Privacy Policy

KreatOS is operated by 2HAAS Ltd, a company registered in the United Kingdom. We are the data controller for the personal information you provide when using our platform. If you have any questions about this policy or how we handle your data, contact us at [email protected].

We collect information when you create an account, use the platform, or contact us for support.

Account and profile information

When you sign up, we collect your name, email address, and a password. You may also provide a display name and profile picture. If you are part of a team, we store your role and the permissions assigned to you by your workspace administrator.

Content you create

We store the posts, captions, images, videos, and other content you compose or upload through KreatOS — including drafts, scheduled posts, published post records, and any version history you generate while editing. This content belongs to you at all times.

Billing and payment information

When you subscribe to a paid plan, we collect your billing details. Full payment card processing is handled by our payment partners (Stripe, bKash, Nagad, or SSLCommerz) — we do not store your full card number on our servers. We retain payment history records (amounts, dates, invoice references) for accounting and support purposes.

Usage and technical data

We automatically collect certain technical information when you use KreatOS: your IP address, browser type, device type, operating system, and the pages or features you interact with. This helps us keep the platform running reliably and improve the experience over time.

We use the information we collect for the following purposes:

• To provide the service — authenticating your account, publishing your scheduled content to connected social media accounts, and making your workspace available to you and your team.
• To communicate with you — sending transactional emails such as password resets, invoice receipts, approval notifications, and important account updates. We do not send unsolicited marketing emails without your opt-in.
• To show you performance data — pulling analytics from your connected social media accounts so you can view reach, engagement, and other metrics inside KreatOS.
• To improve the platform — analysing aggregated, anonymised usage patterns to understand how features are used and where we can improve.
• To keep the platform safe — detecting and preventing fraud, abuse, and security threats.
• To meet legal obligations — retaining records as required by applicable law, and responding to lawful requests from authorities.

We never sell your personal data to third parties, and we never use your content to train machine learning models.

We share personal information only in the following circumstances:

• With your connected social platforms — when you schedule or publish a post, we transmit your content to the platform you chose (e.g. Facebook, Instagram, TikTok). This is the core function of the service.
• With your team members — members of your workspace can see content, analytics, and account information according to the permissions your workspace administrator has set.
• With payment processors — your billing details are passed to our payment partners to process your subscription. Each partner is bound by its own privacy and security standards.
• With our infrastructure providers — we use cloud hosting, storage, and email delivery services to run KreatOS. These providers process data only under our instructions and are contractually bound to protect it.
• When required by law — we may disclose information to respond to a court order, comply with a legal obligation, or protect the rights and safety of our users.
• In a business transfer — if KreatOS is acquired or merged with another company, your data may be transferred as part of that transaction. We will notify you before this happens.

KreatOS lets you connect social media accounts so you can manage and publish content from one place. We support Facebook, Instagram, Threads, TikTok, YouTube, LinkedIn, X (Twitter), Pinterest, Reddit, Shopify, WordPress.com, and custom blog platforms.

When you connect an account, you authorise KreatOS to act on your behalf on that platform. We store a secure access credential provided by the platform that allows us to publish content and retrieve performance data on your behalf. We only request the level of access needed to deliver the features you use, and we never access your private messages, contacts, or any data not related to the content you are managing.

For each connected account, we may store: the account name and profile picture shown in the platform, a unique account identifier assigned by the platform, and performance metrics (such as reach, impressions, and engagement) for posts published through KreatOS.

You can disconnect any social account at any time from Settings > Integrations. When you disconnect, we immediately revoke our access and delete the stored credentials for that account.

We use browser storage (cookies and local storage) only to keep you signed in and remember your preferences. We do not use advertising cookies, third-party tracking pixels, or any technology that tracks you across other websites.

If you check “Remember me” at sign-in, your session is stored in your browser's persistent storage so you stay signed in between sessions. If you do not, your session is stored only for the duration of the browser tab and clears when you close it.

You can clear cookies and local storage at any time from your browser settings. Doing so will sign you out of KreatOS.

We keep your personal data for as long as your account is active, or as long as is necessary to provide you with the service.

• Account and content data — retained while your account is open. After you delete your account, your personal data is permanently removed within 30 days.
• Social account credentials — deleted immediately when you disconnect an account, or within 30 days of account deletion.
• Analytics and performance data — retained for up to 24 months on a rolling basis, and deleted when you disconnect the associated social account.
• Payment records — retained for 7 years as required by financial regulations.
• Error and access logs — retained for 30 days for security and debugging, then permanently deleted.

When we delete data, it is removed from our systems and from our backup rotation within 90 days.

Depending on where you live, you may have certain rights regarding your personal data. We honour these rights regardless of your location.

• Access — you can request a copy of the personal data we hold about you.
• Correction — you can update your name, email, and other profile information at any time from your account settings.
• Deletion — you can delete your account from Settings > Account, or email us to request deletion of specific data. We will process your request within 30 days.
• Portability — you can request your personal data in a portable format.
• Objection — you can object to certain types of processing, including any profiling we may carry out.
• Restriction — you can ask us to pause processing your data in certain circumstances.
• Withdraw consent — where we rely on your consent to process data, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email [email protected]. We respond within 30 days. If you are in the EU or UK and feel we have not adequately addressed your request, you have the right to lodge a complaint with your local data protection authority.

We take the security of your data seriously and apply industry-standard measures throughout our platform:

• All data in transit is encrypted using TLS (Transport Layer Security).
• Sensitive data stored in our database — including social media access credentials — is encrypted at rest.
• Passwords are never stored in plain text; they are hashed using industry-standard algorithms.
• Access to our production systems is restricted to authorised staff and protected by multi-factor authentication.
• We conduct regular security reviews of our codebase and infrastructure.

No system is completely immune to security risks. If you discover a vulnerability in KreatOS, please report it to [email protected] before disclosing it publicly. We will acknowledge your report within 24 hours.

KreatOS is operated from the United Kingdom. If you are accessing the service from outside the UK, your information will be transferred to and processed in the UK, and potentially in other countries where our infrastructure or service providers operate. We ensure that any such transfers are governed by appropriate safeguards, such as Standard Contractual Clauses, in accordance with applicable data protection law.

KreatOS is not intended for children under 13 years of age (or under 16 in the European Economic Area). We do not knowingly collect personal information from children. If you believe a child has provided us with their personal information, please contact us at [email protected] and we will promptly delete it.

You have two ways to remove your data from KreatOS:

• Delete your KreatOS account — go to Settings > Account > Delete account. All your personal data, content, and connected account credentials will be permanently removed within 30 days.
• Disconnect a social account — go to Settings > Integrations and disconnect any platform. We immediately revoke our access and delete the stored credentials for that account.

For Facebook, Instagram, and Threads specifically, you can also trigger data deletion directly from your Meta account settings. When you remove KreatOS from your app list there, Meta notifies us automatically and we begin the deletion process. You can check the status of any such request at kreatos.2haas.com/data-deletion.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and display a notice in the app at least 14 days before the changes take effect. The effective date at the top of this page will always reflect the most recent version. Continued use of KreatOS after the effective date means you accept the updated policy.