CREAO respects your privacy and gives you control over your data.
CREAO collects the minimum data necessary to provide the service:
  • Account data — email address, name, and authentication credentials
  • Conversation data — messages, files, and artifacts you create during chat sessions
  • Usage data — credit consumption, feature usage, and session metadata for billing and product improvement
  • Memory data — facts and preferences the super agent saves on your behalf (you can view, search, and delete these at any time)
We do not sell your data to third parties.
CREAO is designed with GDPR principles in mind:
  • Lawful basis — we process data based on contractual necessity (to provide the service) and legitimate interest (to improve the product)
  • Data minimization — we collect only what is needed to deliver the service
  • Right to access — you can export your data at any time
  • Right to deletion — you can delete your account and all associated data
  • Right to portability — conversation and file data can be exported in standard formats
  • Data processing — see the Subprocessors section below for a list of third parties that process data on our behalf
  • International transfers — user data is stored in the United States. For EU users, data transfers are governed by Standard Contractual Clauses (SCCs) in accordance with GDPR Chapter V
  • Data Processing Agreement — enterprise customers can request a DPA by contacting privacy@creao.ai
For California residents, CREAO provides:
  • Right to know — what personal information we collect and how it is used
  • Right to delete — request deletion of your personal information
  • Right to opt-out — we do not sell personal information
  • Non-discrimination — exercising your rights does not affect pricing or service quality

AI & Model Usage

Your data is not used to train AI models. Conversations and files sent to AI providers (Anthropic, OpenAI, Google, MiniMax, xAI) are processed under API agreements that prohibit use of your data for model training. This includes image inputs sent for generation tasks (for example, image-to-video with Veo). Providers may retain data briefly for abuse monitoring and safety as required by their terms, but never for training purposes.
When you chat with the super agent, your messages and relevant context (files, memory, skill instructions) are sent to the selected LLM provider via their API. All API calls use encrypted connections. Responses are streamed back to your browser in real time.
CREAO supports multiple LLM providers:
  • Anthropic (Claude Opus, Sonnet, Haiku)
  • OpenAI (GPT-4o, GPT-4o mini)
  • Google (Gemini Pro, Gemini Flash, Veo for video generation)
  • MiniMax (MiniMax M2.7)
  • xAI (Grok)
All providers are accessed via API with no-training agreements. Providers may retain data briefly for abuse monitoring and safety per their terms, but your data is never used for model training.
Code generated by the AI runs in an isolated sandbox. The sandbox has no access to other users’ data, no persistent network access to internal systems, and is destroyed after the session ends. Generated files are stored encrypted and associated only with your account.

Connector Data Access

Connectors provide scoped access to third-party systems (OAuth/API-key based). See Skills and Connectors for the full feature overview and Security for auth model and security controls.
| Connector group | Auth mode | Typical data categories | Revocation |
|---|---|---|---|
| Google Workspace (Gmail, Calendar, Docs, Sheets, Drive, Tasks) | OAuth | Mail, calendar events, docs, spreadsheets, files, tasks | Disconnect in CREAO + revoke in Google account if needed |
| Google Marketing (Ads, Analytics, Search Console) | OAuth | Campaign/reporting and web analytics data | Disconnect in CREAO + revoke in Google account if needed |
| Microsoft (Outlook, Teams, OneDrive, Word, Excel) | OAuth | Mail, collaboration messages, files, documents, workbook data | Disconnect in CREAO + revoke in Microsoft account if needed |
| Collaboration (Slack, Discord, Notion, Asana, Linear) | OAuth or API key | Messages, channels/pages, tasks/issues/project data | Disconnect in CREAO + revoke in provider account |
| Developer (GitHub) | OAuth | Repository metadata/content and issue/workflow data | Disconnect in CREAO + revoke in GitHub settings |
| Social/commerce (X, YouTube, Reddit, Shopify, Telegram) | OAuth or token | Social content, publishing metadata, storefront data, bot messaging data | Disconnect in CREAO + revoke in provider account |
Some connectors run through direct provider API integrations; others may run through integration relay infrastructure. In all cases, access is bound to your authenticated connector account and approved permissions.

Skill Data Handling

Built-in skills are instruction packages — they do not create new third-party data sharing paths by themselves. See Skills and Connectors for the full feature overview and Security for safety boundaries. Built-in skills may operate on:
  • User prompts and conversation context
  • User-provided files and generated artifacts
  • Connected-service data when relevant connectors are authorized
Data leaves CREAO only when required by tools/providers used during execution.

Subprocessors

The following third-party services process data on behalf of CREAO:
| Subprocessor | Purpose | Data Processed |
|---|---|---|
| AWS (Amazon Web Services) | Cloud infrastructure, data storage, compute | All service data |
| Anthropic | LLM provider (Claude models) | Conversation messages, context |
| OpenAI | LLM provider (GPT models) | Conversation messages, context |
| Google Cloud | AI provider (Gemini models, Veo video generation) | Conversation messages, context, user image inputs for image-to-video generation |
| MiniMax | LLM provider (MiniMax models) | Conversation messages, context |
| xAI | LLM provider (Grok models) | Conversation messages, context |
| E2B | Sandbox execution | Code, files during execution |
| Stripe | Payment processing | Billing and payment data |
| Cloudflare | CDN, DDoS protection, bot detection | Request metadata |
| Sentry | Error monitoring | Error diagnostics (no conversation content) |
| Pipedream | Connector OAuth and integration relay | OAuth tokens for connected services |

Data Retention

| Data Type | Retention Period | Notes |
|---|---|---|
| Conversations & messages | Until deleted by user | Users can delete individual threads or all data |
| Generated files | Until deleted by user | Stored encrypted in cloud storage |
| Sandbox environments | Session duration + 30 min idle | Destroyed after inactivity timeout |
| Memory entries | Until deleted by user | Viewable and deletable from the Memory page |
| Audit logs | 90 days | Immutable, used for security monitoring |
| Account data | Until account deletion | Deleted within 30 days of account closure (per GDPR Article 17 and CCPA requirements) |
| Payment data | As required by law | Managed by Stripe; CREAO does not store card numbers |

Contact

For privacy and compliance inquiries or Data Processing Agreement (DPA) requests, contact privacy@creao.ai. CREAO, Inc. acts as the data controller for personal data processed through the platform.