Privacy Policy

At Crealix AI ("Crealix", "we", "us"), your privacy matters. This Privacy Policy explains what we collect, how we use it, and who we share it with when you use our websites, web apps, and AI generation tools (collectively, the "Services").

1. Information We Collect

We collect the following categories of information:

• Account information: name, email address, password hash, avatar, and preferred language. If you sign in with Google, we receive your name, email, and Google account identifier.
• Billing information: purchase history, subscription status, plan, credit balance, invoices, and metadata returned by Stripe. Full card numbers are never stored on our servers — Stripe processes payments directly.
• User content: prompts, scripts, uploaded images and audio, voice selections, and the images, videos, voiceovers, music, and motion clips generated through the Services.
• Usage data: IP address, browser type, operating system, device identifiers, referrer URL, and pages or features you interact with. We use this to keep the Services reliable and to debug issues.
• Anti-abuse signals: Cloudflare Turnstile tokens and rate-limiting signals collected on auth and contact forms to block bots.
• Cookies: small values we set in your browser for sign-in session, language preference, pending checkout plan, and UI state. See our Cookie Policy for the full list.

2. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Services.
• Run AI generations (images, videos, voiceovers, music, motion) and store their output in your media library.
• Process subscriptions, top-up purchases, renewals, credit consumption, and automatic credit refunds on failed jobs.
• Send transactional email (verification, password reset, billing notices, support replies).
• Personalize the interface, remember your locale and sidebar state, and keep you signed in.
• Detect, prevent, and respond to abuse, fraud, and security incidents.
• Comply with our legal obligations.

3. How We Share Your Information

We do not sell your personal information and we do not use it to train third-party AI models outside of producing the output you requested. We share data only with the service providers that power the Services:

• fal.ai: runs the AI inference workloads (image, video, music, and text-to-speech models). Prompts and required reference assets are sent to fal.ai to produce the output you request.
• ElevenLabs (accessed through fal.ai): synthesizes voiceovers from the scripts you provide.
• OpenRouter: runs a lightweight GPT-4o-mini assistant used in the subscription cancellation flow to help with retention and support responses.
• Stripe: processes payments, subscriptions, invoices, and webhooks. Stripe receives your payment details and billing address directly — we never see full card numbers.
• Resend: delivers our transactional email (sign-up, password reset, billing, support).
• Cloudflare R2: stores your uploaded assets, generated media, and invoice PDFs.
• Cloudflare Turnstile: bot-protection checks on sign-up, sign-in, password reset, and contact forms.
• Google Sign-In: if you choose Google OAuth, Google shares your name, email, and account identifier with us to create or match your Crealix account.

We may also disclose information when required by law, to protect our rights, or as part of a merger, acquisition, or sale of assets — in which case we will notify affected users.

4. Data Retention

We retain account and usage data for as long as your account is active. When you delete your account from Settings → Security, we immediately disable access and mark the account for deletion (soft-delete). Generated media and uploads are removed from your library, and billing records are retained for the period required by tax and accounting laws. An email that was attached to a deleted account cannot be reused for self-registration — contact support if you want to reactivate.

5. Your Rights

Depending on where you live, you may have the right to access, correct, delete, or port your personal data, to object to or restrict certain processing, and to withdraw consent. Residents of the European Economic Area, the United Kingdom, California, and other regions with similar laws may have additional rights under GDPR, UK GDPR, or the CCPA/CPRA.

To exercise any of these rights, reach out through our contact form.

6. Security

We use industry-standard technical and organizational measures to protect your information: TLS in transit, passwords stored as salted hashes, segregated R2 buckets for public vs. private assets (invoices are private), and Turnstile gating on public forms. No system is perfectly secure and we cannot guarantee absolute security.

7. Children

The Services are not directed at children under 13, and we do not knowingly collect personal information from children. If you believe a child has provided us data, please reach us through our contact form and we will promptly delete it.

8. International Transfers

Your information may be processed in countries other than your own — in particular by our infrastructure providers and AI inference partners. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Effective as of" date at the top and, for material changes, provide prominent notice. Continued use of the Services after an update constitutes acceptance of the revised Policy.

Affiliate Program data

If you opt in to the Crealix Affiliate Program, we additionally process: (i) your chosen affiliate slug, (ii) the click, signup, and commission events tied to your link, (iii) data shared with Stripe Connect Express to verify your identity and pay you (full name, country, date of birth, government ID, and bank account or debit card details). Stripe processes this information as an independent controller under its own privacy notice.

When a visitor uses your affiliate link, we set a first-party `crealix-ref` cookie on their browser to remember the attribution for up to 90 days. The cookie value is your public affiliate slug. We do not share this cookie with any third party and it is never used for advertising or cross-site tracking. See the Cookie Policy for details.

10. Contact

If you have any questions about this Privacy Policy or how we handle your data, please get in touch via our contact form.

YouTube API Services

Crealix uses YouTube API Services to enable creators to publish AI-generated short-form videos directly to their YouTube channel. When you connect your YouTube account via OAuth, Crealix accesses the following data on your behalf:

• Basic channel information (channel title, channel ID, channel thumbnail) via the youtube.readonly scope — used to identify which channel you are publishing to in our UI.
• Video upload capability via the youtube.upload scope — used to publish a single video at a time when you explicitly click 'Publish' inside Crealix.

Crealix uses YouTube API Services strictly to provide the publishing functionality you have authorized. We comply with the Google API Services User Data Policy, including the Limited Use requirements. In particular:

• We do NOT sell, transfer, or share YouTube user data with any third party for advertising, analytics, or marketing purposes.
• We do NOT use YouTube user data to train artificial intelligence or machine learning models.
• We access YouTube user data only when necessary to perform actions you have explicitly initiated.

You can revoke Crealix's access to your YouTube account at any time:

• Disconnect the account from Crealix Settings → Social Media.
• Revoke access directly via Google's account permissions page: myaccount.google.com/permissions.

By using Crealix's YouTube integration, you agree to be bound by the YouTube Terms of Service.

Instagram API Services

Crealix uses Meta's Instagram API (via Instagram Business Login) to enable creators to publish AI-generated Reels directly to their Instagram Business or Creator profile. When you connect your Instagram account, Crealix accesses the following data on your behalf:

• Username, account type, profile picture URL and user ID via the instagram_business_basic permission — used to identify which Instagram account you are publishing to in our UI.
• Reels publishing capability via the instagram_business_content_publish permission — used to create a media container and publish a single Reel each time you explicitly click 'Publish' inside Crealix.

Crealix uses Instagram API Services strictly to provide the publishing functionality you have authorized. We comply with the Meta Platform Terms and the Instagram Platform Policy. In particular:

• We do NOT sell, transfer, or share Instagram user data with any third party for advertising, analytics, or marketing purposes.
• We do NOT use Instagram user data to train artificial intelligence or machine learning models.
• Instagram access and refresh tokens are stored encrypted at rest using AES-256-GCM with a per-environment encryption key. Tokens are decrypted only in-memory during a publish action and are never exposed to the client browser.

You can revoke Crealix's access to your Instagram account at any time:

• Disconnect the account from Crealix Settings → Social Media.
• Revoke access directly inside the Instagram app: Settings → Apps and Websites → Active → Remove Crealix.

TikTok API Services

Crealix uses TikTok's Content Posting API to enable creators to publish AI-generated short-form videos directly to their TikTok profile. When you connect your TikTok account via OAuth, Crealix accesses the following data on your behalf:

• Open ID, display name, and avatar via the user.info.basic scope — used to identify which TikTok account you are publishing to in our UI.
• Video upload via the video.upload scope and publishing via the video.publish scope — used to send a single rendered video to your TikTok profile each time you explicitly click 'Publish' inside Crealix, using TikTok's PULL_FROM_URL transfer method.

Crealix uses TikTok API Services strictly to provide the publishing functionality you have authorized. We comply with the TikTok Content Sharing Guidelines and the TikTok Developer Terms. In particular:

• We do NOT sell, transfer, or share TikTok user data with any third party for advertising, analytics, or marketing purposes.
• We do NOT use TikTok user data to train artificial intelligence or machine learning models.
• We do NOT add watermarks, logos, or other promotional branding to creators' content before publishing — every video published is the creator's original content as rendered inside Crealix.
• TikTok access and refresh tokens are stored encrypted at rest using AES-256-GCM with a per-environment encryption key. Tokens are decrypted only in-memory during a publish action and are never exposed to the client browser.

You can revoke Crealix's access to your TikTok account at any time:

• Disconnect the account from Crealix Settings → Social Media — Crealix will best-effort revoke the token on TikTok's side and mark the connection as revoked locally.
• Manage connected apps directly in the TikTok mobile app: Profile → Settings and privacy → Security and login → Manage apps.