Privacy Policy

Kree8 Studios Ltd ("we", "us", "our") is a UK-based creative agency, registered in England & Wales under company number 17201939. Registered office: 128 City Road, London, United Kingdom, EC1V 2NX. This policy describes what data we collect when you visit kree8studios.com, sign up for the Kree8 platform at app.kree8studios.com, or get in touch — and what we do with it. If you have questions about this policy, contact us at hello@kree8studios.com.

We collect the minimum data needed to run the business, deliver our platform, and respond to enquiries: • Marketing site — information you submit through the contact form (name, email, company, project details), newsletter sign-ups (email only), and anonymised analytics via Google Analytics 4 (browser, country, pages viewed). • Kree8 platform account — name, email, password hash, organisation, role, profile photo (optional), and timezone. • Content you upload — briefs, scripts, photo and video files, contracts, and messages exchanged with our team through the platform. • Google account data — if you choose to connect Google Calendar, we receive the email of the connected Google account, OAuth access and refresh tokens, your calendar ID, and free/busy + event metadata (titles, start/end times, locations) for calendars you grant us access to. See section 3 below. • Social-platform data — if you connect Instagram, TikTok, YouTube, Facebook, or LinkedIn for scheduling and analytics, we receive the access tokens and the published-post metadata those platforms return. • Operational logs — IP address, user agent, and request timestamps, kept for security and debugging.

If you connect a Google Calendar to the Kree8 platform, we request the following OAuth scopes: • https://www.googleapis.com/auth/calendar.events — to create, update, and delete shoot calendar events on your behalf. • https://www.googleapis.com/auth/calendar.freebusy — to check your availability for shoot scheduling. What we do with Google user data: • We read free/busy windows to show which dates a videographer is available, and we write calendar events for confirmed shoots so they appear on your Google Calendar. • We never sell Google user data. • We never use Google user data to serve advertising, including retargeting, personalised, or interest-based advertising. • We never use Google user data to train, improve, or develop generalised or non-personalised AI/ML models. Google Calendar event data is not sent to Anthropic Claude or any other AI provider. • We never share Google user data with third parties except as required to provide the user-facing feature you've requested (e.g. our hosting provider serving the request) or as required by law. • Human access to Google user data is restricted to (a) Kree8 staff with a documented need to support you, after your explicit consent, (b) automated processing required to deliver the feature, (c) compliance with applicable law, and (d) aggregated, anonymous statistics with all identifying data removed. How to revoke access: you can disconnect Google Calendar from inside the Kree8 platform (Settings → Integrations → Disconnect), or revoke access at any time via your Google Account at myaccount.google.com/permissions. When you revoke, we delete the stored OAuth tokens and stop accessing your calendar; previously-created calendar events remain on your calendar unless you delete them.

Limited Use Disclosure

Kree8 Studios' use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. This applies in full to all data obtained via Google Workspace APIs (including Google Calendar) and to any features that use AI services such as Anthropic Claude — Google Workspace API data is never used to develop, improve, or train generalised or non-personalised AI/ML models, and is never sent to AI providers.

We use industry-standard mechanisms to keep your data secure, with stronger protections applied to sensitive data such as Google user data, OAuth credentials, payment information, and uploaded contracts: • Encryption in transit — all traffic to kree8studios.com and app.kree8studios.com is served over HTTPS/TLS 1.2+. • Encryption at rest — our database and file storage encrypt all stored data using AES-256. • OAuth tokens (sensitive) — Google and social-platform access and refresh tokens are stored encrypted at the application layer in our database and are only decrypted server-side at the moment they're needed to call the relevant API. They are never exposed to the browser, logs, or analytics tools. • Access control — role-based access in the platform restricts each user to data their organisation owns. Production database access is limited to a small number of named staff, requires multi-factor authentication, is granted on a least-privilege basis, and admin actions are logged. • Segregation — Google user data is processed only within Kree8 systems and is never copied to AI providers, analytics tools, or marketing tools. • Secure development — code changes are peer-reviewed, dependencies are monitored for vulnerabilities, and secrets are managed via a dedicated secret store (never committed to source). • Backups — automated daily database backups are encrypted and access-controlled, and retained for 7 days. • Incident response — if we discover a personal-data breach affecting you, we will notify the ICO within 72 hours where required, and notify affected users without undue delay.

We use a small number of trusted vendors to run the platform. Each is bound by a data processing agreement and is reviewed for security and privacy posture: • Supabase (database, authentication) — EU region. Stores account data, content metadata, OAuth tokens (encrypted). • Cloudflare R2 (file storage) — stores uploaded photos, videos, contracts, and other content files. Encrypted at rest. • Vercel (application hosting) — runs the kree8studios.com and app.kree8studios.com web applications. • Resend (transactional email) — sends booking confirmations, invoices, and notifications. • Anthropic (Claude AI) — powers AI-assisted features inside the platform (see section 8). • Zernio (social publishing API) — used to schedule and publish posts to social platforms you've connected. • Stripe (payments) — processes subscription and invoice payments. We do not store full card numbers. • Google Analytics 4 — anonymised marketing-site analytics only. A current sub-processor list is available on request from hello@kree8studios.com.

We use the data above to: • Reply to your enquiries and scope your projects. • Deliver the Kree8 platform — accounts, content delivery, contracts, billing, messaging, and scheduling. • Schedule shoots and synchronise them with your Google Calendar (if connected). • Publish, schedule, and report on social content (if you've connected social accounts). • Send transactional email (booking confirmations, invoices, contract notifications) and — if you've opted in — occasional studio updates. • Investigate security incidents and prevent abuse. We do not sell, rent, or share your data with third parties for their own marketing purposes.

Some platform features (content idea generation, brief drafting, message reply suggestions, website analysis) use Anthropic's Claude models. When you use one of these features, the content you submit to that feature — for example a brief description, a website URL, or a message thread you're replying to — is sent to Anthropic's API for processing. What we send and what we don't: • We only send the specific content needed to fulfil the feature. We do not feed your account-wide data, contract terms, billing data, or Google Workspace API data (including Google Calendar data) into AI prompts. • Anthropic processes the request and returns a result; under Anthropic's commercial terms, your inputs and outputs are not used to train Anthropic's models. • We log AI requests for debugging and abuse prevention, and these logs are retained for up to 30 days. You can avoid AI processing entirely by not using the AI-assisted features. Use of AI services does not change our Limited Use commitment in section 4: Google Workspace API data is never sent to Anthropic or any other AI provider.

We use a small number of cookies — strictly necessary cookies for the site and platform to function (authentication, CSRF protection, session state), plus analytics cookies (Google Analytics 4) on the marketing site only. You can decline analytics cookies via your browser settings or our cookie banner. The Kree8 platform does not use advertising cookies.

Under UK and EU GDPR you have the right to: • Access the personal data we hold about you. • Correct inaccurate data. • Delete your data (right to erasure). • Export your data in a portable format. • Restrict or object to certain processing. • Withdraw consent at any time (where processing is based on consent). • Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority. To exercise any of these rights, email hello@kree8studios.com. We'll respond within 30 days. Account holders can also delete their account directly from Settings → Account → Delete account, which removes profile data, content, and tokens from our systems within 30 days (some data may be retained longer where required by law — e.g. invoices for tax purposes).

• Marketing-site enquiry data — retained for 24 months unless we're actively working together. • Newsletter data — retained until you unsubscribe. • Platform account data and uploaded content — retained for the life of the account and for 30 days after deletion, then permanently removed. • Google OAuth tokens — deleted immediately when you disconnect Google Calendar or delete your account. • Operational and security logs — retained for 90 days. • AI request logs — retained for 30 days. • Invoices and contracts — retained for 7 years to satisfy UK tax and accounting law.

Some of our processors (Anthropic, Stripe, Cloudflare, Google) operate in the United States. Where personal data is transferred outside the UK or EEA, we rely on Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum, to ensure equivalent protection.

Kree8 Studios is a B2B platform intended for use by professionals. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, contact hello@kree8studios.com and we'll delete it.

We may update this policy from time to time. The Last Updated date at the top will reflect any changes. If a change is material, we'll notify affected users by email.