GDPR Compliance
Cresva, Inc. is committed to protecting the rights and freedoms of data subjects under the General Data Protection Regulation (EU) 2016/679 and the UK GDPR. This page explains how we comply with our obligations.
Legal name: Cresva, Inc. • Privacy Contact: hello@cresva.ai
Quick Summary for EU/UK Residents
We process your data lawfully under GDPR, support all data subject rights, use Standard Contractual Clauses for international transfers, and will notify you of breaches within 72 hours. We do not sell your personal data.
1. Scope & applicability
This page applies to all individuals located in the European Economic Area (EEA) and the United Kingdom who use Cresva's services or whose personal data we process.
GDPR applies when:
- You are located in the EU/UK and use our Service
- We process personal data of EU/UK residents on behalf of our customers
- We offer services to individuals in the EU/UK market
Where Cresva acts as a data processor on behalf of a customer (the data controller), the terms of our Data Processing Agreement (DPA) govern that relationship.
2. Data controller
For personal data processed through our platform, Cresva acts in the following capacities:
Data Controller
For account data, billing information, website analytics, and marketing communications. We determine the purposes and means of processing this data.
Data Processor
For customer marketing data (ad platform data, campaign metrics). Our customers are the controllers of this data; we process it on their behalf under a DPA.
Controller contact: Cresva, Inc., Email: hello@cresva.ai
3. Legal basis for processing
Under Article 6 of the GDPR, we process personal data only when we have a valid legal basis. The bases we rely on are:
Art. 6(1)(b) – Contract Performance
Processing necessary to provide the Service you signed up for: account management, analytics dashboards, forecasts, AI-powered insights, and customer support.
Art. 6(1)(f) – Legitimate Interests
Processing for fraud prevention, security, product improvement, and aggregated analytics. We balance our interests against your rights and provide opt-out mechanisms.
Art. 6(1)(a) – Consent
For optional cookies, marketing emails, and AI model training on your individual data. You may withdraw consent at any time without affecting prior processing.
Art. 6(1)(c) – Legal Obligation
Processing required to comply with tax, accounting, and regulatory obligations.
Legitimate Interest Assessments (LIAs): We conduct LIAs for all processing based on legitimate interests and can provide these upon request. Email hello@cresva.ai to request a copy.
4. Data we collect
For a comprehensive list of data categories, please refer to Section 1 of our Privacy Policy. In summary, the personal data we collect includes:
- Identity Data: Name, email, company name, Google profile
- Platform Data: OAuth tokens, ad performance metrics (read-only)
- Usage Data: Feature interactions, chat queries, report requests
- Technical Data: IP address, browser, device info, logs
- Billing Data: Processed by Stripe; no full card numbers stored
- Communications: Support tickets, feedback, emails
Data minimization: We only collect data that is necessary for the purposes described. We do not collect special category data (Art. 9) unless explicitly required and consented to.
5. Purposes of processing
We process personal data for the following specific purposes:
- Service delivery: Providing analytics, forecasts, AI insights, and dashboard functionality
- Account administration: Managing your account, authentication, team permissions
- Product improvement: Analyzing usage patterns, fixing bugs, developing features (aggregated data)
- Security & fraud prevention: Detecting threats, preventing unauthorized access, monitoring anomalies
- Communications: Service notifications, billing, security alerts, and (with consent) marketing
- Legal compliance: Tax obligations, regulatory requirements, legal proceedings
6. AI & automated decisions
🤖 Automated Processing Under GDPR
Cresva uses AI to analyze marketing data and generate insights. Under Article 22 of the GDPR, you have rights related to automated decision-making.
Our commitments:
- No solely automated decisions with legal effects - our AI provides recommendations and insights, not binding decisions that affect your legal rights
- Human oversight - all AI outputs are advisory; users retain full control over marketing decisions
- Transparency - we clearly label AI-generated content and provide explanations of how insights are derived
- Right to contest - you may request human review of any AI-generated insight or recommendation
AI training: We do not use your individual data to train general AI models without your explicit opt-in consent. See Section 4 of our Privacy Policy for full details.
7. Your GDPR rights
Under Chapters III and IV of the GDPR, you have the following rights:
- Right of Access (Art. 15): Obtain a copy of your personal data and processing details
- Right to Rectification (Art. 16): Correct inaccurate or incomplete personal data
- Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
- Right to Restrict Processing (Art. 18): Limit how we process your data
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
- Right to Object (Art. 21): Object to processing based on legitimate interests or direct marketing
- Rights re: Automated Decisions (Art. 22): Not be subject to solely automated decisions; request human review
- Right to Withdraw Consent: Withdraw consent at any time for consent-based processing
How to exercise your rights:
Email: hello@cresva.ai
Response time: Within 30 days (extendable by 60 days for complex requests, with notice)
Verification: We may need to verify your identity before processing
Supervisory authority: You have the right to lodge a complaint with your local Data Protection Authority
8. International transfers
Cresva is incorporated in the United States. When we transfer personal data from the EU/UK to the US, we implement appropriate safeguards as required by Chapter V of the GDPR.
Standard Contractual Clauses (SCCs)
We use the European Commission's approved SCCs (2021/914) for all transfers of personal data to the US. These clauses are incorporated into our DPAs with customers and subprocessors.
Supplementary Measures
In addition to SCCs, we implement: encryption in transit and at rest, strict access controls, pseudonymization where possible, and regular security assessments.
Transfer Impact Assessment
We conduct Transfer Impact Assessments (TIAs) for data transfers to evaluate the legal framework in the receiving country and ensure adequate protection.
9. Data retention
Under GDPR's storage limitation principle (Art. 5(1)(e)), we retain personal data only as long as necessary for the purposes it was collected:
Retention Periods
- Active account data: Duration of the account plus 30 days
- Backups: Purged within 90 days after account deletion
- Billing records: 7 years (legal/tax obligation)
- Anonymized analytics: Retained indefinitely (no personal data)
- Support communications: 2 years after resolution
Request deletion: Visit /data-deletion or email hello@cresva.ai
10. Subprocessors
Under Article 28 of the GDPR, we maintain a list of subprocessors who process personal data on our behalf. All subprocessors have signed DPAs with SCCs.
Current Subprocessors
- Vercel - Hosting & infrastructure (US)
- AWS / Google Cloud - Cloud storage & compute (US)
- Stripe - Payment processing (US)
- OpenAI / Anthropic - AI services with DPAs (US)
- PostHog - Product analytics (US/EU)
- SendGrid / Resend - Transactional email (US)
Subprocessor changes: We will notify customers of any new subprocessors at least 30 days before engagement, giving you the right to object per the terms of your DPA.
11. Breach notification
In compliance with Articles 33 and 34 of the GDPR, we have established breach notification procedures:
Our Breach Notification Commitments
- Supervisory authority: Notified within 72 hours of becoming aware of a breach (Art. 33)
- Affected individuals: Notified without undue delay if high risk to rights and freedoms (Art. 34)
- Customers (as processors): Notified within 48 hours per our DPA terms
- Notification includes: Nature of breach, data affected, likely consequences, and remedial measures taken
12. Contact & DPO
GDPR questions or data subject requests?
Contact our privacy team for any GDPR-related queries or to exercise your rights.
Supervisory authorities: If you are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority. A list of EU DPAs is available at edpb.europa.eu.