Privacy Policy

What Creaters Is

Creaters is a project discovery, role listing, application, and collaborator-introduction platform. Founders can share projects, publish roles, review applicants, and manage project visibility. Applicants can build a profile, apply to roles, upload a Resume/CV, and control how contact details are shared.

This Privacy Policy explains how Creaters collects, uses, protects, retains, and deletes data in the current service. It is written as practical product privacy copy and is not a substitute for advice from a qualified lawyer.

Creaters is designed around public, private, and authorized visibility. Public information may be visible to visitors and search engines. Private and authorized information is protected through server-side checks, database policies, and short-lived access links where applicable.

Privacy Contact

For privacy, deletion, security, support, or data-access questions, contact Creaters through the Contact page or email support@creaters.org. If you are asking about an account, use the email address associated with that account whenever possible so ownership can be verified.

Creaters may ask for additional information before acting on a privacy or deletion request. This helps prevent unauthorized people from changing or deleting someone else's account, application, files, or profile data.

Account and Profile Data

Creaters uses Supabase Auth for account sessions. Account data can include user id, email address, authentication provider, sign-in metadata, session state, password-auth status if used, OAuth identity identifiers, timestamps, and security-related account events.

Profile data can include first name, last name, display name, avatar, biography, country or region, contact number, Telegram handle, LinkedIn URL, GitHub URL, portfolio URL, profile visibility settings, Terms acknowledgement timestamp, and account-completion status.

Some profile fields are required so Creaters can keep project and application workflows accountable. Contact number is treated as a contact signal, not as proof of identity. Members remain responsible for keeping profile and contact information accurate.

OAuth and Connected Accounts

If you sign in with or connect Google, GitHub, LinkedIn, or another supported provider, the provider may send Creaters identity metadata such as provider id, username, display name, email address, avatar URL, and account-linking status.

Creaters uses OAuth metadata to authenticate users, prefill profile fields, show connected-account controls, preserve login destination, and support GitHub repository selection where that feature is enabled.

Creaters does not need your provider password. OAuth client secrets are handled through the provider and Supabase configuration, not through public browser code. You can manage linked identities from the connected accounts area when the provider and Supabase project support linking.

Projects, Roles, and Public Content

Project data can include title, project description, proof of effort, country or region, industry, tech stack, project status, public/private setting, founder id, project links, repository metadata, link visibility, and activity timestamps.

Role data can include role title, description, requirements, country or region, application questions, status, project id, and timestamps. Public active projects and roles can appear on the Feed, Opportunities, project detail pages, sitemap, and search-engine-accessible pages.

Private projects are intended to stay out of public discovery. Creaters may still store private project records so the founder can continue editing, manage visibility, or preserve internal workflow history.

Applications, Review, and Drafts

Application data can include applicant id, founder id through the related project, project id, opportunity id, application status, applicant remarks, answers to role questions, multiple-choice selections, submitted timestamps, review actions, and match or close-listing outcomes.

Application drafts may be stored locally in the browser or in account-backed draft records, depending on the workflow. Drafts are used to help applicants resume work and may not include uploaded files. Browser-stored drafts remain on that device until submitted, discarded, overwritten, or cleared by the browser.

Founders can review applications only for projects they are authorized to manage. Applicants can review their own submitted applications and drafts through the authenticated dashboard.

Resume/CV Files and Private Storage

Resume/CV files submitted with applications are stored in a private Supabase Storage bucket. The current app accepts PDF, DOCX, and DOC files within the configured size and type limits, and validates file metadata and file structure server-side before finalizing an application.

Creaters uses short-lived signed URLs for authorized document access. These links are intended to expire quickly and are generated only after server-side authorization checks confirm that the requester is the applicant, an authorized founder, or another permitted server-side actor.

Do not upload documents containing information you do not want reviewed by the receiving founder or processed by Creaters infrastructure. If you upload sensitive information, you are responsible for ensuring you have the right to share it.

Public, Private, and Authorized Visibility

Creaters uses visibility settings to decide whether fields are public, private, or authorized. Public fields can be visible to visitors and search engines. Private fields are intended for the owner and authorized backend workflows. Authorized fields can be revealed after accepted applications, accepted connections, founder ownership, or another server-side rule allows access.

Profile fields, contact details, project links, GitHub repository links, public profiles, project pages, role pages, and dashboard views each have their own visibility and authorization rules. Creaters does not rely only on hidden buttons or robots rules to protect private data.

Members should review visibility settings before publishing projects, adding links, applying to roles, or accepting connections. Once another person sees or receives information off platform, Creaters cannot control copies they keep outside Creaters systems.

Contact Form, Support, and Screenshots

The Contact form can collect category, title, description, page URL, browser user agent, viewport size, optional screenshot file metadata, stored screenshot path, related error event id, account id when signed in, and support workflow status.

Contact screenshots are stored in a private bucket and should be used only for support, bug triage, abuse review, product feedback, and reliability work. Members should avoid uploading screenshots that expose other people's private information unless necessary for support.

Creaters may send acknowledgement emails to the requester and support notifications to the Creaters support address. Email content may include the submitted category, title, description, and internal reference details needed to handle the request.

Analytics, Logs, and Observability

Creaters may use Vercel Analytics, Vercel Speed Insights, application logs, Supabase logs, database logs, storage logs, and error monitoring to understand reliability, route performance, usage patterns, security events, and production issues.

Operational logs can include IP-derived request metadata, route paths, timestamps, user agent, status codes, performance timings, error messages, and request identifiers. These logs are used to debug the service, detect abuse, measure performance, and maintain security.

If error-session replay or similar debugging is enabled, it should be configured to mask text, inputs, media, and normal user sessions by default. Creaters should avoid collecting unnecessary sensitive content through monitoring tools.

Service Emails and Delivery Events

Creaters may send transactional emails such as application notifications, application acceptance notices, connection notifications, digest emails, welcome emails, contact acknowledgements, account lifecycle messages, and support messages.

Email providers such as Resend may process recipient addresses, sender address, subject, message metadata, delivery status, bounce or complaint events, provider ids, timestamps, and webhook event payloads so Creaters can deliver messages and investigate delivery problems.

Supabase Auth emails and Creaters app notification emails are separate systems. Password reset, confirmation, magic link, and account-authentication emails may be handled through Supabase Auth configuration, while application and support notifications may be handled through Creaters Edge Functions.

Cookies, Local Storage, and Session Storage

Creaters uses authentication cookies and Supabase session state to keep users signed in, protect authenticated routes, and complete login or OAuth callback flows. Some cookies or storage entries are necessary for authentication and security.

The app may use local storage or session storage for temporary UI state such as profile drafts, project form recovery, application drafts, viewed-item markers, theme preference, OAuth return state, one-time messages, or recent submission state.

Local and session storage are controlled by the user's browser. Clearing browser data, using another device, or using a private browser mode can remove local drafts or session state.

Security Measures

Creaters uses Supabase Row Level Security, server-side authorization, private storage buckets, signed URLs, environment separation, rate-limit events where implemented, OAuth origin checks, deployment preflight checks, and service-role isolation for trusted backend operations.

Service-role credentials and provider secrets must not be exposed in client bundles, public logs, screenshots, docs, or support messages. Browser clients receive only public configuration needed to use Supabase safely.

No online service can promise perfect security. Members should use strong passwords where password auth is enabled, keep OAuth accounts secure, review connected accounts, and report suspicious behavior quickly.

Retention

Creaters retains data for as long as needed to provide the service, maintain user accounts, support founders and applicants, comply with legal obligations, prevent abuse, investigate disputes, preserve audit trails, and operate security or reliability systems.

Different records can have different retention periods. Account data, project records, applications, contact submissions, email events, logs, rate-limit events, and storage objects may be retained or deleted under different rules based on their purpose and risk.

Creaters may keep backups or infrastructure logs for a limited period even after data is removed from the active product. Backups are intended for security, disaster recovery, and operational continuity, not for active public display.

Account Deletion

Members can request account deletion from the profile page when the account is accessible. Account deletion has a 7-day grace period. During that grace period, the account remains usable and the deletion request can be cancelled from the profile page.

After final deletion, Creaters anonymizes or removes profile identifiers where practical, hides founded projects from public discovery where the deletion workflow controls those records, removes or anonymizes connection data, and prevents new founder-facing access to deleted-user Resume/CV files.

Some application records, review history, security records, support records, and Resume/CV files may be retained in anonymized or admin-only form for founder protection, abuse investigation, appeals, disputes, legal compliance, and audit trails. See the Data Deletion page for the current workflow.

International Users and Minors

Creaters may be used by members in different countries. Data may be processed by hosting, database, analytics, storage, email, and monitoring providers in countries outside the user's location. Members should not upload information they are not permitted to transfer or share.

Creaters is intended for people who are old enough to manage project, application, and professional collaboration responsibilities in their jurisdiction. Minors should use the service only with appropriate permission from a parent, guardian, school, or other responsible adult where required.

Changes to This Policy

Creaters may update this Privacy Policy as the service, legal requirements, providers, or product workflows change. The updated date will change when the policy is materially revised.

If a change materially affects how Creaters handles personal data, Creaters should provide notice in a reasonable way, such as through the site, email, or account surfaces, depending on the nature of the change.