Privacy Policy

This Privacy Policy explains how [ COMPANY NAME ] (the "Company", "we", "us"), a company organised under Danish law and acting as data controller, collects, uses, shares and protects personal data when you use the Creou website, application or API (the "Service").

We process personal data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Danish Data Protection Act (Databeskyttelsesloven). For users in the United States we also describe rights available under the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) and other applicable U.S. state privacy laws.

1. Data controller

The data controller is [ COMPANY NAME ], registered in Denmark. Contact details are published on our website. If we appoint a Data Protection Officer ("DPO"), their contact information will be set out here.

2. Categories of personal data we process

Account data — name, email address, password hash, authentication identifiers (e.g. Google sign-in subject).
Profile data — display name, optional avatar image, role, team membership.
User Content — files (images, video, audio) you upload as references; prompts and parameters you submit; outputs generated by the Service. These may contain personal data of you or others.
Usage data — generation logs, credit ledger entries, error events, IP address, user agent, device hints, coarse location derived from IP.
Payment data — billing history, transaction identifiers, receipts. Card data is processed directly by Stripe; we do not receive or store full card numbers.
Communications — emails or support messages you send us, takedown / DMCA notices.

3. Purposes of processing and legal bases

Provide the Service (account, generations, billing, support) — performance of a contract (GDPR Art. 6(1)(b)).
Security, fraud prevention, abuse detection — legitimate interests in keeping the Service secure and lawful (GDPR Art. 6(1)(f)).
Compliance with legal obligations (tax, accounting, response to lawful authority requests, takedown laws including the U.S. TAKE IT DOWN Act) — Art. 6(1)(c).
Service improvement and analytics — legitimate interests, balanced against your rights; we minimise the data used and avoid using sensitive content for analytics.
Marketing communications, if any — your consent (Art. 6(1)(a)), which you can withdraw at any time.

4. AI processing of User Content

When you submit a prompt or reference asset, we transmit it to the relevant generative-AI provider so it can return an output. Reference assets that contain images of people are personal data and may, in some cases, contain biometric information. By submitting such content, you confirm under our Terms of Service that you have the legal right to do so. We do not use your User Content to train our own foundation models without your separate opt-in.

5. Recipients and processors

We share personal data with the following categories of recipients, each under a written data-processing agreement where required:

BytePlus Pte. Ltd. (Singapore), an affiliate of ByteDance, which provides the underlying Seedance and related generative-video models. Reference assets you upload (which may include images of real people) and prompts are transmitted to BytePlus for processing. BytePlus's terms apply to its processing.
Supabase Inc. for authentication, database and object storage (EU region where available).
Stripe, Inc. for payment processing.
Sentry / Functional Software, Inc. for error monitoring.
Cloud hosting (e.g. Vercel) for application delivery.
Government and law-enforcement bodies, where legally required.

6. International data transfers

Some recipients are located outside the European Economic Area, including in Singapore (BytePlus), the United States (Stripe, Sentry, Vercel) and other jurisdictions. Where required, transfers are protected by appropriate safeguards, including the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) and supplementary technical and organisational measures. You can request a copy of the safeguards applicable to a specific transfer by contacting us.

7. Retention

We retain personal data only as long as necessary for the purposes described above:

Account & profile — until you delete your account, plus a short reconciliation window for backups.
User Content — until you delete it from the Service or delete your account.
Billing records — for the period required by Danish accounting law (currently five years from the end of the financial year).
Logs and security data — typically up to 12 months, longer where needed to investigate incidents or comply with legal obligations.

8. Your rights

Subject to GDPR you have the right to (a) access your personal data, (b) rectify inaccurate data, (c) erase data ("right to be forgotten"), (d) restrict or object to processing, (e) data portability, (f) withdraw consent at any time where processing is based on consent, and (g) lodge a complaint with the Danish Data Protection Authority, Datatilsynet (datatilsynet.dk).

You can exercise most of these rights directly from your account settings (data export and account deletion). For any other request, contact us using the contact details on our website. We respond within 30 days or as required by law.

U.S. residents. Depending on your state, you may have rights to know, access, delete, correct, opt out of "sale" or "sharing" of personal information, limit use of sensitive personal information, and to be free from discrimination for exercising those rights. We do not "sell" personal information for monetary consideration. To exercise these rights, use the same in-product controls or contact us.

9. Children

The Service is not directed to children under 18. We do not knowingly process personal data of children under 13 in violation of applicable law. If you believe a child has provided us with personal data, contact us and we will delete it.

10. Cookies

We use a small number of strictly-necessary cookies (e.g. authentication and CSRF). We do not use advertising cookies. Where additional cookies become necessary, we will request your consent in line with the ePrivacy rules transposed into Danish law.

11. Security

We implement industry-standard technical and organisational measures to protect personal data, including encryption in transit, access controls, audit logging and isolation of administrator surfaces. No system is perfectly secure; we cannot guarantee absolute security.

12. Changes

We may update this Privacy Policy from time to time. Material changes will be communicated through the Service or by email.

13. Contact

Questions or requests can be sent to [ COMPANY NAME ] at the contact address published on our website.

2. Categories of personal data we process

Account data — name, email address, password hash, authentication identifiers (e.g. Google sign-in subject).

Profile data — display name, optional avatar image, role, team membership.

User Content — files (images, video, audio) you upload as references; prompts and parameters you submit; outputs generated by the Service. These may contain personal data of you or others.

Usage data — generation logs, credit ledger entries, error events, IP address, user agent, device hints, coarse location derived from IP.

Payment data — billing history, transaction identifiers, receipts. Card data is processed directly by Stripe; we do not receive or store full card numbers.

Communications — emails or support messages you send us, takedown / DMCA notices.

3. Purposes of processing and legal bases

Provide the Service (account, generations, billing, support) — performance of a contract (GDPR Art. 6(1)(b)).

Security, fraud prevention, abuse detection — legitimate interests in keeping the Service secure and lawful (GDPR Art. 6(1)(f)).

Compliance with legal obligations (tax, accounting, response to lawful authority requests, takedown laws including the U.S. TAKE IT DOWN Act) — Art. 6(1)(c).

Service improvement and analytics — legitimate interests, balanced against your rights; we minimise the data used and avoid using sensitive content for analytics.

Marketing communications, if any — your consent (Art. 6(1)(a)), which you can withdraw at any time.

4. AI processing of User Content

5. Recipients and processors

We share personal data with the following categories of recipients, each under a written data-processing agreement where required:

BytePlus Pte. Ltd. (Singapore), an affiliate of ByteDance, which provides the underlying Seedance and related generative-video models. Reference assets you upload (which may include images of real people) and prompts are transmitted to BytePlus for processing. BytePlus's terms apply to its processing.

Supabase Inc. for authentication, database and object storage (EU region where available).

Stripe, Inc. for payment processing.

Sentry / Functional Software, Inc. for error monitoring.

Cloud hosting (e.g. Vercel) for application delivery.

Government and law-enforcement bodies, where legally required.

6. International data transfers

7. Retention

We retain personal data only as long as necessary for the purposes described above:

Account & profile — until you delete your account, plus a short reconciliation window for backups.

User Content — until you delete it from the Service or delete your account.

Billing records — for the period required by Danish accounting law (currently five years from the end of the financial year).

Logs and security data — typically up to 12 months, longer where needed to investigate incidents or comply with legal obligations.

8. Your rights

Privacy Policy.

1. Data controller

2. Categories of personal data we process

3. Purposes of processing and legal bases

4. AI processing of User Content

5. Recipients and processors

6. International data transfers

7. Retention

8. Your rights

9. Children

10. Cookies

11. Security

12. Changes

13. Contact

Privacy Policy.

1. Data controller

2. Categories of personal data we process

3. Purposes of processing and legal bases

4. AI processing of User Content

5. Recipients and processors

6. International data transfers

7. Retention

8. Your rights

9. Children

10. Cookies

11. Security

12. Changes

13. Contact