Privacy Policy

1. Information We Collect

1.1 Information You Provide Directly

We collect information that you voluntarily provide when creating an account, using the Services, or communicating with us, including:

Account Information:

• •Full name
• •Email address
• •Password (stored in encrypted form; we never store plain-text passwords)
• •Company or brand name

Authentication Data:

If you register or log in using third-party OAuth providers (such as Google), we receive only the basic profile information expressly authorised by you through that provider's permission framework, namely your name and email address. We do not receive or store any credentials from those providers.

Payment Information:

All payment transactions are processed exclusively by Stripe, Inc., a PCI-DSS compliant third-party payment processor. ReKreate does not at any time store, access, transmit, or retain full payment card numbers, CVV codes, bank account numbers, or any other sensitive financial credentials on its servers or systems. You accept Stripe's own terms and privacy policy when making payments.

User Content and Brand Assets:

Users may upload content to the platform, including product images, logos, packaging images, brand guidelines, colour palettes, marketing assets, and design references (collectively, "User Content"). By uploading User Content, you represent and warrant that you hold all necessary rights to that content and that its upload does not infringe any third-party intellectual property, privacy, or other rights. ReKreate accepts no liability for User Content that infringes third-party rights.

Connected Platform Data:

If you connect external platforms such as Shopify, Amazon Seller Central, or other e-commerce or marketing platforms, we receive only the data strictly necessary to deliver the Services and only to the extent expressly authorised by you through those platforms' permission systems. This may include product listings, titles, descriptions, product images, and SKU or ASIN identifiers. We do not access, process, or retain customer personal data belonging to your end customers from these platforms unless you have provided specific instructions and obtained all necessary consents from those customers.

Support Communications:

When you contact our support team, we collect the content of your communications including email messages, support tickets, and any attachments or screenshots you choose to provide. This information is used solely to resolve your enquiry.

1.2 Information Collected Automatically

When you interact with the Services, we automatically collect the following technical and usage data:

Usage Data:

• •Platform features accessed and actions taken
• •Templates selected and creatives generated
• •Session duration and frequency of use
• •In-platform click paths and navigation patterns
• •Referring URLs

Technical Data:

• •IP address
• •Browser type and version
• •Device type, hardware model, and operating system
• •Unique device identifiers
• •Time zone and locale settings
• •Session timestamps

Cookies and Tracking Technologies:

We use cookies, pixel tags, and similar tracking technologies to maintain sessions, understand platform usage, and improve performance. You may manage cookie preferences through your browser settings or via our cookie consent tool. For full details, see Section 14 and our Cookie Policy at www.werekreate.com/cookies.

1.3 Information Received from Third Parties

We may receive information from third-party partners including authentication providers (Google), analytics services, connected e-commerce platforms, and cloud infrastructure providers. In all cases, we collect only the data strictly necessary to provide the requested Services.

2. How We Use Your Information

We use the information we collect for the following purposes, each supported by the legal basis identified:

We will not use your personal data for any purpose materially different from those listed above without first obtaining your explicit, prior consent.

3. AI Processing and Automated Systems

ReKreate uses artificial intelligence and machine learning technologies to generate creative assets, images, and marketing content. The following terms govern all AI processing of User Content and are designed to protect both users and ReKreate.

3.1 How AI Processes Your Content

• •User Content uploaded to the platform is processed by ReKreate's AI systems solely to generate the creative outputs you have specifically requested.
• •Such processing may occur through vetted third-party AI infrastructure providers. All such providers are contractually bound to: (a) use User Content only to generate your requested outputs; (b) never retain User Content beyond the period required to deliver those outputs; (c) never use User Content for any independent training, research, or commercial purpose.
• •Your generated creatives are stored only within your account and are not shared with, visible to, or accessible by any other user of the platform.

3.2 AI Training — Absolute Prohibition Without Consent

ReKreate will NEVER use your User Content — including uploaded images, brand assets, connected account data, or generated creatives — to train, fine-tune, benchmark, or improve any AI model without your explicit, separate, opt-in consent obtained at the specific time such use is proposed. No such consent is implied by your acceptance of this Policy or by your use of the Services.

3.3 AI Output Disclaimers — Limitation of Liability

Users acknowledge and agree that:

• •AI systems operate through probabilistic and generative methods. Outputs may be incomplete, unexpected, inaccurate, or inconsistent with instructions.
• •Outputs may not be unique. Similar or identical outputs may be generated for other users of the platform, or may resemble publicly available materials.
• •ReKreate does not guarantee the exclusivity, novelty, originality, or fitness for purpose of any generated output.
• •Users are solely responsible for reviewing all AI-generated outputs before any commercial, public, or other use. ReKreate accepts no liability for any loss, damage, or third-party claim arising from a user's commercial use of generated content without independent review.
• •Users must independently conduct all necessary intellectual property, trademark, copyright, and regulatory checks before using any AI-generated content commercially.

4. Intellectual Property — Ownership of Generated Content

You retain all ownership rights in your original User Content (your uploaded brand assets, images, and materials). By uploading User Content, you grant ReKreate a limited, non-exclusive, royalty-free licence to process and use your User Content solely to provide the Services to you.

You warrant that your User Content does not infringe any third-party intellectual property rights, and you agree to indemnify and hold harmless ReKreate and all of its founders, directors, officers, employees, contractors, and affiliates from any claim, loss, damage, or expense arising from any third-party intellectual property challenge relating to your User Content.

5. How We Share Your Information

ReKreate does not sell, rent, or trade your personal information to any third party, under any circumstances. We share information only in the following strictly limited and controlled circumstances:

5.1 Service Providers

We share information with third-party vendors providing services on our behalf, including Stripe (payment processing), Google (authentication), cloud infrastructure providers (hosting and storage), and analytics providers. All vendors are bound by written data processing agreements that restrict their use of data to service delivery only.

5.2 AI Infrastructure Partners

User Content may be processed by vetted AI infrastructure providers solely to generate your requested outputs. Such partners are contractually prohibited from retaining, repurposing, independently training on, or otherwise using your data. ReKreate remains the data controller in all such arrangements.

5.3 Connected Platforms

Data is shared with connected platforms such as Shopify or Amazon only to the extent strictly required to fulfil the integration you have specifically authorised.

5.4 Legal Compliance and Protection

We may disclose information where required by applicable law, regulation, court order, governmental authority, or legal process; or where reasonably necessary to: (a) enforce our agreements; (b) protect the rights, property, or safety of ReKreate, its founders, directors, officers, employees, contractors, users, or the public; (c) detect or prevent fraud, abuse, security incidents, or illegal activity.

5.5 Business Transfers

In the event of a merger, acquisition, corporate restructuring, or sale of all or substantially all of ReKreate's assets, your personal data may be transferred as part of that transaction. We will provide at least thirty (30) days' prior written notice to affected users before any such transfer takes place. Your continued use of the Services following such notice will constitute acceptance of the transfer.

5.6 With Your Explicit Consent

In any circumstance beyond those listed above, we will only share your personal data with your prior, specific, informed, and freely given written consent.

6. Data Retention

We retain your personal information for as long as your account is active, or as reasonably necessary to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements.

Upon account deletion, we will delete or irreversibly anonymise your personal information within thirty (30) days, except where retention is required by applicable law, tax obligations, active legal proceedings, or regulatory requirements. Uploaded User Content and generated creatives will be deleted within thirty (30) days of account deletion.

Aggregated and truly anonymised analytics data — data that has been processed such that it can no longer be linked to any identifiable individual or organisation using any reasonably available means — may be retained indefinitely for platform improvement purposes.

7. Data Security

We implement industry-standard technical and organisational security measures to protect your personal data, including:

• •Encryption of data in transit using TLS 1.2 or higher
• •Encryption of data at rest using AES-256 or equivalent
• •Strict access controls — personal data is accessible only on a need-to-know basis
• •Multi-factor authentication for all internal system access
• •Regular security assessments, vulnerability scanning, and penetration testing
• •Documented incident response procedures

No method of electronic transmission or storage is 100% secure. ReKreate cannot guarantee absolute security of information transmitted to or from the Services, and any such transmission is at your own risk.

In the event of a personal data breach that poses a risk to the rights and freedoms of affected users, we will: (a) notify the relevant supervisory authority within seventy-two (72) hours of becoming aware of the breach, where required under applicable law; and (b) notify affected users without undue delay, providing details of the nature of the breach, likely consequences, and measures taken.

9. Your Rights

9.1 General Rights

Depending on your jurisdiction and the applicable law, you may have the following rights regarding your personal data:

• •Access — request a copy of the personal data we hold about you
• •Correction — request correction of inaccurate or incomplete personal data
• •Deletion — request deletion of your personal data, subject to legal retention obligations
• •Portability — receive your data in a structured, commonly used, machine-readable format
• •Objection — object to processing based on legitimate interests, including direct marketing
• •Restriction — request that we restrict processing of your personal data in certain circumstances
• •Withdrawal of Consent — where processing is based on consent, withdraw that consent at any time, without affecting the lawfulness of prior processing

To exercise any right, submit your request to: hello@werekreate.com. We will acknowledge your request within five (5) business days and respond within thirty (30) days, or within such shorter period as required by applicable law. Exercising your rights will not result in any penalty or reduction in the quality of Services provided to you.

9.2 European Economic Area and United Kingdom Residents (GDPR / UK GDPR)

Our legal bases for processing are set out in Section 2. You have the right to lodge a complaint with your relevant supervisory data protection authority — for example, the Information Commissioner's Office (ICO) in the UK, or your national data protection authority in the EEA.

9.3 California Residents (CCPA / CPRA)

California residents have the right to: know what personal information we collect and how it is used; request deletion of personal information; correct inaccurate personal information; opt out of the sale or sharing of personal information (we do not sell or share personal information); and not be discriminated against for exercising these rights. To exercise CCPA rights, contact us at hello@werekreate.com.

9.4 Indian Residents (DPDP Act 2023 and IT Rules 2011)

Under the Digital Personal Data Protection Act 2023, you have the right to: access information about your personal data processed by us; correct and update inaccurate personal data; request erasure of personal data where it is no longer necessary for the purpose for which it was collected; seek grievance redressal; and nominate another individual to exercise your rights on your behalf in the event of your death or incapacity.

We will engage with the Data Protection Board of India upon its establishment as required under the DPDP Act 2023.

8. International Data Transfers

ReKreate operates globally. Your personal information may be transferred to, stored in, and processed in countries other than your country of residence, including countries that may not offer an equivalent level of data protection to your home jurisdiction.

Where we transfer personal data internationally, we implement appropriate legal safeguards as required by applicable law, including: Standard Contractual Clauses (SCCs) approved by the European Commission; UK International Data Transfer Agreements (IDTAs); adequacy decisions; or equivalent protective mechanisms.

By using the Services, you acknowledge the necessity of such international transfers to deliver the Services and consent to such transfers subject to the safeguards described above.

10. Marketing Communications

We will only send you marketing, promotional, or non-transactional communications if you have explicitly opted in to receive them. You may withdraw your consent and opt out of all marketing communications at any time by:

• •Clicking the unsubscribe link in any marketing email
• •Emailing hello@werekreate.com with your opt-out request
• •Updating your communication preferences in your account settings

Opting out of marketing communications will not affect delivery of transactional or service communications (such as account notifications, security alerts, and billing receipts), which are necessary to provide the Services.

11. Children's Privacy

The Services are not directed to, intended for, or accessible by individuals under eighteen (18) years of age. We do not knowingly collect personal information from minors.

If we become aware that we have inadvertently collected personal information from a person under 18, we will take immediate steps to delete that information and, where applicable, terminate the associated account. If you believe a minor may have created an account or provided personal information, please contact us immediately at hello@werekreate.com.

12. Third-Party Links and Services

Our Services may contain links to third-party websites, platforms, or services. We have no control over, and assume no responsibility for, the content, privacy practices, terms, or security of any third-party service. The inclusion of any link does not constitute an endorsement by ReKreate.

We strongly encourage you to review the privacy policy and terms of any third-party service you access. ReKreate accepts no liability for any loss or damage arising from your use of, or reliance on, any third-party website or service.

13. Data Protection Officer

Where required by applicable law (including GDPR Article 37), ReKreate will appoint a Data Protection Officer (DPO). ReKreate has assessed its data processing activities and determined that appointment of a DPO is not currently mandated under applicable law. This assessment is reviewed annually.

For all data protection queries, you may contact us at hello@werekreate.com.

14. Cookies and Tracking Technologies

We use the following categories of cookies on the Services:

Full details of all cookies used, their purpose, duration, and provider are available in our Cookie Policy at www.werekreate.com/cookies. You may update your cookie preferences at any time through our consent management tool.

15. Updates to This Policy

We may update this Policy from time to time to reflect changes in our data practices, Services, or applicable law. We will notify you of any update by revising the "Last Updated" date at the top of this Policy.

For non-material updates (minor clarifications, formatting changes, or updates required by law that do not diminish your rights), your continued use of the Services after the effective date of the update constitutes acceptance of the revised Policy.

For material updates — meaning any change that materially affects your rights, the scope of data collected, the purposes for which it is used, or the parties with whom it is shared — we will provide at least thirty (30) days' prior written notice by email and by prominent notice within the platform. Material updates will require your affirmative acceptance before taking effect. If you do not accept a material update, you may terminate your account and cease using the Services.

16. Limitation of Liability and Indemnification

All limitation of liability, exclusion of warranties, and indemnification obligations applicable to your use of the Services are set out exclusively in the Terms and Conditions, which form a separate binding agreement between you and ReKreate. For avoidance of doubt:

• •To the maximum extent permitted by applicable law, ReKreate, its founders, directors, officers, employees, contractors, agents, and affiliates (the "ReKreate Parties") shall not be liable for any indirect, incidental, special, exemplary, consequential, or punitive damages arising from or related to your use of the Services, including any AI-generated outputs.
• •Total aggregate liability of the ReKreate Parties for any claim arising from or related to this Policy or the Services shall not exceed the amounts paid by you to ReKreate in the twelve (12) months immediately preceding the event giving rise to the claim.
• •You agree to indemnify, defend, and hold harmless the ReKreate Parties from and against any claim, loss, damage, liability, cost, or expense (including reasonable legal fees) arising from: (a) User Content you upload; (b) your breach of this Policy or the T&C; (c) your violation of any applicable law; or (d) infringement of any third-party right by you or your User Content.

The liability limitations and indemnification obligations in this section and in the T&C apply to the fullest extent permitted by applicable law. Nothing in this Policy excludes liability that cannot be excluded under mandatory law.

17. Governing Law and Dispute Resolution

This Policy shall be governed by and construed in accordance with the laws of the Republic of India, without regard to its conflict of law provisions.

Any dispute, claim, or controversy arising out of or relating to this Policy or the Services shall be subject to the exclusive jurisdiction of the competent courts located in Mumbai, Maharashtra, India.

You irrevocably submit to the personal jurisdiction of such courts and waive any objection to proceedings in those courts on the grounds of venue, inconvenient forum, or otherwise.

18. Contact Information

For privacy-related questions, data subject requests, or general enquiries regarding this Policy:

© 2026 ReKreate. All rights reserved.

This Privacy Policy is effective as of the date stated above and supersedes all prior versions. Unauthorised reproduction or distribution of this document is prohibited.