Privacy Policy

1. Who we are

Creochi is a content workflow platform that assists creators and marketing teams in planning, producing, analyzing, and publishing video content. Creochi is operated by Dag&Dauw.

• Legal entity: Dag&Dauw
• Address: Dorpsakkers 1, 6027SJ Soerendonk, The Netherlands
• Chamber of Commerce (KVK): 56188110
• Privacy contact: [email protected]

We are the data controller for the personal data described in this privacy policy. Where we process data on behalf of our users through connected third-party platforms, we act as a data processor.

2. Data we collect

2.1 Account data

When you create a Creochi account, we collect:

• Full name
• Email address
• Company name (optional)
• Profile avatar (optional)
• Role within your organization

2.2 Waitlist and contact data

• Waitlist: email address, name, company name (optional)
• Contact form: name, email address, message

2.3 Data retrieved via third-party platform APIs

When you connect your social media accounts to Creochi, we retrieve data through official platform APIs. We access only the data categories that you explicitly authorize during the OAuth connection flow. Specifically, we may retrieve:

Profile information

• Public profile metadata: account name, username, profile identifier, and avatar image
• Page or business account information where applicable (page name, category)

Content and publishing data

• Published posts, videos, and stories created by the connected account
• Media metadata: captions, hashtags, publication timestamps, media type
• Comments and interactions on your own content

Performance and analytics data

• Content performance metrics: views, impressions, reach, engagement rate
• Audience demographics in aggregate form (age ranges, location, gender distribution)
• Follower growth and account-level statistics

Advertising data (where applicable)

• Ad campaign performance metrics: spend, impressions, clicks, conversions
• Ad creative metadata (not personal data of ad viewers)

Important: We do not access private messages, direct messages, or inbox content from any connected platform. We do not access friend lists, contact lists, or social graphs.

2.4 Technical data

• IP address (anonymized for analytics)
• Browser type and version
• Referring website
• Device type

3. How we use your data

We process data exclusively for the following functional purposes:

• Content workflow management: assisting your team in planning, creating, and scheduling content across channels
• Performance dashboards: displaying content analytics and audience insights in a unified view
• Campaign analysis: providing performance insights to support editorial and strategic decisions
• Content publishing: posting content to connected platforms on your behalf, always initiated by explicit user action
• AI-supported content workflows: generating content suggestions, subtitles, and summaries — always under user control and review
• Account management: authenticating your identity, managing your subscription, and providing customer support

We do not use your data for purposes beyond providing the Creochi service. We do not build user profiles for advertising, and we do not perform behavioral targeting.

4. What we do NOT do with your data

To be explicit about our data practices:

• We do not sell personal data or platform data to any third party
• We do not share data with third parties for their own marketing or advertising purposes
• We do not build shadow databases, data warehouses, or external data lakes with platform-sourced data
• We do not profile individuals beyond the scope of the connected platform's own analytics
• We do not combine data from different platforms to create cross-platform user profiles of individuals
• We do not enrich platform data with external data sources for profiling, lead generation, or targeting purposes
• We do not use platform data for training machine learning models on personal data
• We do not scrape or collect data through any means other than official APIs

5. Legal basis for processing (GDPR)

We process personal data under the following legal bases:

• Contract performance (Art. 6(1)(b) GDPR): processing necessary to provide the Creochi service
• Consent (Art. 6(1)(a) GDPR): for connecting third-party platform accounts via OAuth, and for waitlist registration
• Legitimate interest (Art. 6(1)(f) GDPR): for website analytics and service improvement, balanced against your privacy rights

6. Data sharing

We share data only with the following categories of service providers, strictly necessary for operating Creochi:

• Hosting and infrastructure: Cloudflare (CDN and hosting), Supabase (database and authentication)
• Payment processing: Stripe (subscription billing)
• API connectivity: Nango (OAuth token management for social media connections)
• AI processing: Anthropic (content suggestions — no personal data is sent, only content text explicitly submitted by the user)

All sub-processors are contractually bound to process data only on our instructions and in compliance with GDPR. We do not share data with any party not listed above, except when legally required by a court order or regulatory authority.

Business and enterprise customers may request a Data Processing Agreement (DPA) by contacting [email protected].

7. Data retention

• Account data: retained for the duration of your active account. Deleted within 30 days of account deletion.
• Platform API data: cached locally for display purposes and refreshed periodically. Historical analytics data is retained for the duration of your subscription. All platform data is deleted within 30 days of disconnecting the platform or deleting your account.
• Waitlist data: retained until you create an account or request removal.
• Contact form data: retained for up to 12 months, then deleted.
• Technical/analytics data: aggregated and anonymized; raw data retained for a maximum of 90 days.
• Financial/billing data: invoices and payment records are retained for 7 years in accordance with Dutch fiscal obligations (Algemene wet inzake rijksbelastingen). Subscription records are retained for 5 years for civil liability purposes (Dutch Civil Code).

You may request immediate deletion of your data at any time (see section 9). Statutory retention obligations take precedence where applicable.

8. Security

We implement the following technical and organizational measures to protect your data:

• Encryption at rest: AES-256-GCM encryption for sensitive data (including chat messages and stored content)
• Encryption in transit: TLS 1.2+ (HTTPS) for all data transmission
• Authentication: OAuth 2.0 for all third-party platform connections — we never store your social media passwords
• Token security: OAuth access tokens and refresh tokens are stored encrypted and managed through a dedicated secure token service (Nango)
• Access control: role-based access within organizations; team members only see data for their assigned company
• Infrastructure: hosted on Cloudflare and Supabase with enterprise-grade security, automated backups, and monitoring
• Breach notification: in the event of a personal data breach, we will notify the Dutch Data Protection Authority within 72 hours as required by GDPR Art. 33, and affected users without undue delay where the breach poses a high risk to their rights (GDPR Art. 34)

9. Your rights

Under the GDPR and applicable data protection laws, you have the following rights:

• Right of access: request a copy of all personal data we hold about you
• Right to rectification: request correction of inaccurate data
• Right to erasure: request deletion of your personal data ("right to be forgotten")
• Right to data portability: request your data in a structured, machine-readable format
• Right to restrict processing: request that we limit how we use your data
• Right to object: object to processing based on legitimate interest
• Right to withdraw consent: withdraw consent at any time by disconnecting platform accounts or deleting your Creochi account

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

You also have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

10. Cookies

Our website uses only functional cookies necessary for the service to operate:

• Theme preference: remembers your light/dark mode choice (local storage)
• Session authentication: securely identifies your logged-in session

We do not use tracking cookies, advertising cookies, or third-party cookies. We use Cloudflare Web Analytics for privacy-friendly website analytics, which does not use cookies or collect personal data.

11. Third-party platform policies

When you connect a third-party platform to Creochi, your use of that platform's data is also subject to their respective policies. We comply with the developer terms and data policies of all connected platforms:

• Meta Platform Terms (Facebook, Instagram)
• Google API Services User Data Policy (YouTube, Google Ads)
• LinkedIn API Terms of Use
• TikTok API Terms of Service
• Snap Kit Terms of Service

11.1 Google API Services — Limited Use Disclosure

Creochi's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We only use Google API data to provide and improve Creochi's user-facing features
• We do not transfer Google API data to third parties, except as necessary to provide the service, as required by law, or with explicit user consent
• We do not use Google API data for serving advertisements
• We do not allow humans to read Google API data, except with user consent, for security purposes, to comply with law, or when aggregated and anonymized for internal operations

12. International data transfers

Your data is primarily processed within the European Union. Where sub-processors are located outside the EU (e.g., Stripe, Anthropic), transfers are safeguarded by EU Standard Contractual Clauses (SCCs) or adequacy decisions.

13. Changes to this policy

We may update this privacy policy to reflect changes in our practices or legal requirements. For material changes, we will notify you via email or through the Platform. The "last updated" date at the top indicates the most recent revision.

14. Contact

For any questions, concerns, or requests regarding this privacy policy or your personal data:

• Email: [email protected]
• Address: Dag&Dauw, Dorpsakkers 1, 6027SJ Soerendonk, The Netherlands