← Back to Crevo

Privacy Policy

Last updated: June 12, 2026

1. Introduction

Crevo (“we”, “us”, “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our platform as a Creator or Member. By using Crevo, you consent to the practices described here.

This policy covers all Crevo features including digital products, online courses, community memberships, bookings, email marketing, spin wheel, discount codes, giveaways, waitlists, funnels, upsells, AutoDM (Instagram), analytics, donations, and storefront pages.

2. Information We Collect

2.1 Account Information. When you register, we collect your name, email address, and password (hashed and salted — never stored in plain text). If you sign in with Google, we receive your name, email address, and profile picture from Google OAuth.

2.2 Creator Profile Information. Creators may provide a display name, bio, profile photo, logo, favicon, brand colors, social media handles (Instagram, TikTok, YouTube, Twitter/X, Facebook, Pinterest, LinkedIn, Twitch), website URL, contact email, timezone, and currency preference. Profile information marked as public is displayed on your storefront and visible to all visitors.

2.3 Payment and Transaction Information. We do not store your full payment card details. All payments are processed by Stripe, a PCI-DSS Level 1 certified payment processor. We store transaction identifiers, order amounts, currency, payment status, and metadata (such as which product was purchased). Creator payouts are processed through Stripe Connect — we store your Stripe account ID and connection status. By making or receiving payments, you agree to Stripe's Privacy Policy.

2.4 Content You Upload. Creators may upload digital files, PDFs, videos, images, thumbnails, course materials, and community media. Files are stored via Bunny.net (cloud storage and CDN) and delivered only to authorized purchasers or members. We store metadata about uploaded files including filenames, sizes, and storage paths.

2.5 Course and Learning Data. For online courses, we track lesson completion status, quiz answers, quiz scores, and overall course progress for each enrolled student. This data is used to display progress to the student and to the Creator.

2.6 Community Data. Community posts, comments, poll responses, reactions, and media shared within community spaces are stored on our servers. Community content may be visible to all members of that community tier. Creator-moderators can view, pin, hide, or delete posts within their community.

2.7 Booking and Scheduling Data. For booking services, we collect availability schedules set by Creators and booking details submitted by Members (name, email, selected time slot, and any notes). If Google Calendar integration is enabled, booking events are synced to the Creator's Google Calendar. We store Google OAuth tokens (encrypted) for this purpose.

2.8 Instagram / AutoDM Data. If you connect an Instagram Business account, we store your Instagram User ID, Instagram username, and a long-lived API access token issued by Meta (valid up to 60 days, refreshed automatically). This token is used solely to monitor incoming comments and direct messages for keyword matches and to send automated replies as configured in your AutoDM rules. We do not store the content of processed messages beyond what is needed to send a reply. We do not access your Instagram feed, follower list, media, or any data beyond what is necessary to operate the AutoDM feature. You can disconnect Instagram at any time from Settings, which permanently deletes all stored Instagram credentials.

2.9 Google Calendar Integration Data. If you connect Google Calendar, we store your Google OAuth access token, refresh token, token expiry, and calendar ID. These are used solely to create and manage booking events on your behalf. You can disconnect Google Calendar from Settings at any time.

2.10 Email Marketing Data. We collect and store subscriber email addresses, names, subscription status, unsubscribe status, and email engagement data (sends, opens where tracked) for Creators' email lists. Creators are responsible for obtaining lawful consent from their subscribers.

2.11 Spin Wheel and Lead Generation Data. When a visitor enters their email through a spin wheel or waitlist widget, we collect their email address and any other fields configured by the Creator. This data is stored and associated with the Creator's subscriber list.

2.12 Discount and Promotional Data. We store discount code usage records including which code was used, which order it applied to, and the discount amount. This is used for reporting and to enforce usage limits.

2.13 Giveaway Data. For giveaway entries, we collect participant email addresses and names. Winner selections are made algorithmically and winner contact information is used to send notification emails.

2.14 Analytics and Usage Data. We collect storefront analytics including page views, product views, checkout starts, purchases, traffic sources (UTM parameters, referrer), device type, browser, and country. This data is aggregated and attributed to the Creator's storefront for their reporting dashboard. We do not sell this analytics data.

2.15 Tracking Pixels. Creators may connect third-party tracking pixels (such as Meta Pixel) to their storefronts. When a visitor lands on a Creator's storefront or completes a purchase, pixel events may fire and send data to the respective third-party platform. Crevo does not control the data practices of third-party pixel providers.

2.16 Cookies and Session Data. We use cookies and similar technologies for authentication (session management), security (CSRF protection), and preference storage. You can configure your browser to refuse cookies, but some features — including login and dashboard access — will not function without them.

2.17 Communications. We store support emails and inquiries sent to us. We may send you transactional emails (purchase confirmations, booking notifications, welcome emails) and, with your consent, platform update communications. You can opt out of non-essential emails at any time.

3. How We Use Your Information

  • To create and manage your account and provide access to the Platform;
  • To process payments, facilitate Creator payouts, and maintain order records;
  • To deliver purchased digital products, course access, and community membership access;
  • To track and display course progress and completion;
  • To operate community spaces including posts, comments, polls, and media;
  • To manage bookings, availability, and calendar synchronization;
  • To operate the AutoDM feature on behalf of Creators who have enabled it;
  • To send transactional emails including purchase confirmations and booking notifications;
  • To enable Creator email marketing to opted-in subscribers;
  • To power spin wheel, waitlist, and lead generation features;
  • To track discount code usage and enforce promotional rules;
  • To run giveaways and notify winners;
  • To provide Creators with analytics and performance reporting;
  • To fire Creator-configured tracking pixels on storefront events;
  • To detect, prevent, and address fraud, abuse, chargebacks, and security incidents;
  • To comply with legal obligations and respond to lawful requests;
  • To improve the Platform and develop new features.

4. How We Share Your Information

We do not sell your personal data. We share information only in the following circumstances:

  • Stripe – Payment processing, Connect payouts, and subscription billing.
  • Bunny.net – File storage, video hosting, CDN delivery of Creator content.
  • Supabase – Managed database and authentication hosting.
  • Resend – Transactional and marketing email delivery.
  • Meta (Instagram Graph API) – Sending AutoDM messages on behalf of connected Creators.
  • Google – OAuth authentication and Google Calendar integration for bookings.
  • Creators – When a Member purchases from a Creator, we share the Member's name, email, and order details with that Creator solely for order fulfillment and support.
  • Legal Requirements – We may disclose data when required by law, court order, or to protect the rights, property, or safety of Crevo or others.
  • Business Transfers – In the event of a merger, acquisition, or sale of assets, user data may be transferred as part of that transaction with notice to affected users.

Each service provider is bound by data processing agreements requiring appropriate data protection measures.

5. Meta Platform Data

Crevo uses the Meta (Instagram) Graph API to enable the AutoDM feature. In doing so:

  • We receive data from Meta's APIs only as permitted by Meta's Platform Terms and solely to operate the AutoDM feature.
  • Meta Platform Data (Instagram User IDs, usernames, access tokens) is used only for its stated purpose — detecting keyword triggers and sending automated DM responses on behalf of the connected Creator.
  • We do not sell, transfer, or use Meta Platform Data for advertising, profiling, or any purpose beyond the AutoDM feature.
  • We do not share Meta Platform Data with third parties except when making API calls to Meta itself on the Creator's behalf.
  • Creators can revoke access at any time from Settings or via Instagram's app settings. Upon disconnection, all stored Meta credentials are permanently deleted.
  • To request deletion of Meta-sourced data, email foundercrevo@gmail.com with subject “Meta Data Deletion Request”. We will process within 30 days.

Our use of Meta Platform Data complies with Meta's Platform Terms and Developer Policies.

6. Google Data

If you connect Google Calendar, we store OAuth tokens to create and manage booking events on your behalf. We request only the minimum scopes required for calendar access. Google OAuth tokens are stored encrypted and are used solely for the booking integration. You can revoke access at any time from Settings or from your Google Account permissions page. Our use of Google user data complies with Google's API Services User Data Policy, including the Limited Use requirements.

7. Data Retention

We retain your account and transaction data for as long as your account is active or as needed to provide services and comply with legal obligations. Upon account deletion, we delete personal data within 30 days, except where retention is required by law, to resolve disputes, enforce agreements, or prevent fraud.

  • Instagram access tokens: deleted immediately upon disconnecting Instagram.
  • Google OAuth tokens: deleted immediately upon disconnecting Google Calendar.
  • Order records: retained for a minimum of 7 years for tax and legal compliance.
  • Email marketing lists: retained until the Creator deletes their account or removes subscribers.
  • Analytics data: retained for up to 24 months in aggregated form.

8. Data Security

We implement industry-standard security measures including:

  • Encryption in transit (TLS 1.2+) for all data sent between your browser and our servers;
  • Encryption at rest for sensitive fields including OAuth tokens and passwords;
  • Row-level security policies on the database;
  • Access controls limiting data access to authorized personnel only;
  • Signed URLs for private file delivery (digital products, course videos).

No method of transmission over the Internet is 100% secure. We cannot guarantee absolute security and are not responsible for unauthorized access resulting from factors outside our reasonable control.

9. Creator Obligations Regarding Member Data

Creators act as independent data controllers for member data they collect via the Platform (emails, purchase history, booking information, community activity). Creators are solely responsible for:

  • Maintaining their own privacy policy disclosing how they use member data;
  • Complying with applicable data protection laws (GDPR, CCPA, PIPEDA, etc.);
  • Obtaining lawful consent for email marketing;
  • Honoring member data access, correction, and deletion requests;
  • Not using member data for purposes beyond what was disclosed at collection.

10. Your Rights (GDPR / CCPA)

Depending on your jurisdiction, you may have the right to:

  • Access – Request a copy of the personal data we hold about you;
  • Correction – Request correction of inaccurate or incomplete data;
  • Deletion – Request deletion of your personal data (“right to be forgotten”);
  • Portability – Request your data in a structured, machine-readable format;
  • Objection / Restriction – Object to or restrict certain types of processing;
  • Withdraw Consent – Withdraw consent at any time where processing is consent-based.

To exercise any of these rights, email foundercrevo@gmail.com. We will respond within 30 days.

California residents (CCPA): We do not sell personal information. You have the right to know what data we collect, request deletion, and opt out of any future sale (which we do not engage in). Contact us at the address above and indicate you are a California resident.

EU/EEA residents (GDPR): Our legal bases for processing include contract performance (to provide the services you signed up for), legitimate interests (fraud prevention, platform security), legal obligation, and consent (marketing emails). You have the right to lodge a complaint with your local supervisory authority.

11. Children's Privacy

The Platform is not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected information from a minor, contact us immediately at foundercrevo@gmail.com and we will delete it promptly.

12. Third-Party Links and Pixels

Creator storefronts may contain links to third-party websites or embed third-party tracking pixels configured by the Creator. We are not responsible for the privacy practices or content of those third parties. When you visit a Creator storefront with tracking pixels enabled, data may be sent to those third-party platforms per their own privacy policies.

13. International Data Transfers

Crevo operates globally. Your data may be processed in countries outside your own, including the United States and countries where our service providers operate. We ensure appropriate safeguards are in place for international transfers, including data processing agreements with service providers that include standard contractual clauses where required.

14. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email or a prominent notice on the Platform before taking effect. Continued use after the effective date of the updated policy constitutes acceptance.

15. Contact Us

For privacy-related questions, data requests, or complaints, contact us at foundercrevo@gmail.com. We aim to respond within 30 days.

Terms of ServiceBack to Crevo