CreateCrew
Post a Job

Privacy Policy

Last updated: May 23, 2026

CreateCrew complies with the Digital Personal Data Protection Act, 2023 (DPDPA) and the Information Technology Act, 2000. This policy explains what we collect, why, and the controls you have.

1. Information We Collect

When you use CreateCrew, we collect:

  • Account information: Your name, email address, and profile photo from your Google account when you sign in.
  • Profile information: Display name, username, bio, headline, skills, location (city/state), avatar, portfolio links, and social media URLs you provide.
  • Content: Gig listings, job posts, proposals, and portfolio samples you create on the Platform.
  • Usage data: Pages visited, features used, and timestamps of actions (job views, proposal submissions, etc.).
  • Contact information: Contact email and WhatsApp number if you choose to provide them for the contact bridge feature.
  • Technical data: IP address, device identifiers, and browser type captured by our hosting infrastructure (Supabase and Vercel) for security, fraud prevention, and abuse investigation.

2. How We Use Your Information

  • To create and manage your account.
  • To display your profile, gigs, and jobs to other users on the Platform.
  • To facilitate connections between Creators and Freelancers (including sharing contact information when a Creator shortlists and reveals your contact).
  • To send transactional emails (proposal notifications, shortlist alerts, connection requests).
  • To investigate reports of policy violations and prevent abuse on the Platform.
  • To improve the Platform based on usage patterns.

3. Information Sharing

We share your information only in these cases:

  • Public profiles: Your display name, headline, bio, skills, location, gigs, and portfolio are visible to all users once your profile is public.
  • Contact reveal: When a Creator shortlists your proposal and reveals your contact, they can see your contact email and WhatsApp number (if provided).
  • Service providers: We use Supabase (database and authentication), Vercel (hosting), Upstash (rate-limit cache), and Resend (email delivery). These providers process data on our behalf under their own privacy policies.
  • Law enforcement and legal requirements: We may disclose information when required by a valid order under the Code of Criminal Procedure §91, the IT Act §69, or any other applicable law, and to protect the safety and rights of users.

We do not sell your personal information to third parties.

4. Data Storage and Security

Your data is stored on Supabase servers with Row Level Security (RLS) policies that restrict access to authorized users. Authentication uses secure JWT tokens. All data transmission uses HTTPS. Reports, admin audit logs, and contract events are immutable — they cannot be modified or deleted from the application layer — to preserve evidence for fraud investigation and legal compliance. While we take reasonable measures to protect your data, no system is completely secure.

5. Cookies and Authentication

We use only essential cookies. We do not use third-party tracking or advertising cookies. The cookies we set are:

  • Supabase auth session cookies (sb-*) — keep you signed in.
  • cc_active_role — remembers whether you’re viewing as Creator or Freelancer (httpOnly, 365 days).
  • Vercel infrastructure cookies — used by our hosting platform for routing and security.

Google OAuth is used for authentication — Google’s privacy practices are governed by their own privacy policy.

6. Your Rights and Data Retention

  • Access: You can view all your data through your profile and settings pages.
  • Update: You can edit your profile information at any time through Settings.
  • Delete: You can delete your account through Settings. This performs a soft delete — your profile becomes invisible to other users immediately. After 12 months, identifying fields (name, email, avatar) are anonymized while structural records (audit log references, reports involving you) are retained for legal compliance.
  • Withdraw consent: Email support@createcrew.online and we will act within 15 days as required under the DPDPA, 2023.

Retention windows:

  • Active account data: kept while your account is active.
  • Soft-deleted profiles: 12 months, then identifying fields anonymized.
  • Archived gigs and closed jobs: retained for moderation reference (not publicly visible).
  • Reports and report notes: 24 months, then the free-text fields are anonymized.
  • Admin audit log and contract events: retained indefinitely as required for fraud and legal compliance.
  • Beta feedback: 12 months, then deleted.
  • Images flagged in reports: up to 24 months in a restricted bucket for evidence preservation.

7. Age Requirement

CreateCrew is intended for users aged 18 and above. The Indian Contract Act, 1872 requires parties to a contract to be of legal age, and the DPDPA, 2023 requires parental consent for users under 18. If you believe a user under 18 has registered, please report it to support@createcrew.online and we will act within 24 hours.

8. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via in-app banner or email at least 7 days before they take effect. Continued use after the effective date constitutes acceptance.

9. Contact

For privacy-related questions or requests, contact us at support@createcrew.online.

10. Grievance Officer

Per Rule 3(2) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, our Grievance Officer can be reached at support@createcrew.online. Complaints will be acknowledged within 24 hours and resolved within 15 days.

← Back to CreateCrew