Privacy Policy | Celavii

Previous Version: N/A (Initial Version)

Thank you for your interest in Celavii, Inc. ("Celavii," "we," "us," or "our"). Celavii is a creator intelligence platform that helps brands and agencies discover, analyze, and manage relationships with social media creators. This Privacy Policy explains how we collect, use, disclose, and process personal information when you visit our website at celavii.com (the "Site") and use our services offered in connection with the Site, including our platform, applications, tools, AI-powered features, and APIs (collectively with the Site, the "Services").

This Privacy Policy applies to:

Customers and their Authorized Users who access and use the Services;
Visitors to our Site;
Creators whose publicly available social media data may be collected through the Services at our Customers' direction; and
Job applicants who apply for positions at Celavii.

This Privacy Policy does not apply where Celavii acts solely as a data processor and processes personal information on behalf of Customers using the Services. In those cases, the Customer is the data controller, and you should review their privacy policies for more information about how they handle your personal information. For details on how we process data on behalf of Customers, please see our Data Processing Addendum ("DPA") at https://celavii.com/legal/dpa.

This Privacy Policy also describes your privacy rights. More information about your rights, and how to exercise them, is set out in Section 8 ("Your Data Protection Rights").

1. What Does Celavii Do?

Celavii provides a cloud-based creator intelligence platform that enables brands, agencies, and marketing teams to:

Discover creators by collecting and analyzing publicly available data from social media platforms such as Instagram and TikTok;
Analyze creator performance through engagement metrics, audience demographics, affinity scoring, and predictive analytics;
Track campaigns by monitoring creator content, hashtags, and campaign performance in real time;
Manage relationships through CRM tools, contact management, and AI-assisted outreach;
Generate insights using AI-powered features including lookalike analysis, sentiment analysis, content clustering, and strategy recommendations;
Create campaign assets through AI Studio, which enables users to generate images, videos, graphics, and other media using AI-powered generative tools; and
Collaborate through multi-user workspaces with configurable access controls and billing.

For more information about Celavii, please visit https://celavii.com/about.

2. Information We Collect

We collect information about you from the following sources:

a. Information You Provide Directly

The type of information we collect directly from you varies based on your interaction with our Site and Services:

Registration and Account Information. When you create an account, we collect your name, email address, organization name, and other information you provide during registration. We use this information to create and administer your account, provide you with the Services, and communicate with you.

Payment and Billing Information. If you purchase a subscription or make payments through the Services, we collect transactional information in connection with your purchase. We use third-party payment processors, including Stripe, to process payments. We do not directly store your full credit card number or financial account information. Rather, such information is provided directly by you to our payment processor, whose use of your personal information is governed by their privacy policy. To view Stripe's privacy policy, please visit: https://stripe.com/privacy.

Communications. If you communicate with us through any medium, including email, chat, support tickets, or other forms, we collect your name, contact information, and the contents of your communications. We use this information to respond to your inquiries, provide customer support, and improve the Services.

Content and Customer Data. When you use the Services, you may submit, upload, or otherwise provide data including creator lists, campaign information, brand assets, notes, tags, and other content. We collect and store this information as part of the Services.

Feedback. If you send us suggestions, ideas, comments, or other feedback about the Services, we collect and may use such feedback as described in our Terms of Service.

b. Information We Collect Automatically

When you visit our Site or use our Services, we automatically collect certain technical information from your device:

Device and Connection Information. We collect information about the device you use to access the Services, including device type, operating system, browser type, IP address (including approximate location derived from your IP address), unique device identifiers, and network connection information.

Usage Information. We collect information about how you access and use the Services, including the dates and times of access, pages viewed, features used, links clicked, search queries within the Services, and other usage patterns.

Log and Error Information. We collect log files and error reports, including information about the state of the application when an error occurred, the time of the error, and related diagnostic data.

Cookies and Similar Technologies. We and our service providers use cookies, scripts, pixels, and similar tracking technologies to collect information about you and your use of the Services. For more details, please see Section 6 ("Cookies and Tracking Technologies").

c. Information We Receive from Third Parties

We may receive personal information about you from third-party sources, including:

Single Sign-On (SSO). If you authenticate using a third-party SSO provider (such as Google), we receive information from that provider in accordance with their authorization procedures, which may include your name, email address, and profile picture.

Business Partners and Service Providers. We may receive information from business partners, marketing partners, and service providers, including contact information, demographic information, and information about your interactions with their services.

Publicly Available Sources. We may collect information from publicly available sources, including public social media profiles, business directories, and other publicly accessible databases, to supplement information we collect directly.

d. Social Media Data Collected Through the Services

A core function of the Services is collecting and analyzing publicly available data from social media platforms (including Instagram and TikTok) at our Customers' direction. This data ("Social Media Data") may include:

Creator profile information: usernames, display names, profile pictures, biographies, follower and following counts, website URLs, and account verification status;
Content data: posts, reels, stories, captions, hashtags, mentions, and media (images and videos);
Engagement metrics: likes, comments, shares, saves, views, and engagement rates;
Audience data: publicly visible follower and following lists, audience demographics (where publicly available), and geographic indicators;
Derived analytics: engagement scores, growth rates, affinity scores, predicted performance, sentiment analysis, and other metrics calculated by the Services; and
Contact information: email addresses and other contact details where publicly displayed in creator profiles or bios.

Important: Social Media Data is collected from publicly available sources at our Customers' direction. Celavii acts as a data processor with respect to Social Media Data collected on behalf of Customers. Customers are data controllers responsible for ensuring their collection and use of Social Media Data complies with applicable laws.

e. AI Feature Data

When Customers use our AI-powered features, we process:

Inputs: queries, prompts, criteria, and parameters provided by Customers to AI features (e.g., search criteria for creator discovery, parameters for lookalike analysis);
AI Studio Inputs: text prompts, descriptive and instructive commands, reference images, reference videos, brand assets, logos, templates, and other content submitted by Customers to AI Studio for generative media processing;
Outputs: AI-generated recommendations, scores, analyses, drafted content, generated images, generated videos, generated audio, generated graphics, and other results;
Interaction data: how Customers interact with AI features and outputs, including feedback on AI quality; and
Metadata: technical information about AI processing, including model versions, generation parameters, and processing timestamps.

As described in the Terms of Service (Section 7(f)(iii)), Customers grant Celavii a license to use AI Inputs and AI Outputs for operating the Services, training and improving AI models, content moderation, and generating aggregated analytics. We may also use de-identified and aggregated data from AI interactions to improve our AI models and the Services, as described in Section 3.

f. Communication Gateway Data

The Services enable Customers to connect to and interact with the platform through third-party communication platforms ("Communication Gateways"), including WhatsApp, Telegram, Discord, and email. When Customers use Communication Gateways, we may process:

Message content: text messages, media attachments, and other content sent and received through Communication Gateways;
Sender and recipient information: phone numbers, usernames, email addresses, and other identifiers associated with messages;
Account linking data: authentication tokens, account identifiers, and connection metadata for linked third-party messaging accounts;
Conversation metadata: timestamps, message delivery status, read receipts (where available), and conversation thread information; and
Platform identifiers: third-party platform user IDs, channel IDs, and other identifiers necessary to route messages.

Important: Messages transmitted through Communication Gateways are processed by and transit through the servers of third-party platform providers (such as Meta for WhatsApp, Telegram Messenger Inc. for Telegram, and Discord Inc. for Discord). Celavii does not control the data handling, storage, encryption, or privacy practices of these third-party providers. Customers are responsible for informing their contacts that communications may be processed through third-party platforms and for obtaining any necessary consents.

g. Agentic Feature Data

The Services include AI-powered autonomous agents ("Agents") that perform actions on behalf of Customers. When Customers use Agents, we process:

Agent configurations: goals, parameters, guardrails, spending limits, and approval workflows set by Customers;
Agent actions: records of actions taken by Agents, including searches performed, messages sent, credits consumed, and decisions made;
Agent logs: execution history, error logs, and performance data; and
Agent interactions: Customer instructions to Agents (including through Communication Gateways) and Agent responses.

Agent data is treated as Customer Data. All actions taken by Agents are attributable to the Customer who deployed them.

3. How We Use Your Information

Celavii processes personal information for the following purposes:

a. Providing and Operating the Services

To create and administer your account;
To provide, maintain, and improve the Services and their features;
To process transactions and manage billing, including subscription management, credit tracking, and overage billing;
To provide customer support and respond to inquiries;
To collect and process Social Media Data at Customers' direction;
To generate AI-powered insights, recommendations, scores, and analytics;
To facilitate collaboration through workspaces and multi-user access; and
To send service-related communications, including technical notices, updates, security alerts, and administrative messages.

b. Improving and Developing the Services

To monitor and analyze usage patterns, trends, and effectiveness of the Services;
To conduct research, testing, and analysis to improve existing features and develop new ones;
To train and improve our AI models and algorithms using aggregated and de-identified data;
To train, develop, and improve AI models using AI Inputs and AI Outputs submitted to AI Studio, as authorized under the license granted in the Terms of Service (Section 7(f)(iii));
To compile aggregated statistics and performance benchmarks; and
To debug, identify, and repair errors or issues in the Services.

c. Safety, Security, and Compliance

To detect, prevent, and investigate fraud, abuse, security incidents, and violations of our Terms of Service;
To verify identity and prevent unauthorized access;
To enforce our Terms of Service and other agreements;
To comply with applicable laws, regulations, legal processes, and governmental requests; and
To protect the rights, property, and safety of Celavii, our Customers, and others.

d. Marketing and Communications

To send you information about our Services, features, and updates that may be of interest to you;
To send promotional communications, subject to your consent where required by applicable law;
To conduct surveys and collect feedback; and
To measure the effectiveness of our marketing campaigns.

You may opt out of promotional communications at any time by clicking the "unsubscribe" link in any marketing email or by contacting us at privacy@celavii.com.

e. Aggregated and De-Identified Data

We may process personal information in an aggregated or de-identified form for any lawful purpose, including:

Analyzing the effectiveness of the Services and compiling benchmarks;
Conducting research and developing new features;
Training and improving AI models; and
Creating industry reports and analytics.

When information is de-identified, we maintain policies and technical procedures to prevent re-identification. We do not attempt to re-identify de-identified information except as necessary to evaluate the effectiveness of our de-identification processes.

4. How We Share Your Information

We share personal information in the following circumstances:

a. Service Providers

We share personal information with third-party service providers who perform services on our behalf, including:

Service Provider	Purpose
Stripe	Payment processing, billing, and fraud prevention
Supabase	Database hosting and infrastructure
Vercel	Application hosting and delivery
Apify	Social media data collection at Customers' direction
Sentry	Error tracking and application monitoring
PostHog	Product analytics (anonymized/aggregated)
Meta (WhatsApp Business API)	Communication Gateway — message delivery and processing
Telegram Messenger Inc.	Communication Gateway — message delivery and processing
Discord Inc.	Communication Gateway — message delivery and processing
AI model providers	AI Studio — generative image, video, and content processing

Our service providers are contractually obligated to use personal information only for the purposes of providing services to us and are prohibited from using it for their own purposes.

b. Customers

Where Celavii collects Social Media Data on behalf of a Customer, we share that data with the Customer who directed the collection. If your publicly available social media data has been collected through the Services, the relevant Customer is the data controller for that data.

c. Within Your Organization

If you are an Authorized User within a Customer's organization, your account information and activity within the Services may be visible to other users within the same Workspace, including administrators, in accordance with the Customer's access configuration.

d. Legal and Safety Reasons

We may share personal information with law enforcement, governmental authorities, or other third parties where we believe disclosure is necessary to:

Comply with applicable law, regulation, court order, or legal process;
Protect the rights, property, or safety of Celavii, our Customers, or others;
Detect, prevent, or investigate fraud, security incidents, or violations of our terms;
Enforce our agreements; or
Respond to an emergency involving danger of death or serious physical injury.

e. Business Transfers

If Celavii is involved in a merger, acquisition, sale of assets, bankruptcy, reorganization, or similar transaction, personal information may be transferred as part of that transaction. We will provide notice before personal information is transferred and becomes subject to a different privacy policy.

f. With Consent

We may share personal information with third parties when you have given us your consent or directed us to do so.

g. Communication Gateway Platforms

When Customers use Communication Gateways, message content and metadata are transmitted to and processed by the third-party platform providers that operate those gateways. Specifically:

Platform	Provider	Data Shared
WhatsApp	Meta Platforms, Inc.	Message content, phone numbers, delivery metadata
Telegram	Telegram Messenger Inc.	Message content, usernames, bot interaction data
Discord	Discord Inc.	Message content, user IDs, channel data
Email	Customer's email provider	Message content, email addresses, headers

Celavii acts as a technology intermediary and does not control how these third-party providers process data after transmission. Customers should review each provider's privacy policy for details on their data practices. For more information, see the Terms of Service (Section 7(i)).

h. Aggregated or De-Identified Data

We may share aggregated or de-identified data that does not reasonably identify any individual, except as prohibited by applicable law.

5. Social Media Data and Creator Privacy

a. How Social Media Data is Collected

Celavii collects Social Media Data from publicly available sources on social media platforms, primarily Instagram and TikTok. This data is collected through third-party data collection services (such as Apify), whether initiated at a Customer's direction or by Celavii for data quality, coverage, or platform improvement purposes. Celavii does not access private or non-public social media content.

b. Communal Creator Database

A core feature of the Services is the Creator Database — a shared database of publicly available creator profile information that is accessible to all registered Customers. The Creator Database operates as follows:

Shared profile data: When any Customer initiates a data collection request through the Services, the resulting creator profile data (including usernames, display names, biographies, profile pictures, follower/following counts, engagement metrics, and publicly displayed contact information such as email addresses and website URLs) is added to the Creator Database and becomes accessible to all Customers of the Services.
Community growth: All Customers benefit from the collective growth of the Creator Database. This means that data collected at the direction of one Customer may be viewed and used by other Customers through the Services.
Private CRM data: While creator profile data in the Creator Database is shared, the following data is private and scoped exclusively to each Customer's organization: notes, tags, internal ratings, email communications, outreach history, campaign assignments, CRM records, lists, and other Customer-generated content ("Organization Data"). Organization Data is never shared with other Customers.

c. Celavii's Role

Celavii operates in a dual capacity with respect to data processed through the Services:

Celavii acts as an independent data controller with respect to the Creator Database. Celavii determines the purposes and means of collecting, maintaining, and making available publicly available creator profile information through the Services. Celavii's legitimate interests in operating the Creator Database include providing and improving the Services, enabling creator discovery and analytics, and maintaining data quality.
Celavii acts as a data processor with respect to Organization Data (notes, tags, CRM records, communications, and other Customer-generated content). Our Customers are the data controllers who determine the purposes and means of processing their Organization Data.
Celavii acts as a data controller for aggregated and de-identified insights derived from Social Media Data that do not identify specific individuals, which we use to improve the Services and AI models.

d. Creator Rights

If you are a creator or social media user whose publicly available data has been collected and stored in the Creator Database:

Access: You may request to know whether your data is stored in the Creator Database by contacting us at privacy@celavii.com.
Deletion: You may request deletion of your profile data from the Creator Database by contacting us at privacy@celavii.com. Because Celavii is the data controller for the Creator Database, we will process your request directly in accordance with applicable law. Deletion from the Creator Database will remove your profile data for all Customers.
Objection: You may object to the inclusion of your data in the Creator Database. We will assess your objection in accordance with applicable law.
Correction: You may request correction of inaccurate data in the Creator Database.
Opt-Out: You may request that your profile not be included in the Creator Database going forward. We will use reasonable efforts to honor opt-out requests, though we cannot guarantee that your publicly available data will not be re-collected if a Customer independently initiates a new collection request.

We will respond to creator rights requests within thirty (30) days of receipt, or within the timeframe required by applicable law, whichever is shorter. We may need to verify your identity before processing your request.

Please note that because Social Media Data is collected from publicly available sources, deleting data from the Creator Database does not remove the underlying data from the social media platform itself or from other services that may have collected the same publicly available data.

e. Data Classification and Legal Framework

Creator Database as a Platform Feature. The Creator Database is a core feature of the Celavii platform. Celavii collects publicly available creator profile information from Social Media Platforms, maintains this information in the Creator Database, and makes it available to Customers as part of the Services. Key characteristics:

Publicly available information only: All data in the Creator Database is collected exclusively from publicly available sources. Celavii does not access private accounts, direct messages, close friends lists, or any non-public content.
Celavii-controlled: Celavii determines what data is collected for the Creator Database, how it is organized, and how it is made available to Customers. Collection may be initiated by Customer requests or by Celavii's own systems for data quality and coverage purposes.
Licensed access: Customers access the Creator Database under a license granted through the Terms of Service. Customers may not export, bulk download, resell, or redistribute Creator Database content outside of the Services.
Organization Data is private: Customer-generated data (notes, tags, communications, CRM records) is never shared with other Customers and is processed by Celavii solely as a data processor.

Data Broker Registration. To the extent that any jurisdiction classifies Celavii's activities as those of a "data broker" under applicable state law (including but not limited to California Civil Code § 1798.99.80, Vermont 9 V.S.A. § 2446, and similar statutes), Celavii will comply with applicable registration requirements.

f. Third-Party Platform Policies

The Services interact with the following social media platforms, each of which has its own privacy policy:

Platform	Privacy Policy
Instagram	https://help.instagram.com/155833707900388
TikTok	https://www.tiktok.com/legal/page/us/privacy-policy/en

We encourage you to review the privacy policies of these platforms to understand how they handle your data.

6. Cookies and Tracking Technologies

a. What We Use

We and our service providers use cookies, pixels, scripts, and similar tracking technologies ("Cookies") to collect information about your use of the Services. These technologies help us:

Remember your preferences and settings;
Authenticate your identity and maintain your session;
Understand how you use the Services;
Measure the effectiveness of our marketing;
Provide and improve the Services; and
Detect and prevent fraud.

b. Types of Cookies

Type	Purpose	Duration
Strictly Necessary	Required for the Services to function (authentication, security, payment processing)	Session or up to 2 years
Analytics	Help us understand how the Services are used and improve performance	Up to 2 years
Functional	Remember your preferences and settings	Up to 1 year
Marketing	Measure advertising effectiveness and deliver relevant ads	Up to 90 days

c. Specific Technologies

Technology	Type	Purpose
Stripe	Strictly Necessary	Payment fraud prevention
Cloudflare	Strictly Necessary	Bot detection and traffic management
PostHog	Analytics	Product usage analytics
Vercel Analytics	Analytics	Performance monitoring

d. Your Cookie Choices

Most browsers allow you to control cookies through your browser settings. You can:

Set your browser to notify you when you receive a cookie;
Disable or delete existing cookies;
Set your browser to automatically reject cookies.

Please note that disabling cookies may impact the functionality of the Services. Some features may not work properly without certain cookies.

e. Do Not Track

Some browsers transmit "Do Not Track" (DNT) signals to websites. There is currently no industry standard for how websites should respond to DNT signals. Accordingly, the Services do not currently respond to DNT signals. However, you may manage your cookie preferences as described above.

7. Data Retention and Security

a. Retention

We retain personal information for as long as reasonably necessary to fulfill the purposes for which it was collected, including:

Data Type	Retention Period
Account information	Duration of the account plus 60 days after closure
Customer Data	Duration of the subscription; deleted immediately upon termination or expiration (Customer is responsible for exporting data prior to termination)
Creator Database Data	As long as the creator's social media profile is publicly available, subject to creator opt-out requests under Section 5(d)
Social Media Data	As long as the Customer's account is active, subject to Customer's data management
Payment records	As required by applicable tax and accounting laws (typically 7 years)
Usage and analytics data	Up to 24 months, then aggregated or deleted
Marketing communications	Until you unsubscribe, plus records of opt-out preferences
Support communications	Duration of the account plus 12 months

When we no longer need to retain personal information, we will securely delete, destroy, or anonymize it in accordance with our data retention policies and applicable law.

b. Security

Celavii implements appropriate technical and organizational security measures designed to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction. These measures include:

Encryption: Data encrypted in transit (TLS 1.2+) and at rest;
Access controls: Role-based access controls with principle of least privilege;
Authentication: Multi-factor authentication support and secure session management;
Infrastructure: Cloud infrastructure with enterprise-grade security provided by Supabase and Vercel;
Monitoring: Continuous monitoring for security incidents and anomalies; and
Incident response: Documented incident response procedures.

However, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee the absolute security of your personal information. You are responsible for maintaining the confidentiality of your account credentials and should notify us immediately at security@celavii.com if you believe your credentials have been compromised.

8. Your Data Protection Rights

Depending on your location and applicable law, you may have certain rights regarding your personal information:

a. Rights Available to All Users

Access: Request information about the personal information we hold about you.
Correction: Request correction of inaccurate or incomplete personal information.
Deletion: Request deletion of your personal information, subject to certain exceptions.
Data Portability: Request a copy of your personal information in a structured, commonly used, machine-readable format.
Opt-Out of Marketing: Opt out of promotional communications at any time.
Account Data Export: Export your Customer Data through the features available in the Services.

b. Additional Rights for EEA, UK, and Swiss Residents

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you also have the right to:

Object to processing of your personal information based on legitimate interests;
Restrict processing of your personal information in certain circumstances;
Withdraw consent at any time where processing is based on consent (without affecting the lawfulness of processing before withdrawal); and
Lodge a complaint with your local data protection authority.

c. Additional Rights for California Residents

If you are a California resident, under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), you have the right to:

Know what personal information we collect, use, disclose, and sell;
Delete personal information we have collected from you;
Correct inaccurate personal information;
Opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising;
Limit use of sensitive personal information; and
Non-discrimination for exercising your privacy rights.

Notice of Collection: In the preceding 12 months, we have collected the following categories of personal information: identifiers; customer records; commercial information; internet or other electronic network activity information; geolocation data; professional or employment-related information; and inferences.

Sale and Sharing: Celavii operates the Creator Database as a core platform feature, making publicly available creator profile information accessible to all registered Customers of the Services. Celavii does not "sell" or "share" personal information to unrelated third parties for monetary consideration outside of the Services. With respect to the Creator Database, Celavii acts as an independent data controller — not as a service provider processing data on behalf of a single business. The Creator Database is a communal resource that all Customers access under a license through the Services.

With respect to Organization Data (notes, tags, CRM records, communications, and other Customer-generated content), Celavii acts as a service provider as defined under Cal. Civ. Code § 1798.140(ag), processing such data solely on behalf of, and at the direction of, the Customer pursuant to the Terms of Service and Data Processing Addendum.

To the extent any activity could be construed as a "sale" or "sharing" under the CCPA, creators may opt out of inclusion in the Creator Database by contacting us at privacy@celavii.com. See Section 5(d) for creator rights.

d. Additional Rights for Colorado, Virginia, and Other US State Residents

Residents of Colorado, Virginia, Connecticut, Utah, and other states with comprehensive privacy laws may have similar rights to those described for California residents above, including rights to access, correct, delete, and opt out of certain processing activities. To exercise these rights, please contact us at privacy@celavii.com.

e. How to Exercise Your Rights

To exercise any of your privacy rights, you may:

Email us at privacy@celavii.com;
Submit a request through your account settings within the Services; or
Write to us at the address provided in Section 14.

We will respond to your request within the timeframe required by applicable law (generally 30 days for GDPR requests and 45 days for CCPA requests). We may need to verify your identity before processing your request. If we are unable to verify your identity, we may deny your request.

If you are submitting a request regarding Social Media Data that was collected on behalf of a Customer, we may need to forward your request to the relevant Customer for handling, as they are the data controller for that data.

9. Legal Bases for Processing (EEA, UK, and Swiss Users)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process your personal information based on the following legal bases:

Purpose	Legal Basis
Providing the Services and managing your account	Performance of a contract (our Terms of Service)
Processing payments	Performance of a contract
Service-related communications	Performance of a contract
Improving the Services and conducting research	Legitimate interests (improving and developing our Services)
Analytics and usage monitoring	Legitimate interests (understanding how the Services are used)
Security and fraud prevention	Legitimate interests (protecting our Services and users); Legal obligation
Enforcing our terms and agreements	Legitimate interests (enforcing our legal rights)
Complying with legal obligations	Legal obligation
Marketing communications	Consent (where required) or Legitimate interests (promoting our Services)
Processing Social Media Data on behalf of Customers	Performance of a contract with the Customer; Legitimate interests of the Customer
Training AI models with aggregated/de-identified data	Legitimate interests (improving AI capabilities and the Services)
Training AI models with AI Studio Inputs and Outputs	Legitimate interests (improving AI capabilities); Consent (license granted by Customer under Terms of Service Section 7(f)(iii))

Where we rely on legitimate interests, we have assessed that these interests are not overridden by your data protection rights and freedoms. If you have questions about the legal basis for processing, please contact us at privacy@celavii.com.

10. International Data Transfers

a. Where We Process Data

Celavii is headquartered in the United States. When you use the Services, your personal information may be transferred to, stored, and processed in the United States and other countries where we or our service providers maintain facilities. These countries may have data protection laws that differ from the laws of your country.

b. Safeguards for International Transfers

Where personal information is transferred outside the European Economic Area, the United Kingdom, or Switzerland, we ensure appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs): We use European Commission-approved Standard Contractual Clauses (and the UK Addendum, where applicable) for transfers of personal information to countries without an adequacy decision.
Adequacy Decisions: Where available, we rely on adequacy decisions from the European Commission recognizing that certain countries provide an adequate level of data protection.
Contractual Protections: Our agreements with service providers include data protection obligations consistent with applicable law.

If you wish to inquire further about the safeguards we use for international transfers, please contact us at privacy@celavii.com.

11. Sensitive Personal Information

Celavii does not intentionally collect or process sensitive personal information (also known as "special categories of data" under GDPR), including information about racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or sexual orientation.

Our Terms of Service prohibit Customers from submitting protected health information (as defined by HIPAA) through the Services without a separate Business Associate Agreement, and from storing payment cardholder information without prior written approval.

If you believe that sensitive personal information has been inadvertently collected through the Services, please contact us at privacy@celavii.com and we will take appropriate steps to address the matter.

12. Children's Privacy

The Services are not directed to, and we do not knowingly collect personal information from, children under the age of 13 (or 16 in the EEA/UK, or 18 for certain jurisdictions). All users of the Services must be at least 18 years of age, as specified in our Terms of Service.

If you believe that we have collected personal information from a child in violation of applicable law, please contact us at privacy@celavii.com and we will promptly investigate and, if appropriate, delete the information.

We do not knowingly "sell" or "share," as those terms are defined under the CCPA, the personal information of minors under 16 years of age who are California residents.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. When we make material changes, we will:

Update the "Last Modified" date at the top of this Privacy Policy;
Provide notice through the Services or by email to the address associated with your account; and
Where required by applicable law, obtain your consent to the changes.

We encourage you to review this Privacy Policy periodically. Your continued use of the Services after the effective date of the revised Privacy Policy constitutes your acceptance of the changes.

14. Contact Us

If you have questions about this Privacy Policy, our privacy practices, or wish to exercise your data protection rights, please contact us:

Celavii, Inc.

Privacy inquiries: privacy@celavii.com
Security issues: security@celavii.com
General legal: legal@celavii.com
Website: https://celavii.com

If you are located in the European Economic Area, the United Kingdom, or Switzerland, and you have a privacy concern that we have not satisfactorily addressed, you have the right to lodge a complaint with your local data protection authority. A list of EU data protection authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en. The UK supervisory authority is the Information Commissioner's Office (https://ico.org.uk/).

15. Additional Disclosures

a. Nevada Residents

Nevada law (SB 220) permits Nevada residents to opt out of the sale of certain personal information. Celavii does not sell your personal information as defined under Nevada law. If you are a Nevada resident and wish to obtain information about our compliance with Nevada law, please contact us at privacy@celavii.com.

b. Brazil Residents

If you are located in Brazil, the Brazilian General Data Protection Law (LGPD) grants you certain rights regarding your personal data, including the right to confirmation, access, correction, anonymization, portability, deletion, information about sharing, and withdrawal of consent. To exercise these rights, please contact us at privacy@celavii.com.

c. Canada Residents

By using the Services, you acknowledge and consent to the collection, use, processing, and disclosure of your personal information in accordance with this Privacy Policy. Your personal information may be transferred to or processed in the United States. You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice, by contacting us at privacy@celavii.com.

d. CAN-SPAM Compliance (US Users)

We may send periodic promotional or informational emails to you. You may opt out of promotional communications by following the unsubscribe instructions in the email. Please note that it may take up to 10 business days to process opt-out requests. Even if you opt out of promotional emails, we may still send you service-related communications about your account or the Services.

16. Information for Creators Not Using the Services

If you are a creator or social media user who does not have a Celavii account, but whose publicly available social media data may have been collected through the Services at a Customer's direction, please note the following:

a. What Data May Be Collected

The Services may collect publicly available information from your social media profiles, including your username, display name, profile picture, biography, follower/following counts, posts, engagement metrics, and publicly displayed contact information. This data is sourced only from publicly available content on social media platforms.

b. Why This Data Is Collected

This data is collected at the direction of Celavii's Customers (brands, agencies, and marketing teams) for purposes including creator discovery, campaign planning, performance analysis, and relationship management.

c. Who Is Responsible

With respect to the Creator Database (shared creator profile data), Celavii is the independent data controller. Celavii determines the purposes and means of collecting, maintaining, and making available publicly available creator profile information. With respect to Organization Data (notes, tags, CRM records, and other Customer-generated content), the Customer who directed the collection is the data controller, and Celavii processes such data on the Customer's behalf as a data processor. For more details, see Section 5(c).

d. Your Rights

You have the right to request access to, correction of, or deletion of your data. To exercise these rights, please contact us at privacy@celavii.com. We will process your request in accordance with applicable law, which may require coordination with the relevant Customer.

e. Opting Out

If you would like to opt out of having your publicly available social media data collected through the Services, please contact us at privacy@celavii.com with your social media username(s) and platform(s). We will make reasonable efforts to honor your request, subject to applicable legal requirements and our contractual obligations to Customers.