Creo
Back

Privacy Policy

We are Creo Collective Ltd, Dryden Enterprise Centre, Dryden Street, NG1 0FQ (referred to herein as “we”, “us” or “our”, as the context requires).

Creo Collective Ltd (“Creo”, “we”, “us”, or “our”) is committed to protecting your privacy and being transparent about how we handle your personal data. This policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application, web application, and related services (collectively, the “Services”). Please read this policy carefully. By using the Services, you agree to the practices described below. If you disagree, please discontinue use of the Services.

Creo Collective Ltd is the data controller responsible for your personal information. If you have any questions about this policy or how your data is used, you can contact our privacy team at team@creoofficial.com.

We do not have a mandatory Data Protection Officer under UK GDPR, but all privacy matters are handled by our internal team.

1. Information We Collect

The information we gather about you may be collected directly from you or from third-party online sources. Information we gather about our users comprises but may not be limited to:

1.1 Information You Provide

  • Account & Profile Data: Name, username, email, phone, password, biography, location, professional details, portfolio folders, or other profile fields you choose to show.
  • Content & Communications: Projects, images, videos, documents, comments, feedback, and other user-generated content shared on Creo.
  • Payment & Billing: When you buy, sell, or subscribe through Creo, your payment details (such as card number and CVC) are collected and processed directly by our payment provider (Stripe). Creo does not store your full payment card information. We receive limited payment information from Stripe (such as a payment method type, the last four digits of your card, card brand, country, and transaction details) to verify payments, detect fraud, and comply with legal and regulatory obligations.

We also maintain transaction history and, where required, collect tax-related information (such as tax identifiers and residency information) to comply with reporting obligations (including, where applicable, DAC7 and HMRC requirements).

  • Support & Surveys: Information you provide when contacting support, reporting issues, responding to surveys, or participating in beta programs.

1.2 Information Collected Automatically

  • Usage Data: Pages viewed, tabs selected, timestamps, feature engagement, referral URLs, and crash diagnostics.
  • Device Data: Device type, operating system, browser type, IP address, language, and app version.
  • Cookies & Similar Technologies: Session identifiers, authentication tokens, preferences, analytics metrics, and security logs.

1.3 Information From Third Parties

  • Authentication Providers: If you sign in with Apple, Google, or similar, we receive profile basics and identifiers.
  • Analytics & Advertising Partners: Aggregated performance insights or campaign attribution.
  • Payment Processors: Transaction confirmations, fraud signals, and dispute metadata.
  • Integration Partners: Information that you authorise us to receive from tools linked to Creo (e.g., collaboration or storage services).

1.4 Your Responsibility to Keep Data Updated

Please ensure the personal information you provide is accurate and up to date. You can update your information through your account settings or by contacting us at team@creoofficial.com.

2. How We Use Information

We use personal data to operate, maintain, improve, and enhance the Services and protect Creo. This includes:

2.1 Account Management & Service Delivery

Creating and managing your account, authenticating logins, verifying identities, securing accounts, and operating, maintaining, and enhancing the Services.

2.2 Payments & Financial Transactions

Processing payments, subscriptions, payouts, invoices, and other financial transactions. Payment card details (such as card number and CVC) are collected and processed directly by our payment provider (Stripe). Creo does not store your full payment card information. We receive limited payment metadata (such as payment method type, the last four digits of your card, card brand, country, and transaction details) to verify payments, detect fraud, and support customer service.

2.3 Platform Features & Communication

Facilitating connections between Project Owners and Creatives, including matching, collaboration, and project management. Enabling communications between members through messages, invitations, comments, and notifications. Personalising experiences by recommending relevant projects, collaborators, jobs and content. Publishing and displaying profiles, portfolios, and projects to make them discoverable by potential clients, collaborators, and employers. Enabling search, filtering, and discovery features to help users find relevant opportunities and connections. Processing job applications, hiring positions, and recruitment workflows. Generating and sharing profile links, QR codes, and other shareable content.

2.4 Verification & Trust

Verifying user identities and professional credentials, and displaying verification status and professional information to other users. Enabling social connections, following relationships, and networking features, and supporting sharing of profiles, projects, and content within and outside the platform. Displaying social metrics and engagement information. Collecting, displaying, and managing ratings and reviews between users, and calculating and displaying aggregate ratings and feedback to help users make informed decisions.

2.5 Content Moderation & Safety

Reviewing and moderating user-generated content to enforce community guidelines and platform safety. Detecting and preventing spam, abuse, inappropriate content, and misuse of the platform. Sending transactional notifications, service announcements, and important administrative updates. Providing customer support, troubleshooting issues, and responding to inquiries.

2.6 Analytics & Improvement

Conducting analytics, monitoring usage trends, and improving performance and user experience. Providing users with insights about their profile and content performance where applicable. Running research activities, surveys, user testing, or beta features with your consent where required.

2.7 Compliance & Safety

Enforcing our Terms of Use, preventing misuse, protecting users, and ensuring platform safety, including fraud prevention and trust & safety reviews. Complying with legal obligations, responding to lawful requests, and maintaining regulatory reporting. Where applicable, this may include maintaining transaction records and collecting tax-related information (such as tax identifiers and residency information) to satisfy reporting obligations, including DAC7/HMRC requirements.

We may use personal data for additional purposes consistent with this Privacy Policy and applicable law as we develop new features or address legal and operational needs. If we materially change how we use personal data, we will notify you as described in the "Changes to This Policy" section.

3. Legal Basis for Processing

3.1 Performance of a Contract

We process your data to provide the Services you request and to perform our agreement with you. This includes creating and managing your account, enabling profile and portfolio publication and discovery, facilitating messaging and collaboration, processing purchases, subscriptions, payouts, and invoices, and facilitating connections between Project Owners and Creatives.

3.2 Legitimate Interests

We process data to pursue legitimate interests that are not overridden by your rights and freedoms. These include:

  • Operating, maintaining, and improving Creo (including analytics and performance monitoring).
  • Promoting creator portfolios and discoverability within the platform.
  • Marketing and product communications (where permitted by law).
  • Trust & safety, fraud prevention, abuse and spam detection, and platform security (online and physical).
  • Establishing, exercising, or defending legal claims.
  • Personalising content and recommendations.
  • Enhancing website and app performance.

3.3 Consent

We rely on consent where required by law, for example:

  • Certain marketing communications (you can withdraw consent anytime via unsubscribe links or notification settings).
  • Optional features that use device permissions or additional data categories.
  • Research, user testing, or beta programs where consent is appropriate.
  • Processing special categories of personal data, unless we process data that has been manifestly made public by you, based on your contract with us, or otherwise permitted by law.

You can withdraw consent at any time by contacting us at team@creoofficial.com. Withdrawing consent does not affect processing carried out before withdrawal.

3.4 Legal Obligations

We process data to comply with laws and regulatory requirements, including maintaining transaction records, responding to lawful requests, and meeting tax and reporting obligations (which may include DAC7/HMRC reporting where applicable).

4. Information We Share

We share personal information only as necessary to provide the Services and as described below:

Service Providers

We share information with third-party service providers who perform services on our behalf, including:

  • Payment processing (Stripe)
  • Analytics and hosting providers
  • Customer support and communication tools
  • Authentication providers (Apple, Google, etc.)

These service providers are contractually obligated to protect your information and use it only for the purposes we specify.

Tax & Regulatory Authorities

We may share information with tax and regulatory authorities (including HMRC and for DAC7 reporting) when required by law or to comply with reporting obligations.

Shared / Third-Party Data

Data processed on behalf of or in collaboration with other organisations (such as universities or brands) may require joint-controller or processor arrangements. In such cases, we will ensure appropriate data protection agreements are in place.

Joint Controllers

From time to time, we may engage in collaborative programmes or initiatives with third-party organisations, including but not limited to universities, educational institutions, or brand partners, where both parties jointly determine the purposes and means of processing personal data. In such circumstances, the parties will act as Joint Controllers within the meaning of Article 26 of the UK GDPR.

Where a Joint Controller arrangement is in place, we will ensure that a clear and transparent allocation of responsibilities is established between the parties, including (but not limited to) obligations relating to data subject rights, transparency, and security. The essence of such arrangements will be made available to you upon request, and you will be informed of the primary contact point for exercising your rights.

Public Information

Information you choose to make public on Creo (such as your profile, portfolio, projects, and public posts) is visible to other users and may be accessible through search engines and shared via links or QR codes. You control what information is public through your privacy settings.

Anonymised and Aggregated Data

We may share anonymised or aggregated data that does not identify you individually with third parties for analytics, research, business intelligence, or other purposes. This may include statistical information about usage patterns, trends, or demographics. Because this data is anonymised, it cannot be used to identify you.

Legal Requirements

We may disclose information when required by law, to respond to legal process, to enforce our Terms of Use, to protect the rights, property, or safety of Creo or our users, or to comply with regulatory obligations.

With Your Consent

We may share information with third parties when you have given us explicit consent to do so, such as when you enable integrations with third-party services.

We will not sell or rent your personal information to other organisations.

5. Children's Privacy

Our Services are intended for users aged 18 or over. We do not knowingly collect or process personal data from individuals under 18. If we become aware that we have collected personal data from a minor without appropriate consent, we will delete it immediately.

If we learn that a child provided information without parental consent, we will delete it. Parents or guardians may contact team@creoofficial.com for assistance.

6. Third-Party Links and Services

Our Services may contain links to third-party websites, applications, or services, or integrate with third-party tools and platforms. These third-party services operate independently and have their own privacy policies and terms of service. We are not responsible for the privacy practices or content of these third-party services. We encourage you to review their privacy policies before providing any personal information. Your interactions with third-party services are subject to their terms and privacy policies, not this Privacy Policy.

7. Security, Training, & Staff Responsibilities

We use appropriate technical and organisational measures to protect personal data, including industry-standard encryption, access controls, and monitoring. We maintain internal policies and procedures addressing information security, access management, data handling, and incident response. We provide staff with data protection guidance appropriate to their roles and require adherence to confidentiality and security obligations. We review our security practices periodically and work with service providers that implement reasonable safeguards.

7.1 Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, inform affected users without undue delay.

8. Location of Data Storage

Your personal data is stored and processed using Supabase, our cloud database and hosting provider. Your data is stored in the region selected by Creo based on your location (primarily UK/EU). Some of our service providers may store data in other jurisdictions as described in Section 10 (International Data Transfers). When data is transferred outside the UK and EEA, we implement appropriate safeguards as outlined in Section 10.

9. Cookies & Tracking Technologies

We use cookies and similar technologies to operate and improve our platform. For detailed information about the types of cookies we use, why we use them, and how you can manage your preferences, please see our full Cookie Policy at: www.creo.com/cookies

10. International Data Transfers

The data that we collect from you may be transferred to, and stored at, a destination outside the UK and the European Economic Area ("EEA"), where the laws on processing personal data may be less stringent than in your country.

We will ensure that, upon any such transfers, at least one of the following safeguards is implemented:

  • use appropriate safeguards for cross-border transfers, such as Standard Contractual Clauses and supplementary measures, to protect personal data according to applicable law;
  • transferring your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission;
  • entering into specific contractual terms which have been approved by the ICO or the European Commission.

11. Data Retention

We retain personal information for as long as we require for the purposes for which it is processed or as is otherwise required by applicable law. Our retention periods will vary depending on the type of data involved, but, generally, we will refer to these criteria in order to determine retention period:

  • Account data: Retained while your account is active and for a reasonable period after closure
  • Financial/transaction records: Retained for 7 years to comply with tax and accounting obligations
  • Marketing consent: Retained until withdrawn
  • Support communications: Retained for 3 years after the last interaction
  • Whether we have a statutory or contractual need to retain the data;
  • Whether the data is necessary to provide our services;
  • Whether data may be required to make-/defend against claims, subject to the limitation period.

12. Your Rights

Under the UK General Data Protection Regulation (GDPR), you are entitled to certain rights in relation to our handling of your personal data, as described below:

  • Request access to your personal data that we hold about you (commonly known as a “data subject access request” or DSAR). This enables you to receive a copy of the personal data we hold about you or are otherwise processing;
  • The right to obtain without undue delay the rectification of inaccurate personal data concerning you, including the right to have incomplete personal data completed e.g. by means of providing a supplementary statement. This enables you to have any incomplete or inaccurate data we hold about you corrected. We may need to verify the accuracy of the new data you provide to us;
  • Restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data where the data is wrongfully processed but should not be erased for a reason listed in Article 18 (1) GDPR;
  • Right to erasure ('right to be forgotten'). This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it, except for information where a contract or legitimate interest continues to exist (e.g. to pursue claims);
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third-party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms;
  • You may exercise your right of data portability in a common, machine-readable form by obtaining your data.
  • Right to lodge a complaint: You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have processed your personal data unlawfully. You can contact the ICO at ico.org.uk.

Where another mechanism is not provided, you can exercise the rights at any time by contacting us at team@creoofficial.com.

12.1 Exercising Your Rights

We will respond to your requests within one month of receipt. If your request is complex or we receive multiple requests, we may extend this period by up to two additional months and will inform you of the extension. We may need to verify your identity before processing certain requests.

12.2 Identity Verification

To protect your privacy, we may need to verify your identity before processing certain requests, particularly for access or deletion requests. This helps ensure we only disclose or modify data belonging to the requesting individual. Where another mechanism is not provided, you can exercise the rights at any time by contacting us at team@creoofficial.com.

13. Business Transfers

If Creo undergoes a merger, acquisition, restructuring, or asset sale, personal data may be transferred as part of that transaction, subject to this Privacy Policy.

14. Automated Decision-Making & Profiling

14.1 Use of Automated Processing

We use certain automated processes, including artificial intelligence (“AI”), machine learning models, and algorithmic systems, in order to support the operation, optimisation, personalisation, and safety of the Services. Such automated processing assists with service delivery but does not replace human decision-making for actions that produce legal or similarly significant effects on users.

14.2 Categories of Automated Processing

The automated systems we use may include the following:

(a) Matching and Recommendation Systems: Automated analysis of user profile information, stated skills, project preferences, behavioural signals, and historical activity to (i) recommend potential projects or collaborators; (ii) surface relevant creative opportunities; and (iii) personalise discovery feeds, search results, and content presentation.

(b) Profiling and Categorisation: Automated generation of inferred data—such as predicted skills, categories, tags, or suitability indicators—based on user activity, portfolio content, engagement patterns, and other signals. Such inferences are used to support search functionality, discovery mechanisms, and platform optimisation.

(c) Moderation and Trust & Safety Systems: Automated flagging of user-generated content or behaviours that may indicate spam, fraud, abusive conduct, security threats, or violations of our Terms of Use or Community Guidelines. These systems may prioritise items for subsequent human review.

14.3 No Solely Automated Decisions Producing Legal or Significant Effects

We do not carry out decision-making based solely on automated processing that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 of the UK GDPR. Automated processes are used to assist in ranking, recommending, or flagging information but do not make binding determinations regarding your legal rights, access to essential services, or any comparable significant matters.

All enforcement actions with potential material effects on users are subject to human oversight and final determination.

14.4 Human Involvement

Where automated systems identify content, accounts, or behaviours that may require intervention, such matters are reviewed by our authorised personnel, who assess the context, accuracy, and proportionality before taking any action. Human review is incorporated into all processes where an outcome may affect the availability of your account or limit your use of the Services.

14.5 Legal Basis

To the extent that automated processing constitutes “profiling” under the UK GDPR, we rely on the following legal bases:

  • Performance of a contract—for processing necessary to provide personalised features, recommendations, and service optimisation integral to account functionality;
  • Legitimate interests—for fraud detection, security monitoring, platform safety, analytics, and system improvement, provided such interests are not overridden by your rights and freedoms;
  • Consent—where required by law for optional personalisation or experimental features that rely on additional data categories.

14.6 Your Rights in Relation to Automated Processing

Subject to applicable law, you have the following rights:

  • The right to obtain meaningful information about the logic involved in automated decision-making or profiling, to the extent such disclosure does not prejudice our intellectual property, trade secrets, or system integrity;
  • The right to object to certain types of profiling or automated processing carried out on the basis of legitimate interests;
  • The right to request human intervention, express your point of view, or contest any decision that you believe has been made based solely on automated processing;
  • The right to opt-out of specific personalised features where such an option is made available.

Requests relating to these rights may be submitted at any time by contacting us at team@creoofficial.com. We may need to verify your identity before responding.

15. Changes to Policy

We may update this Privacy Policy occasionally. The “Effective Date” reflects the latest version. Significant changes will be communicated via email, in-app notice, or prominent banner. Continued use after the update constitutes acceptance.

Contact Us

For questions, requests, or complaints, contact: Creo Team

Email: team@creoofficial.com

Address: Creo, Dryden Enterprise Centre, Dryden Street, NG1 0FQ

Last updated: 12/8/2025