1. Privacy Policy
(GDPR, CCPA, PCI-DSS & Payment Processor Compliant)
COMPREHENSIVE PRIVACY POLICY
Last Updated: [Date]
Effective Immediately
1. Introduction & Scope
1.1 This Privacy Policy governs all data collection, processing, and storage by CreativaForge (“we,” “us,” or “our”) through:
Website: [creativaforge.com]
Client portals and project management tools (e.g., Trello, Asana)
Payment and invoicing systems (Stripe, PayPal)
Email, phone, and live chat communications
1.2 Applicability: This policy applies to:
Clients, prospective clients, and website visitors
Third-party vendors and subcontractors
Job applicants
2. Definitions
Term | Definition |
---|---|
Personal Data | Any information relating to an identifiable individual (e.g., name, IP address) |
Data Controller | CreativaForge (determines purposes and means of processing) |
Data Processor | Third parties processing data on our behalf (e.g., Google Analytics) |
Consent | Freely given, specific, informed and unambiguous agreement (defined in GDPR Art. 4(11); conditions for valid consent in Art. 7) |
3. Data Collection: Categories & Legal Basis
3.1 Data We Collect
Category | Examples | Purpose | Legal Basis |
---|---|---|---|
Identity Data | Full name, tax ID (for contracts) | Service fulfillment | Contractual necessity |
Contact Data | Email, phone, business address | Client communication | Legitimate interest |
Financial Data | Bank details, transaction history | Payment processing | Contractual necessity; legal obligation (tax and accounting records). Card data is handled by PCI DSS-compliant processors and is not stored by us |
Technical Data | IP address, browser type, cookies | Security logging and analytics | Legitimate interest (security logs); consent via cookie banner (analytics cookies) |
Project Data | Design briefs, source files | Service delivery | Contractual obligation |
3.2 Sensitive Data
We do not intentionally collect:
Racial/ethnic origin
Political opinions
Biometric data (except fraud prevention via payment processors)
4. How We Use Data
4.1 Primary Purposes
Service Execution: Delivering design/development projects
Payment Processing: Via Stripe/PayPal (tokenized transactions)
Legal Compliance: Tax reporting, fraud prevention
4.2 Marketing Uses
Opt-in newsletters: Sent only with explicit consent
5. Data Sharing & Third Parties
5.1 Categories of Recipients
Third Party | Purpose | Data Shared | Safeguards |
---|---|---|---|
Stripe/PayPal | Payment processing | Transaction amounts, client email | PCI-DSS compliance |
Google Workspace | Email/file storage | Project files, communications | Encryption in transit/at rest |
Slack | Internal communications | Client feedback | Data Processing Addendum; encryption in transit and at rest |
5.2 Legal Disclosures
We may share data when required by:
Court orders or subpoenas
Tax authorities (e.g., IRS audits)
6. International Data Transfers (GDPR Art. 44-50)
6.1 EU-US Transfers:
Standard Contractual Clauses (SCCs) with subprocessors
EU-U.S. Data Privacy Framework (DPF) certification where the subprocessor participates. Privacy Shield was invalidated by the CJEU in 2020 (Schrems II) and is no longer a valid transfer mechanism.
6.2 Data Localization Requests:
Clients may require onshore storage for sensitive projects (additional fees apply).
7. Data Security Measures
7.1 Technical Safeguards
Encryption: AES-256 for files, TLS 1.2+ for web traffic
Access Controls: Role-based permissions (least privilege principle)
Audit Logs: All system access tracked and reviewed quarterly
7.2 Breach Response Protocol
Containment: IT team isolates the affected systems within 1 hour of detection
Assessment: Legal determines GDPR/CCPA reporting requirements and, where required, notifies the supervisory authority within 72 hours of our becoming aware of the breach (GDPR Art. 33)
Notification: Affected users contacted via encrypted email without undue delay, and no later than 14 days, if the breach is likely to result in high risk to them (GDPR Art. 34); CCPA/state-law notices follow the applicable statutory deadlines
8. Data Retention Schedule
Data Type | Retention Period | Deletion Method |
---|---|---|
Client contracts | 7 years after project end | Secure shredding (physical/digital) |
Payment records | 10 years (tax compliance) | Secure deletion; full card numbers are never stored locally (processor tokens only) |
Website analytics | 26 months (Google Analytics) | Automated purging |
9. Your Rights (GDPR/CCPA Compliance)
9.1 Request Types
Access: Receive copy of your data (free first request)
Rectification: Correct inaccurate data
Erasure: “Right to be forgotten” (exceptions apply)
9.2 How to Exercise Rights
Submit verifiable request to [[email protected]]
Provide:
Information sufficient to confirm your identity; a government-issued ID is requested only where there is reasonable doubt about your identity (GDPR Art. 12(6))
Recent transaction confirmation (for fraud prevention, where the request concerns payment data)
We respond within one month under the GDPR (extendable by a further two months for complex or numerous requests, with notice of the delay) and within 45 days under the CCPA (extendable once by a further 45 days)
10. Cookies & Tracking Technologies
10.1 Detailed Cookie Breakdown
Cookie Name | Provider | Purpose | Duration | Opt-Out |
---|---|---|---|---|
_ga | Google Analytics | Visitor tracking | 2 years | [Google Opt-Out] |
fr | Meta (Facebook) | Ad retargeting | 90 days | [Facebook Ad Preferences] |
cart_session | WooCommerce | Shopping cart retention | Session | Disable in browser |
10.2 Do Not Track (DNT)
We honor browser Do Not Track (DNT) signals and Global Privacy Control (GPC) signals by disabling non-essential (analytics and advertising) cookies. Under the CCPA regulations a GPC signal is treated as a valid opt-out of the sale or sharing of personal information.
11. Policy Updates & Contact
11.1 Changes: Significant updates emailed to active clients 30 days in advance.
11.2 Questions? Contact our Data Protection Officer (DPO):
Email: [[email protected]]
Postal: [Your Physical Address]
12. Jurisdiction-Specific Addenda
12.1 California (CCPA)
“Shine the Light” Law: CA residents may request annual disclosure of data sharing for marketing.
Minor Deletion: Registered users under 18 may request removal of content they posted publicly (Cal. Bus. & Prof. Code §22581). We do not sell or share personal information of consumers under 16 without opt-in consent (CCPA).
12.2 European Union (GDPR)
Data Protection Impact Assessments (DPIAs): Conducted for high-risk processing.
Supervisory Authority: Right to lodge complaints with your local DPA.
1. Introduction & Definitions
1.1 Scope: This Privacy Policy governs all data collection by CreativaForge (“Company,” “we,” “us”) via [creativaforge.com], including subdomains, mobile apps, and client portals.
1.2 Key Definitions:
“Personal Data”: Any information identifying a natural person (e.g., name, IP, payment details).
“Data Controller”: CreativaForge determines data processing purposes.
“Data Processor”: Third parties processing data on our behalf (e.g., Stripe).
2. Detailed Data Collection Practices
2.1 Data Categories Collected:
Data Type | Examples | Legal Basis |
---|---|---|
Identity Data | Full name, government ID (for contracts) | Contractual necessity |
Contact Data | Email, phone, billing address | Legitimate interest |
Financial Data | Credit card last 4 digits, PayPal ID | Contractual necessity; legal obligation (tax records) |
Technical Data | IP, browser type, device fingerprints | Consent (via cookie banner) |
Project Data | Design briefs, source files | Contractual obligation |
2.2 Sensitive Data: We do not intentionally collect:
Racial/ethnic origin
Political opinions
Biometric data (except for fraud prevention via payment processors)
3. Advanced Data Processing Disclosures
3.1 Payment Processing
Stripe/PayPal Integration: Tokenized transactions; we never store full credit card numbers.
Audit Trails: All payment changes logged with timestamps for dispute resolution.
3.2 Automated Decision-Making
Fraud Scoring: Third-party tools (e.g., Sift) analyze transaction patterns. Users may request human review of any decision based solely on automated processing (GDPR Art. 22).
4. International Data Transfers (GDPR Article 44-50)
4.1 EU-US Data Protection:
Standard Contractual Clauses (SCCs) with subprocessors
EU-U.S. Data Privacy Framework (DPF) certification where the subprocessor participates. Privacy Shield was invalidated by the CJEU in 2020 (Schrems II) and is no longer a valid transfer mechanism.
4.2 Data Localization: Client projects requiring onshore storage must request this during onboarding.
5. Cookie Policy Expansion
5.1 Cookie Categories:
Type | Purpose | Duration | Opt-Out Method |
---|---|---|---|
Essential | Shopping cart, login sessions | Session | None (disabling breaks functionality) |
Analytics | Google Analytics, Hotjar | 2 years | Browser settings or GDPR banner |
Advertising | Meta Pixel, Google Ads | 90 days | Platform ad preference settings (Facebook Ad Preferences, Google Ads Settings) or GDPR banner |
5.2 Do Not Track (DNT): We honor browser DNT signals and Global Privacy Control (GPC) signals by disabling non-essential (analytics and advertising) cookies; under the CCPA regulations a GPC signal is treated as a valid opt-out of sale or sharing.
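Sections 10.2 and 5.2 both state that non-essential cookies are disabled when the browser sends a Do Not Track signal. The following is an added example of how a site-side consent gate can implement that, including the Global Privacy Control signal; it is illustration written for this page, not CreativaForge's code. The cookie-to-category map reuses the cookie names from the policy's tables, while the category assignment, the `bannerChoices` shape and the `nav`/`win` parameters are assumptions that let the decision logic run outside a browser.

```javascript
// Added example, not CreativaForge's code: a consent gate that honours the
// browser's Do Not Track (DNT) and Global Privacy Control (GPC) signals by
// blocking and purging the non-essential cookie categories listed in the
// policy's cookie tables.

// Cookie names taken from the policy's tables; the category assignment and
// the default for unknown names are assumptions of this example.
const COOKIE_CATEGORIES = {
  essential: ["cart_session"], // never blocked: disabling breaks cart/login
  analytics: ["_ga"],          // Google Analytics
  advertising: ["fr"],         // Meta ad retargeting
};
const NON_ESSENTIAL = ["analytics", "advertising"];

// DNT has been exposed under three different property names over the years;
// read all of them and treat only an explicit "1"/"yes" as an opt-out
// ("unspecified", "0", null or undefined are not opt-outs).
function dntEnabled(nav, win) {
  const raw = [nav.doNotTrack, win.doNotTrack, nav.msDoNotTrack]
    .find((v) => v !== undefined && v !== null);
  return raw === "1" || raw === "yes";
}

// GPC is a boolean property on navigator (true means "do not sell/share").
// Strict comparison so a truthy string such as "0" is not taken as opt-out.
function gpcEnabled(nav) {
  return nav.globalPrivacyControl === true;
}

// Which categories may load. bannerChoices is the visitor's banner result,
// assumed to look like {analytics: true, advertising: false}. A browser
// opt-out signal overrides a banner "accept": the more protective choice wins.
function allowedCategories(nav, win, bannerChoices = {}) {
  const allowed = new Set(["essential"]);
  const browserOptOut = dntEnabled(nav, win) || gpcEnabled(nav);
  for (const cat of NON_ESSENTIAL) {
    if (!browserOptOut && bannerChoices[cat] === true) allowed.add(cat);
  }
  return allowed;
}

// Unknown cookie names fall into the most restrictive category, so a newly
// added tracker cannot slip through unclassified.
function categoryOf(cookieName) {
  for (const [cat, names] of Object.entries(COOKIE_CATEGORIES)) {
    if (names.includes(cookieName)) return cat;
  }
  return "advertising";
}

// Gate to call before any tag manager or pixel script is allowed to set a cookie.
function mayDropCookie(cookieName, nav, win, bannerChoices) {
  return allowedCategories(nav, win, bannerChoices).has(categoryOf(cookieName));
}

// Build expiry strings for cookies already present that are no longer allowed
// (e.g. set before the visitor enabled GPC). cookieHeader is document.cookie's
// "name=value; name2=value2" string; the caller writes each result back.
function purgeDisallowed(cookieHeader, nav, win, bannerChoices, domain) {
  const allowed = allowedCategories(nav, win, bannerChoices);
  const expired = [];
  for (const pair of cookieHeader.split(";")) {
    const name = pair.split("=")[0].trim();
    if (name === "" || allowed.has(categoryOf(name))) continue;
    expired.push(`${name}=; Max-Age=0; Path=/; Domain=${domain}; Secure; SameSite=Lax`);
  }
  return expired;
}

// In a real page this runs at load, before analytics/ad tags are injected.
// Guarded so the file also loads under Node (no document/navigator there).
if (typeof document !== "undefined" && typeof navigator !== "undefined") {
  const choices = JSON.parse(window.localStorage.getItem("consentChoices") || "{}");
  for (const c of purgeDisallowed(document.cookie, navigator, window, choices, location.hostname)) {
    document.cookie = c;
  }
}
```

Expiring a cookie only works when the Domain and Path match those it was set with, and a cookie set by a third-party domain (the Meta `fr` cookie on facebook.com) cannot be removed by this page at all; that is why gating the tag before it loads matters more than purging afterwards.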
6. Data Subject Rights Procedures
6.1 Request Fulfillment Timeline:
Access/Portability Requests: one month under the GDPR (extendable by a further two months for complex or numerous requests, with notice); 45 days under the CCPA (extendable once by 45 days). Free for the first request; a reasonable administrative fee (up to $50) applies only where a further request is manifestly unfounded or excessive, e.g. repetitive (GDPR Art. 12(5)); CCPA requests are not charged unless excessive
Deletion Requests: same timelines; the extension is used for complex project data archives, and the requester is told of the delay within the initial period
6.2 Identity Verification: We require information sufficient to confirm your identity; government ID and a recent transaction confirmation are requested only where there is reasonable doubt, to prevent fraudulent requests (GDPR Art. 12(6)).
7. Breach Notification Protocol
7.1 Internal Escalation:
IT team isolates the affected systems within 1 hour of detection
Legal assesses GDPR/CCPA reporting requirements and, where required, notifies the supervisory authority within 72 hours of our becoming aware of the breach (GDPR Art. 33)
Notify affected users via encrypted email without undue delay, and no later than 14 days, if the breach is likely to result in high risk to them (GDPR Art. 34); CCPA/state-law notices follow the applicable statutory deadlines