Privacy Policy – CreateFame

Effective Date: 23-09-2025 | Last Updated: 16-01-2026

This Privacy Policy explains how Barrière Brekers B.V. ("CreateFame", "we", "us", "our") processes personal data in accordance with the EU General Data Protection Regulation (GDPR) and Dutch privacy law.

1. Who We Are (Data Controller)

Barrière Brekers B.V.

Groene Woud 60, 4834BC, Breda, The Netherlands

Contact: [email protected]

We operate the CreateFame platform (the "Service"). Unless stated otherwise, we act as the data controller for the processing activities described in this policy.

2. Scope

This policy applies to users of CreateFame, including account holders connecting social profiles and using our AI-powered content generation features.3. Personal Data We Collect

3.1 Account & Identification Data

Name (optional), email address, profile details (username, handle, profile photo)

Authentication identifiers, login timestamps, security events (via Clerk)

3.2 User-Provided Content

Text, documents, and notes you upload or create

Video/audio you upload (we may transcribe to text)

Samples of your writing style

Reference image(s) of yourself used to create new images of you (not for biometric identification)

Generated content (e.g., posts, images, short videos, carousels, captions, quote cards, content collections)

3.3 Social Media Connections (Optional)

Access tokens and permissions you grant (e.g., read profile, create posts)

Scheduling data and publish status

Public profile information provided by the social platform

We use official API services provided by each platform:

YouTube API Services – for video publishing and channel management

Meta Graph API – for Facebook, Instagram, and Threads posting

X API – for posting to X (Twitter)

LinkedIn API – for LinkedIn post publishing

TikTok API – for TikTok video publishing

We only read or publish content where you have explicitly connected an account and granted permission. You can revoke access at any time.

3.4 Payments & Subscriptions

Subscription plan, credit usage, invoices and transaction history

Payment processing is handled by Stripe. We do not store full card numbers or CVV.

3.5 Technical & Usage Data

Device and browser information, IP address, app events, diagnostics and logs

Aggregated analytics and performance metrics

Special categories: We do not intentionally process special categories of data. Reference images of you are used to generate images of you, not to uniquely identify you; we do not perform biometric identification or facial recognition.

4. Purposes & Legal Bases

Purpose

Legal Basis

Details

Provide and operate the Service

Performance of a contract (Art. 6(1)(b) GDPR)

Account creation, login, content uploads, content generation, planner, posting to connected profiles.

AI content generation (text, image, video) using external APIsContract; and where required, your consent (Art. 6(1)(b)/(a))

We process your inputs and send them to chosen AI providers to generate outputs you request.

Transcription of uploaded video/audioPerformance of a contract

Creates a text source to enable editing and generation features.

Payments, subscriptions, credit top-ups

Performance of a contract; Legal obligation

Stripe processes payments; we keep invoicing records as required by law.

Security, fraud prevention, integrityLegitimate interests (Art. 6(1)(f))

Authentication, access controls, logs, abuse prevention.

Service improvement and analytics

Legitimate interests; or consent where required

Aggregate analytics to improve performance and features.

Customer support & communications

Legitimate interests; Contract

Respond to requests, send service notifications and updates.

Advertising and remarketing

Consent (Art. 6(1)(a))

We may use ad platforms (Meta, Google, TikTok, LinkedIn, etc.).

We only do this with your consent and you can withdraw at any time.

Compliance with laws

Legal obligation (Art. 6(1)(c))

Tax, accounting, law enforcement requests where applicable.

We do not sell your personal data.

We do not perform automated decision-making producing legal or similarly significant effects.

5. Recipients & Processors

We share personal data with trusted providers acting on our behalf under written data processing agreements:

Clerk

Authentication, identity, session managementEU/US with Standard Contractual Clauses (SCCs) where applicable.

Convex

Hosted application databaseEU/US with SCCs where applicable.Amazon S3Media storage (uploads & generated assets)EU region where available.

Stripe

Payments & subscriptionsEU/US with SCCs where applicable.

We do not store full card data.

Anthropic (Claude API)

AI text/image/video generation (as configured)Transfers to US; SCCs or equivalent safeguards.

OpenAI APIAI

text/image/video generation (as configured)Transfers to US; SCCs or equivalent safeguards.

Google (Gemini API)

AI generation and analysis

Global processing; SCCs or equivalent safeguards.

Bannerbear

Automated visual generation (social graphics)

Transfers to US; SCCs or equivalent safeguards.

Gamma

Carousel & visual content generationTransfers to US; SCCs or equivalent safeguards.

Advertising platforms

Meta, Google, YouTube, TikTok, LinkedIn (with consent)

Marketing and remarketing; limited data as configured; opt-in only.

Connected Social Platforms & Their Privacy Policies

When you connect social accounts, your use of those platforms is also governed by their privacy policies:

Google/YouTubeVideo uploads via YouTube API Services

Google Privacy Policy

MetaFacebook/Instagram/Threads posting

Meta Privacy Policy

XTwitter/X posting

X Privacy Policy

LinkedInLinkedIn posting

LinkedIn Privacy Policy

TikTokTikTok video posting

TikTok Privacy Policy

We may disclose data to public authorities if required by law. We require all processors to implement appropriate technical and organisational measures.

6. International Data Transfers

Your personal data may be transferred outside the European Economic Area (EEA).

Where such transfers occur, we rely on one or more of the following safeguards:

EU Commission Adequacy Decisions (GDPR Art. 45)

Standard Contractual Clauses (GDPR Art. 46)

Other appropriate safeguards permitted by Chapter V GDPR

You can request a copy or summary of the relevant safeguards by contacting [email protected]. Data Retention

Account & profile data

For the life of the account; deleted upon request or account closure.

User-provided and generated content

Until you delete it or close your account; backups roll off on a schedule.

Authentication logs / security events

Up to 24 months (shorter where feasible).

Billing & invoicing records

Up to 7 years to comply with tax and accounting obligations.Support correspondenceUp to 3 years after last interaction or as required by law.

8. Security

We implement appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls, role-based permissions, audit logging, and regular backups.

No system is 100% secure; we continuously improve our controls and will notify authorities and affected users of data breaches when legally required.

9. Social Media Connections & Posting

Connecting a social profile grants us only the permissions you approve.

We read profile data and publish content only as instructed by you (including via the planner).

You can disconnect any profile at any time in your account settings; tokens will be revoked.

9.1 Data Accessed via Platform APIs

YouTube API Services:

Channel name and ID (to identify posting destination)

Upload capability (to publish videos)

Video metadata (title, description you provide)

Meta Graph API (Facebook, Instagram, Threads):

Page/account name and ID

Posting permissions you grant

Post content you create through our Service

X API:

Account username and ID

Posting permissions

Tweet content you create through our Service

LinkedIn API:

Profile name and organization pages

Posting permissions

Post content you create through our Service

TikTok API:

Account username

Video upload permissions

Video content you create through our Service

9.2 How We Use Platform Data

We access only the permissions necessary to post content on your behalf

We do not analyze, profile, or share your social media data with third parties

We store access tokens securely and delete them when you disconnect

9.3 Revoking Platform Access

You can revoke our access to your connected accounts at any time via each platform's settings:

YouTube/Google: myaccount.google.com/connections

Meta (Facebook/Instagram): facebook.com/settings?tab=applications

X: twitter.com/settings/connected_apps

LinkedIn: linkedin.com/psettings/permitted-services

TikTok: tiktok.com/setting (Connected Apps section)

10. Marketing & Advertising

With your consent, we may use your data to run advertising and remarketing campaigns on platforms such as Meta, Google, TikTok, and LinkedIn.

You can withdraw consent at any time in the app settings or by contacting us. We do not share your content libraries with ad platforms unless explicitly configured for a campaign you request.

11. Cookies & Similar Technologies

We use essential cookies to operate the Service and, with your consent where required, analytics/advertising cookies to understand usage and improve the Service.

You can manage preferences via your browser and in-app controls where available.

Platform Authentication Cookies:

When you connect social media accounts (YouTube, Meta, X, LinkedIn, TikTok), the respective platforms may place cookies or similar technologies on your device during the authentication process.

These are governed by each platform's privacy policy (see Section 5 for links).

12. Your GDPR Rights

You can exercise the following rights, subject to conditions and applicable law:

Access your personal data

Rectify inaccurate or incomplete data

Erase data ("right to be forgotten")

Restrict processing

Object to processing based on legitimate interests or direct marketing

Data portability (receive a copy in a machine-readable format)

Withdraw consent at any time where processing is based on consent

To make a request, contact [email protected].

We may ask for information to verify your identity before acting on your request.

You also have the right to lodge a complaint with the Dutch Data Protection Authority: autoriteitpersoonsgegevens.nl.

13. Children's Privacy

The Service is intended for users aged 18 and older.

We do not knowingly collect personal data from children. If we become aware of such data, we will delete it.

14. Changes to This Policy

We may update this Privacy Policy to reflect legal, technical, or business changes.

The "Last Updated" date will be revised accordingly. Material changes will be communicated within the app or by email where appropriate.

15. Contact

For privacy questions, requests, or complaints, contact:

Barrière Brekers B.V.

Groene Woud 60, 4834BC, Breda, The Netherlands

Email: [email protected]

Note: Where we rely on consent (e.g., advertising cookies/remarketing), you can withdraw consent at any time in your settings or by contacting us. Withdrawal does not affect the lawfulness of prior processing.