Privacy Policy
Introduction and Commitment
At Creativate Technologies GmbH, we are committed to respecting your privacy and protecting your personal data in accordance with the General Data Protection Regulation (GDPR), the European Union's Artificial Intelligence Act (AI Act), and internationally recognized standards for digital ethics.
Our website and services can generally be accessed without providing personal data. However, the use of certain features may require the processing of personal information. In such cases, and where no other legal basis applies, we will seek your explicit consent before processing your data.
Please be aware that the transmission of data over the Internet may present security vulnerabilities. While we implement appropriate measures to protect your data, no method of transmission is entirely secure.
Data Controller and Contact Information
The data controller is:
Creativate Technologies GmbH
Lahnstraße 65, 60326 Frankfurt am Main, Germany
Represented by its Managing Director, Leonardo Bornhäußer.
If you have any questions regarding this Privacy Policy or the way we process your personal data, you can contact us at:
- Email: contact@creativate.tech
- Data Protection Officer: privacy@creativate.tech
Glossary of Key Terms
The following terms are used throughout this Privacy Policy. They are defined to ensure clarity and consistency in accordance with the GDPR, the AI Act, and applicable international standards:
- AI Lifecycle — All stages in the development, deployment, monitoring, and decommissioning of an AI system, relevant for governance and documentation.
- Accountability — A core principle of GDPR and AI governance requiring organizations to implement appropriate measures and be able to demonstrate compliance.
- Algorithmic Accountability — The obligation to explain, justify, and document the behavior and outcomes of algorithmic systems, especially high-risk or impactful decisions.
- Anonymization — Irreversible processing of data to ensure individuals can no longer be identified, directly or indirectly.
- Artificial Intelligence System (AI System) — A system that uses computational logic, statistics, machine learning, or other techniques to generate outputs such as predictions, recommendations, or decisions.
- Audit Trail — A chronological record of data access and processing activities that allows for transparency, traceability, and accountability.
- Automated Decision-Making — A decision made solely through automated processing, without human intervention, that significantly affects the individual.
- Automated Monitoring — Use of systems (including AI) to automatically detect anomalies, behaviors, or risks related to data usage or user activity.
- Consent — Any freely given, specific, informed, and unambiguous indication of the data subject's agreement to the processing of their personal data.
- Data Controller — The natural or legal person that determines the purposes and means of processing personal data.
- Data Governance — The set of policies, processes, and roles that ensure the responsible use, accuracy, security, and compliance of data across the organization.
- Data Minimization — The principle that personal data collected must be adequate, relevant, and limited to what is necessary.
- Data Processor — A third party that processes personal data on behalf of the controller under a formal agreement.
- Data Protection Impact Assessment (DPIA) — A process used to identify and minimize data protection risks for high-risk processing operations.
- Data Subject — The individual whose personal data is being processed.
- Data Subject Rights — Rights granted to individuals under GDPR, such as access, rectification, erasure, restriction, objection, portability, and not being subject to automated decisions.
- Explicit Consent — A clear and affirmative agreement that leaves no room for doubt, often required for special categories of personal data.
- Fairness (in AI) — The requirement to avoid unjustified bias or discrimination in AI systems, particularly in high-risk contexts.
- Foundation Model — A type of general-purpose AI model trained on broad data at scale and capable of being adapted for various tasks.
- General-Purpose AI (GPAI) — AI systems intended for multiple purposes, including those not explicitly planned by the provider.
- High-Risk AI System — Under the EU AI Act, an AI system that poses significant risks to the rights or safety of individuals.
- Human Oversight — A requirement that certain AI decisions must include meaningful human involvement and the ability to override or contest them.
- Input Data — The data provided to an AI system to generate output. This may include personal or business-related information input by users.
- Lawful Basis (Legal Basis) — The justification required under GDPR to process personal data (e.g., consent, contract, legal obligation, legitimate interest).
- Output Data (AI-Generated Output) — Content, recommendations, or results produced by an AI system based on input data, which may or may not contain personal data.
- Personal Data — Any information relating to an identified or identifiable natural person, including names, contact details, identifiers, IP addresses, and behavioral or usage data.
- Privacy by Design and by Default — A legal requirement under the GDPR that privacy is embedded into systems from the outset and that only necessary data is processed.
- Processing — Any operation performed on personal data, whether automated or not, such as collection, storage, access, modification, use, disclosure, transfer, or deletion.
- Profiling — Automated processing of personal data to analyze or predict aspects such as performance, preferences, behavior, or location.
- Pseudonymization — Processing personal data so that it can no longer be attributed to a specific data subject without additional information.
- Purpose Limitation — The principle that personal data must be collected for specified, explicit, and legitimate purposes and not further processed in an incompatible manner.
- Risk-Based Approach — A core principle under the AI Act and GDPR requiring organizations to assess the likelihood and severity of harm and tailor safeguards accordingly.
- Standard Contractual Clauses (SCCs) — Pre-approved legal agreements used to lawfully transfer personal data outside the EEA.
- Supervisory Authority — The national body responsible for enforcing data protection law in a specific EU member state (e.g., BfDI in Germany, CNIL in France).
- Synthetic Data — Data artificially generated to resemble real-world information but not directly linked to any identifiable individual.
- Training Data — Datasets used to develop or improve AI models, which may include personal data or anonymized information.
- Transparency Obligation — The obligation to provide clear and accessible information to data subjects about how their personal data is used, including in the context of AI.
Data Collection on Our Platform
We collect data through the following means:
- Information you provide directly, such as when you fill out contact forms, register an account, create business plans, decisions, or scenarios, or interact with us through any other channel.
- Technical data collected automatically by our systems, including your browser type and version, operating system, IP address, access times, and browsing behavior.
Categories of Data Collected
Depending on how you interact with our platform, Creativate Technologies GmbH may collect and process the following categories of personal and project-related data:
- Identity and Contact Information: First and last name, email address, phone number, country of residence, professional role, and organization name.
- Account and Authentication Data: Username, encrypted password, login credentials, account preferences, and authentication tokens.
- Technical and Device Data: IP address, browser type and version, operating system, device type, language preferences, screen resolution, time zone, and access timestamps.
- Usage and Interaction Data: Navigation behavior, session duration, pages visited, feature usage, error logs, clicks, scrolls, and actions performed within the platform.
- AI Interaction and Business Content: Inputs provided to our AI systems, generated outputs, drafts, recommendations, and structured or freeform content entered into Creativate's planning and decision tools (e.g., business descriptions, financial assumptions, team structures, decision scenarios). This may include information about third parties (e.g., collaborators or investors), which you submit under your responsibility.
- Communication Data: Messages sent via contact forms, support tickets, surveys, or email correspondence with our team.
- Payment and Billing Information: Invoicing details such as billing address, VAT number, and transaction metadata. Sensitive payment data is processed securely by our payment provider and never stored directly by Creativate.
- Third-Party Integration Data: Data exchanged with connected services (e.g., HubSpot, OpenAI, Anthropic) in accordance with their APIs and your permissions.
- Cookie and Tracking Data: Information collected through cookies and similar technologies as detailed in our Cookie Policy, including referral URLs, campaign tags, and on-site behavior.
- Geolocation Data: Approximate geographic location derived from your IP address to adapt content, settings, or for legal compliance purposes.
- Debug and Diagnostic Data: Information captured automatically in the event of a technical error or failure, such as crash logs and system activity.
- Social Login Data (if used): If you register or sign in using a social media account, we may receive profile information such as your name, email, and profile image from the provider.
We do not intentionally collect sensitive personal data (such as health data, biometric identifiers, religious beliefs, or criminal records), nor do we knowingly collect data from children under 16 years of age.
Legal Basis and Purposes of Processing
We process your personal data only when we have a valid legal basis, as required by the GDPR and, where applicable, the EU AI Act.
1. Contract Performance (Art. 6(1)(b) GDPR)
We process your personal data to enter into and fulfill contractual obligations, including:
- Creating, managing, and maintaining your user account
- Providing access to Creativate's AI-powered tools (cNode, AI Playbook, Creativate AI Studio)
- Delivering platform features and services you have requested
- Authenticating your identity and managing secure sessions
- Responding to your service-related inquiries and support requests
2. Legal Obligation (Art. 6(1)(c) GDPR)
We process your data to comply with obligations under EU or national law, including:
- Fulfilling legal requirements in tax, accounting, commerce, and consumer protection
- Maintaining appropriate technical and organizational security measures
- Complying with data protection laws, including responding to data subject rights requests
- Keeping records of consent and opt-out requests in accordance with ePrivacy and GDPR
- Logging AI model behavior, decision outputs, and human oversight interactions (as required under the AI Act)
- Responding to valid legal requests from public authorities or courts
3. Legitimate Interest (Art. 6(1)(f) GDPR)
We may process your personal data where necessary for our legitimate business purposes, provided they do not override your fundamental rights and freedoms:
- Ensuring platform security, preventing misuse, and protecting against fraud
- Monitoring and optimizing the performance, stability, and usability of the platform
- Debugging errors and resolving technical issues
- Analyzing user behavior and platform engagement for service improvement
- Improving the relevance, accuracy, and robustness of AI-generated outputs (using pseudonymized or aggregated data)
- Conducting internal audits and compliance reviews
- Managing contractual relationships with vendors and sub-processors
- Enforcing our Terms of Use and protecting our legal interests
You may object to processing based on legitimate interests at any time, in accordance with Article 21 GDPR.
4. Consent (Art. 6(1)(a) GDPR)
In certain cases, we will request your explicit and informed consent before processing your data:
- Sending you marketing or promotional communications
- Using non-essential cookies and tracking technologies (see our Cookie Policy)
- Allowing you to participate in surveys, product testing, or user research
- Processing your personal data to personalize AI-generated outputs or retain them for future use
You can withdraw your consent at any time. Withdrawal will not affect the lawfulness of processing carried out before the withdrawal.
Profiling and Automated Decision-Making
As part of our service offering, Creativate may use profiling and automated decision-making systems to support the generation of business plans, risk scores, and strategic recommendations tailored to your context.
We implement safeguards to ensure transparency, accuracy, and fairness in all profiling and automated processing. Where required, we apply:
- Human review or intervention in critical decision flows
- Logging and documentation of AI outputs
- Measures to reduce bias and discriminatory outcomes
- Clear user interfaces identifying when AI is being used
In accordance with Article 22 of the GDPR and the AI Act, you have the right:
- Not to be subject to a decision based solely on automated processing which produces legal effects or similarly significant impacts
- To obtain human intervention
- To express your point of view and contest the decision
- To receive an explanation of the logic involved
If you believe an automated process has significantly affected you, contact us at: privacy@creativate.tech
Data Retention Periods
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, and in accordance with applicable legal, contractual, or regulatory obligations. Retention periods vary depending on the category of data and the nature of our relationship with you.
| Data Category | Retention Period |
|---|---|
| Account data | Duration of the account + 30 days grace period |
| Business Content | Duration of subscription + 30 days grace period |
| AI interaction logs | Up to 24 months, then anonymized or deleted |
| Payment and billing data | As required by tax law (typically 10 years in Germany) |
| Cookie and tracking data | Maximum 13 months |
| Communication data | Up to 36 months after last interaction |
| Debug and diagnostic logs | Up to 12 months |
Third-Party Processing
We use carefully selected third-party service providers to operate our platform. Each provider acts under a Data Processing Agreement (DPA) and, where applicable, Standard Contractual Clauses (SCCs) for international data transfers.
Infrastructure and Hosting
| Service | Purpose | Data Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure: EC2 for backend API hosting, S3 + CloudFront for frontend delivery, Route 53 for DNS, ACM for certificates | EU (Frankfurt, eu-central-1) |
| PostgreSQL + TimescaleDB | Relational database for application data (self-hosted on AWS EC2) | EU (Frankfurt) |
| Redis | Session management, caching, and task queue (self-hosted on AWS EC2) | EU (Frankfurt) |
| MinIO | S3-compatible object storage for files and media (self-hosted on AWS EC2) | EU (Frankfurt) |
AI Service Providers
| Service | Purpose | Data Location | Transfer Safeguards |
|---|---|---|---|
| Anthropic (Claude) | Primary AI language model for intelligent analysis and content generation | US | SCCs in place |
| OpenAI (GPT) | Secondary AI language model for text generation and business plan processing | US | SCCs in place |
| Google AI (Gemini) | Tertiary AI language model for supplementary AI capabilities | US | SCCs in place |
| HuggingFace | Machine learning model hosting and inference | EU/US | SCCs in place |
Business Tools
| Service | Purpose | Data Location |
|---|---|---|
| HubSpot CRM | Customer relationship management and communications | EU (Germany) |
Monitoring and Operations
| Service | Purpose | Data Location |
|---|---|---|
| Grafana + Loki + Prometheus | System monitoring, logging, and performance analytics (self-hosted) | EU (Germany) |
All AI service providers process data only for the purpose of generating responses to your specific requests. We do not permit AI providers to use your data for model training purposes. Each provider acts in accordance with its own privacy policy and our DPAs.
For more information on individual providers:
- AWS: https://aws.amazon.com/privacy/
- Anthropic: https://www.anthropic.com/privacy
- OpenAI: https://openai.com/policies/privacy-policy
- HubSpot: https://legal.hubspot.com/privacy-policy
International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA), primarily in the United States. For all international data transfers, we ensure an adequate level of data protection through:
- Standard Contractual Clauses (SCCs) adopted by the European Commission
- Data Processing Agreements (DPAs) with each provider
- Technical and organizational safeguards including encryption in transit and at rest
Where applicable, we also rely on adequacy decisions issued by the European Commission under Article 45 GDPR.
Your Rights as a Data Subject
Under the GDPR, you have the following rights regarding your personal data:
- Right of access — You can request confirmation as to whether we process your personal data and obtain a copy of the data we hold about you.
- Right to rectification and erasure — You may request the correction of inaccurate data or the deletion of your data ("right to be forgotten") when legally applicable.
- Right to withdraw consent — Where processing is based on your consent, you may withdraw it at any time, without affecting the lawfulness of prior processing.
- Right to data portability — You can request to receive your data in a structured, commonly used, and machine-readable format.
- Right to object — You may object to certain types of processing, including profiling and automated decision-making, particularly where based on legitimate interests.
- Right to restriction of processing — You may request restriction of processing under certain conditions.
- Right to an explanation — Where decisions are made using AI or automated processing, you have the right to receive meaningful information about the logic involved.
- Right to lodge a complaint — You have the right to file a complaint with the competent supervisory authority.
Competent supervisory authority:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI)
Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany
https://datenschutz.hessen.de
How to exercise your rights:
Contact us at privacy@creativate.tech. We may request proof of identity. We will respond within one month (extendable by two additional months for complex requests per Article 12 GDPR).
Contacting the Data Protection Officer (DPO)
If you have any questions regarding this Privacy Policy, or if you wish to exercise your data protection rights, you may contact our Data Protection Officer directly at:
Email: privacy@creativate.tech
The DPO is available to assist you with matters relating to the protection of your personal data and the lawful use of our platform.
Data Security
We implement strong technical and organizational measures to safeguard your personal data against unauthorized access, loss, or misuse:
- SSL/TLS encryption to secure data in transit across all communications and user sessions
- Encryption at rest for all stored personal data and business content
- Role-Based Access Control (RBAC) to ensure that only authorized personnel can access specific categories of data
- Logging, internal audits, and vulnerability testing to proactively detect and address risks
- Data breach response procedures, including mandatory notification to authorities and users within 72 hours as required by GDPR
- Regular security assessments and penetration testing
- Network segmentation and firewall rules to isolate services
These measures are reviewed and updated regularly to align with industry best practices and regulatory standards.
Cookies and Tracking Technologies
We use cookies and similar technologies on our platform to enhance your experience and ensure optimal functionality. For complete details, please refer to our dedicated Cookie Policy.
Cookies used on our platform fall into the following categories:
- Strictly necessary cookies — Required for the proper functioning of the site; cannot be disabled
- Analytics cookies — Help us understand how users interact with the platform, to improve usability and performance
- Personalization cookies — Store settings and preferences to optimize your individual experience
- Marketing cookies — Used for retargeting or promotional communications (only with your consent)
You can manage your cookie preferences via the cookie banner on your first visit, or update them at any time via the "Cookie Settings" link in the website footer.
AI-Specific Provisions
Creativate integrates artificial intelligence into its platform in compliance with the EU Artificial Intelligence Act (AI Act) and applicable ethical standards. We implement the following core safeguards:
- AI systems are classified according to their risk level based on their purpose and potential impact
- Meaningful human oversight is built into all critical AI-driven processes
- Users are clearly informed when they are interacting with or receiving outputs from an AI system
- The logic and functioning of algorithms are documented and can be explained upon request
- Regular assessments are conducted to detect and address bias, unfair outcomes, or performance degradation
- Users have the right to object to certain types of AI processing and to request a human alternative
For a complete overview of our AI governance practices, please refer to our dedicated AI Transparency Notice.
Privacy Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our services, legal obligations, or technological developments. In the event of significant changes, we will notify you by appropriate means (email, platform notifications, or banners) before the changes take effect.
The most recent version of this Privacy Policy is always available on our website.
We encourage you to review this page periodically to stay informed about how we protect your personal data.
Effective Date: May 2025
Last Updated: February 2026
Creativate Technologies GmbH
Version 2.0.0