Legal Document

Data & Compliance

Last updated: April 5, 2025

Overview

Creatoro is committed to responsible data handling and compliance with applicable data protection laws across the jurisdictions in which we operate. This page documents our compliance posture under the GDPR (European Union), CCPA (California), the Digital Personal Data Protection Act 2023 (India), and Meta's Platform Policies.

For privacy-related questions, contact our Data Protection Officer at dpo@creatoro.io.

GDPR Compliance (European Union)

If you are located in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) applies to our processing of your personal data. We act as a data controller for the personal data you provide to us, and as a data processor for the Instagram data we access on your behalf via the Meta Graph API.

Legal Basis for Processing: We rely on the following legal bases to process your personal data:

Contract performance (Article 6(1)(b)): Processing your account data, Instagram data, and billing information is necessary to deliver the services you have contracted with us.

Legitimate interests (Article 6(1)(f)): We process usage data and system logs to maintain platform security, debug issues, and improve our services, where these interests are not overridden by your rights.

Legal obligation (Article 6(1)(c)): We retain billing records as required by applicable financial law.

EU User Rights: As an EEA or UK user, you have the right to access, rectify, erase, restrict, and port your personal data, as well as the right to object to certain types of processing. You also have the right to lodge a complaint with your local supervisory authority.

International Data Transfers: Your data may be processed on servers outside the EEA (including India and the United States, where our cloud providers operate). Where applicable, we rely on appropriate transfer mechanisms, including Standard Contractual Clauses (SCCs), to ensure adequate protection.

Data Protection Officer: Contact our DPO at dpo@creatoro.io for any GDPR-related requests or inquiries.

CCPA Compliance (California, USA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and its amendment, the CPRA, may grant you additional rights with respect to your personal information.

No Sale of Personal Information: Creatoro does not sell your personal information to any third party, as defined under the CCPA. We do not share your data for cross-context behavioural advertising.

Your California Rights: You have the right to know what personal information we collect and how it is used; the right to delete your personal information (subject to certain exceptions); the right to correct inaccurate personal information; and the right to non-discrimination for exercising your privacy rights.

To exercise these rights, submit a request to privacy@creatoro.io. We will verify your identity before processing your request and respond within 45 days (extendable by an additional 45 days when reasonably necessary).

India DPDP Act 2023 Compliance

Creatoro is an Indian company and complies with the Digital Personal Data Protection (DPDP) Act, 2023. Under the DPDP Act, we act as a Data Fiduciary for the personal data of our users.

Consent: We obtain your consent to process your personal data at the time of account registration and when you connect your Instagram account. You may withdraw consent at any time by deleting your account, though withdrawal may affect your ability to use the platform.

Data Principal Rights: As a data principal under the DPDP Act, you have the right to access information about the personal data we hold about you, the right to correct or erase your personal data, and the right to grievance redressal regarding our data processing decisions. Requests may be submitted to privacy@creatoro.io.

Data Localisation: We are monitoring the implementation of data localisation requirements under the DPDP Act and will update our infrastructure accordingly as regulations are finalised by the Indian government.

Grievance Officer: In accordance with applicable Indian law, our Grievance Officer can be reached at dpo@creatoro.io. We will acknowledge complaints within 24 hours and resolve them within 30 days.

Meta Platform Policy Compliance

Creatoro integrates with Instagram exclusively through the official Meta Graph API. We are committed to full compliance with Meta's Platform Terms and Developer Policies.

Approved API use only: We access Instagram data only through Meta-approved API endpoints and only with user permissions explicitly granted through the standard OAuth authorisation flow. We do not use any unofficial or undocumented APIs.

No scraping: Creatoro does not scrape Instagram or any other Meta platform. All data is obtained via the Graph API in compliance with Meta's terms.

Minimal permissions: We request only the Instagram API permissions strictly necessary to deliver the features you enable. We do not request permissions in excess of our product's functionality.

Data use restrictions: Instagram data accessed through the API is used solely to provide the Creatoro service to the user who authorised that access. It is not aggregated for sale, shared with third parties, or used for advertising targeting.

User automation compliance: Our automation features (DM replies, comment responses) are designed to operate within Instagram's messaging limits and automation guidelines. Users are responsible for configuring automations in a manner that complies with Meta's Community Standards and anti-spam policies.

Sub-Processors

We use the following sub-processors to deliver the Creatoro service. Each sub-processor is bound by a data processing agreement and is required to implement appropriate technical and organisational security measures:

Meta Platforms, Inc. (USA) — Instagram Graph API access for account data, DM and comment automation, and analytics. Subject to Meta's Data Processing Terms.

DodoPayments — Payment processing and subscription billing. Subject to DodoPayments' Data Processing Agreement.

Cloud Hosting Provider — PostgreSQL database hosting and compute infrastructure for the Creatoro application. All data is encrypted at rest and in transit.

Cloudflare, Inc. (USA) — Media file storage via Cloudflare R2 and DDoS/CDN protection. Subject to Cloudflare's GDPR Data Processing Addendum.

Upstash, Inc. (USA) — Managed Redis for session caching and API rate limiting. Subject to Upstash's Data Processing Agreement.

We will update this list when we add or remove sub-processors and will notify affected users of material changes.

Security Measures

We implement the following technical and organisational measures to protect personal data:

Encryption in transit: All data transmitted between your browser and our servers, and between our servers and sub-processors, is encrypted using TLS 1.2 or higher.

Encryption at rest: Database storage and object storage are encrypted at rest using AES-256 encryption provided by our cloud infrastructure.

Access controls: Access to production systems and personal data is restricted to authorised personnel on a need-to-know basis. All access is authenticated with multi-factor authentication and is logged.

Vulnerability management: We perform regular dependency updates and security reviews of our codebase. Critical vulnerabilities are patched on a priority basis.

Incident response: We maintain an internal incident response procedure to detect, contain, and remediate security incidents promptly.

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, we will:

Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required under the GDPR or other applicable law.

Notify affected users without undue delay when the breach is likely to result in a high risk to their rights and freedoms, including information about the nature of the breach, the data affected, likely consequences, and the measures taken or proposed.

To report a potential security issue or data breach, contact us immediately at dpo@creatoro.io.

Data Retention Schedule

We retain personal data only for as long as necessary for the stated purposes:

Account data (name, email): Retained for the lifetime of your account; deleted within 30 days of account closure.

Instagram data (profile, posts, DMs, analytics): Retained while your Instagram account is connected; deleted within 14 days of disconnection or account closure.

Billing and payment records: Retained for 7 years as required under Indian financial and tax regulations.

Usage logs and system logs: Retained for up to 12 months, after which they are purged or irreversibly anonymised.

Support communications: Retained for up to 3 years from the date of last contact.

Following the expiry of a retention period, data is securely deleted or anonymised in accordance with our data disposal procedures.

Contact Our Data Protection Officer

For all data protection, privacy compliance, and regulatory inquiries, contact:

Data Protection Officer
Email: dpo@creatoro.io

For general privacy requests: privacy@creatoro.io

We aim to respond to all data protection inquiries within 5 business days and to complete all subject access requests within 30 days (or as required by applicable law).