Summary: We collect only the data we need to provide our services, we never sell it, and we give you full control to access, correct, or delete it. This policy explains the details.
Contents
1. Data Controller
Kreativa Tech S.A. ("Kreativa", "we", "us", "our") is the data controller for personal data processed through our website (kreativacr.com) and our security platform.
Registered address: San José, Costa Rica
Email: privacy@kreativacr.com
EU Representative: Available on request for EU/EEA data subjects
2. Data We Collect
Information you provide
- Contact form submissions: name, work email, company, role, and message content
- Account registration: email address, company name, billing information (processed by our payment provider)
- Support requests: correspondence and diagnostic information you share with us
Information collected automatically
- Usage analytics: pages visited, time on site, referring URL (anonymised IP)
- Technical data: browser type, operating system, screen resolution
- Cookies: see Section 10 for full cookie details
Platform data (enterprise customers)
When you use our security platform, we process security event data (network logs, alerts, endpoint telemetry) as a data processor on your behalf. This is governed by our Data Processing Agreement (DPA), not this Privacy Policy.
3. How We Use Your Data
- Responding to demo requests and sales inquiries
- Providing and improving our platform and services
- Sending product updates and security advisories (opt-in only for marketing)
- Preventing fraud, abuse, and ensuring platform security
- Legal compliance obligations
We do not sell, rent, or trade personal data to third parties for their marketing purposes.
4. Legal Basis for Processing (GDPR)
- Contract performance: Processing required to provide our services to you
- Legitimate interests: Analytics, fraud prevention, product improvement (balanced against your privacy rights)
- Consent: Marketing communications — you may withdraw consent at any time
- Legal obligation: Compliance with applicable laws and regulations
5. Data Sharing
We share data with the following categories of processors, all bound by data processing agreements:
- Cloud infrastructure: AWS (EU regions) and Microsoft Azure
- Form processing: Formspree (contact form submissions)
- Analytics: Anonymised usage data only
- Payment processing: Stripe (we never store card numbers)
We may disclose data where required by law, court order, or to protect the rights and safety of Kreativa, our customers, or the public.
6. Data Retention
- Contact form data: 3 years from last interaction, unless you request deletion
- Account data: Duration of contract + 7 years for legal/financial records
- Analytics data: 26 months, then deleted or fully anonymised
- Platform security data: Per the retention schedule in your DPA
7. Security Measures
We implement industry-leading security controls including:
- AES-256 encryption at rest and TLS 1.3 in transit
- SOC 2 Type II certified infrastructure
- ISO 27001:2022 certified management systems
- Annual third-party penetration testing
- Role-based access control and multi-factor authentication for all staff
8. International Data Transfers
By default, data from EU/EEA visitors is processed and stored within the EU (Ireland and Frankfurt). Any transfer outside the EEA is covered by Standard Contractual Clauses (SCCs) approved by the European Commission. US customers' data is processed in AWS US-East-1 and US-West-2.
9. Your Rights
Under GDPR and applicable law, you have the right to:
- Access: Request a copy of personal data we hold about you
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your personal data ("right to be forgotten")
- Portability: Receive your data in a machine-readable format
- Objection: Object to processing based on legitimate interests
- Restriction: Request that we restrict processing in certain circumstances
- Withdraw consent: For marketing emails, click unsubscribe in any email
To exercise any right, email privacy@kreativacr.com. We respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.
10. Cookies
We use the following cookie categories:
- Strictly necessary: Session management and security. Cannot be disabled.
- Analytics (opt-in): Anonymised page view analytics to improve the site
- Marketing (opt-in): Used only if you accept cookies on our banner
You can manage cookie preferences at any time by clicking "Cookie Settings" in our banner, or by clearing cookies in your browser. Most browsers also allow you to block all cookies; note this may affect site functionality.
11. California Consumer Privacy Act (CCPA)
If you are a California resident, you have additional rights under CCPA, including the right to know what personal information is collected, the right to delete personal information, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise CCPA rights, contact us at privacy@kreativacr.com or write to us at our address above.
12. Children's Privacy
Our services are intended for business users aged 18 and over. We do not knowingly collect data from children under 16. If you believe we have inadvertently collected data from a child, please contact us immediately.
13. Changes to This Policy
We will post any material changes to this policy on this page with a revised "Last updated" date. For significant changes, we will notify active customers by email at least 30 days before the changes take effect.
14. Contact & Data Protection Officer
For privacy questions, data requests, or to contact our DPO:
Email: privacy@kreativacr.com
Post: Kreativa Tech S.A., Attn: Privacy Team, San José, Costa Rica
We aim to respond to all requests within 5 business days and to complete them within 30 days.