Privacy Policy

Last updated: 21 April 2026

CreativeOS is an internal operational tool of Turing (REACH Paris) used to track creative performance and compensate the creators participating in our Creator Affiliate Network (CAN) programme.

1. Data controller

Turing, 11 rue d'Enghien, 75010 Paris, France. Contact: david@turing.paris

2. Personal data we process

  • Account data — email, name, hashed password, role.
  • Session data — IP address, user agent, timestamps.
  • Creative performance— ad spend, revenue, ROAS per creator (derived from Meta & Shopify APIs).
  • Commission history — monthly earnings per creator, stored immutably for accounting audit.
  • Admin actions — audit log (who did what, when).

3. Legal basis

Contract performance (CAN programme payments) for creator data. Legitimate interest (creative analysis, platform operations) for admin data. Legal obligation (accounting retention) for commission history.

4. Sub-processors

  • Hetzner (Germany) — server hosting.
  • Meta (Ireland/US) — ad performance data source.
  • Shopify (Canada) — revenue data source.
  • Sentry (Germany) — error monitoring.
  • Axiom (US, DPF) — log aggregation.
  • Resend (US, DPF) — transactional email.
  • Backblaze (US, DPF) — encrypted backups.
  • Groq (US) — audio transcription.
  • Anthropic (US) — AI chat assistant.

5. Retention

  • Active accounts: retained while the account is active.
  • Deleted accounts: personal data purged within 30 days.
  • Server logs with IP: rotated every 90 days.
  • Commission history: retained 10 years (French accounting obligation).
  • Encrypted backups: 30 days rolling + 12 monthly snapshots.

6. Your rights (GDPR)

Access, rectification, erasure, portability, objection. To exercise any of these, email david@turing.paris. We respond within 30 days.

7. International transfers

Where data leaves the EU/EEA, we rely on Standard Contractual Clauses (SCC) or an adequacy decision (e.g. EU-US Data Privacy Framework).

8. Security

TLS 1.2+ in transit. AES-256-GCM for stored secrets. bcrypt for passwords. MFA available (enforced for admins). Automated backups, tested restore drills, OWASP Top 10 defenses.

9. Breach notification

In case of a personal data breach likely to result in risk to your rights, we notify you and the CNIL within 72 hours of discovery.

10. Complaints

You may lodge a complaint with the CNIL (French data protection authority).