Creative Scale

Privacy Policy

Effective Date: February 7, 2026

Last Updated: February 7, 2026

Creative Scale LLC ("Creative Scale," "we," "us," or "our") is a limited liability company organized under the laws of the State of Florida. We operate a two-sided UGC (user-generated content) marketplace platform accessible at https://thecreativescale.com (the "Website") and through any associated applications, services, tools, and features (collectively, the "Platform" or "Services"). Our Platform connects brands, including ecommerce companies running Meta Ads, with content creators of any follower count for the production and distribution of user-generated content.

This Privacy Policy ("Policy") describes how Creative Scale collects, uses, discloses, retains, and protects your personal information when you visit our Website, create an account, use our Platform, or otherwise interact with our Services. This Policy applies to all users of the Platform, including content creators ("Creators"), brands and advertisers ("Brands"), visitors to the Website, and any other individuals whose personal information we process in connection with the Services.

By accessing or using the Platform, you acknowledge that you have read, understood, and agree to the collection, use, disclosure, and processing of your personal information as described in this Privacy Policy. If you do not agree with the practices described herein, you must immediately discontinue use of the Platform and contact us to request deletion of any personal information we may have collected. Your continued use of the Platform following any updates or modifications to this Policy constitutes your acceptance of such changes.

This Privacy Policy should be read in conjunction with our Terms of Service, which govern your use of the Platform. Capitalized terms used but not defined in this Policy have the meanings assigned to them in the Terms of Service.

1. Introduction

Creative Scale LLC is a Florida limited liability company that operates a two-sided marketplace platform designed to connect ecommerce brands running Meta (Facebook and Instagram) advertising campaigns with content creators who produce user-generated content. Our Platform facilitates the discovery, matching, collaboration, and payment processes between Brands and Creators.

This Privacy Policy applies to all personal information collected through the Website at https://thecreativescale.com, the Platform and its features, any mobile applications we may offer, email and other electronic communications sent through or in connection with the Platform, and any other services, tools, or features provided by Creative Scale that reference or link to this Policy.

We are committed to protecting the privacy and security of your personal information. We process personal data in accordance with applicable privacy and data protection laws, including but not limited to the General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Children's Online Privacy Protection Act ("COPPA"), the Florida Information Protection Act, and other applicable state, federal, and international privacy laws.

For purposes of the GDPR and similar data protection laws, Creative Scale LLC is the data controller responsible for determining the purposes and means of processing your personal data. Our contact information for data protection inquiries is provided in Section 18 of this Policy.

2. Information We Collect

We collect various categories of information in connection with the Platform. The types and amount of information we collect depend on how you interact with our Services, whether you register as a Creator or a Brand, and the features you use. Below is a comprehensive description of the information we collect, organized by source and category.

2.1 Personal Information Provided by You

When you register for an account, join a waitlist, submit an inquiry, or otherwise interact with the Platform, you may voluntarily provide us with personal information. The specific information we collect varies depending on whether you register as a Creator or a Brand.

Information collected from Creators:

  • Full legal name (first and last name)
  • Email address
  • Phone number
  • Instagram profile URL
  • TikTok profile URL
  • TikTok Shop status (whether you participate in TikTok Shop)
  • Monthly UGC earnings estimate (self-reported income range from content creation activities)

Information collected from Brands:

  • Full legal name of the primary contact (first and last name)
  • Business email address
  • Phone number
  • Website URL
  • Instagram handle
  • Estimated monthly revenue (self-reported revenue range)
  • Meta Ads status (whether you currently run Meta advertising campaigns)

You may also provide additional personal information when you communicate with us via email, submit support requests, participate in surveys or promotions, post content or comments on the Platform, or otherwise voluntarily disclose information to us. Any information you choose to make publicly available on the Platform, such as profile details visible to other users, may be viewed by other Platform users in accordance with our information sharing practices described in Section 5.

2.2 Information Collected Automatically

When you access or use the Platform, we automatically collect certain technical and usage information through cookies, server logs, and similar technologies. This information helps us maintain the security and functionality of the Platform, analyze usage patterns, and improve your experience.

Automatically collected information includes:

  • IP address (Internet Protocol address), which may be used to approximate your general geographic location
  • User agent string, which identifies the software (browser and operating system) making requests to our servers
  • Browser type and version (e.g., Chrome, Safari, Firefox, and their respective versions)
  • Operating system and version (e.g., Windows, macOS, iOS, Android)
  • Device type and characteristics (e.g., desktop, mobile, tablet, screen resolution)
  • Pages and content viewed on the Platform, including the order and duration of page visits
  • Referring URLs and exit pages (the website you visited before and after our Platform)
  • Date and time stamps of each interaction with the Platform
  • Session duration and frequency of visits
  • Click-stream data and interaction patterns within the Platform
  • Language preferences and time zone settings

We use Vercel Analytics to collect and analyze certain usage data. Vercel Analytics is a privacy-focused analytics service provided by Vercel Inc. that collects aggregated performance and usage metrics. For more information about how Vercel processes data, please refer to Section 6 of this Policy.

2.3 Payment Information

Payment processing on the Platform is handled by our third-party payment processor, Stripe, Inc. ("Stripe"). When you make or receive payments through the Platform, Stripe collects and processes your payment information directly. This may include credit card numbers, debit card numbers, bank account details, billing address, and other financial information necessary to complete transactions.

Creative Scale does NOT directly collect, store, or have access to your full credit card numbers, debit card numbers, or complete bank account details. We receive only limited transaction information from Stripe, which may include the last four digits of your payment method, the card brand (e.g., Visa, Mastercard), transaction amounts, transaction dates, payment status (e.g., succeeded, failed, pending), and a unique transaction identifier. This limited information is used for record-keeping, dispute resolution, customer support, and compliance with financial reporting obligations.

Stripe is a PCI DSS Level 1 certified payment processor, which is the highest level of certification available in the payments industry. Stripe's collection, use, and disclosure of your payment information is governed by Stripe's own privacy policy and terms of service. We encourage you to review Stripe's privacy policy at https://stripe.com/privacy before providing your payment information.

2.4 Information from Third Parties

We may receive information about you from third-party sources, which we may combine with other information we collect about you. Third-party sources of information include:

  • Social media platforms: When you link your Instagram or TikTok accounts to the Platform, or when we access publicly available profile information from these platforms, we may receive profile data such as your username, display name, profile photo, follower count, engagement metrics, and content performance data.
  • Meta (Facebook/Instagram) Ads integration: When Brands connect their Meta Ads accounts to the Platform, we may receive advertising performance data, campaign metrics, audience insights, and other information related to their advertising activities. This data is used to facilitate matching between Brands and Creators and to improve Platform functionality.
  • Stripe: We receive transaction confirmations, payment status updates, and limited account information from Stripe in connection with payment processing on the Platform.
  • Publicly available sources: We may collect information from publicly available databases, public social media profiles, and other publicly accessible sources to verify information provided by users or to supplement our records.

We process information received from third parties in accordance with this Privacy Policy and in compliance with any additional restrictions or obligations imposed by the third-party source.

3. How We Use Your Information

We use the personal information we collect for the purposes described below. In each case, we process your information only to the extent necessary for the stated purpose and in compliance with applicable law.

  • Service Provision and Platform Operation: To provide, maintain, and operate the Platform, including creating and managing your account, enabling communication between Brands and Creators, facilitating content collaboration, and delivering the core features and functionality of our Services.
  • Account Management and Authentication: To verify your identity, authenticate your account, manage account settings and preferences, and maintain the security of your account.
  • Payment Processing: To facilitate and process payments between Brands and Creators through our payment processor Stripe, including calculating fees, generating invoices, processing refunds, and maintaining transaction records for financial reporting and tax compliance.
  • Matching Brands with Creators: To analyze Creator profiles, capabilities, audience demographics, content style, and other relevant factors to recommend suitable Creator-Brand pairings, and to provide Brands with tools to discover and evaluate Creators for their campaigns.
  • Communications: To send you transactional communications, including account confirmations, payment receipts, project updates, and security alerts. With your consent or where otherwise permitted by law, we may also send you marketing communications about new features, promotions, or opportunities on the Platform. You may opt out of marketing communications at any time by following the unsubscribe instructions in the communication or by contacting us at legal@creativescale.co.
  • Analytics and Platform Improvement: To analyze usage patterns and trends, measure the effectiveness of Platform features, conduct research and development, identify areas for improvement, and enhance the overall user experience. We use Vercel Analytics for this purpose.
  • Fraud Prevention and Security: To detect, investigate, and prevent fraudulent activity, unauthorized access, and other illegal or harmful activities on the Platform. This includes monitoring for suspicious behavior, verifying user identities, and implementing security measures to protect users and the Platform.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, and governmental requests, including tax reporting obligations, financial record-keeping requirements, and responding to subpoenas or court orders.
  • Enforcing Our Terms: To enforce our Terms of Service, this Privacy Policy, and other agreements, including investigating potential violations, resolving disputes between users, and taking appropriate action against users who violate our policies.
  • Aggregate and Anonymized Analysis: To create aggregated, anonymized, or de-identified data sets for research, statistical analysis, business intelligence, and industry benchmarking purposes. Aggregated and de-identified data is not considered personal information and may be used for any lawful purpose.
  • Customer Support: To respond to your questions, requests, and complaints, and to provide technical support and assistance in connection with the Platform.
  • Personalization: To personalize your experience on the Platform, including tailoring content, recommendations, and communications based on your preferences, activity, and interactions with the Platform.

We will not use your personal information for purposes that are materially different from those described in this Privacy Policy without first providing you with notice and, where required by law, obtaining your consent.

5. Information Sharing and Disclosure

We take your privacy seriously and do not sell your personal information to third parties. We share your personal information only in the circumstances described below and only to the extent necessary for the purposes outlined in this Policy.

5.1 With Other Platform Users

The Platform is designed to facilitate connections between Brands and Creators. As a result, certain information you provide may be visible to other users of the Platform in accordance with the Platform's functionality:

  • Creator Profiles: If you register as a Creator, your profile information (which may include your name, social media URLs, content portfolio, and other information you choose to include in your profile) may be visible to Brands who are searching for Creators on the Platform. You have control over certain aspects of your profile visibility through your account settings.
  • Brand Campaign Information: If you register as a Brand, certain information about your campaigns (such as campaign briefs, content requirements, compensation offers, and brand details) may be visible to Creators who are matched with your campaign or who are browsing available opportunities on the Platform.
  • Communication Records: Messages exchanged between Brands and Creators through the Platform's messaging features are accessible to both parties in the conversation. Creative Scale may access these communications for purposes of customer support, dispute resolution, platform safety, and enforcement of our Terms of Service.

We encourage all users to exercise discretion when sharing personal information on the Platform and to review their profile settings to understand what information is visible to other users.

5.2 With Service Providers

We share personal information with trusted third-party service providers who perform services on our behalf. These service providers are contractually obligated to use your personal information only for the purposes for which we disclose it to them and to maintain the confidentiality and security of your data. Our key service providers include:

  • Supabase, Inc.: We use Supabase as our database infrastructure and authentication provider. Supabase hosts our PostgreSQL database, which stores user account information, profile data, and Platform records. Supabase processes personal data including names, email addresses, phone numbers, social media URLs, and other information you provide to the Platform.
  • Stripe, Inc.: We use Stripe as our payment processing provider. Stripe processes payments between Brands and Creators, including collecting and processing credit card information, bank account details, and other financial data. Stripe is PCI DSS Level 1 compliant. We share limited user identification information with Stripe as necessary to facilitate payment processing.
  • Vercel Inc.: We use Vercel for hosting our Website and Platform, and for analytics services. Vercel Analytics collects usage and performance data, including page views, session information, device characteristics, and general location data. Vercel processes this data to provide us with aggregated analytics insights.
  • Meta Platforms, Inc.: We integrate with Meta's advertising platform to enable Brands to connect their Meta Ads accounts and to support advertising campaign management. We may share data with or receive data from Meta as necessary to provide advertising-related features on the Platform.

We may also share personal information with other service providers, such as email service providers, cloud storage providers, customer support tools, and other technology partners, as necessary to provide and improve the Platform.

5.4 In Business Transfers

Your personal information may be transferred, disclosed, or otherwise processed in connection with, or during negotiations of, any merger, acquisition, sale of all or a portion of our assets, joint venture, consolidation, reorganization, financing, bankruptcy, dissolution, or similar business transaction involving Creative Scale. In such events, we will use reasonable efforts to ensure that the acquiring entity or successor is bound by privacy commitments substantially consistent with those set forth in this Privacy Policy.

If a business transfer results in a material change to the way your personal information is processed, you will be notified via the email address associated with your account and/or by a prominent notice on the Platform prior to the change becoming effective. You will be given the opportunity to exercise any applicable rights regarding your personal information, including the right to request deletion, before your data is transferred to the acquiring entity.

5.6 Aggregated and De-identified Data

We may share aggregated, anonymized, or de-identified data with third parties for purposes such as industry analysis, market research, demographic profiling, platform usage benchmarking, and other business purposes. This data does not identify any individual user and cannot reasonably be used to re-identify any individual. We maintain technical and organizational safeguards to prevent the re-identification of de-identified data, and we contractually prohibit recipients of such data from attempting to re-identify individuals from the data.

6. Third-Party Services

The Platform relies on several third-party services to provide its functionality. Each of these services has its own privacy policy and data handling practices. We encourage you to review these policies to understand how your information is processed by each provider. Below is a detailed description of each third-party service we use, the data we share with or collect through each service, and links to their respective privacy policies.

Supabase, Inc. - Database and Authentication Infrastructure:

  • Purpose: Supabase provides our cloud-hosted PostgreSQL database and user authentication services. All Platform data, including user accounts, profiles, and transaction records, is stored in Supabase's infrastructure.
  • Data Processed: Full name, email address, phone number, social media URLs/handles, website URLs, business revenue estimates, UGC earnings estimates, TikTok Shop status, Meta Ads status, IP addresses, timestamps, and other information submitted through the Platform.
  • Privacy Policy: https://supabase.com/privacy

Stripe, Inc. - Payment Processing:

  • Purpose: Stripe handles all payment processing on the Platform, including collecting payment method details, processing transactions between Brands and Creators, and managing payouts.
  • Data Processed: Payment card numbers, bank account details, billing address, transaction amounts, transaction history, and identity verification information as required by applicable regulations. Stripe is PCI DSS Level 1 compliant, the highest level of security certification in the payment industry.
  • Privacy Policy: https://stripe.com/privacy

Vercel Inc. - Hosting and Analytics:

  • Purpose: Vercel provides website and application hosting for the Platform, as well as analytics services (Vercel Analytics) that help us understand Platform usage and performance.
  • Data Processed: IP addresses (anonymized for analytics), user agent strings, page view data, session information, performance metrics, device type, browser type, operating system, geographic location (country/region level), referral sources, and page load timing data.
  • Privacy Policy: https://vercel.com/legal/privacy-policy

Meta Platforms, Inc. - Advertising Integration:

  • Purpose: We integrate with Meta's advertising platform to enable Brands to connect their Meta Ads accounts, manage advertising campaigns, and access advertising performance data through the Platform.
  • Data Processed: Advertising account identifiers, campaign performance metrics, audience targeting parameters, ad creative identifiers, and engagement data. When Brands connect their Meta Ads accounts, data flows between Meta and the Platform as authorized by the Brand.
  • Privacy Policy: https://www.facebook.com/privacy/policy/

Please note that when you interact with these third-party services through our Platform, your use of those services is governed by their respective privacy policies and terms of service. Creative Scale is not responsible for the privacy practices or data handling of third-party service providers, and we encourage you to review their privacy policies independently. If you have questions about how a specific third-party service processes your data, please contact that service provider directly.

7. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and store information about your interactions with the Platform. This section explains what cookies are, how we use them, and how you can manage your cookie preferences.

7.1 What Are Cookies

Cookies are small text files that are placed on your device (computer, smartphone, or tablet) when you visit a website. Cookies are widely used by website operators to make websites function more efficiently, to provide reporting information, and to enable certain features. Cookies set by the website operator are called "first-party cookies," while cookies set by parties other than the website operator are called "third-party cookies." Third-party cookies enable features or functionality provided by third parties, such as analytics, interactive content, and advertising.

In addition to cookies, we may use other similar technologies such as web beacons (also known as pixel tags or clear GIFs), local storage, and session storage to collect and store information about your interactions with the Platform.

7.2 Types of Cookies We Use

We use the following categories of cookies on the Platform:

Essential/Necessary Cookies: These cookies are strictly necessary for the operation of the Platform. They enable core functionality such as user authentication, session management, security features (including CSRF protection), and load balancing. Without these cookies, the Platform cannot function properly. These cookies do not require your consent as they are essential to the provision of the services you have requested.

  • Session cookies that maintain your authenticated state as you navigate the Platform
  • Security cookies that help detect and prevent fraudulent activity and protect against unauthorized access
  • Load balancing cookies that ensure optimal performance and availability of the Platform

Analytics Cookies: These cookies help us understand how users interact with the Platform by collecting and reporting information about usage patterns. We use Vercel Analytics, which collects aggregated, privacy-focused analytics data. Analytics cookies help us identify which pages and features are most popular, how users navigate the Platform, and where users encounter issues.

  • Vercel Analytics cookies that track page views, session duration, and Platform performance metrics
  • Usage pattern cookies that help us understand how different features of the Platform are used

Functional Cookies: These cookies enable enhanced functionality and personalization on the Platform. They may be set by us or by third-party providers whose services we have integrated into the Platform.

  • Preference cookies that remember your settings and choices (such as language, region, or display preferences)
  • Feature cookies that remember which features you have used or interacted with

7.3 How to Manage Cookies

Most web browsers allow you to control cookies through their settings. You can typically find cookie settings in the "Options," "Settings," "Preferences," or "Privacy" menu of your browser. The following links provide instructions for managing cookies in commonly used browsers:

  • Google Chrome: chrome://settings/cookies
  • Mozilla Firefox: about:preferences#privacy
  • Apple Safari: Preferences > Privacy
  • Microsoft Edge: edge://settings/privacy

Please note that if you choose to disable or delete cookies, some features of the Platform may not function properly, and your user experience may be degraded. Disabling essential cookies may prevent you from accessing certain functionality or require you to re-authenticate each time you visit the Platform. Disabling analytics cookies will prevent us from collecting usage data about your sessions but will not affect the core functionality of the Platform.

You may also opt out of certain third-party cookies by visiting the Network Advertising Initiative opt-out page at https://optout.networkadvertising.org/ or the Digital Advertising Alliance opt-out page at https://optout.aboutads.info/.

7.4 Do Not Track and Global Privacy Control Signals

Some web browsers offer a "Do Not Track" ("DNT") signal that transmits a preference not to be tracked to the websites you visit. Because there is no widely accepted standard for how to interpret DNT signals, we describe our current response to DNT signals in Section 16 of this Policy.

We recognize and honor Global Privacy Control ("GPC") signals as a valid opt-out request under applicable laws, including the CCPA/CPRA. When we detect a GPC signal from your browser, we will treat it as a request to opt out of the sale or sharing of your personal information, to the extent applicable. For more information about GPC, visit https://globalprivacycontrol.org/.

8. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, as described in this Privacy Policy, and in accordance with our legal obligations, contractual requirements, and legitimate business interests. The specific retention periods we apply are as follows:

  • Account Data (including profile information, contact details, social media URLs/handles, and account settings): Retained for the duration of your active account plus three (3) years following account closure or deletion. The post-closure retention period allows us to address any outstanding issues, disputes, or legal obligations that may arise after account termination.
  • Transaction Records (including payment history, invoices, payout records, and related financial data): Retained for seven (7) years from the date of the transaction. This retention period is necessary to comply with applicable tax laws, financial reporting requirements, and accounting standards, including obligations under the Internal Revenue Code and applicable state tax regulations.
  • Usage Logs (including IP addresses, user agent strings, page view data, session data, and other automatically collected information): Retained for two (2) years from the date of collection. After this period, usage logs are either permanently deleted or anonymized such that they can no longer be associated with an individual user.
  • Marketing Data (including marketing preferences, email engagement data, and communication history): Retained until you opt out of marketing communications, plus thirty (30) days to process the opt-out request and ensure you are removed from all marketing lists and systems. If you have opted in to receive marketing communications, your marketing preferences are retained for the duration of your consent.
  • Waitlist Data (including name, email, and any other information submitted through waitlist registration forms): Retained until the Platform launches and your account is converted to a full account, or for a maximum of two (2) years from the date of submission, whichever occurs first. If you do not convert your waitlist registration to a full account within two years, your waitlist data will be deleted.

Upon your request, we will delete your personal information in accordance with applicable law, subject to certain exceptions. We may retain personal information even after a deletion request where retention is necessary to comply with legal obligations (such as tax record-keeping requirements), to resolve disputes, to enforce our agreements, to establish or defend legal claims, or to fulfill any other legitimate business purpose. In such cases, we will inform you of the specific basis for continued retention.

As an alternative to deletion, we may anonymize your personal information so that it can no longer be used to identify you. Anonymized data is no longer considered personal information and may be retained and used for any lawful purpose, including aggregate analytics, research, and business intelligence.

We conduct periodic reviews of the personal data we hold to ensure that data is not retained longer than necessary for the purposes described in this Policy. When personal data is no longer needed, it is securely deleted or anonymized using industry-standard methods.

9. Data Security

We implement and maintain a comprehensive set of technical, administrative, and organizational security measures designed to protect your personal information against unauthorized access, alteration, disclosure, destruction, loss, and misuse. Our security program is designed to be commensurate with the sensitivity of the personal information we process and the risks to which it may be exposed.

Our security measures include, but are not limited to, the following:

  • Encryption in Transit: All data transmitted between your device and our servers is encrypted using Transport Layer Security (TLS/SSL) protocols. This ensures that personal information cannot be intercepted or read by unauthorized parties during transmission.
  • Encryption at Rest: Personal information stored in our databases and backup systems is encrypted at rest using industry-standard encryption algorithms. Our database provider, Supabase, implements AES-256 encryption for data at rest.
  • Access Controls: We implement role-based access controls (RBAC) based on the principle of least privilege. Only authorized personnel with a legitimate business need are granted access to personal information, and access levels are assigned based on job function and responsibility. Access permissions are reviewed regularly and revoked promptly when no longer needed.
  • Authentication and Authorization: We use secure authentication mechanisms, including multi-factor authentication for administrative access to systems that process personal information. Session management controls are implemented to prevent session hijacking and replay attacks.
  • Regular Security Assessments: We conduct periodic security assessments, including vulnerability scanning, code reviews, and penetration testing, to identify and remediate potential security weaknesses in our systems and applications.
  • Incident Response Procedures: We maintain a documented incident response plan that outlines procedures for detecting, reporting, investigating, containing, and remediating security incidents. In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected individuals and applicable regulatory authorities in accordance with applicable law and within the timeframes required by GDPR, CCPA/CPRA, and other applicable data breach notification laws.
  • Employee Training: All employees and contractors with access to personal information receive regular training on data protection best practices, security awareness, and their obligations under applicable privacy laws.
  • Vendor Security: We evaluate the security practices of our third-party service providers before engaging them and require them to maintain appropriate security measures through contractual obligations, including data processing agreements.
  • Network Security: We employ firewalls, intrusion detection systems, and other network security measures to protect our infrastructure from external threats.

Despite our efforts to protect your personal information, no method of transmission over the Internet and no method of electronic storage is completely secure. We cannot guarantee the absolute security of your personal information. The security of your information also depends on you. You are responsible for maintaining the confidentiality of your account credentials, including your password, and for restricting access to your account. You should notify us immediately at legal@creativescale.co if you become aware of any unauthorized access to or use of your account.

In the event that we become aware of a security breach that results in the unauthorized access, disclosure, or destruction of personal information, we will promptly investigate the incident and take appropriate remedial measures. We will notify affected individuals and applicable regulatory authorities in accordance with applicable law.

10. Your Privacy Rights Under GDPR

If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, you are entitled to certain rights under the General Data Protection Regulation (GDPR) and applicable national implementing legislation. These rights are subject to certain conditions and exceptions as set forth in the GDPR. Below is a description of each right and how you may exercise it.

  • Right of Access (Article 15 GDPR): You have the right to request confirmation as to whether we process your personal data, and if so, to obtain a copy of your personal data along with supplementary information about how your data is processed, the purposes of processing, the categories of data concerned, the recipients or categories of recipients, the envisaged retention period, and your rights regarding the data.
  • Right to Rectification (Article 16 GDPR): You have the right to request the correction of inaccurate personal data and to have incomplete personal data completed, including by providing a supplementary statement.
  • Right to Erasure / Right to Be Forgotten (Article 17 GDPR): You have the right to request the deletion of your personal data in certain circumstances, including where the data is no longer necessary for the purposes for which it was collected, where you withdraw consent (and no other legal basis applies), where you object to processing and there are no overriding legitimate grounds, where the data has been unlawfully processed, or where deletion is required to comply with a legal obligation. This right is not absolute and is subject to exceptions, including where processing is necessary for compliance with a legal obligation, for the establishment, exercise, or defense of legal claims, or for reasons of public interest.
  • Right to Data Portability (Article 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format (such as JSON or CSV), and to transmit that data to another controller without hindrance, where the processing is based on your consent or a contract and is carried out by automated means.
  • Right to Restriction of Processing (Article 18 GDPR): You have the right to request the restriction of processing of your personal data in certain circumstances, including where you contest the accuracy of the data (for a period enabling us to verify accuracy), where processing is unlawful but you oppose erasure, where we no longer need the data but you need it for legal claims, or where you have objected to processing pending verification of whether our legitimate grounds override yours.
  • Right to Object (Article 21 GDPR): You have the right to object to the processing of your personal data based on our legitimate interests or for direct marketing purposes. Where you object to processing for direct marketing, we will cease processing your data for that purpose immediately. Where you object to processing based on legitimate interests, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.
  • Rights Related to Automated Decision-Making and Profiling (Article 22 GDPR): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless such processing is necessary for the performance of a contract, authorized by applicable law, or based on your explicit consent. Where we engage in automated decision-making, we will implement suitable safeguards, including the right to obtain human intervention, to express your point of view, and to contest the decision.
  • Right to Withdraw Consent (Article 7(3) GDPR): Where we rely on your consent as the legal basis for processing, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.
  • Right to Lodge a Complaint (Article 77 GDPR): You have the right to lodge a complaint with a supervisory authority in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement if you consider that our processing of your personal data infringes the GDPR. A list of EEA supervisory authorities and their contact information is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en.

To exercise any of the rights described above, please submit a request by emailing us at legal@creativescale.co with the subject line "GDPR Data Subject Request." We will respond to your request within thirty (30) days of receipt. If we require additional time to fulfill your request (up to an additional sixty (60) days for complex or numerous requests), we will notify you of the extension and the reasons for the delay within the initial thirty-day period.

To protect your privacy and security, we may need to verify your identity before fulfilling your request. Identity verification may involve confirming information we already have on file about you, such as your email address, name, or account details. We will not fulfill a request if we are unable to verify your identity to a reasonable degree of certainty.

We will provide our response to your request free of charge. However, if your requests are manifestly unfounded or excessive (in particular because of their repetitive character), we may charge a reasonable fee based on administrative costs or refuse to act on the request, in accordance with Article 12(5) GDPR.

11. Your Privacy Rights Under CCPA/CPRA

If you are a California resident, you have certain rights under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA/CPRA"). This section describes your rights and how to exercise them. For purposes of this section, "personal information" has the meaning given in the CCPA/CPRA.

  • Right to Know (Cal. Civ. Code §§ 1798.100, 1798.110, 1798.115): You have the right to request that we disclose the following information about our collection and use of your personal information over the preceding twelve (12) months: (a) the categories of personal information we have collected about you; (b) the categories of sources from which the personal information was collected; (c) the business or commercial purpose for collecting, selling, or sharing the personal information; (d) the categories of third parties to whom we have disclosed the personal information; and (e) the specific pieces of personal information we have collected about you.
  • Right to Delete (Cal. Civ. Code § 1798.105): You have the right to request that we delete the personal information we have collected from you, subject to certain exceptions. We may deny your deletion request if retaining the information is necessary for us or our service providers to complete a transaction, provide a good or service you requested, fulfill the terms of a written warranty or product recall, ensure security and integrity, debug and repair errors, exercise free speech or another legal right, comply with the California Electronic Communications Privacy Act, engage in public or peer-reviewed scientific, historical, or statistical research in the public interest, enable solely internal uses reasonably aligned with your expectations, or comply with a legal obligation.
  • Right to Correct (Cal. Civ. Code § 1798.106): You have the right to request that we correct inaccurate personal information that we maintain about you, taking into account the nature of the personal information and the purposes of the processing.
  • Right to Opt-Out of Sale or Sharing (Cal. Civ. Code §§ 1798.120, 1798.135): You have the right to direct us not to sell or share your personal information to third parties. Creative Scale does NOT sell your personal information to third parties, and we do not share your personal information for cross-context behavioral advertising purposes as defined under the CCPA/CPRA. Because we do not engage in these practices, there is no need for you to submit an opt-out request. If our practices change in the future, we will update this Policy and provide a "Do Not Sell or Share My Personal Information" link as required by law.
  • Right to Non-Discrimination (Cal. Civ. Code § 1798.125): You have the right not to receive discriminatory treatment for exercising any of your CCPA/CPRA rights. We will not deny you goods or services, charge you different prices or rates, provide you a different level or quality of goods or services, or suggest that you will receive a different price, rate, level, or quality of goods or services because you exercised a privacy right.
  • Authorized Agent Requests: You may designate an authorized agent to submit privacy requests on your behalf. To designate an authorized agent, you must provide the agent with written permission signed by you, and the agent must submit proof of authorization along with the privacy request. We may also require you to verify your own identity directly with us before we fulfill a request submitted by an authorized agent. If you use an authorized agent registered with the California Secretary of State, we may request a copy of the agent's registration as additional verification.

To exercise your rights under the CCPA/CPRA, please submit a verifiable consumer request by emailing us at legal@creativescale.co with the subject line "CCPA Privacy Request." You may also exercise your rights by contacting us through the methods described in Section 18 of this Policy.

Verification: Upon receiving a request, we will verify your identity to ensure we are responding to the correct individual. We may ask you to provide information that matches information we already have on file, such as your email address, full name, and account information. The level of verification required will depend on the type of request and the sensitivity of the information involved. For requests to know categories of personal information, we will verify your identity to a reasonable degree of certainty. For requests to know specific pieces of personal information or to delete personal information, we will verify your identity to a reasonably high degree of certainty.

Response Timeframe: We will acknowledge receipt of your request within ten (10) business days and will respond to your verified request within forty-five (45) calendar days of receipt. If we require additional time (up to an additional forty-five (45) calendar days), we will notify you of the extension and the reason for it. We will provide responses to your requests free of charge for the first two (2) requests you submit within any twelve (12) month period. For additional requests within the same twelve-month period, we may charge a reasonable fee based on the administrative cost of fulfilling the request, or we may decline to act on the request, provided we notify you of the reason.

12. California-Specific Disclosures

In accordance with the CCPA/CPRA, this section provides specific disclosures about the categories of personal information we have collected, used, and disclosed in the preceding twelve (12) months.

Categories of Personal Information Collected:

  • Identifiers: Full name, email address, phone number, Instagram URL, TikTok URL, Instagram handle, website URL, IP address, and account identifiers.
  • Commercial Information: Transaction records, payment history, products or services purchased or considered (including campaign participation and content orders), and purchasing tendencies.
  • Internet or Other Electronic Network Activity Information: Browsing history on the Platform, search history, information regarding interactions with the Platform, user agent strings, browser type and version, operating system, device type, session duration, pages visited, referring URLs, and click-stream data.
  • Professional or Employment-Related Information: UGC earnings estimates, monthly revenue estimates, TikTok Shop participation status, Meta Ads usage status, and other information related to your business or professional activities on the Platform.
  • Inferences: Profiles created by analyzing user data to reflect preferences, characteristics, behavior, attitudes, abilities, and aptitudes, including Creator-Brand matching scores, content quality assessments, and engagement predictions.

Sources of Personal Information:

  • Directly from you when you register for an account, complete your profile, submit forms, or otherwise interact with the Platform
  • Automatically through your use of the Platform via cookies, server logs, and analytics tools
  • From third-party sources, including social media platforms (Instagram, TikTok), Meta Ads platform, Stripe (payment data), and publicly available sources

Business or Commercial Purposes for Collection:

  • Providing, maintaining, and improving the Platform and Services
  • Processing transactions and facilitating payments between Brands and Creators
  • Matching Brands with suitable Creators based on profile data, content quality, and other relevant factors
  • Communicating with you about your account, transactions, and Platform updates
  • Analyzing Platform usage to improve features and user experience
  • Detecting and preventing fraud, security incidents, and other harmful activities
  • Complying with legal obligations, including tax reporting and financial record-keeping
  • Marketing and promoting our Services (with your consent where required)

Categories of Third Parties with Whom Personal Information Is Shared:

  • Other Platform users (Creators and Brands) as necessary for Platform functionality
  • Service providers (Supabase, Stripe, Vercel, Meta) as described in Section 6
  • Legal and regulatory authorities when required by law
  • Professional advisors (attorneys, accountants, auditors) as necessary
  • Potential acquirers or successors in connection with business transfers

"Do Not Sell or Share" Statement: Creative Scale does NOT sell personal information to third parties as defined under the CCPA/CPRA. We do NOT share personal information for cross-context behavioral advertising purposes. We have not sold or shared personal information in the preceding twelve (12) months.

Financial Incentive Programs: Creative Scale does not currently offer any financial incentive programs (as defined under the CCPA/CPRA) that involve the collection of personal information. If we introduce such programs in the future, we will provide a separate notice describing the material terms of the program, including the categories of personal information collected and the value of the data.

"Shine the Light" (Cal. Civ. Code § 1798.83): Under California's "Shine the Light" law, California residents who have an established business relationship with us may request information about whether we have disclosed personal information to third parties for their direct marketing purposes during the preceding calendar year. We do not disclose personal information to third parties for their own direct marketing purposes. If you have questions about this practice, please contact us at legal@creativescale.co.

13. Nevada-Specific Rights

If you are a Nevada resident, you have the right under Nevada Senate Bill 220 (NRS 603A.340 et seq.) to request that we do not sell your "covered information" (as defined under Nevada law) to third parties. "Covered information" includes your first and last name, home or business address, email address, phone number, Social Security Number, and any identifier that can be used to contact you electronically.

Creative Scale does not currently sell your covered information as defined under Nevada law. However, if you are a Nevada resident and wish to submit an opt-out request, or if you have any questions about our data practices as they relate to Nevada law, you may contact us at legal@creativescale.co with the subject line "Nevada Privacy Request."

Upon receiving a verified request, we will respond within sixty (60) days. We may take an additional thirty (30) days to respond if reasonably necessary, provided we notify you of the extension within the initial sixty-day period. We will not charge you a fee for submitting or processing your request.

14. Children's Privacy

The Platform is designed for and directed to users who are at least eighteen (18) years of age. The Platform is a commercial marketplace for business transactions between Brands and Creators, and it is not intended for use by individuals under the age of eighteen (18). By using the Platform, you represent and warrant that you are at least eighteen (18) years of age.

We do not knowingly collect, solicit, or maintain personal information from anyone under the age of eighteen (18). We do not knowingly allow individuals under the age of eighteen (18) to register for accounts, post content, or otherwise participate in the Platform's services. In compliance with the Children's Online Privacy Protection Act ("COPPA") and similar laws, we do not knowingly collect personal information from children under the age of thirteen (13).

If we discover or are notified that we have inadvertently collected personal information from an individual under the age of eighteen (18), we will take the following steps promptly:

  • Immediately suspend or terminate the associated account to prevent further data collection
  • Delete all personal information associated with the minor's account from our active databases within a commercially reasonable timeframe, and direct our service providers to do the same
  • Where the individual is under thirteen (13) years of age, notify the parent or legal guardian (if contact information is available) that personal information was collected and has been deleted
  • Document the incident and review our age verification procedures to prevent future occurrences

If you are a parent or legal guardian and believe that your child under the age of eighteen (18) has provided personal information to Creative Scale, please contact us immediately at legal@creativescale.co with the subject line "Children's Privacy Concern." We will promptly investigate and take appropriate action to delete any personal information that was collected from the minor.

If you are under eighteen (18) years of age, do not attempt to register for the Platform, do not provide any personal information to us, and please ask your parent or legal guardian for assistance.

15. International Data Transfers

Creative Scale LLC is based in the United States of America, and our Platform infrastructure, including our servers and databases, is primarily located in the United States. When you use the Platform, your personal information is transferred to and processed in the United States, regardless of the country in which you reside. The data protection laws of the United States may differ from those of your country of residence and may not provide the same level of protection for your personal data.

If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, we take appropriate steps to ensure that your personal data receives an adequate level of protection when transferred to the United States. These safeguards include:

  • Standard Contractual Clauses (SCCs): For transfers of personal data from the EEA to the United States, we rely on the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as the primary transfer mechanism. We incorporate these clauses into our agreements with service providers and other data recipients located outside the EEA to ensure appropriate safeguards are in place.
  • UK Addendum to SCCs: For transfers of personal data from the United Kingdom to the United States, we rely on the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the "UK Addendum"), as issued by the UK Information Commissioner's Office (ICO) under Section 119A of the UK Data Protection Act 2018.
  • Supplementary Measures: Where necessary, we implement supplementary technical and organizational measures to ensure the effectiveness of the transfer mechanisms, including encryption, pseudonymization, access controls, and contractual commitments regarding government access to data.
  • Data Processing Agreements: We enter into data processing agreements with our third-party service providers that include appropriate data protection obligations, including requirements regarding the security, confidentiality, and processing of personal data.

You may request a copy of the Standard Contractual Clauses or other safeguards we use by contacting us at legal@creativescale.co.

By using the Platform, you acknowledge and consent to the transfer, processing, and storage of your personal information in the United States and other countries where our service providers operate. We will take all steps reasonably necessary to ensure that your personal data is treated securely and in accordance with this Privacy Policy and applicable data protection laws.

16. Do Not Track Signals

"Do Not Track" ("DNT") is a privacy preference that you can set in most web browsers. When you enable DNT, your browser sends a special signal to websites, analytics services, advertising networks, plug-in providers, and other web services you encounter while browsing, requesting that they stop tracking your activity.

As of the effective date of this Privacy Policy, there is no universally accepted standard for how companies should respond to DNT signals. Because no such standard has been adopted, Creative Scale does not currently alter its data collection and use practices in response to DNT signals from your browser. If a uniform standard for responding to DNT signals is established in the future, we will re-evaluate our practices and update this Policy accordingly.

However, we do recognize and honor Global Privacy Control ("GPC") signals as a valid opt-out mechanism under applicable laws, including the CCPA/CPRA. If your browser or device transmits a GPC signal, we will treat that signal as a valid request to opt out of the sale or sharing of your personal information (to the extent applicable under the CCPA/CPRA) and to limit the use of your sensitive personal information. Creative Scale does not sell personal information, but we honor GPC signals as an expression of your privacy preferences. For more information about GPC and how to enable it, visit https://globalprivacycontrol.org/.

Regardless of DNT or GPC signals, you can manage cookies and tracking technologies through your browser settings as described in Section 7.3 of this Policy.

17. Changes to This Privacy Policy

We reserve the right to update, modify, or revise this Privacy Policy at any time, in our sole discretion, to reflect changes in our information practices, the Platform's features, applicable laws and regulations, or for other operational, legal, or regulatory reasons.

When we make changes to this Privacy Policy, we will update the "Last Updated" date at the top of this Policy. If we make material changes that significantly affect the way we collect, use, or disclose your personal information, we will provide you with prominent notice prior to the changes taking effect. Material changes may be communicated through one or more of the following methods:

  • Sending an email notification to the email address associated with your account
  • Displaying a prominent notice or banner on the Platform prior to and/or following the change
  • Providing an in-app notification when you next log in to the Platform
  • Posting the updated Privacy Policy on our Website with a clear indication of the changes made

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your personal information. Your continued use of the Platform after any modifications to this Privacy Policy constitutes your acknowledgment of the modifications and your agreement to be bound by the updated Policy.

If you do not agree with the updated Privacy Policy, you must stop using the Platform and may request deletion of your personal information by contacting us at legal@creativescale.co. Your continued use of the Platform following the posting of changes constitutes your acceptance of such changes.

For significant changes that materially alter your rights or our obligations, we will, where required by applicable law (including the GDPR), seek your affirmative consent before applying the new terms to your personal information. Non-material changes, such as typographical corrections, formatting adjustments, or clarifications that do not alter the substance of our practices, may be made without prior notice.

18. Contact Us

If you have any questions, concerns, or complaints about this Privacy Policy, our data practices, or your personal information, or if you wish to exercise any of your privacy rights, please contact us using the information below:

  • Email: legal@creativescale.co
  • Mailing Address: Creative Scale LLC, [Address on file with the Florida Division of Corporations]

When contacting us, please use the following subject line conventions to help us route your inquiry to the appropriate team and ensure a timely response:

  • For GDPR-related requests: "GDPR Data Subject Request"
  • For CCPA/CPRA-related requests: "CCPA Privacy Request"
  • For Nevada privacy requests: "Nevada Privacy Request"
  • For children's privacy concerns: "Children's Privacy Concern"
  • For data breach inquiries: "Data Security Inquiry"
  • For general privacy questions: "Privacy Policy Inquiry"
  • For data deletion requests: "Data Deletion Request"
  • For data access requests: "Data Access Request"

We will acknowledge receipt of your inquiry within five (5) business days and endeavor to provide a substantive response within thirty (30) calendar days of receipt. If your request is complex or requires additional investigation, we may extend the response period as permitted by applicable law, and we will notify you of any extension and the reasons for it.

For data protection inquiries specifically related to the GDPR, you may also have the right to lodge a complaint with your local supervisory authority. A list of EEA data protection authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en. For UK residents, you may contact the Information Commissioner's Office (ICO) at https://ico.org.uk/.

We are committed to resolving any complaints or concerns you may have about our data practices. If you are not satisfied with our response to your inquiry, we encourage you to contact us again so that we can work together to reach a satisfactory resolution. We take every privacy concern seriously and will make reasonable efforts to address your issue promptly and fairly.


© 2026 Creative Scale. All rights reserved.