “Sharing and Disclosure of Personal Data.”
Sale or sharing: we do not sell Personal Information and do not share it for cross-context behavioral advertising.
Use of sensitive Personal Information: only as necessary to perform the services you request, to maintain security and integrity, or as otherwise permitted by law.
Retention: see “Data Retention.”
Your U.S. rights: access, correction, deletion, portability, and the right to appeal our decision on a request. California residents also have the right to opt out of any sale or sharing (not currently practiced) and the right to non-discrimination. To exercise your rights or submit an appeal, email contact@creatorhero.com. We may verify your identity and will respond within the timeframes required by law (generally 45 days, extendable as permitted). You may authorize an agent to submit a request on your behalf as allowed by law. We do not offer financial incentives for Personal Information.
14. Changes to this Policy
We may update this Policy from time to time. We will post the updated Policy with a new “Last Updated” date and provide notice of material changes (for example, by email or in-product message). Where required by law, we will request your consent to material changes. If you do not agree to the updated Policy, you should stop using the Services and, if applicable, cancel your subscription.
This Policy is designed to comply with multiple privacy laws.
Last updated: January 2026

