Data Protection Policy

1. Introduction

UPHORIA FZCO ("we", "us", "our"), operating the Cre8ify platform, is committed to protecting the privacy and personal data of all users. This Data Protection Policy explains how we collect, use, store, and protect your personal data when you use our platform, website (https://cre8ify.com), and mobile applications.

We process personal data in accordance with the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable data protection laws in the jurisdictions where we operate.

2. Data Controller

The data controller responsible for the processing of your personal data is:

UPHORIA FZCO, Dubai Silicon Oasis, DDP, Building A2, Dubai, United Arab Emirates. Trade License: 141047 (DSOA).

For all data protection inquiries, you may contact our Data Protection Officer (DPO) at dpo@cre8ify.com or legal@cre8ify.com.

3. What Data We Collect

We collect and process the following categories of personal data:

3.1 Data You Provide Directly

Account data: Name, email address, password (hashed), profile picture, date of birth, and country of residence.

Profile data: Social media handles, portfolio links, bio, content categories, and language preferences.

Financial data: Payment information processed through Stripe, bank account details (IBAN, BIC, account holder name), and invoicing information.

Communication data: Messages sent through the platform chat, support inquiries, and feedback.

Content data: User-generated content (photos, videos, text) uploaded to the platform.

Affiliate data: Referral activity, referred users, commission history, and payout records.

3.2 Data Collected Automatically

Technical data: IP address, browser type and version, device type, operating system, and screen resolution.

Usage data: Pages visited, features used, click patterns, session duration, and referral sources.

Location data: Approximate location derived from IP address. For Golden Circle event features, precise GPS location may be collected with your explicit consent to verify event proximity and enable location-based event discovery. You may revoke location access at any time through your device settings.

Screen recordings and session replay data: We may record your interactions with the platform, including mouse movements, clicks, scrolls, taps, navigation paths, form interactions, and visual session replays. Screen recordings may contain personal data visible on-screen during your session (e.g., profile information, messages, or content you view). This data is collected to improve platform usability, analyze user behavior, and for commercial purposes as described in Sections 4 and 9 of this Policy.

3.3 Data From Third Parties

Social media data: Public profile information from connected social media accounts (Instagram, TikTok, YouTube) used for creator verification and analytics. This data is collected based on your explicit consent when you connect your social media accounts (Art. 6(1)(a) GDPR). You may disconnect at any time through your profile settings.

Payment processor data: Transaction status and confirmation data from Stripe.

4. How We Use Your Data

Service delivery: To create and manage your account, facilitate UGC orders, manage Golden Circle event collaborations, process payments, and administer the Affiliate Program.

Platform improvement: To analyze usage patterns, fix bugs, improve features, and enhance user experience.

Communication: To send service-related notifications, order updates, and respond to support requests.

Safety and security: To detect fraud, enforce our terms of service, and protect the platform and its users.

Legal compliance: To fulfill legal obligations, respond to legal requests, and establish or defend legal claims.

Marketing: To send promotional communications (only with your explicit consent, which you may withdraw at any time).

Analytics commercialization and data sharing: To analyze, aggregate, and prepare usage analytics data — including screen recordings, session replays, behavioral patterns, click data, and navigation paths — for the purpose of sharing, licensing, or selling such data and derived insights to third-party partners for market research, product development, UX benchmarking, academic research, advertising optimization, and other commercial purposes. This processing is carried out only with your explicit consent.

Algorithmic processing: To power platform features such as creator matching, content recommendations, and search ranking. These features use algorithmic assistance but do not constitute fully automated decision-making (see Section 6).

5. Legal Basis for Processing

Contract performance: Processing necessary to fulfill our contractual obligations to you (Art. 6(1)(b) GDPR).

Legitimate interest: Processing necessary for our legitimate business interests, such as fraud prevention, platform security, and internal analytics (Art. 6(1)(f) GDPR).

Consent: Processing based on your explicit consent, such as marketing communications, precise location data, and social media account connection (Art. 6(1)(a) GDPR).

Legal obligation: Processing required to comply with applicable laws and regulations, including tax record-keeping and anti-money laundering requirements (Art. 6(1)(c) GDPR).

Consent for data commercialization: The collection of screen recordings and the sharing, licensing, or sale of usage analytics data and screen recordings to third parties is based exclusively on your explicit, informed consent (Art. 6(1)(a) GDPR; Art. 5 UAE PDPL). You may withdraw this consent at any time (see Section 11).

6. Automated Decision-Making and Profiling

Cre8ify does not use fully automated decision-making processes that produce legal effects or similarly significant effects on users (Art. 22 GDPR). Certain platform features, such as creator matching, content recommendations, and search ranking, use algorithmic assistance (profiling), but all significant decisions (e.g., account approval, content review, payout approval) involve human oversight.

You have the right to object to profiling at any time by contacting us at legal@cre8ify.com.

7. Data Storage and Security

Your personal data is stored on secure servers provided by reputable cloud infrastructure providers. We implement appropriate technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction, including encryption of data in transit (TLS/SSL), encryption at rest, secure authentication mechanisms, access controls, and regular security assessments.

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law:

Personal account data: Deleted within 30 days of account deletion request.

Financial and transaction records: Retained for up to 5 years after the last transaction (UAE commercial law & tax regulations).

Affiliate commission and payout records: Retained for up to 5 years after the last payout.

Communication records: Retained for up to 1 year after account deletion for dispute resolution.

Server logs: Automatically deleted after 90 days.

Screen recordings and usage analytics data: Retained for up to 24 months from the date of collection. Anonymized or aggregated data may be retained indefinitely.

8. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (Art. 33 GDPR), notify affected users without undue delay if the breach is likely to result in a high risk (Art. 34 GDPR), and document all breaches, including the facts, effects, and remedial actions taken.

9. Data Sharing and Third Parties

We may share your personal data with the following categories of recipients:

Payment processors: Stripe for payment processing and financial transactions.

Cloud service providers: For hosting, storage, and infrastructure services.

Analytics providers: For platform usage analysis and performance monitoring.

Communication providers: For email delivery and push notifications.

Other users: Profile information visible to Brands or Creators within the platform as necessary for collaboration.

Commercial data partners and third-party recipients: Subject to your explicit consent, we may share, license, or sell usage analytics data, behavioral insights, and screen recordings to third-party partners for commercial purposes. Such data may be shared in aggregated, anonymized, pseudonymized, or individually identifiable form. All third-party recipients are contractually obligated to handle received data in compliance with applicable data protection laws.

You may request a list of our current sub-processors and third-party data recipients at any time by contacting legal@cre8ify.com.

10. International Data Transfers

Your data may be transferred to and processed in countries outside of your country of residence, including the United Arab Emirates and other jurisdictions where our service providers operate. Where such transfers occur, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, the UK International Data Transfer Agreement (IDTA) or UK Addendum, or other legally recognized transfer mechanisms.

11. Your Rights

Under applicable data protection laws, you have the following rights regarding your personal data:

Right of access, rectification, erasure, restriction, data portability, to object, and to withdraw consent.

Right to withdraw consent for data commercialization: You may withdraw your consent to the collection of screen recordings and the sharing or sale of usage analytics data at any time. Use the in-app consent settings, contact us at legal@cre8ify.com, or adjust your preferences via platform settings. Upon withdrawal, we will cease collecting screen recordings and stop sharing your identifiable usage data with third parties within 30 days.

To exercise any of these rights, please contact us at legal@cre8ify.com. We will respond to your request within one (1) month.

11.1 Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights: Right to know, Right to delete, Right to opt-out of the sale or sharing of personal information, Right to non-discrimination, Right to correct, and Right to limit use of sensitive personal information.

12. Cookies and Tracking Technologies

We use cookies and similar technologies to provide and improve our services, analyze usage, and personalize your experience. For full details, please refer to our Cookie Policy.

13. Children's Privacy

Cre8ify is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will take steps to delete such data promptly.

14. Changes to This Policy

We may update this Data Protection Policy from time to time. We will notify you of material changes via email or platform notification at least 14 days before the changes take effect.

15. Right to Lodge a Complaint

If you believe that our processing of your personal data infringes applicable data protection laws, you have the right to lodge a complaint with a supervisory authority in your country of residence (EU users: national DPA; UK users: ICO; UAE users: UAE Data Office; California users: California Attorney General).

16. Contact

UPHORIA FZCO — Data Protection Officer, Dubai Silicon Oasis, DDP, Building A2, Dubai, United Arab Emirates.

Email: dpo@cre8ify.com / legal@cre8ify.com