Data Processing Addendum
creatrne.com/dpa — Last updated: April 20, 2026
1. Parties
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Priyatharshini C, operating as Creatrne ("Creatrne", "we", "us") and the individual user or organisation accessing the Creatrne platform ("you", "Customer", "Data Controller").
2. Scope and Roles
This DPA applies whenever Creatrne processes personal data on your behalf in connection with the services provided at creatrne.com. It is intended to comply with the Digital Personal Data Protection Act, 2023 (DPDP Act) of India and, where applicable, Articles 28 and 32 of the EU General Data Protection Regulation (GDPR).
- You act as the Data Fiduciary / Controller for personal data submitted to Creatrne.
- Creatrne acts as the Data Processor when processing that data on your behalf.
- Creatrne acts as an independent Data Fiduciary only for account authentication data and service-operations data (security logs, billing records).
3. Subject Matter & Duration of Processing
Creatrne processes personal data for the duration of your active account and only for the purpose of delivering the Creatrne services described in the Terms of Service — managing brand deals, generating AI-assisted pitches, displaying connected YouTube and Instagram analytics, and handling payments via Paddle. Processing ceases on account closure, subject to the retention schedule in Section 11.
4. Categories of Personal Data
- Identity data: name, email, hashed password
- Platform data: YouTube channel metadata, Instagram profile and insights (only where you have connected the account)
- Business data: brand contacts, deal values, deliverables, earnings
- Usage data: feature usage, session timestamps, IP address (for security)
Creatrne does not intentionally process special-category or sensitive personal data. You agree not to submit such data through the platform.
5. Processor Obligations
- Process personal data only on your documented instructions, except where required by applicable law.
- Ensure that personnel with access to personal data are bound by confidentiality obligations.
- Implement appropriate technical and organisational security measures as described in Section 7.
- Assist you in responding to data subject requests (Section 10).
- Make available the information necessary to demonstrate compliance with this DPA.
6. Sub-Processors
You authorise Creatrne to engage the following sub-processors, each bound by contractual data-protection obligations equivalent to those in this DPA:
We will notify you by email of any intended addition or replacement of sub-processors with at least 14 days' notice. You may object to such changes by closing your account within the notice period.
7. Security Measures
Creatrne implements the following measures:
- TLS 1.2+ encryption for all data in transit
- PostgreSQL at-rest encryption on the hosting provider's managed disks
- Passwords stored with bcrypt hashing
- OAuth access/refresh tokens encrypted at rest with AES-256-GCM
- Role-based access control; production access limited to the operator
- Signed-request verification (HMAC-SHA256) on all Meta callbacks
- CSRF protection on OAuth flows via Redis-backed state tokens
- HttpOnly, Secure session cookies; SameSite=Lax for single-origin deployment
- HSTS, Content-Security-Policy, and frame-deny HTTP security headers
- Automatic backups retained for up to 30 days, then permanently deleted
8. Personal Data Breach Notification
Creatrne will notify you without undue delay and in any case within 72 hours of becoming aware of a personal data breach affecting your data. The notification will describe the nature of the breach, the categories and approximate number of affected records, the likely consequences, and the measures taken to address and mitigate the incident.
9. International Data Transfers
Creatrne is operated from India. Data may be transferred to and processed in jurisdictions where our sub-processors operate (including the United States, the European Union, and Singapore). Where such transfers involve personal data of EU/EEA or UK residents, they are carried out under the European Commission's Standard Contractual Clauses or an equivalent transfer mechanism adopted by the relevant sub-processor.
10. Data Subject Rights
Creatrne will assist you by appropriate technical and organisational measures in fulfilling your obligation to respond to requests from Data Principals / Data Subjects to exercise their rights under the DPDP Act, GDPR, or other applicable privacy law — including access, rectification, erasure, restriction, portability, and objection. Self-service deletion is available at creatrne.com/data-deletion-status.
11. Deletion and Return of Data
Upon termination of your account or on your written request, Creatrne will delete or return all personal data processed on your behalf within 30 days, except to the extent retention is required by applicable law. Encrypted backups are purged on the standard rotation cycle (within 30 days).
12. Audit Rights
On reasonable written notice (at least 30 days), and no more than once per 12-month period, you may request information demonstrating Creatrne's compliance with this DPA. Where a physical audit is required by regulation, it will be conducted at your expense and subject to a mutually agreed scope.
13. Governing Law
This DPA is governed by the laws of India. Any disputes arising under this DPA are subject to the jurisdiction of the courts of Navi Mumbai, Maharashtra, India, without prejudice to any statutory rights you may have under the DPDP Act, GDPR, or other applicable privacy regulation.
14. Contact
Data Protection Contact: Priyatharshini C
Email: privacy@creatrne.com
Legal enquiries: legal@creatrne.com