Privacy Policy
Last updated: 16 June 2026
This Privacy Policy explains how we collect, use, share, and protect personal data when you visit our marketing website at https://createen.pl ("Website") and when you use the Createen application (the "Service"). It also describes your rights under the GDPR.
1. Data Controller
The controller of your personal data is Dawid Zbiński, ul. gen. Władysława Sikorskiego 15/15, 34-400 Nowy Targ, Poland (NIP 7352921429, REGON 528114982). You can contact us about privacy matters at support@createen.pl.
This Privacy Policy describes how we process personal data as a controller — for example your account and usage data. Where you, as our customer, entrust us with personal data of third parties (your clients, contacts or their representatives) by using the Service, we act as a processor on your behalf, and that processing is governed by our Data Processing Agreement (DPA).
2. Data We Collect
2.1 Marketing website
Our marketing website collects almost no personal data on the server side. With your consent, we use Google Tag Manager and Google Analytics to understand how the Website is used (see our Cookie Policy). Analytics only run after you opt in via the cookie consent banner. We also store, locally in your browser, a consent-preference entry (createen-consent) and a theme preference (createen-theme); these stay on your device and are not transmitted to us.
2.2 The Service (application)
When you use the Createen application, we process the data you and your team provide and generate, including:
- Account data — your email address, name, and authentication credentials (passwords are stored hashed, never in plain text).
- Workspace data — clients, projects, tasks, schedules, notes, and related records you create.
- Uploaded files — media assets and invoice documents you upload, stored on our object-storage provider.
- Invoice data — fields extracted from uploaded invoices using an AI provider, plus payment records you enter.
- Communications — transactional emails we send you (e.g. verification, review notifications) via our email provider, and, only if you opt in, occasional product and marketing emails (see Section 2.3).
- Technical data — authentication cookies and limited server logs necessary to operate and secure the Service.
- Product analytics — to understand how the application is used and improve it, we use PostHog (a first-party, EU-hosted analytics tool) to capture aggregated, privacy-preserving usage events and limited device/technical data. Autocapture is configured to be non-invasive: it does not capture the content you type, and we do not record your screen (session replay is disabled).
2.3 Marketing emails
Product and marketing emails are strictly opt-in. We send them only if you tick the optional consent box at signup or enable "Product & marketing emails" in your account settings. We use your email address solely to send you news about new features and changes to Createen — we never sell or share it for marketing, and never disclose it to third parties for their own marketing. You can withdraw consent at any time by toggling the setting off in your account or using the unsubscribe option in any such email; this does not affect transactional emails required to operate the Service.
3. Purposes and Legal Bases
We process personal data on the following legal bases under Article 6 GDPR:
- Performance of a contract (Art. 6(1)(b)) — to create and manage your account, provide the Service, process your workspace and uploaded data, and provide support.
- Consent (Art. 6(1)(a)) — for non-essential cookies and analytics on the Website, and for optional product and marketing emails (see Section 2.3). You can withdraw consent at any time.
- Legitimate interests (Art. 6(1)(f)) — to secure our systems, prevent fraud and abuse, maintain service integrity, and improve the Service (including non-invasive product analytics within the application), where these interests are not overridden by your rights.
- Legal obligation (Art. 6(1)(c)) — to comply with accounting, tax, and other legal requirements.
4. Subprocessors and Sharing
We do not sell your personal data. We share data with carefully selected service providers ("subprocessors") who process it on our behalf under data processing agreements. The principal subprocessors are:
| Subprocessor | Purpose | Data involved |
|---|---|---|
| Cloudflare (R2) | Object storage for uploaded media and invoice files | Uploaded files |
| Resend | Transactional and (opt-in) marketing email delivery | Email address, message content |
| Anthropic | AI-assisted extraction of fields from uploaded invoices | Invoice document contents |
| PostHog (EU) | Product analytics for the application (aggregated usage events; session replay disabled) | Aggregated usage and device data, user id (no typed content) |
| Google (Tag Manager / Analytics) | Marketing-website analytics (consent-based only) | Usage and device data |
| netcup GmbH (Germany) | Server infrastructure hosting the application and database (self-managed via Dokploy, PostgreSQL) | All Service data at rest |
We may also disclose data where required by law, to enforce our agreements, or to protect the rights, safety, and security of Createen, our users, or the public.
5. International Transfers
Some subprocessors may process data outside the European Economic Area (EEA). Where this occurs, we rely on appropriate safeguards under the GDPR, such as the European Commission's Standard Contractual Clauses (SCCs) or an adequacy decision.
6. Data Retention
We retain personal data for as long as your account is active and as needed to provide the Service. After account closure we delete or anonymize personal data within a reasonable period, except where we must retain certain data to comply with legal obligations (for example, invoicing and tax records) or to resolve disputes.
7. Your Rights
Under the GDPR you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Erasure ("right to be forgotten") in certain circumstances;
- Restrict or object to certain processing, including processing based on legitimate interests;
- Data portability — receive your data in a structured, commonly used, machine-readable format;
- Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
To exercise any of these rights, contact us at support@createen.pl. You also have the right to lodge a complaint with a supervisory authority. In Poland this is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych — UODO / PUODO), uodo.gov.pl.
8. Cookies
We use cookies and similar local-storage technologies on both surfaces. On the marketing Website, non-essential analytics cookies (Google) are set only after you opt in via the consent banner. The application (Service) separately uses first-party PostHog analytics cookies/local storage under our legitimate interest; these are non-invasive and do not track you across other websites. For full details and to manage your preferences, see our Cookie Policy.
9. Children
The Service is intended for business and professional use and is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us personal data, please contact us and we will delete it.
10. Security
We implement appropriate technical and organizational measures to protect personal data, including encryption in transit, hashed passwords, access controls, and tenant isolation between client workspaces. No method of transmission or storage is completely secure, but we work to protect your data and to address vulnerabilities promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be indicated by updating the "Last updated" date above and, where appropriate, by additional notice. Please review this page periodically.
12. Contact
For any privacy questions or requests, contact Dawid Zbiński at support@createen.pl or at ul. gen. Władysława Sikorskiego 15/15, 34-400 Nowy Targ, Poland.