By Stella Manga Chesnay
Introduction and Commitment by Creativate Technologies GmbH
At Creativate Technologies GmbH, we are committed to respecting your privacy and protecting your personal data in accordance with the General Data Protection Regulation (GDPR), the European Union’s Artificial Intelligence Act (AI Act), and internationally recognized standards for digital ethics.
Our website and services can generally be accessed without providing personal data. However, the use of certain features may require the processing of personal information. In such cases, and where no other legal basis applies, we will seek your explicit consent before processing your data.
Please be aware that the transmission of data over the Internet may present security vulnerabilities. While we implement appropriate measures to protect your data, no method of transmission is entirely secure.
Data Controller and Contact Information
The data controller is Creativate Technologies GmbH, located at Agnes-Pockels-Bogen 1, 80992 Munich, Germany. The company is represented by its Managing Director, Leonardo Bornhäußer.
If you have any questions regarding this Privacy Policy or the way we process your personal data, you can contact us at:
Email: contact@creativate.tech
Glossary of Key Terms – GDPR & AI Act
The following terms are used throughout our accountability documentation. They are defined to ensure clarity and consistency in accordance with the General Data Protection Regulation (GDPR), the AI Act, and applicable international standards:
AI Lifecycle: All stages in the development, deployment, monitoring, and decommissioning of an AI system, relevant for governance and documentation.
Accountability: A core principle of GDPR and AI governance requiring organizations to implement appropriate measures and be able to demonstrate compliance.
Algorithmic Accountability: The obligation to explain, justify, and document the behavior and outcomes of algorithmic systems, especially high-risk or impactful decisions.
Anonymization: Irreversible processing of data to ensure individuals can no longer be identified, directly or indirectly.
Artificial Intelligence System (AI System): A system that uses computational logic, statistics, machine learning, or other techniques to generate outputs such as predictions, recommendations, or decisions.
Audit Trail: A chronological record of data access and processing activities that allows for transparency, traceability, and accountability.
Automated Decision-Making: A decision made solely through automated processing, without human intervention, that significantly affects the individual (e.g., access to services, credit scoring).
Automated Monitoring: Use of systems (including AI) to automatically detect anomalies, behaviors, or risks related to data usage or user activity.
Consent: Any freely given, specific, informed, and unambiguous indication of the data subject's agreement to the processing of their personal data.
Data Controller: The natural or legal person, public authority, agency, or other body that determines the purposes and means of processing personal data.
Data Controller’s Representative: A legal or natural person established in the EU designated to represent a controller not established in the EU, under Article 27 GDPR.
Data Governance: The set of policies, processes, and roles that ensure the responsible use, accuracy, security, and compliance of data across the organization.
Data Minimization: The principle that personal data collected must be adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
Data Processor: A third party that processes personal data on behalf of the controller under a formal agreement.
Data Protection Impact Assessment (DPIA): A process used to identify and minimize data protection risks for high-risk processing operations.
Data Subject: The individual whose personal data is being processed.
Data Subject Rights: Rights granted to individuals under GDPR, such as access, rectification, erasure, restriction, objection, portability, and not being subject to automated decisions.
Explicit Consent: A clear and affirmative agreement that leaves no room for doubt, often required for special categories of personal data or high-risk processing.
Fairness (in AI): The requirement to avoid unjustified bias or discrimination in AI systems, particularly in high-risk contexts such as credit scoring or recruitment.
Foundation Model: A type of general-purpose AI model trained on broad data at scale and capable of being adapted for various tasks.
General-Purpose AI (GPAI): AI systems intended for multiple purposes, including those not explicitly planned by the provider, such as large language models.
General-Purpose AI Model Provider: An entity that develops and distributes foundation models capable of serving multiple downstream uses, as defined under the AI Act.
High-Risk AI System: Under the EU AI Act, an AI system that poses significant risks to the rights or safety of individuals (e.g., affecting access to employment, finance, or healthcare).
High-Risk Processing: Processing likely to result in a high risk to the rights and freedoms of individuals, often requiring a DPIA.
Human Oversight: A requirement under the AI Act that certain AI decisions, especially high-risk ones, must include meaningful human involvement and the ability to override or contest them.
Input Data: The data provided to an AI system to generate output. This may include personal or business-related information input by users.
Joint Controller: Where two or more entities jointly determine the purposes and means of data processing and share responsibility for compliance.
Lawful Basis (Legal Basis): The justification required under GDPR to process personal data (e.g., consent, contract, legal obligation, legitimate interest, vital interest, public task).
Output Auditability: The ability to reconstruct and verify how a particular AI output was generated, including data lineage and logic applied.
Output Data (or AI-Generated Output): Content, recommendations, or results produced by an AI system based on input data, which may or may not contain personal data.
Personal Data: Any information relating to an identified or identifiable natural person, including names, contact details, identifiers, IP addresses, and behavioral or usage data.
Privacy by Design and by Default: A legal requirement under the GDPR that privacy is embedded into systems, services, and business processes from the outset and that only necessary data is processed.
Processing: Any operation performed on personal data, whether automated or not, such as collection, storage, access, modification, use, disclosure, transfer, or deletion.
Profiling: Automated processing of personal data to analyze or predict aspects such as performance, preferences, behavior, or location.
Pseudonymization: Processing personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information.
Purpose Limitation: The principle that personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
Risk-Based Approach: A core principle under the AI Act and GDPR that requires organizations to assess the likelihood and severity of harm to individuals and tailor their safeguards accordingly.
Standard Contractual Clauses (SCCs): Pre-approved legal agreements used to lawfully transfer personal data outside the EEA.
Supervisory Authority: The national body responsible for enforcing data protection law in a specific EU member state (e.g., CNIL in France, BfDI in Germany).
Synthetic Data: Data artificially generated to resemble real-world information but not directly linked to any identifiable individual, used to train or test AI systems in a privacy-preserving manner.
Third Country: A country outside the European Economic Area (EEA), where special safeguards are required for data transfers.
Training Data: Datasets used to develop or improve AI models, which may include personal data or anonymized information.
Transparency Obligation: The obligation to provide clear and accessible information to data subjects about how their personal data is used, including in the context of AI.
User Interface (UI) Transparency: A design principle that ensures users clearly understand when and how they are interacting with an AI system and what data is being collected.
User Profiling: The creation of a digital profile based on user behavior or attributes to personalize services or target content.
Data Collection on Our Platform
We collect data through the following means:
Information you provide directly, such as when you fill out contact forms, register an account, or interact with us through any other channel.
Technical data collected automatically by our systems, including your browser type and version, operating system, IP address, access times, and browsing behavior.
Categories of Data Collected
Depending on how you interact with our platform, Creativate Technologies GmbH may collect and process the following categories of personal and project-related data:
Identity and Contact Information: First and last name, email address, phone number, country of residence, professional role, and organization name.
Account and Authentication Data: Username, encrypted password, login credentials, account preferences, and authentication tokens.
Technical and Device Data: IP address, browser type and version, operating system, device type, language preferences, screen resolution, time zone, and access timestamps.
Usage and Interaction Data: Navigation behavior, session duration, pages visited, feature usage, error logs, clicks, scrolls, and actions performed within the platform.
AI Interaction and Business Plan Content: Inputs provided to our AI systems, generated outputs, drafts, recommendations, and structured or freeform content entered into Creativate’s planning tools (e.g., business descriptions, financial assumptions, team structures). This may include information about third parties (e.g., collaborators or investors), which you submit under your responsibility.
Communication Data: Messages sent via contact forms, support tickets, surveys, or email correspondence with our team.
Payment and Billing Information: Invoicing details such as billing address, VAT number, and transaction metadata. Sensitive payment data is processed securely by our payment provider and never stored directly by Creativate.
Third-Party Integration Data: Data exchanged with connected services (e.g., HubSpot, Stripe, OpenAI) in accordance with their APIs and your permissions. This may include customer records, analytics, or CRM-related identifiers.
Cookie and Tracking Data: Information collected through cookies and similar technologies (e.g., pixels, local storage) as detailed in our [Cookie & Tracking Policy], including referral URLs, campaign tags, and on-site behavior.
Geolocation Data: Approximate geographic location derived from your IP address to adapt content, settings, or for legal compliance purposes.
Debug and Diagnostic Data: Information captured automatically in the event of a technical error or failure, such as crash logs and system activity.
Social Login Data (if used): If you register or sign in using a social media account, we may receive profile information such as your name, email, and profile image from the provider.
We do not intentionally collect sensitive personal data (such as health data, biometric identifiers, religious beliefs, or criminal records), nor do we knowingly collect data from children under 16 years of age.
Legal Basis and Purposes of Processing
We process your personal data only when we have a valid legal basis, as required by the General Data Protection Regulation (GDPR) and, where applicable, the EU Artificial Intelligence Act (AI Act). The following outlines the lawful grounds we rely on, along with the corresponding purposes:
1. Contract Performance
We process your personal data to enter into and fulfill contractual obligations, including:
Creating, managing, and maintaining your user account
Providing access to Creativate’s AI-powered business planning tools
Delivering platform features and services you have requested
Authenticating your identity and managing secure sessions
Responding to your service-related inquiries and support requests
2. Legal Obligation
We process your data to comply with obligations under EU or national law, including:
Fulfilling legal requirements in tax, accounting, commerce, and consumer protection
Maintaining appropriate technical and organizational security measures
Complying with data protection laws, including responding to data subject rights requests (access, deletion, objection, portability)
Keeping records of consent and opt-out requests in accordance with ePrivacy and GDPR
Logging AI model behavior, decision outputs, and human oversight interactions (as required under the AI Act)
Responding to valid legal requests from public authorities or courts
3. Legitimate Interest
We may process your personal data where necessary for our legitimate business purposes, provided they do not override your fundamental rights and freedoms. These include:
Ensuring platform security, preventing misuse, and protecting against fraud
Monitoring and optimizing the performance, stability, and usability of the platform
Debugging errors and resolving technical issues
Analyzing user behavior and platform engagement for service improvement
Delivering personalized onboarding flows, tooltips, and contextual support
Improving the relevance, accuracy, and robustness of AI-generated outputs (using pseudonymized or aggregated data)
Conducting internal audits and compliance reviews
Managing contractual relationships with vendors and sub-processors
Enforcing our Terms of Use and protecting our legal interests
Preparing for mergers, acquisitions, or other business continuity events
Maintaining documentation of AI outputs and audit trails for explainability and accountability
Re-engaging B2B users or prospects based on prior interactions (e.g., demos, trial accounts)
You may object to processing based on legitimate interests at any time, in accordance with Article 21 GDPR.
4. Consent
In certain cases, we will request your explicit and informed consent before processing your data. This applies when:
Sending you marketing or promotional communications
Using non-essential cookies and tracking technologies (see our [Cookie Policy])
Recording demo sessions or support calls (if applicable)
Allowing you to participate in surveys, product testing, or user research
Processing your personal data to personalize AI-generated outputs or retain them for future use
Retaining personal data beyond the original service period for R&D or improvement purposes
You can withdraw your consent at any time. Withdrawal will not affect the lawfulness of processing carried out before the withdrawal.
Profiling and Automated Decision-Making
As part of our service offering, Creativate may use profiling and automated decision-making systems to support the generation of business plans, risk scores, and strategic recommendations tailored to your context.
We implement safeguards to ensure transparency, accuracy, and fairness in all profiling and automated processing. Where required, we apply:
Human review or intervention in critical decision flows
Logging and documentation of AI outputs
Measures to reduce bias and discriminatory outcomes
Clear user interfaces identifying when AI is being used
In accordance with Article 22 of the GDPR and the AI Act, you have the right:
Not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significant impacts
To obtain human intervention
To express your point of view and contest the decision
To receive an explanation of the logic involved
If you believe an automated process has significantly affected you and wish to contest or request human review, please contact us at: privacy@creativate.tech
Data Retention Periods
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, and in accordance with applicable legal, contractual, or regulatory obligations. Retention periods vary depending on the category of data and the nature of our relationship with you.
Below is an overview of our standard retention practices:
| Category of Data | Standard Retention Period |
| --- | --- |
| Identity and Contact Information | Retained for the duration of the user relationship + 2 years after account deletion or inactivity. |
| Account and Authentication Data | Retained for the lifetime of the account; securely deleted upon account closure or after 2 years of inactivity. |
| Technical and Device Data | Retained up to 12 months; extended if needed for security analysis or diagnostics. |
| Usage and Interaction Data | Retained for up to 24 months for analytics and service improvement purposes. |
| AI Interaction and Business Plan Content | Stored as long as the account is active; deleted upon closure or at the user's request. |
| Communication Data | Retained for up to 3 years after last contact or interaction. |
| Payment and Billing Information | Retained for 10 years to meet accounting and tax regulations. |
| Third-Party Integration Data | Retained for the duration of the integration + 12 months after disconnection or account termination. |
| Cookie and Tracking Data | Retained in accordance with cookie type; up to 13 months as outlined in our Cookie Policy. |
| Geolocation Data | Retained for up to 6 months; anonymized or discarded thereafter. |
| Debug and Diagnostic Data | Stored for up to 12 months or as needed for platform integrity and issue resolution. |
| Social Login Data | Stored as long as the account is active; deleted when the user disconnects the social provider or closes the account. |
Third-Party Processing
We use services like Google Analytics, Framer, Hetzner Cloud, and Vercel, which collect and store data in accordance with their privacy policies. We have data processing agreements with each of these providers to ensure your data is protected.
Google Analytics: We use Google Analytics to analyze website usage. Data collected by Google Analytics is stored on servers in the United States. We have enabled IP anonymization to truncate your IP address within the EU or other EEA member states.
For more information, see Google's Privacy Policy.
Framer, Hetzner Cloud: Details on data collection and processing by Framer and Hetzner Cloud are specified in their respective privacy policies. We utilize these services to optimize our website and provide our online services.
OpenAI API: We use the OpenAI API under app.creativate.tech for processing and evaluating business plans. For details on data usage and protection by OpenAI, please refer to OpenAI’s Privacy Policy.
Directus CMS: Directus is used for content management and storage. More information is available in Directus’s Privacy Policy.
HubSpot CRM: HubSpot CRM is used for managing customer relationships and communications. See HubSpot’s Privacy Policy for more details.
Each provider acts in accordance with its own privacy policy and the signed data processing agreements (DPAs). Standard Contractual Clauses (SCCs) are in place for transfers outside the EEA.
Your Rights as a Data Subject
Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:
Right of access: You can request confirmation as to whether we process your personal data and obtain a copy of the data we hold about you.
Right to rectification and erasure: You may request the correction of inaccurate data or the deletion of your data (“right to be forgotten”) when legally applicable.
Right to withdraw consent: Where processing is based on your consent, you may withdraw it at any time, without affecting the lawfulness of processing carried out prior to withdrawal.
Right to data portability: You can request to receive your data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
Right to object: You may object to certain types of processing, including profiling and automated decision-making, particularly where the processing is based on our legitimate interests.
Right to an explanation: Where decisions are made using AI or automated processing, you have the right to receive meaningful information about the logic involved and request human intervention.
Right to lodge a complaint: You have the right to file a complaint with the competent supervisory authority if you believe your data is being processed unlawfully.
How to exercise your rights
You can exercise your rights at any time by contacting us at privacy@creativate.tech. We may request proof of identity before processing your request. We will respond within one month from the date of receipt. In complex or high-volume cases, this deadline may be extended by up to two additional months, in accordance with Article 12 GDPR.
Contacting the Data Protection Officer (DPO)
If you have any questions regarding this Privacy Policy, or if you wish to exercise your data protection rights, you may contact our Data Protection Officer (DPO) directly at:
Email: privacy@creativate.tech
The DPO is available to assist you with matters relating to the protection of your personal data and the lawful use of our platform in accordance with GDPR and other applicable regulations.
Data Security
We implement strong technical and organizational measures to safeguard your personal data against unauthorized access, loss, or misuse. These include:
SSL/TLS encryption to secure data in transit across all communications and user sessions.
Role-Based Access Control (RBAC) to ensure that only authorized personnel can access specific categories of data.
Logging, internal audits, and vulnerability testing to proactively detect and address risks.
Data breach response procedures, including mandatory notification to authorities and users within 72 hours, as required by GDPR.
AI-powered fraud detection systems to monitor suspicious or abusive behaviors in real time.
These measures are reviewed and updated regularly to align with industry best practices and regulatory standards.
Cookies and Tracking Technologies
We use cookies and similar technologies on our platform to enhance your experience and ensure optimal functionality. These technologies serve the following purposes:
To enable core platform features, such as navigation, session security, and access to restricted areas
To measure usage and performance, including visitor counts, pages viewed, and engagement metrics (e.g., via Google Analytics)
To personalize your experience, such as remembering preferences, language settings, or interface behavior
To support marketing and communication efforts, where applicable and with your consent
Cookies used on our platform fall into the following categories:
Strictly necessary cookies – Required for the proper functioning of the site; cannot be disabled
Analytics cookies – Help us understand how users interact with the platform, to improve usability and performance
Personalization cookies – Store settings and preferences to optimize your individual experience
Marketing cookies – Used for retargeting or promotional communications (only with your consent)
Third-party cookies – Placed by external services such as Google, HubSpot, or OpenAI where integrations or embedded components are active
Cookie duration
Some cookies are session-based and are deleted when you close your browser. Others may remain active for a maximum of 13 months, in line with applicable privacy regulations.
Managing your preferences
You can choose to accept or refuse specific categories of cookies via our cookie banner, which appears on your first visit. Your choices are stored and can be updated at any time via the “Cookie Settings” link in the footer of our website.
Legal basis
Strictly necessary cookies are processed based on our legitimate interest in delivering a secure and functional service
All other cookies are processed based on your consent, which you can withdraw at any time
For further information, please refer to our [Cookie & Tracking Policy].
AI-Specific Provisions
Creativate integrates artificial intelligence into its platform in compliance with the EU Artificial Intelligence Act (AI Act) and applicable ethical standards. We implement the following core safeguards:
AI systems are classified according to their risk level (e.g., limited or high-risk), based on their purpose and potential impact.
Meaningful human oversight is built into all critical AI-driven processes.
Users are clearly informed when they are interacting with or receiving outputs from an AI system.
The logic and functioning of algorithms are documented and can be explained upon request.
Regular assessments are conducted to detect and address bias, unfair outcomes, or performance degradation.
Users have the right to object to certain types of AI processing and to request a human alternative in applicable cases.
For a complete overview of our AI governance practices, including fairness, transparency, sustainability, and ethical innovation, please refer to our dedicated [Responsible AI, Ethics & Sustainability Policy].
Privacy Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our services, legal obligations, or technological developments. In the event of significant changes, we will notify you by appropriate means, such as email, platform notifications, or banners, before the changes take effect.
The most recent and applicable version of this Privacy Policy will always be available on our website at www.creativate.tech.
We encourage you to review this page periodically to stay informed about how we protect your personal data.
Effective Date: August 2024
Creativate Technologies GmbH