Privacy Policy
Last updated: May 6, 2026 · Version: 1.0
This privacy notice describes how CreatorHive (hereinafter “we”, “Data Controller”) processes the personal data of users of the SaaS service available at creatorhive.app, in compliance with Regulation (EU) 2016/679 (“GDPR”) and Italian Legislative Decree 196/2003 (as amended by Legislative Decree 101/2018).
1. Data Controller
- Company name: [INSERT COMPANY NAME]
- Registered office: [INSERT REGISTERED OFFICE]
- VAT / Tax code: [INSERT VAT]
- Privacy contact email: privacy@creatorhive.app
A formal Data Protection Officer (DPO) under Article 37 GDPR has not been appointed because CreatorHive does not fall within the cases in which appointment is mandatory. The internal data protection contact can be reached at the email address above.
2. Categories of data processed
We process the following categories of personal data:
- Identification and contact data: username, email, optionally first name, last name, date of birth, address (if provided by the user).
- Authentication data: password (stored as a non-reversible bcrypt hash), optional two-factor authentication secret (Fernet-encrypted), backup codes (one-way hashed).
- Professional profile data: bio, business email, content categories, games (for creators).
- Session and usage data: IP addresses (partially masked in generic logs), device type, access logs and logs of relevant actions.
- Data related to connected social channels (for creators): channel name, platform identifier, aggregated statistics retrieved via OAuth authorized by the user. OAuth tokens are encrypted and never exposed to the user or third parties.
- Data related to sponsorships: contractual references, deliverables, statistics screenshots, campaign values.
3. Purposes and legal basis of processing
| Purpose | Legal basis (GDPR) |
|---|---|
| Provision of the SaaS service (registration, account management, sponsorships, statistics) | Performance of a contract — Art. 6(1)(b) |
| Security, anti-fraud, abuse prevention, access logs | Legitimate interest — Art. 6(1)(f) |
| Tax and accounting compliance | Legal obligation — Art. 6(1)(c) |
| Possible direct marketing communications | Express and revocable consent — Art. 6(1)(a) (currently not active) |
4. Recipients of data and providers (Art. 28 GDPR)
Data may be processed by third-party service providers acting as Data Processors. All providers are bound by a Data Processing Addendum.
| Provider | Role | Region | Non-EU transfer |
|---|---|---|---|
| Cloudflare | Frontend hosting, CDN, R2 (media storage), email routing | Global / R2 EU | SCC 2021/914 |
| Fly.io | Backend API hosting | Frankfurt (EU) | SCC if US fallback |
| Neon | Managed PostgreSQL database | EU | SCC where applicable |
| Upstash / redis.io | Managed Redis (cache, sessions, rate limit) | EU | SCC where applicable |
| Resend | Transactional email delivery | EU | SCC where applicable |
| Social platform APIs (YouTube, Instagram, Twitch, TikTok) | Statistics sync authorized by the user via OAuth | US | The user gives consent directly to the provider during the OAuth flow |
The updated list is available on request at privacy@creatorhive.app.
5. Transfers outside the EU
Some of our providers (Cloudflare, possible US fallbacks) may process data outside the European Economic Area. In such cases, the transfer is governed by the Standard Contractual Clauses adopted by the European Commission with Decision 2021/914 (“SCCs”), as provided by Article 46 GDPR and in compliance with the Schrems II ruling.
6. Retention period
| Category of data | Retention |
|---|---|
| Account data | Duration of the contract + 30-day grace period after deletion request |
| After account deletion | Pseudonymized username and email kept for audit trail and contractual evidence (Art. 17(3)(b)/(e)). All other personal data is deleted or anonymized |
| Generic logs (REQUEST) | 60 days |
| Security and audit logs | 24 months (in compliance with Italian Data Protection Authority Decision of 27/11/2008) |
| Notifications | 90 days from delivery (then archived or deleted) |
| OAuth tokens | Deleted 30 days after expiration if no refresh succeeds |
| Sponsorships and content | For the duration of the contractual relationship + tax obligations (10 years for invoicing) |
7. Data subject rights (Art. 15-22 GDPR)
You can exercise the following rights at any time:
- Right of access (Art. 15) — obtain a copy of your personal data. Available self-service in your account settings (“Export my data”) or by request to privacy@creatorhive.app.
- Right to rectification (Art. 16) — correct inaccurate data.
- Right to erasure / right to be forgotten (Art. 17) — available self-service in settings (“Delete account”) with a 30-day grace period during which you can cancel the request.
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20) — covered by the same export function.
- Right to object (Art. 21).
- Right to withdraw consent at any time, where processing is based on consent (e.g. marketing, once activated).
To exercise rights not covered by self-service functions, write to privacy@creatorhive.app. We will respond within one month, except for justified extensions under Art. 12(3) GDPR.
8. Right to lodge a complaint
You have the right to lodge a complaint with the competent supervisory authority. In Italy: Italian Data Protection Authority — Garante per la Protezione dei Dati Personali.
9. Security measures
We adopt technical and organizational measures appropriate to the nature of the data processed, including:
- Passwords protected with bcrypt (cost factor 12).
- Two-factor authentication mandatory for roles with administrative privileges.
- Encryption in transit (TLS 1.2+) and encryption at rest for sensitive data (Fernet on OAuth tokens, MFA secrets, multi-tenant database URLs).
- Multi-tenant segregation at the database and application level.
- Rate limiting, brute-force protection, HTTP security headers (CSP, HSTS, X-Frame-Options).
- Automatic cleanup of sessions, logs, screenshots and expired tokens.
- Internal incident response procedure with notification to the Italian Data Protection Authority within 72 hours under Art. 33 GDPR.
10. Minimum age
The service is not directed at children under 16. During registration, the user confirms being at least 16 years old.
11. Changes to this notice
We reserve the right to update this notice. Substantial changes (new processing, new provider, significant retention change) are notified to registered users, who will be required to re-accept the new version on their next login. The version history is maintained internally.
12. Contact
For any questions regarding the processing of your personal data: privacy@creatorhive.app.