Creative Scale

Privacy Policy

Effective Date: March 14, 2026

Last Updated: March 14, 2026

1. Introduction

Creative Scale LLC ("Creative Scale," "we," "us," or "our") is a limited liability company organized under the laws of the State of Florida, United States. We operate a two-sided marketplace platform at app.creativescale.co that connects content creators with brands for paid user-generated content (UGC) campaigns. Our users may be located anywhere in the world.

This Privacy Policy describes how we collect, use, disclose, retain, and protect your personal information when you access or use the Platform. It applies to all users, including Creators, Brands, and visitors, regardless of their location. By using the Platform, you agree to the practices described in this Policy. If you do not agree, you must discontinue use and contact us to request deletion of your data.

This Policy is designed to comply with applicable privacy laws including the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), the General Data Protection Regulation (GDPR) for users in the European Economic Area, the Children's Online Privacy Protection Act (COPPA), and the data use requirements of third-party platforms including TikTok, Meta, Shopify, and Stripe. Where applicable law provides rights that exceed what is described here, those rights apply.

2. Information We Collect

2.1 Information You Provide Directly

From Creators:

  • Full legal name and display name
  • Email address
  • Phone number
  • Biography and content categories
  • Age range
  • Location (city, state/region, and country)
  • Shipping address (for product samples)
  • Social media handles and profile URLs
  • Bank account information (processed and stored exclusively by Stripe; we do not store raw bank data)
  • Tax identification information (processed and stored by Stripe as required by applicable law)

From Brands:

  • Business or brand name
  • Business email address
  • Phone number
  • Website URL
  • Instagram handle (optional)
  • Estimated monthly revenue (used for platform matching and qualification)
  • Payment method information (processed and stored exclusively by Stripe; we do not store raw card data)
  • Shopify store details (if connected)
  • Country or region of operation

2.2 TikTok Data (via TikTok Login Kit)

When a Creator connects their TikTok account to the Platform using TikTok's Login Kit API, we collect and store the following data retrieved from TikTok's API on the Creator's behalf:

  • open_id: TikTok's unique identifier for the user (used to link their TikTok account to their Platform account)
  • display_name: The Creator's TikTok username / display name
  • avatar_url: The Creator's TikTok profile picture URL
  • follower_count: Number of TikTok followers
  • following_count: Number of accounts the Creator follows on TikTok
  • likes_count: Total likes received on TikTok content
  • video_count: Total number of videos published on TikTok
  • Video list data: Title, description, duration, cover image URL, share URL, publish date, and engagement metrics (views, likes, comments, shares) for the Creator's recent public videos
  • OAuth access and refresh tokens: Encrypted and stored to maintain the TikTok connection and periodically refresh Creator statistics

How TikTok Data is Used: TikTok data is used solely to: (a) populate Creator profiles visible to Brands within the Platform; (b) calculate engagement metrics for brand-creator matching; and (c) display recent TikTok content so Brands can evaluate Creator fit for campaigns. TikTok data is not used for advertising targeting, is not sold to any third party, is not transferred to any platform other than as necessary to provide the Service, and is not exported outside the Platform.

TikTok Data Retention: TikTok data is retained while your TikTok account remains connected to the Platform. If you disconnect your TikTok account (via Platform settings or by revoking access in TikTok's app settings at tiktok.com/settings) or delete your Platform account, we will delete all TikTok-derived data from our systems within thirty (30) days.

TikTok Token Storage: OAuth access and refresh tokens are encrypted at rest using industry-standard encryption before storage and are used only to retrieve Creator profile data from TikTok's API. Tokens are refreshed automatically via our systems and can be revoked at any time.

TikTok Data Refresh: We run automated daily tasks to refresh TikTok statistics (follower count, engagement metrics, video data) to keep Creator profiles current. You may revoke this access at any time.

2.3 Meta and Instagram Data

Brands may voluntarily provide their Instagram handle as part of their brand profile. This information is stored as brand profile metadata and is used only to display brand context within the Platform.

Brands may connect their Meta Ads accounts to the Platform for campaign performance tracking. When connected, we access only the campaign performance data necessary to display metrics within the Platform. We do not store Meta Ads account credentials or access data beyond what is necessary for the stated purpose. Brands are solely responsible for their compliance with Meta's Platform Terms, Business Tools Terms, and applicable advertising laws.

2.4 Shopify Data

Brands may connect their Shopify stores via Shopify's OAuth integration. When connected, we may access and store:

  • Store name and domain
  • Product catalog information (names, descriptions, images, prices)
  • Order data (for commission attribution and campaign performance tracking)
  • Customer referral data (anonymized or pseudonymized for attribution purposes only)

Shopify data is used solely for campaign management, performance tracking, and commission attribution within the Platform. We comply with Shopify's Partner Program Agreement and API usage policies.

Data Processor Relationship: With respect to personal data of Shopify merchants' customers accessed via Shopify's API, Creative Scale acts as a data processor on behalf of the Brand (data controller). Creative Scale processes such customer data only as directed by the Brand and as necessary for campaign attribution and commission tracking. Brands are responsible for ensuring they have appropriate legal bases to share their customers' data with Creative Scale for these purposes, and for complying with applicable data protection laws regarding their customer data.

2.5 Payment Data

All payment processing is handled by Stripe, Inc., a PCI DSS Level 1 certified payment processor. We do not store, process, or have access to raw payment card numbers, full bank account numbers, or other sensitive financial data. We receive from Stripe only transaction metadata, including transaction IDs, amounts, statuses, and payout records, which we use to maintain payment records and audit trails within the Platform.

Creator payouts are disbursed through Stripe Connect. By connecting a bank account for payouts, Creators agree to Stripe's Connected Account Agreement. Stripe may collect and retain identity verification information (including government-issued identification) as required by applicable financial regulations including KYC/AML requirements. Stripe's privacy practices are governed by Stripe's Privacy Policy at stripe.com/privacy.

2.6 Automatically Collected Data

When you use the Platform, we automatically collect:

  • IP address and approximate geolocation (country/region level)
  • Browser type and version
  • Operating system and device type
  • Pages viewed and navigation paths within the Platform
  • Referring URLs
  • Session duration and timestamps
  • Clickstream data
  • Language preferences

We use Vercel Analytics for Platform performance monitoring. Vercel Analytics collects aggregated, anonymized usage data and does not use persistent cookies or track individual users across sessions. No personally identifiable information is transmitted to Vercel Analytics.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Account Management: To create, maintain, and authenticate your account.
  • Platform Operations: To facilitate Campaign creation, Creator applications, Brand approvals, Content delivery, and all related Platform functions.
  • Creator Profiles: To display Creator profiles (including TikTok data) to Brands for campaign matching and selection.
  • Payments: To process Brand payments, coordinate escrow via Stripe, and disburse Creator payouts.
  • Commission Tracking: To attribute sales to Creator campaigns via tracking links, discount codes, or platform integrations.
  • Communications: To send transactional emails (account notifications, payment confirmations, campaign updates, legal notices). We do not send marketing or promotional emails without your explicit opt-in consent. You may opt out of marketing communications at any time via the unsubscribe link in any marketing email or by contacting privacy@creativescale.co.
  • Platform Improvement: To analyze usage patterns, diagnose technical issues, and improve Platform features and performance.
  • Legal Compliance: To comply with applicable laws in relevant jurisdictions, respond to legal process, enforce our Terms of Service, and cooperate with law enforcement where required.
  • Fraud Prevention and Security: To detect, investigate, and prevent fraudulent transactions, identity fraud, abuse, and violations of our Terms.

Automated Decision-Making: The Platform uses algorithmic processes to display Creator profiles to relevant Brands based on content categories, follower count, engagement metrics, and campaign fit criteria. This process facilitates discovery but does not produce legally significant effects on individuals and does not constitute solely automated decision-making within the meaning of GDPR Article 22. Users may contact us at privacy@creativescale.co to request human review of any algorithmic outcomes that affect them.

4. How We Share Your Information

We do not sell your personal information. We do not share personal information for third-party advertising purposes. We share information only in the following circumstances:

  • Between Brands and Creators: Creator profile information (including TikTok username, follower count, videos, bio, and engagement metrics) is visible to Brands who use the Platform to browse and select Creators. Brand information (business name, campaign details, product information) is visible to Creators who apply to their Campaigns.
  • Stripe: We share necessary transaction data with Stripe, Inc. to process payments and payouts. Stripe operates as an independent data controller for payment-related data and is subject to its own privacy obligations.
  • TikTok: We transmit OAuth authentication tokens to TikTok's API to retrieve Creator profile data on the Creator's behalf. We do not share Creative Scale account data or user data with TikTok.
  • Shopify: We exchange data with Shopify via OAuth to support Brand campaign integrations as described in Section 2.4.
  • Meta: We may exchange campaign performance data with Meta's API on behalf of Brands who have connected their Meta accounts. We do not share Creator data with Meta.
  • Service Providers: We may share data with trusted third-party service providers (including cloud infrastructure, email delivery, and analytics providers) who process data on our behalf under written confidentiality and data processing obligations, and solely as necessary to provide their contracted services.
  • Legal Requirements: We may disclose your information if required by applicable law, court order, or government authority in any jurisdiction, or if we reasonably believe disclosure is necessary to protect the rights, property, or safety of Creative Scale, our users, or the public.
  • Business Transfers: In the event of a merger, acquisition, reorganization, or sale of all or substantially all of our assets, your information may be transferred to the successor entity, subject to the same privacy protections described in this Policy.

5. Cookies and Tracking Technologies

The Platform uses essential cookies required for authentication, session management, and security (including CSRF protection for OAuth flows with TikTok and Shopify). These cookies are strictly necessary for the Platform to function and cannot be disabled without impairing core features including the ability to remain logged in.

We use Vercel Analytics for aggregated performance monitoring. No third-party advertising cookies, cross-site tracking cookies, or behavioral profiling technologies are used by Creative Scale. You may configure your browser to block or delete cookies, but doing so may impair certain Platform features.

Do Not Track: The Platform does not currently alter its data collection or use practices in response to "Do Not Track" signals from browsers. We make this disclosure as required by applicable law, including California's Online Privacy Protection Act (CalOPPA).

6. Data Retention

We retain your personal information for as long as your account is active or as necessary to fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements. Specifically:

  • Account data: Retained while your account is active. Deleted within ninety (90) days of a verified account deletion request, subject to legal retention obligations.
  • TikTok data: Deleted within thirty (30) days of disconnecting your TikTok account or deleting your Platform account.
  • Payment and transaction records: Retained for seven (7) years as required by U.S. tax laws and financial record-keeping regulations. International users may be subject to different retention requirements under local law.
  • Campaign data: Retained for the duration of the campaign plus three (3) years for dispute resolution, audit, and legal compliance purposes.
  • Server and access logs: Retained for up to ninety (90) days for security monitoring and technical diagnosis.
  • Legal hold: Data subject to a legal hold, litigation, or regulatory investigation will be retained until the matter is fully resolved.

7. Your Rights and Choices

7.1 All Users

  • Access: You may request a copy of the personal information we hold about you.
  • Correction: You may update or correct your account information at any time through your account settings or by contacting us.
  • Deletion: You may request deletion of your account and personal data by contacting privacy@creativescale.co. Note that we may retain certain information as required by law or for legitimate legal and business purposes (e.g., payment records, dispute resolution).
  • Portability: You may request a machine-readable export of your personal data that you have provided to us.
  • TikTok Disconnection: You may disconnect your TikTok account at any time from your Platform account settings. Upon disconnection, we will delete all TikTok-derived data from our systems within thirty (30) days. You may also revoke our app's access directly from TikTok's settings at tiktok.com/settings.
  • Marketing Opt-Out: You may opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email or by contacting privacy@creativescale.co. Opting out does not affect transactional communications necessary to operate your account.

7.2 California Residents (CCPA/CPRA)

California residents have the right to: (a) know what personal information is collected, used, shared, or sold; (b) request deletion of personal information (subject to certain exceptions); (c) correct inaccurate personal information; (d) opt out of the sale or sharing of personal information (we do not sell or share personal information for cross-context behavioral advertising); (e) limit the use and disclosure of sensitive personal information; and (f) non-discrimination for exercising these rights. To submit a CCPA/CPRA request, contact us at privacy@creativescale.co with "California Privacy Request" in the subject line. We will respond within forty-five (45) days.

7.3 European Economic Area and UK Users (GDPR/UK GDPR)

If you are located in the European Economic Area or United Kingdom, you have rights under the GDPR and UK GDPR including: (a) right of access; (b) right to rectification; (c) right to erasure ("right to be forgotten"); (d) right to restriction of processing; (e) right to data portability; (f) right to object to processing; and (g) right not to be subject to solely automated decision-making. Our lawful bases for processing are: (a) performance of a contract (to provide the Services); (b) compliance with a legal obligation; (c) our legitimate interests (fraud prevention, platform security, service improvement); or (d) your consent (for optional integrations such as TikTok and Shopify). Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing. To exercise GDPR rights, contact privacy@creativescale.co. If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority.

8. Data Security

We implement industry-standard technical and organizational security measures to protect your personal information against unauthorized access, disclosure, alteration, and destruction. These measures include:

  • Encryption of sensitive data at rest, including all OAuth access and refresh tokens
  • HTTPS/TLS encryption for all data transmitted to and from the Platform
  • Secure, HTTP-only cookies with SameSite protection for session and CSRF protection
  • Role-based access controls limiting employee and system access to personal data on a need-to-know basis
  • Regular security monitoring, vulnerability assessments, and incident response procedures
  • Third-party service providers bound by data processing agreements with appropriate security obligations

No security system is impenetrable. In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify affected users and applicable supervisory authorities within seventy-two (72) hours of becoming aware of the breach, as required by GDPR Article 33, and within the timeframes required by applicable U.S. state data breach notification laws. Notification to affected individuals will be made without undue delay where required by law.

9. Children's Privacy

The Platform is not directed at children under the age of thirteen (13). Users must be at least eighteen (18) years of age to enter into binding agreements and receive payment through the Platform. We do not knowingly collect personal information from children under the age of thirteen (13). If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will promptly delete such information. If you believe we have inadvertently collected information from a minor, please contact us at privacy@creativescale.co.

10. International Data Transfers

Creative Scale LLC is based in the United States, and your information is processed and stored on servers located in the United States. If you access the Platform from outside the United States, your personal information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.

For users in the European Economic Area or United Kingdom, we rely on appropriate legal transfer mechanisms for international data transfers, including Standard Contractual Clauses (SCCs) where required. By using the Platform, you acknowledge that your information will be transferred to the United States in accordance with applicable law.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Platform features. We will notify you of material changes by updating the "Last Updated" date at the top of this page and, where required by applicable law or where appropriate, by sending an email notification to your registered address or displaying a prominent notice within the Platform. Your continued use of the Platform after the effective date of any revision constitutes your acceptance of the updated Policy. For material changes affecting how we use previously collected data, we will seek your consent where required by law.

13. Contact Us

For privacy-related inquiries, data requests, or to exercise your rights under applicable law, please contact:

Creative Scale LLC — Privacy

Email: privacy@creativescale.co

General & Legal: legal@creativescale.co

Website: creativescale.co

We will acknowledge receipt of verifiable requests within ten (10) business days and respond fully within forty-five (45) days, or as otherwise required by applicable law. EEA users who are not satisfied with our response have the right to lodge a complaint with their national data protection supervisory authority.


© 2026 Creative Scale. All rights reserved.