Privacy Policy

Criation.io ("Criation", "we", "us", "our") is a software-as-a-service product operated by Human Growth & Freedom LTDA (trade name Whispa), a Brazilian limited liability company, CNPJ 62.213.634/0001-80, with registered address at Avenida Victor Civita, 235, Casa 49, Tambore, Santana de Parnaíba — SP, 06544-072, Brazil. This Privacy Policy explains how we collect, use, store, share and protect personal data when you use Criation.io (the "Service").

This policy is written to comply with the Brazilian General Data Protection Law ("LGPD", Federal Law no. 13.709/2018) and, where applicable to non-Brazilian users, the European General Data Protection Regulation ("GDPR").

This policy applies to two categories of people:

• Customers and users of the Service — individuals who sign up for an account, are invited to a workspace, or otherwise interact with the Service through our web application.
• End users of our customers' websites — individuals whose first-party events (page views, leads, purchases, etc.) are captured by our customers using our tracking tools, and are then processed by Criation on the customer's behalf.

For data in the second category, our customer is the controller and Criation acts as a processor (operador, under LGPD). Customers are responsible for obtaining the appropriate legal basis (including consent, when required) from their own end users.

3.1 Account information

• Email address, full name, password (stored only as a salted hash).
• Workspace name, billing country, and role within a workspace.
• Authentication metadata (sign-in timestamps, IP address hash, user-agent hash, device fingerprint hash for abuse prevention).

3.2 Connected platform credentials

• OAuth access and refresh tokens for advertising platforms you choose to connect (e.g., Google Ads, Meta), as well as connection metadata (granted scopes, connected account name, expiration).
• These tokens are encrypted at rest using AES-256-GCM with a versioned key (see section 7).

3.3 Conversion event data captured on your customers' websites

When our customers install our tracking script (or send events server-to-server), we receive event data such as:

• Event name (e.g., purchase, lead, add_to_cart), event timestamp, event value and currency.
• Browser and device context — user-agent, screen size, time zone, referring URL, UTM parameters, click identifiers (gclid, fbclid, wbraid, gbraid).
• First-party user identifiers that the customer's website chooses to send: email, phone number, first name, last name, external ID. These identifiers are SHA-256 hashed before being forwarded to advertising platforms.
• Consent state (whether the end user granted ad-related consent on the customer's website, in line with Google Consent Mode v2 and equivalent frameworks).

3.4 Product usage and operational data

• Pages and features used within Criation.io, request paths, response codes, performance metrics.
• Error reports (stack traces, scrubbed of payload bodies that may contain personal data).
• Audit logs of administrative actions performed by Criation employees on your data.

• To provide the Service — authenticate you, render the application, run analyses you request, forward conversion events to platforms you connected.
• To act on instructions from our customers — for data captured on customers' websites (section 2), we process it strictly to deliver the integrations and analytics the customer configures.
• To bill and account — issue invoices, collect payments via Asaas or Stripe (section 5), reconcile credit consumption.
• To communicate — transactional emails (account changes, billing, security alerts) and, only with your separate consent, product updates.
• To improve the product — aggregate, de-identified analytics of feature usage; debugging and error monitoring.
• To comply with the law — respond to lawful requests from public authorities and exercise our own rights in legal proceedings.
• To prevent fraud and abuse — detect anomalous sign-ups, account takeovers, and platform abuse.

Under LGPD and GDPR, we rely on the following legal bases:

• Performance of a contract (LGPD art. 7, V; GDPR art. 6(1)(b)) — to provide the Service to you under our Terms.
• Compliance with legal obligations (LGPD art. 7, II; GDPR art. 6(1)(c)) — for tax, accounting and other regulatory obligations.
• Legitimate interest (LGPD art. 7, IX; GDPR art. 6(1)(f)) — for security, fraud prevention, and product analytics that do not override your rights and freedoms.
• Consent (LGPD art. 7, I; GDPR art. 6(1)(a)) — where we ask for it explicitly (e.g., optional product updates by email).

We use the following third-party service providers ("sub-processors") to operate the Service. Each sub-processor processes personal data only under our instructions and is bound by contractual data protection commitments.

We notify customers in advance of material changes to this sub-processor list (e.g., by updating this page and, where required, by direct notice).

• Encryption in transit. All data is transmitted over HTTPS/TLS 1.2 or higher.
• Encryption at rest. OAuth tokens and other sensitive credentials are encrypted with AES-256-GCM using a versioned key managed in our infrastructure.
• PII hashing for advertising fanout. When we forward first-party conversion identifiers to advertising platforms (Google, Meta), email, phone, first name and last name are SHA-256 hashed first.
• Tenant isolation. All persistence is gated by row-level security keyed to a workspace; cross-tenant data access is structurally prevented.
• Access control. Production data access by Criation personnel is restricted, logged in an immutable audit trail, and used only for support and platform maintenance.
• Log redaction. Application logs are scrubbed of personally identifying values at write time via path-based redaction.

• Account data — for as long as your account is active. After cancellation, we retain it for up to 30 days to allow account recovery, then delete or anonymize it.
• Workspace and conversion event data — retained for as long as the workspace is active. After workspace deletion, data is purged within 30 days, except for aggregated statistics that contain no personal data.
• Billing and tax records — retained for 5 years after the corresponding fiscal year, as required by Brazilian tax law.
• Audit logs of administrative actions — retained for 12 months.
• Backups — encrypted backups are retained for up to 30 days; deletion requests propagate to backups within that window.

Under LGPD (art. 18) and GDPR (art. 15-22), subject to legal limits, you have the right to:

• confirm whether we process your personal data;
• access the personal data we hold about you;
• correct incomplete, inaccurate, or outdated data;
• request anonymization, blocking, or deletion of unnecessary or excessive data;
• obtain data portability to another service provider;
• be informed about the public and private entities with which we have shared your data;
• withdraw consent at any time when processing is based on consent;
• object to processing that does not comply with the law;
• request a review of decisions made solely by automated processing that significantly affect you.

To exercise any of these rights, contact our Data Protection Officer at the address in section 12. We will respond within the timeframes required by applicable law (15 days under LGPD; up to one month under GDPR, extendable in complex cases).

Some of our sub-processors operate outside Brazil and the European Economic Area. Where personal data is transferred to such locations, we rely on the legal mechanisms permitted by LGPD (art. 33) and GDPR (Chapter V), including contractual safeguards (Standard Contractual Clauses) and adequacy decisions where applicable.

The Service is not directed to individuals under the age of 18 and we do not knowingly collect personal data from minors. If you become aware that a minor has provided us with personal data, please contact us and we will take steps to delete it.

For privacy-related questions, complaints, or to exercise the rights described in section 9, you can contact our Data Protection Officer (Encarregado pela LGPD):

• Data Protection Officer: Vinicius Benavides
• Email: me@heywhispa.com
• Postal address: Human Growth & Freedom LTDA, Avenida Victor Civita, 235, Casa 49, Tambore, Santana de Parnaíba — SP, 06544-072, Brazil

You also have the right to lodge a complaint with the Brazilian National Data Protection Authority (ANPD) at gov.br/anpd or, for EU residents, with your local supervisory authority.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the "Last updated" date at the top of this page. Continued use of the Service after a change becomes effective constitutes acceptance of the updated policy.