Data Deletion Policy – CreateFame
Effective Date: 01-10-2025 | Last Updated: 01-10-2025
This Data Deletion Policy explains how Barrière Brekers B.V. ("CreateFame", "we", "us", "our") deletes personal data and user-provided materials in accordance with the EU General Data Protection Regulation (GDPR) and Dutch law.
1) Controller & Contact
Barrière Brekers B.V.
Groene Woud 60, 4834BC, Breda, The Netherlands
Email: hello@createfame.ai
2) Purpose & Scope
This policy describes how we handle deletion for data processed through CreateFame, including:
- Account & profile data (managed with Clerk);
- User Content (text, audio/video uploads, transcripts, writing samples, reference images/likeness);
- AI-generated Outputs (text posts, images of you, short-form videos, carousels, quote/caption cards);
- Planner/scheduling data and connected social tokens;
- Billing/subscription records (via Stripe);
- Operational logs and analytics; and
- Data stored in our database (Convex) and media storage (Amazon S3).
3) Your Right to Erasure (GDPR Art. 17)
You may request deletion of your personal data at any time. Subject to legal exceptions, this includes:
- Account & Profile: email, identifiers, authentication data, profile photo, handle;
- User Content: uploads, transcripts, writing samples, reference images, social collections;
- Outputs: generated text, images, videos, carousels; and
- Connected Accounts: social access tokens and schedules.
We will retain only what we are legally required to keep (e.g., billing/invoicing records) and securely delete the rest.
4) How to Request Deletion
- Email hello@createfame.ai with subject: "Data Deletion Request" from the email address associated with your account; or
- Use any in-app deletion or account closure controls (where available) to initiate automated deletion.
We may ask you to verify your identity (e.g., via a code or reply from your registered email) before proceeding.
5) Our Deletion Process & Timelines
- Acknowledgement: We confirm receipt without undue delay and in any case within 7 business days.
- Completion: We complete deletion without undue delay and within 30 days of verification. Where requests are complex, we may extend by up to 2 additional months (GDPR), informing you of reasons within one month.
- Backups: Data in immutable or point-in-time backups is purged on the next scheduled rotation cycle, no later than 90 days after completion of active deletion.
- Proof of Action: On request, we will confirm completion and summarize which systems were impacted.
6) What We Delete (by System)
| System / Vendor | Data Examples | Deletion Action |
|---|---|---|
| Convex (hosted database) | Accounts metadata, content records, planner entries, collections, audit items | Records are hard-deleted from active tables; references are nullified/cascaded to prevent orphaned data. |
| Amazon S3 (media) | Uploads (video/audio/images), generated assets, thumbnails | Objects are deleted; any CDN caches naturally expire; multipart remnants are cleaned per S3 lifecycles. |
| Clerk (auth & profiles) | Identity, email, profile photo, sessions | Profile is removed; sessions revoked; identifiers are purged per Clerk's deletion workflow. |
| Stripe (billing) | Customer profile, invoices, payments | We minimize/lock records and retain only what's required by tax/accounting law (generally up to 7 years in NL). Non-required fields are redacted where feasible. |
| Third-Party AI APIs (Anthropic, OpenAI, Google Gemini, Bannerbear, Gamma) | Prompts, inputs, generation requests, generated artifacts | We submit deletion/retention-limit requests where the provider offers controls; otherwise we configure no-log/limited retention settings where available and cease further processing. |
| Social Platforms | Access tokens, scheduled posts, post history created via our app | Tokens are revoked; schedules and metadata are deleted from our systems. Content already posted to the platform must be deleted directly on that platform by you. |
| Analytics & Logs | Usage events, IP, device/browser info | Events linked to your identifiers are removed or anonymized; security logs are minimized and retained only as necessary for integrity and legal requirements. |
Important: Deleting your account removes access to all associated content and Outputs in CreateFame. Items you exported or posted to external platforms are outside our control.
7) Your Options: Account Closure vs. Selective Deletion
- Selective deletion: You may ask us to delete specific uploads, transcripts, reference images, Outputs, schedules, or connected accounts while keeping your account active.
- Full account deletion: Removes your account and all associated personal data/records from our active systems (subject to legal retention obligations).
- Grace period (optional): On request, we can apply a short "soft-delete" window (up to 7 days) to allow recovery from accidental requests—unless we are legally required to delete immediately.
8) Legal Retention & Exceptions
- Billing & Tax: Invoices and payment records are retained as required by Dutch/EU law (typically up to 7 years).
- Security & Fraud: We may retain minimal data needed to detect/prevent fraud, secure our systems, or enforce terms.
- Disputes & Compliance: If data is necessary to establish, exercise, or defend legal claims, or to comply with a legal obligation, we may retain it for that purpose only.
Where retention is necessary, access is restricted, data is minimized, and securely archived until the purpose expires.
9) Third-Party Processors & Cross-Border Deletion
We work with third-party processors (e.g., Clerk, Convex, Amazon S3, Stripe, Anthropic, OpenAI, Google Gemini, Bannerbear, Gamma). For verified deletion requests, we will:
- Cease further processing with those providers;
- Trigger available deletion APIs/tools or submit deletion requests;
- Rely on EU adequacy decisions or Standard Contractual Clauses (SCCs) for cross-border compliance; and
- Request confirmation where the provider exposes such functionality.
Some providers maintain limited operational logs for short periods (e.g., security/abuse prevention). These are outside our direct control but are subject to the providers' own legal and contractual obligations.
10) Automatic Deletion & Inactivity
- Inactivity: Accounts inactive for 24 months may be deleted after we send a 30-day notice to the registered email.
- Expired tokens: Connected social tokens automatically expire or are revoked, removing associated posting capability.
- Temporary files: Processing intermediates and caches are routinely purged via automated jobs.
11) Children's Data
CreateFame is for users 18+. If we become aware that we hold data from a minor, we will delete it promptly upon discovery.
12) Records of Deletion Requests
We maintain an internal log of verified deletion requests (request date, requester, scope, completion date) for accountability and compliance auditing.
13) Questions, Appeals & Supervisory Authority
If you have questions or believe your request was not handled properly, contact us at hello@createfame.ai. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
14) Changes to This Policy
We may update this policy to reflect changes in law, providers, or our Service. We will post the updated version and, for material changes, provide notice in-app or via email prior to the effective date.