Privacy Policy
Last updated: Nov 10, 2025
1. Who we are and how to contact us
This Privacy Policy explains how Create Mate Ltd ("Create Mate", "we", "us", "our") collects, uses, shares, and safeguards personal information in connection with the Create Mate Platform(the "Platform"), including our website and creator/industry consoles.
- Legal entity & address: Create Mate Ltd, 16 Winterbrook, Wallingford, Oxfordshire, OX10 9EF, UK.
- Privacy contact: [email protected]
- Company number: 16811796 (England & Wales)
- ICO registration number: [INSERT ICO REGISTRATION NUMBER]
- EU Representative (GDPR Art. 27): [INSERT EU REPRESENTATIVE DETAILS]
This Policy covers users of our two consoles: (i) Creators (who find and participate in campaigns), and (ii) Industry (labels, artists, agencies who list/host campaigns). If you do not agree with this Policy, please do not use the Platform.
2. Scope and legal framework
We operate from the UK and comply with UK GDPR and the Data Protection Act 2018, and—where applicable—EU GDPR (for EU users),CCPA/CPRA (California), and the Australian Privacy Act. Where local law requires additional rights or disclosures, see theJurisdiction-Specific Addendum at Section 16.
3. Categories of data we collect
3.1 Information you provide to us
- Account & profile (Creators): name, email, phone, social handles (e.g., TikTok/Instagram), country, payout account identifiers (e.g., Stripe-connected account ID), profile photo (optional).
- Account & profile (Industry): name, company, company type, role/title, email, phone, billing preferences, VAT/ABN/Tax IDs (where applicable).
- Campaign data (Industry): campaign briefs, budgets, assets (artwork, links, usage rights statements).
- Submissions (Creators): links to videos, captions, analytics screenshots (if requested), and any communications relating to approvals.
- Verifications (if enabled): age/identity confirmations via third-party services (we prefer processors so we don't store IDs directly).
- Support, surveys, research: content in emails, forms, in-product feedback.
3.2 Information collected automatically
- Device & technical: IP address, device type, OS, browser, language, time zone, session identifiers, user and device IDs, diagnostic logs.
- Usage: sign-in events, role type, page views, button clicks, error events, approvals/payout actions.
- Location (approximate): inferred from IP or billing region for compliance, payout routing, and service availability.
We do not use non-essential tracking cookies at launch. If this changes, we will update this Policy and present consent flows before any non-essential tracking begins.
3.3 Information from third parties
- Social login: when you connect or log in via TikTok/Instagram, we receive certain account identifiers and public profile details as permitted by you and those platforms.
- Payments: we receive limited payment/payout metadata from our payment processors (e.g., transaction IDs, payout status).
- Vendors: infrastructure, analytics, communications, and anti-fraud providers may supply metadata necessary to operate the Platform.
- Public sources: we may reference publicly available information to verify campaign claims or to enforce our terms.
4. Why we use your data (purposes & legal bases)
| Purpose | Legal Basis |
|---|---|
| Provide the Platform (accounts, consoles, campaign matching, submissions, approvals, payouts) | Contract (Art. 6(1)(b) GDPR) |
| Payments to creators and invoicing to industry | Contract; Legal obligation (tax/AML) |
| Fraud prevention, security, abuse detection, and trust & safety | Legitimate interests; Legal obligation (where applicable) |
| Service improvement, diagnostics, and analytics (if/when enabled) | Legitimate interests; Consent where required |
| Communications about your account, changes to terms, incidents | Contract; Legal obligation |
| Marketing communications (if opted-in) | Consent |
| Legal claims, compliance, and recordkeeping | Legitimate interests; Legal obligation |
5. Payments and marketplace flow
- We use marketplace payouts (e.g., Stripe Connect Express) to route campaign funds to creators after approvals.
- Fee model (disclosed to users): For hosted campaigns, Industry pays Campaign Budget + 15% Create Mate fee (Stripe fees for creator payouts are absorbed within the Campaign Budget; creators see net after processor fees).
- We store payment identifiers and payout statuses, not raw card numbers.
- Payment processors: [INSERT PAYMENT PROCESSOR NAMES, e.g., STRIPE CONNECT EXPRESS].
6. How we share information
We share personal data with:
- Vendors/Processors: hosting, storage, infrastructure/CDN, security/anti-fraud, email/CRM, analytics (when enabled), and payment processing. Example categories include cloud hosting, email delivery, log management, monitoring, in-product messaging. Key vendors: [INSERT VENDOR LIST e.g., AWS/Cloudflare/Google Cloud, Email/CRM Provider, Analytics Provider].
- Campaign counterparties: creators' submitted content links and public handles may be visible to industry for approval and payment; industry brief details are visible to creators for participation.
- Corporate transactions: during mergers, acquisitions, or asset sales; we'll ensure appropriate safeguards.
- Legal & safety: to comply with law, enforce terms, investigate fraud or abuse, and protect rights, property, and safety.
We do not sell your personal information. Where required by CCPA/CPRA, we will honor "do not sell/share" signals if in the future any data would be deemed a "sale" or "share."
7. International data transfers
We may process data in the UK, EU/EEA, and other countries. Where transfers occur to jurisdictions without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) plus the UK Addendum, and implement technical/organizational measures. Our EU Representative is [INSERT EU REPRESENTATIVE DETAILS].
8. Data retention
- Account data: retained while your account is active.
- After deletion: we retain limited records for up to 2 years for fraud prevention, accounting, dispute resolution, and legal compliance, then delete or irreversibly anonymise.
- Financial/tax records: retained as required by law (typically 6–7 years).
- Logs & diagnostics: typically 12 months unless required longer for security or legal reasons.
9. Security
We implement appropriate technical and organizational measures, including: TLS in transit, encryption of sensitive data at rest, credential hashing (bcrypt/Argon2), role-based access control, access logging, least-privilege for staff, periodic security reviews and vulnerability scans, backups and tested restoration procedures, and an incident response plan. If a breach presents risk to users, we will notify relevant authorities and affected users in line with law (e.g., within 72 hours under GDPR where required).
10. Children & teens
The Platform is intended for users 18+ only. We do not knowingly collect personal data from minors. If we discover under-18 use, we will terminate the account and delete personal data where appropriate.
11. Your rights
Depending on your location, you may have the right to access, rectify, erase, restrict processing, object to processing, and data portability, as well as to withdraw consent (where used) and to lodge a complaint with a supervisory authority.
You can exercise these rights via:
- The Manage My Data area in your account (download data, delete account, manage connections and preferences), and/or
- Contacting [email protected] (we may need to verify identity).
We aim to respond within 30 days (or shorter where required).
12. Manage My Data (what you can do)
- Update profile (name, email, phone, country).
- Disconnect social logins (TikTok/Instagram).
- Download my data (JSON/CSV bundle of account/profile, submissions, payout statuses, consents).
- Delete my account (with clear explanation of limited post-deletion retention as above).
- Marketing preferences (opt-in/out where applicable).
13. Communications
We may send you service, security, legal, and transactional messages. Marketing communications require your opt-in (where applicable); you can opt out at any time.
14. Changes to this Policy
We may update this Policy from time to time. We will update the "Last updated" date and, where appropriate, provide notice in-product or by email. Your continued use after updates constitutes acceptance.
15. Contact
- Create Mate Ltd
- 16 Winterbrook, Wallingford, Oxfordshire, OX10 9EF, UK
- Email: [email protected]
16. Jurisdiction-Specific Addendum (summary)
- UK/EU: UK GDPR/EU GDPR rights apply. Supervisory authority: [INSERT UK ICO DETAILS / EU LEAD AUTHORITY IF DESIGNATED]. EU Representative: [INSERT EU REPRESENTATIVE DETAILS].
- California (CCPA/CPRA): we honor rights to know, delete, correct, and to opt-out of sale/share (not currently applicable). Sensitive personal information is handled only for the limited purposes allowed by law.
- Australia: Australian Privacy Act principles apply for AU users. Contact us for access/correction requests and complaints; we will respond promptly.
- Canada/NZ/other regions: we honor applicable local data rights and complaint routes; contact[email protected].