Privacy Policy

Last updated: October 6, 2025

CREATOROS PAYMENTS, INC – GDPR COMPLIANT PRIVACY POLICY

This GDPR Compliant Privacy Policy addresses customer data protection as it concerns the use and processing of Consumer Data in connection with Payment Processing Services, as well as the safeguards that are in place for international data transfers (this "Attachment I"). The effective date of this Attachment I is the date stated in the Data Retention Policy (the "Agreement").

This Attachment I applies to any product, service, or other offering where CreatorOS Payments, Inc. ("CreatorOS") provides card and/or direct debit processing, gateway and/or fraud protection services (the "Payment Services") to its consumers or Merchants.

Definitions

"Controller"

Means an entity that determines the purposes and means of the processing of Personal Data, or, if such term is defined in Data Protection Law, "Controller" shall have the meaning as defined in the applicable Data Protection Law including a "Business" as defined in the California Consumer Privacy Act ("CCPA").

"Customer"

Means your consumers or customers who use the Payment Services.

"Customer Data"

Means the Personal Data that the Customer provides to you and which you pass on to CreatorOS through your use of the Payment Services, and the Personal Data that CreatorOS may collect from the Customer's device and browser through your use of the Payment Services.

"Data Protection Laws"

Means any applicable data protection laws, regulations, directives and regulatory requirements applicable to CreatorOS's provision of the Payment Services, including the California Consumer Privacy Act 2018 (CCPA), the General Data Protection Regulation (EU) 2016/679 (GDPR), the Australian Privacy Act 1988, the Personal Information Protection and Electronic Documents Act (Canada), and others.

"Personal Data"

Means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

1. Processing of Customer Data in Connection with the Payment Service

The parties acknowledge and agree that the Merchant and CreatorOS are each independent Controllers in respect of all Customer Data Processed in connection with the Payment Services. CreatorOS independently determines the purpose and the means of the Processing of such Customer Data.

CreatorOS is permitted to use, reproduce and Process Customer Data for the following limited purposes:

  • As reasonably necessary to provide and improve the Payment Services, including fraud protection tools
  • To monitor, prevent and detect fraudulent payment transactions and prevent harm
  • To comply with legal or regulatory obligations applicable to payment data processing
  • To analyze, develop and improve CreatorOS's products and services
  • Internal usage, including data analytics and metrics
  • To compile and disclose Customer Data in aggregate where individual data is not identifiable
  • Complying with applicable legal requirements and assisting law enforcement
  • Any other purpose notified to Merchant in accordance with Data Protection Laws

2. Controller Responsibilities

GDPR COMPLIANCE:

CreatorOS shall comply with the requirements of the Data Protection Laws applicable to Controllers in respect of the Processing of Customer Data under this Policy (including implementing and maintaining appropriate security measures) and shall not knowingly do anything that would likely lead to a breach by Merchant of the Data Protection Laws.

3. Notice to Customers

Merchant shall use commercially reasonable efforts to (i) notify Customers in their privacy policy that CreatorOS is an independent Controller for the purpose of Processing Customer Data as described in this Policy and (ii) include a link to the CreatorOS privacy statement available at CreatorOS's website in Merchant's privacy policy.

4. Cross Border Data Transfers and GDPR Compliance

CreatorOS may transfer Customer Data outside the country where it was collected as necessary to provide the Payment Services. If CreatorOS transfers Customer Data to a jurisdiction without an adequacy decision, CreatorOS will ensure appropriate safeguards have been implemented for the transfer in accordance with applicable Data Protection Laws.

EU GDPR Compliance:

For GDPR compliance, we rely on the EU's Standard Contractual Clauses (SCC) and CreatorOS's internal corporate binding rules for transfers of Customer Data within CreatorOS Payments, Inc.

With respect to data transfers of Customers located in the European Union, Switzerland, the European Economic Area, and/or the United Kingdom, the parties agree to be bound by the European Commission Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR.

5. Data Categories and Processing

Data Subjects

The Personal Data transferred concerns the data exporter's customers, employees and other business contacts.

Categories of Personal Data

The personal data transferred may include: Name, amount to be charged, date/time, bank account details, payment card details, CVC code, post code, country code, address, email address, fax, phone, website, expiry date, shipping details, tax status, unique customer identifier, IP Address, location, and any other data received by CreatorOS under the Agreement.

Purpose of Transfer

  • Performance of services provided by data importer to data exporter
  • To identify fraudulent activity and risk
  • To comply with laws applicable to the data importer
  • As set forth in the Data Protection Laws

6. Data Retention

The data importer retains personal data only for as long as is necessary with regard to the relevant purpose(s) for which it was collected. To determine the appropriate retention period, the data importer considers the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure, the purposes for which the personal data is processed, and applicable legal, regulatory, tax, accounting or other requirements.

7. Technical and Organizational Measures

Security Measures:

  • Encryption: CreatorOS employs encryption in transit and at rest for all personal data
  • Access Controls: Comprehensive policies with technical controls to prevent unauthorized disclosure
  • Business Continuity: Framework for organizational resilience and effective incident response
  • Regular Testing: Ongoing assessment and evaluation of technological and organizational measures
  • Physical Security: Security systems and safeguards for sensitive areas and equipment
  • Event Logging: Comprehensive monitoring and logging across all systems

Data Governance:

  • Data Minimization: Technical controls ensure data collected is adequate, relevant, and limited to necessary purposes
  • Data Quality: Policies ensure personal data is correct, complete, and up to date
  • Data Classification: All data classified according to business value with assigned retention periods
  • Data Subject Rights: Programs in place to fulfill access, correction and erasure requests

8. Your Rights Under GDPR

Data Subject Rights:

  • Right of Access: Request access to your personal data
  • Right to Rectification: Request correction of inaccurate personal data
  • Right to Erasure: Request deletion of your personal data (subject to legal obligations)
  • Right to Restrict Processing: Request limitation of processing in certain circumstances
  • Right to Data Portability: Request transfer of your data to another controller
  • Right to Object: Object to processing based on legitimate interests

9. International Transfers

For transfers to sub-processors, CreatorOS may share personal data with third-party service providers that perform services at CreatorOS's direction. These may include customer verification, transaction processing, customer support, or storage services. When determining the duration of processing by third-party service providers, CreatorOS applies the same retention criteria outlined above.

10. Contact and Supervisory Authority

In accordance with GDPR requirements, the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.

For questions about this Privacy Policy or to exercise your data protection rights, please contact us through our support channels.
