01 Summary
Crëo is an AI creative studio operated from Montréal, Canada. We store only what we need to run the platform, we never sell your data, and the only people who see your prompts are the AI model providers who generate your outputs. You can export or delete your data at any time.
02 What we collect
Account data
- Name and email (from Google OAuth or email sign-in)
- Profile picture, if you sign in with Google
- Account creation date and auth method
Usage data
- Prompts and parameters you submit to the models
- Generation metadata (timestamps, model version, resolution, duration)
- Credit balance and subscription tier
Payment data
- We do not store your full card number. Stripe handles payment details and only returns us a customer ID.
- We store your Stripe customer ID, invoices, and subscription status for billing purposes.
Technical data
- IP address, browser, device fingerprint (for auth and fraud prevention)
- Session cookies from better-auth
- Error logs and request logs kept briefly for debugging
03 How we use it
| Purpose | Data used |
|---|---|
| Running the studio | Account, prompts, generations, credits |
| Processing payments | Stripe customer ID, invoices |
| Improving the product | Aggregated, anonymized usage |
| Security & fraud prevention | IP, session, request logs |
| Customer support | Account info, generation history |
| Legal compliance | Whatever the law requires, when it applies |
04 Third-party providers
Crëo is built on top of a small, carefully chosen set of providers. Each receives only the slice of data needed to do its job:
- Google — OAuth sign-in (email, name, avatar)
- Stripe — payment processing (PCI-compliant, receives card data directly)
- Replicate and peer AI model hosts — receive your prompts and any uploaded source images, only to run the model you chose
- Cloudflare R2 — encrypted object storage for generations
- Turso — managed libSQL database, encrypted at rest
- better-auth — open-source session/auth layer running on our own infrastructure
Your payment details never reach our model providers. Your prompts never reach our payment provider. We keep those lanes separate on purpose.
05 Storage & security
All traffic is HTTPS. Database rows are scoped by userId so another account can't read yours. Secrets and API keys live only on the server side. Media is stored in Cloudflare R2 with access-controlled URLs.
We take reasonable measures to protect your data, but no system is perfectly secure. If a breach occurs, we will notify affected users without undue delay.
06 Retention
- Account data — kept while your account is active. Deleted within 30 days of a delete request.
- Generations — kept in R2 while your account is active. Removed from primary storage when you delete them; CDN caches expire within 24h.
- Stripe invoices — kept as long as tax law requires (typically 6 years).
- Logs — kept up to 30 days for debugging and security.
07 Your rights
Depending on where you live (GDPR, PIPEDA, CCPA, Law 25, etc.), you may have the right to:
- Access — request a copy of the data we hold about you
- Correct — ask us to fix anything inaccurate
- Delete — ask us to erase your account and data
- Port — receive your data in a portable format
- Object — object to certain processing activities
- Withdraw consent — for any optional processing you previously opted into
Send any of these requests to virtuatechmedia@gmail.com. We reply within 30 days.
08 GDPR & Law 25 (Québec)
If you are in the EEA, UK, or Québec, we process your data under these legal bases:
- Contract — to deliver the Service you pay for
- Legitimate interest — to secure and improve the platform
- Consent — for optional communications or analytics you opt into
You may lodge a complaint with your local data protection authority (CNIL, ICO, Commission d'accès à l'information du Québec, etc.).
09 Cookies
Crëo uses two categories of cookies:
- Essential — session tokens required to stay signed in. Turning these off breaks the app.
- Analytics — anonymized usage signals. You can disable these in your browser.
We do not use third-party advertising or retargeting cookies.
10 Children's privacy
Crëo is not directed to anyone under 16. We don't knowingly collect data from children. If you believe a minor has signed up, email us and we'll remove the account.
11 International transfers
Crëo is operated from Canada, and some of our providers (Stripe, Replicate, Cloudflare, Google) operate globally. Your data may be processed in the US, EU, or elsewhere. We only use providers that offer equivalent safeguards (Standard Contractual Clauses, adequacy decisions, etc.).
12 Changes
We may update this Privacy Policy. Material changes will be announced on the dashboard and by email. The "Effective" date above is always the latest version.
13 Contact
Privacy questions, data requests, or security reports: