Privacy Policy — Creatinsta Dashboard
Creatinsta
Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság

Privacy Policy

How we collect, use, and protect your data

Effective: March 12, 2026

1 Data Controller

Creatinsta Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság
Registered address: 8130 Enying, Erkel Ferenc utca 1/A, Hungary
Tax number: 14145757-2-07
Email: hello@creatinsta.agency
Website: https://creatinsta.agency

Creatinsta Kft. ("Creatinsta", "we", "us", or "our") operates the PPC and Social Dashboard (the "Dashboard"), a software-as-a-service platform for advertising performance management. We are the data controller for personal data processed through the Dashboard as described in this Privacy Policy.

Where we act as a data processor on behalf of our client companies (advertisers), the respective client company is the data controller for the end-consumer data they bring into the platform. Creatinsta processes such data only under documented instructions from the client and in accordance with applicable data processing agreements.

2 Scope and Applicability

This Privacy Policy applies to all personal data processed in connection with:

  • Access to and use of the Dashboard at any subdomain or deployment of creatinsta.agency
  • OAuth authentication flows connecting third-party advertising and social media accounts
  • Data synchronisation from Meta (Facebook/Instagram), Google Ads, TikTok, and WooCommerce
  • Account registration, team management, and client administration features
  • Communications with Creatinsta via email or in-platform support

This policy does not cover third-party websites or platforms to which the Dashboard may link. Please review those platforms' own privacy policies.

3 Data We Collect

3.1 Account and User Data

When a user account is created, we collect:

  • Email address
  • Display name
  • Role (agency admin, agency member, or client user)
  • Hashed password (managed by Supabase Auth — we never store plain-text passwords)
  • Account creation timestamp and last sign-in timestamp

3.2 OAuth Credentials and Tokens

To connect advertising and social accounts, we store OAuth tokens obtained through authorised OAuth flows with Meta, Google, and TikTok. Specifically:

  • Access tokens and refresh tokens for Meta (Facebook/Instagram)
  • Access tokens and refresh tokens for Google (Google Ads and Google Analytics 4)
  • Access tokens and refresh tokens for TikTok Ads (Business API)
  • Access tokens and refresh tokens for TikTok Organic (Open Platform)
  • WooCommerce API consumer keys and consumer secrets (Basic Auth)

Tokens are stored encrypted at rest in our database and are used exclusively to retrieve advertising performance and social analytics data on behalf of the agency.

3.3 Advertising and Analytics Performance Data

We retrieve and store aggregated daily performance metrics from connected platforms. This data relates to advertising campaigns and does not include individual end-consumer personal data. Metrics include:

  • Ad spend, impressions, clicks, CTR, CPC, ROAS, conversions
  • Google Analytics 4: sessions, users, conversion rate
  • WooCommerce: order count, revenue, average order value
  • Facebook/Instagram: page reach, impressions, engaged users, follower count, top post engagement
  • TikTok (organic): follower count snapshot, video view count, likes, comments, shares

3.4 Client and Ad Account Configuration

  • Client company names and identifiers
  • Connected ad account IDs and platform identifiers
  • KPI targets and custom metric configuration
  • WooCommerce store URLs
  • Social media page/account IDs and display names

3.5 Usage and Technical Data

  • IP address (collected by the hosting provider at request level)
  • Browser type and version (from HTTP headers)
  • Sync logs: timestamps, success/failure status, error messages from data sync jobs
  • Server-side logs retained by the hosting infrastructure (Vercel)

4 Legal Basis for Processing

We process personal data only where we have a valid legal basis under the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Hungarian Privacy Act (Infotv.). The following table summarises our processing activities and their legal bases:

Processing Activity | Legal Basis (GDPR Art.)
Creating and managing user accounts | Contract performance — Art. 6(1)(b)
Storing and using OAuth tokens to sync ad data | Contract performance — Art. 6(1)(b)
Storing WooCommerce API credentials | Contract performance — Art. 6(1)(b)
Displaying performance dashboards to agency and client users | Contract performance — Art. 6(1)(b)
Sending transactional emails (password reset, sync alerts) | Contract performance — Art. 6(1)(b)
Retaining sync logs for troubleshooting | Legitimate interests — Art. 6(1)(f)
Security logging and fraud prevention | Legitimate interests — Art. 6(1)(f)
Compliance with legal obligations (tax, accounting) | Legal obligation — Art. 6(1)(c)

Where we rely on legitimate interests, we have assessed that our interests do not override the rights and freedoms of data subjects.

5 How We Use Your Data

We use collected data solely for the following purposes:

  • Service delivery: Authenticate users, display performance dashboards, and sync advertising and social data from connected platforms.
  • Platform integrations: Use stored OAuth tokens to make authorised API calls to Meta, Google, TikTok, and WooCommerce on behalf of the agency.
  • Notifications and alerts: Send system notifications such as password reset emails and sync failure alerts.
  • Support and troubleshooting: Use sync logs and error messages to diagnose and resolve technical issues.
  • Security: Detect and prevent unauthorised access, abuse, and fraud.
  • Legal compliance: Meet our obligations under applicable law.

We do not sell, rent, or trade personal data to third parties. We do not use personal data for automated profiling or decision-making that produces significant legal effects on individuals.

6 Third-Party Processors and Integrations

We engage the following sub-processors to deliver the Dashboard. Each processor has been assessed for adequate data protection standards:

Processor | Role | Location | Basis for Transfer
Supabase Inc. | Database hosting, authentication (PostgreSQL + Auth) | EU (Frankfurt, AWS eu-central-1) | Adequacy / SCCs
Vercel Inc. | Application hosting, serverless functions, edge network | USA (primarily) + global CDN | SCCs / Data Processing Addendum
Meta Platforms Ireland | Ad data and social analytics API (Facebook, Instagram) | Ireland (EU) | Adequacy (EU entity)
Google Ireland Limited | Google Ads and Google Analytics 4 API | Ireland (EU) | Adequacy (EU entity)
TikTok Technology Limited | TikTok Ads and TikTok Open Platform API | Ireland (EU) / Singapore | SCCs
WooCommerce (Automattic) | E-commerce order and revenue data (client-hosted stores) | USA | SCCs / Data Processing Addendum

Data shared with these processors is limited to what is strictly necessary for the stated purpose. We do not authorise processors to use the data for their own purposes.

Note on platform APIs: When we retrieve data from Meta, Google, or TikTok, we act under the authorisation granted by the agency via OAuth. The agency is responsible for ensuring it has appropriate permissions and legal basis to allow Creatinsta to access the data through those APIs.

7 International Data Transfers

Our primary database is hosted in the EU (Supabase on AWS Frankfurt). However, certain sub-processors (Vercel, TikTok, WooCommerce/Automattic) may process data in the United States or other countries outside the European Economic Area (EEA).

For transfers outside the EEA, we rely on one or more of the following safeguards:

  • European Commission adequacy decisions
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Binding data processing agreements incorporating appropriate safeguards

You may request a copy of the transfer mechanisms in place by contacting us at hello@creatinsta.agency.

8 Data Retention

Data Category | Retention Period
User account data | Until account deletion, then 30 days for recovery period
OAuth tokens | Until the connected account is disconnected or the credential is revoked
Daily ad performance metrics | 3 years from the date of the metric
Social daily metrics (reach, impressions, followers) | 3 years from the date of the metric
Social post data | Refreshed on each sync; latest snapshot retained until connection is removed
Sync logs | 90 days
WooCommerce order data (aggregated daily) | 3 years from the date of the metric
Billing and contractual records | 8 years (Hungarian accounting law requirement)

When a client account is deleted, all associated ad accounts, social connections, daily metrics, and OAuth credentials are deleted within 30 days. Aggregate statistics derived from user accounts may be retained in anonymised form, from which individual users can no longer be identified.

9 Cookies and Tracking Technologies

The Dashboard uses a minimal set of cookies required for operation:

Cookie Name | Purpose | Type | Duration
sb-*-auth-token | Supabase session authentication | Strictly necessary | Session / up to 7 days
sb-*-auth-token-code-verifier | PKCE code verifier used to complete the Supabase Auth sign-in (OAuth) flow | Strictly necessary | Session

We do not use tracking cookies, advertising cookies, or third-party analytics cookies on the Dashboard. No cookie consent banner is displayed because no non-essential cookies are set.

The public-facing website at creatinsta.agency may use cookies independently — please refer to the cookie settings on that site.

10 Security Measures

We implement the following technical and organisational measures to protect personal data:

  • Encryption in transit: All connections use TLS 1.2 or higher.
  • Encryption at rest: Database storage is encrypted at rest by Supabase (AES-256).
  • Row Level Security (RLS): PostgreSQL row-level policies are enforced in the database itself, so agency users can only read data belonging to their own clients and client users can only read their own client's data, regardless of which query the application issues.
  • Authentication: User authentication is managed by Supabase Auth, which hashes passwords with bcrypt and issues signed session tokens (JWTs) together with refresh tokens.
  • API key isolation: The Supabase service role key, which bypasses RLS, is used only in server-side code and is never sent to the browser.
  • OAuth state validation: Each OAuth flow starts with a random state value bound to the user's session; every OAuth callback route checks that the provider returned the same value before exchanging the authorisation code, which prevents cross-site request forgery (CSRF) against the account-connection step.
  • Access control: Role-based access control (agency_admin, agency, client) restricts functionality to authorised users.
  • Cron secrets: Endpoints that run automated sync jobs require a shared secret on every request and reject requests that do not present it.

Despite our security measures, no system is completely immune to breaches. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of it, and affected individuals without undue delay where the breach is likely to result in a high risk to them, as required by GDPR Art. 33 and 34.

11 Your Rights Under GDPR

If you are an individual whose personal data we process, you have the following rights under GDPR:

Right | Description
Right of Access (Art. 15) | Request a copy of the personal data we hold about you and information about how it is processed.
Right to Rectification (Art. 16) | Request correction of inaccurate or incomplete personal data.
Right to Erasure (Art. 17) | Request deletion of your personal data where there is no compelling reason for its continued processing.
Right to Restriction (Art. 18) | Request that we restrict the processing of your data under certain circumstances.
Right to Data Portability (Art. 20) | Receive your personal data in a structured, machine-readable format and transmit it to another controller.
Right to Object (Art. 21) | Object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
Right to Withdraw Consent (Art. 7) | Where processing is based on consent, withdraw consent at any time without affecting prior processing.
Right Not to Be Subject to Automated Decisions (Art. 22) | Not to be subject to decisions based solely on automated processing that produce significant legal effects. We do not engage in such processing.

To exercise any of these rights, contact us at hello@creatinsta.agency. We will respond within 30 days. We may need to verify your identity before processing your request.

If you are a client user (not an agency user), some of these rights may need to be exercised through the agency that manages your account, as the agency may be the data controller for your data within the platform.

12 Children's Privacy

The Dashboard is a professional B2B tool intended solely for business users aged 18 and over. We do not knowingly collect personal data from individuals under 18. If we become aware that a minor has provided us with personal data, we will delete it promptly.

13 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, or applicable law. When we make material changes, we will:

  • Update the "Effective" date at the top of this document
  • Notify agency administrators by email at least 14 days before the changes take effect
  • Post the updated policy at the URL where this policy is accessible

Continued use of the Dashboard after the effective date constitutes acceptance of the updated policy.

14 Contact and Supervisory Authority

For any questions, requests, or concerns relating to this Privacy Policy or our data processing activities, please contact us:

Creatinsta Kft.
8130 Enying, Erkel Ferenc utca 1/A, Hungary
Email: hello@creatinsta.agency
Website: https://creatinsta.agency

If you are not satisfied with our response, you have the right to lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH):

Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)
Address: 1055 Budapest, Falk Miksa utca 9-11, Hungary
Phone: +36 1 391 1400
Email: ugyfelszolgalat@naih.hu
Website: https://www.naih.hu

If you are located in another EU/EEA member state, you may also contact your local data protection authority.