CREAO respects your privacy and gives you control over your data.
CREAO collects the minimum data necessary to provide the service:
  • Account data — email address, name, and authentication credentials
  • Conversation data — messages, files, and artifacts you create during chat sessions. When Reflexio analytics/retrieval is enabled, user turns and selected assistant final-turn summaries (with compact tool metadata) may be sent to Reflexio for quality monitoring, and your current query text may be sent to Reflexio search to retrieve relevant profiles/playbooks (see Subprocessors)
  • Usage data — credit consumption, feature usage, acquisition attribution (UTM parameters, click IDs, referring site, landing path, and owner-derived affiliate or referral attribution from public shared-thread and agent-install pages), and session metadata for billing, analytics, and product improvement
  • Billing coupon data — when a one-time subscription coupon is created or redeemed, CREAO stores the coupon code, campaign type, discount terms, optional internal distributor note, Stripe coupon/promotion identifiers, and admin/redeemer attribution needed to prevent reuse, reconcile checkout, support customers, and audit discount issuance. Redeemer email is visible only to CREAO admins and is removed if the redeemer’s account is deleted
  • Affiliate and referral billing data — when you join or use an affiliate referral campaign, CREAO may store referral handle attribution, KOL account identifiers, configurable commission rates, invitee reward credit grants, and related credit ledger metadata so rewards, revenue share, and payouts can be calculated and audited
  • Memory data — facts and preferences the super agent saves on your behalf (you can view, search, and delete these at any time)
  • Login geolocation — country derived from your IP address by Cloudflare (ISO 3166 alpha-2 country code) is recorded with each login event for analytics, abuse detection, and billing routing. No city-level or precise location is stored
  • Dream profiles — AI-generated summaries of your preferences, working style, and recent activity, derived from your conversation history. These are created automatically (daily) or on demand, and can be viewed from the Memory → Dream tab
  • Linked social profiles — when you connect an X (Twitter) or Discord account from the Rewards hub or Account Settings, CREAO stores the provider account ID, username, display name, and avatar URL so the UI can show which accounts you have linked. For Discord we also retain the OAuth access token so reward verification (CREAO server membership) can run without prompting you to re-authenticate. For X, the OAuth token is used only at link time to confirm account ownership — CREAO does not call back to X to read your follows, posts, or social graph. To prevent reward-farming via re-binding, an X or Discord identity that has been linked to a CREAO account is bound permanently to that account — it cannot be disconnected from the UI. As a security measure, linked profile data and stored OAuth tokens are also removed automatically whenever your authentication state is revoked (password reset, admin force-logout, account ban) — this prevents an attacker who briefly held a session cookie from leaving an attached account behind after the rightful owner regains control. They are otherwise removed only when you delete your CREAO account, at which point all linked profile data and stored OAuth tokens are deleted with it. You can still revoke CREAO’s access at any time from your provider’s settings (X → Connected apps, Discord → Authorized apps), which invalidates the stored token immediately
  • Campaign participation data — if you join a CREAO campaign or challenge, CREAO may store campaign-specific enrollment state, eligibility checks, public leaderboard identity, and setup metadata. For the Agent Trading Campaign, this includes your submitted WEEX email/UID, the linked X profile used as your public leaderboard identity (x_username, x_provider_account_id, display name, and avatar), the Discord link and CREAO Discord server membership required for enrollment, your selected CREAO agent app ID, your user-chosen public leaderboard agent name/slug, readiness/freeze audit hashes, and disqualification/finalization status. Total CREAO credits consumed may be used to determine prize eligibility; public campaign pages may show eligibility status or prize-claim rank, while exact credit totals are visible only to you and CREAO admins
  • Campaign financial performance data — for trading challenges, CREAO may use the WEEX API credentials you configure in CREAO Secrets to request demo-account balance and order data from WEEX during the campaign. CREAO stores leaderboard snapshots such as USDT equity, PnL, and trade count for ranking, audit, and results pages. CREAO does not store your raw WEEX API key, secret, or passphrase in the campaign database
  • Scheduled-run result delivery — when you enable “Email me a summary” on a scheduled agent app, CREAO sends a summary email after each run. We store the email delivery record in schedule_email_deliveries (schedule ID, run status, delivery outcome, and timestamp). These records are deleted automatically after 30 days by a nightly cron. The delivery setting is off by default and can be changed at any time from the schedule settings
  • Team-collaboration attribution — when you and other members work in the same organization, CREAO stores the user identifier of the team member who sent each message, uploaded each file, scheduled each run, or performed each tracked action on a shared agent. Team members in the same organization can see each other’s display name and email next to those entries (in chat, files, schedules, and the agent activity log) so that collaborators know who did what. This information is visible only to other members of the same organization — never to users outside the org or to anonymous visitors of a shared link
  • Organization invite emails — when an organization admin invites a new member, CREAO stores the invitee’s email address in org_invites to deliver the invitation and track its status (pending, accepted, or revoked). The invitee may or may not have an existing CREAO account. Invite records are deleted when the invitation is revoked by an admin, when the organization is deleted (FK cascade), or when the invite expires. Accepted invites retain the email for audit purposes until the organization is deleted
  • Action approvals — when an agent or chat session proposes a guarded write through a connector (email, social media, messaging, etc.), CREAO stores the proposed action payload (for example tweet text, email subject, or message content), validation results, approval status, approver/rejector audit metadata, and apply result so you can review, approve, reject, retry, and audit external actions. This applies to both Agent App sessions and regular chat threads
  • Workflow orchestration data — when you use the /workflow command, CREAO stores approved workflow definitions (name, description, and JSON task spec), workflow run and task execution records (status, task prompts, summaries, artifact references, and per-task cost), and append-only progress events so the host can schedule, pause, resume, cancel, retry, and audit the workflow
  • Agent Store engagement — when you interact with agents in the public Agent Store, CREAO stores your likes, bookmarks, shares, written reviews (with star rating), and view impressions. View impressions include your account ID when you are signed in and a SHA-256 hash of your IP address (truncated to 16 hex chars) for deduplication only — no raw IP, user agent, or precise geolocation is stored.
  • Discover Skills install activity — when you install a community-recommended skill from Discover Skills, CREAO records the Discover Skills entry and your user ID so we can keep install counts accurate and avoid double-counting repeat installs
  • LLM transaction forensics — when the super agent calls a large language model on your behalf, CREAO stores per-request invocation metadata for billing accuracy and abuse prevention: source IP address (from cf-connecting-ip), user agent, country code, Cloudflare edge-location code (cf.colo), provider name and request path, token counts, cache status, JWT issued-at and age, upstream response identifier, run-history thread identifier (internal UUID), and the per-request cost in USD. This data is written to credit_deduction_logs (one row per LLM call) and is retained alongside other billing records. It is used to spot stolen sandbox credentials, replay attacks, and runaway agent loops, and to reconcile our spend against upstream provider invoices
  • Connected-database configuration — for enterprise organizations that connect their own database (Bring Your Own Data), CREAO stores the encrypted connection credentials and the database/schema names the workspace admin chose to expose. Credentials are encrypted under a dedicated key separate from the one used for user-uploaded secrets so the two rotation lifecycles stay independent. Connection records are hard-deleted immediately when an admin disconnects the source and cascade on organization deletion
We do not sell your data to third parties.
CREAO is designed with GDPR principles in mind:
  • Lawful basis — we process data based on contractual necessity (to provide the service) and legitimate interest (to improve the product)
  • Data minimization — we collect only what is needed to deliver the service
  • Right to access — you can export your data at any time
  • Right to deletion — you can delete your account and all associated data
  • Right to portability — conversation and file data can be exported in standard formats
  • Data processing — see the Subprocessors section below for a list of third parties that process data on our behalf
  • International transfers — user data is stored in the United States. For EU users, data transfers are governed by Standard Contractual Clauses (SCCs) in accordance with GDPR Chapter V
  • Data Processing Agreement — enterprise customers can request a DPA by contacting privacy@creao.ai
For California residents, CREAO provides:
  • Right to know — what personal information we collect and how it is used
  • Right to delete — request deletion of your personal information
  • Right to opt-out — we do not sell personal information
  • Non-discrimination — exercising your rights does not affect pricing or service quality

AI & Model Usage

Your data is not used to train AI models. Conversations and files sent to AI providers (Anthropic, OpenAI, Google, MiniMax, xAI) are processed under API agreements that prohibit use of your data for model training. This includes image inputs sent for generation tasks (for example, image-to-video with Veo). Providers may retain data briefly for abuse monitoring and safety as required by their terms, but never for training purposes.
When you chat with the super agent, your messages and relevant context (files, memory, Dream profile, skill instructions, and — for organizations that have connected their own database — the names of the connected databases and schemas) are sent to the selected LLM provider via their API. All API calls use encrypted connections. Responses are streamed back to your browser in real time.
When you approve a dynamic workflow, individual workflow task prompts and scoped task context may be sent to LLM providers as isolated worker or synthesis requests. CREAO stores task summaries and artifact references for the parent thread, but worker intermediate transcripts are not inserted back into the parent conversation context.
Connected-database metadata is limited to the source name, type, and the database/schema NAMES that the workspace owner chose to expose. Database row contents are not sent to the LLM unless the agent is explicitly asked to query the data; in that case, the query result rows flow through the same provider channel as the rest of your conversation.
When Reflexio retrieval is enabled for your request, CREAO may send your current prompt/query text to Reflexio search and inject compact Reflexio profiles/playbooks into the model context. This means Reflexio-derived summaries can be forwarded to your selected LLM provider as part of the context window.
Dream profiles are generated using Claude Haiku and may be included in agent context alongside your selected LLM provider. This means profile summaries generated by one provider may be forwarded to another as part of the agent’s context window.
CREAO supports multiple LLM providers:
  • Anthropic (Claude Opus, Sonnet, Haiku)
  • OpenAI (GPT-5.5, GPT-4.1, GPT-4.1 mini)
  • Google (Gemini Pro, Gemini Flash, Veo for video generation)
  • MiniMax (MiniMax M3)
  • xAI (Grok)
All providers are accessed via API with no-training agreements. Providers may retain data briefly for abuse monitoring and safety per their terms, but your data is never used for model training.
Code generated by the AI runs in an isolated sandbox. The sandbox has no access to other users’ data, no persistent network access to internal systems, and is destroyed after the session ends. Generated files are stored encrypted and associated only with your account. If you share a thread via the Share feature, files and artifacts within that thread become accessible to anyone with the share link.

Connector Data Access

Connectors provide scoped access to third-party systems (OAuth/API-key based). See Skills and Connectors for the full feature overview and Security for auth model and security controls.
Connector group | Auth mode | Typical data categories | Revocation
Google Workspace (Gmail, Calendar, Docs, Sheets, Drive, Tasks) | OAuth | Mail, calendar events, docs, spreadsheets, files, tasks | Disconnect in CREAO + revoke in Google account if needed
Google Marketing (Ads, Analytics, Search Console) | OAuth | Campaign/reporting and web analytics data | Disconnect in CREAO + revoke in Google account if needed
Microsoft (Outlook, Teams, OneDrive, Word, Excel) | OAuth | Mail, collaboration messages, files, documents, workbook data | Disconnect in CREAO + revoke in Microsoft account if needed
Collaboration (Slack, Discord, Notion, Asana, Linear) | OAuth or API key | Messages, channels/pages, tasks/issues/project data | Disconnect in CREAO + revoke in provider account
Developer (GitHub) | OAuth | Repository metadata/content and issue/workflow data | Disconnect in CREAO + revoke in GitHub settings
Social/commerce (X, YouTube, Reddit, Shopify, eBay, Telegram) | OAuth or token | Social content, publishing metadata, storefront/listing data, bot messaging data | Disconnect in CREAO + revoke in provider account
Some connectors run through direct provider API integrations; others may run through integration relay infrastructure. In all cases, access is bound to your authenticated connector account and approved permissions.

Skill Data Handling

Built-in skills are instruction packages — they do not create new third-party data sharing paths by themselves. See Skills and Connectors for the full feature overview and Security for safety boundaries. Built-in skills may operate on:
  • User prompts and conversation context
  • User-provided files and generated artifacts
  • Connected-service data when relevant connectors are authorized
Data leaves CREAO only when required by tools/providers used during execution.

Subprocessors

The following third-party services process data on behalf of CREAO:
Subprocessor | Purpose | Data Processed
AWS (Amazon Web Services) | Cloud infrastructure, data storage, compute | All service data
Anthropic | LLM provider (Claude models) | Conversation messages, context
OpenAI | LLM provider (GPT models) | Conversation messages, context
Google Cloud | AI provider (Gemini models, Veo video generation) | Conversation messages, context, user image inputs for image-to-video generation
MiniMax | LLM provider (MiniMax models) | Conversation messages, context
xAI | LLM provider (Grok models) | Conversation messages, context
E2B | Sandbox execution | Code, files during execution
Stripe | Payment processing | Billing and payment data. Payments are routed to a regional Stripe account based on your country (see Billing Routing below)
Cloudflare | CDN, DDoS protection, bot detection | Request metadata, country derived from IP address (used for billing routing, login geolocation analytics, and abuse detection)
Better Auth Cloud | Email validation during signup (disposable, invalid-MX, reserved-TLD detection); supplementary abuse signals (IP reputation, bot / impossible-travel detection); auth event telemetry across all auth operations (signup, signin, password-reset, session-refresh, OAuth callbacks) for the Sentinel security dashboard | Email address; IP address; auth event metadata (event type, timestamp, user ID, user email, user display name, IP address, derived city / country / country code)
Sentry | Error monitoring | Error diagnostics (no conversation content)
incident.io | Incident management and on-call alerting | Operational alert metadata only — CloudWatch alarm names and service status (no conversation content, no user PII)
Amplitude | Product analytics and event data export | Usage events and session metadata (no conversation content)
Reflexio | Interaction analytics, experiment instrumentation, retrieval for context injection | User ID, thread/session ID, user message content, selected assistant final-turn content, compact tool metadata (tools_used), retrieval query text sent to /api/search, and returned profile/playbook snippets used for prompt context
Pipedream | Connector OAuth and integration relay (user-triggered, when you authorize a connector) | OAuth tokens for connected services
People Data Labs | Company data enrichment (premium data tool, when you request company intelligence) | User-provided company identifiers such as website, name, ticker, LinkedIn URL, and location hints
Discord | Rewards verification (platform-level — checks Discord account link and CREAO server membership for the Rewards hub) | OAuth access token, Discord user id, username, avatar, server membership status
X (Twitter) | Rewards account linking (platform-level — confirms ownership of an X account when you connect it from the Rewards hub) | OAuth access token (held to bind the identity), X user id, username, display name, avatar
WEEX | Demo trading challenge account access and performance tracking (when you join a WEEX-backed campaign and configure WEEX API credentials) | WEEX UID/email, signed account-balance requests, demo-account equity, PnL, available balance, unrealized PnL, and trade count/performance metadata

Billing Routing

CREAO uses Stripe Connect to route payments through regional Stripe accounts so that charges are processed by a merchant entity closer to the cardholder, reducing payment declines. The country associated with your IP address (provided by Cloudflare via the cf-ipcountry header) determines which Stripe account processes your payment:
  • United States and Canada — payments are processed by New Boundary, Inc. (US Stripe account) as a connected account on the CREAO platform
  • All other regions — payments are processed directly by the CREAO platform Stripe account (Hong Kong)
No new personal data is collected for this routing — only the country code already present in the request metadata is used. Your billing region is stored alongside your subscription record so that subsequent charges, portal sessions, and webhook processing use the same account. This value is cleared if your subscription is reset.

Data Retention

Data Type | Retention Period | Notes
Conversations & messages | Until deleted by user | Users can delete individual threads or all data
Harness cycle feedback | Until workspace or cycle deleted | Optional free-text input on the Self-Improve hero between cycles (e.g. “focus more on the conversion funnel”). The current-cycle draft lives on harness_processes.loop_state.nextCycleFeedback and is cleared once the next audit dispatches; the value that informed each completed cycle is snapshotted onto harness_sessions.summary.userFeedback so the cycle history can show “your focus for this cycle”. Deleted via the workspace cascade when the workspace is removed
API keys | Until revoked by user | HMAC hash stored; raw key shown once at creation and never stored
API run data (inputs, outputs) | Until deleted by user | Prompts and results from API-triggered agent runs; same retention as conversations
Workflow definitions | Until account deletion | Saved workflow templates created through /workflow, including name, description, and JSON task spec. Deleted during account deletion
Workflow runs, tasks, and events | Until the parent thread is deleted | Approved workflow execution records, including run/task status, task prompts, summaries, artifact references, progress events, and cost metadata. Deleted when the associated thread is deleted or when the account is deleted. Internal ODS warehouse views mirror these records for analytics under the same deletion controls
Generated files | Until deleted by user | Stored encrypted in cloud storage
Sandbox environments | Session duration + 30 min idle | Destroyed after inactivity timeout
Memory entries | Until deleted by user | Viewable and deletable from the Memory page. Associated embedding vectors (used for semantic recall) share the same retention and are removed when the memory entry is permanently purged (e.g. on account deletion).
Dream profiles | Active + last 10 versions | Deleted on account deletion (FK cascade). Viewable from Memory → Dream tab
Audit logs | 90 days | Immutable, used for security monitoring
Team activity logs | Until app deletion | One row per tracked action on a shared agent (member added/removed, share toggled, schedule created/updated/deleted, etc.). Cascades when the agent app is deleted. The acting user’s id is replaced with a deleted-account placeholder when that user closes their account, so the action history remains coherent for surviving collaborators without exposing data tied to a deleted user
Organization invite records (org_invites) | Until revoked or org deleted | Stores the invitee email address, invite status, and role. Pending invites are deleted when revoked by an admin. Expired invites become unusable but remain in the database until the organization is deleted. All invite records cascade-delete when the organization is deleted. Accepted invites are retained for audit until org deletion
Organization billing records (org_subscriptions, org_credits, org_member_credit_caps, org_credit_operations) | Until org deleted | Stores the organization’s Stripe subscription state, shared credit pool balance, per-member monthly usage caps and cycle counters, and per-request deduction idempotency log. All records cascade-delete when the organization is deleted
Connected-database configuration | Until admin disconnects the source | Encrypted credentials and discovery metadata (database/schema names) for enterprise BYOD sources. Hard-deleted immediately when an org admin disconnects the source; cascades on organization deletion. No backup copy is retained after disconnect
Login records | 365 days | One row per session with IP, user agent, device fingerprint, and country code; used for abuse detection clustering and admin geo analytics
LLM transaction forensics (credit_deduction_logs) | 12 months | One row per LLM API call with billing metadata (cost, model, token counts) and forensic invocation details (source IP, user agent, country code, Cloudflare edge-location code, JWT issued-at and age, upstream response identifier). Used for billing reconciliation, abuse cross-referencing (e.g. detecting stolen sandbox credentials and replay attacks), and audit. After 12 months the IP address and user agent fields are anonymized/dropped; aggregated totals (cost, tokens) may be kept longer for billing analytics
Billing coupon records (billing_coupons) | As required for billing, tax, audit, fraud-prevention, and dispute records | Stores one-time coupon code, campaign type, discount terms, optional internal distributor note, Stripe coupon/promotion identifiers, creator/disable/redeemer attribution, and redemption timestamps. Redeemer email and user ID are removed when the redeemer’s account is deleted; admin email attribution is limited to internal staff audit context. Coupon email fields are excluded from the Redshift ODS warehouse view
Amplitude analytics events | Per Amplitude default retention | Usage events and session metadata exported to Amplitude for product analytics; no conversation content
Reflexio interaction analytics and retrieval records | Per Reflexio DPA and service retention policy | User chat turns and selected assistant final turns (with compact tool metadata) may be forwarded for interaction-quality monitoring; retrieval queries and resulting profile/playbook snippets may be processed to build prompt context. CREAO can disable this by removing Reflexio configuration
Acquisition attribution | Until account deletion | UTM parameters, click IDs, referring site, landing path, first-touch timestamp, last-touch timestamp, and owner-derived affiliate handle or referral code from public shared-thread and agent-install pages stored with the account to measure campaign effectiveness, credit creators, and understand signup journeys. Deleted when the account is deleted (FK cascade)
Action approvals | Until the parent is deleted | Proposed connector-write payloads, validation previews, approval/rejection audit metadata, and apply results for guarded actions. For Agent App actions, deleted when the Agent App is deleted (FK cascade). For chat thread actions, retained until the thread is deleted or the user deletes their account
Agent Store views | 90 days | Per-impression rows (authenticated viewer ID when available plus a 16-char SHA-256 hash of the IP) used for view counts, deduplication, abuse prevention, and trending ranking. Pruned daily by an automated cron at 03:30 UTC
Agent Store engagement | Until store agent or account deletion | Likes, bookmarks, shares, and written reviews (with star rating) on Agent Store listings. Deleted when the Agent Store agent is removed (FK cascade) or when the user account is deleted
Discover Skills install activity (discover_skill_installs) | Until account deletion | One row per Discover Skills entry installed by a user, used for idempotent install counts and product analytics. Deleted when the account is deleted (FK cascade)
Affiliate commission history (affiliate_commission_rate_history) | Campaign duration + 12 months | Stores affiliate link ID, KOL user ID, commission rate, effective timestamp, and admin creator identifier for revenue-share calculation, payout audit, and dispute handling. Rows are deleted when the affiliate link is deleted
Campaign enrollment records (s1_trading_challenge_participants) | Campaign duration + 12 months after results | Used for eligibility, audit, fraud prevention, prize administration, and support. Includes CREAO account identifiers, submitted WEEX UID/email, linked public X profile metadata, Discord enrollment requirement status, user-chosen public leaderboard agent name/slug, readiness/freeze status, and final rank/PnL. Total CREAO credits consumed may be computed from billing logs to determine prize eligibility; public pages may disclose eligibility status or prize-claim rank, but exact credit totals are visible only to the participant and CREAO admins. Deleted or anonymized after the retention period unless a legal, tax, security, or dispute hold applies; account deletion removes or anonymizes personal data where legally required
Campaign leaderboard snapshots (s1_trading_challenge_leaderboard_snapshots) | Campaign duration + 12 months after results | Stores time-series equity, PnL, and trade-count snapshots used for ranking, audit, and public results. Deleted or aggregated/anonymized after the retention period unless needed for prize, fraud, security, legal, or dispute records
Campaign admin action records (s1_trading_challenge_admin_actions) | Campaign duration + 12 months after results | Internal audit trail for admin operations. Actor email is internal staff, not user PII. Deleted after the retention period unless needed for prize, fraud, security, legal, or dispute records
Scheduled-run email deliveries (schedule_email_deliveries) | 30 days | Delivery records (schedule ID, run status, delivery outcome, error) created each time CREAO sends a scheduled-run summary email. Deleted automatically by nightly cron after 30 days. No email content is stored
Account data | Until account deletion | Deleted within 30 days of account closure (per GDPR Article 17 and CCPA requirements)
Linked social profiles | Until account deletion or auth-state revocation | X / Discord profile data and OAuth tokens. Discord tokens are reused for server-membership verification; X tokens are held only as proof of the link and are not used for outbound reads. Bindings are permanent (the same external identity cannot be re-linked to a different CREAO account, to prevent reward-farming). Deleted when the CREAO account is deleted (FK cascade) and also automatically wiped whenever authentication state is revoked (password reset, admin force-logout, account ban) so an attacker-attached link cannot outlive the security event. Provider-side revocation (X / Discord settings) immediately invalidates the stored token but leaves the binding row in place
Payment data | As required by law | Managed by Stripe; CREAO does not store card numbers

Contact

For privacy and compliance inquiries or Data Processing Agreement (DPA) requests, contact privacy@creao.ai. CREAO, Inc. acts as the data controller for personal data processed through the platform.