(Last updated — January 2026)

1. About Us

CreatorPad, Inc. (operating as "Grapevyn") 2810 N Church St, Wilmington, DE 19802, USA Email: hello@grapevyn.com

CreatorPad, Inc. ("Grapevyn," "we," "us") provides a WhatsApp-based referral, loyalty, and marketing platform for local businesses ("Merchants"). Under the EU General Data Protection Regulation ("GDPR"):

a) We act as Data Controller for Merchant contact details, billing data, and website analytics.
b) We act as Data Processor for end-customer phone numbers and reward events processed on behalf of a Merchant.

2. Scope of This Policy

This Policy explains what personal data we collect, how we use it, with whom we share it, and the choices you have. It applies to:

a) Merchants who sign up for Grapevyn.
b) End-customers ("Referrers" and "Friends") who interact with Grapevyn via WhatsApp or QR landing pages.
c) Visitors to grapevyn.com and related landing pages.

3. Data We Collect

a) Merchant Data — owner name, business name and address, email, phone, VAT/EIN, Stripe customer ID.
b) Customer Data — phone numbers, referral links, redemption tokens, reward status, loyalty progress, language preference.
c) Staff Data — staff phone numbers added to a store WhatsApp thread for reward verification.
d) Technical Data — IP address, device type, browser user-agent, WhatsApp ID, QR-scan timestamps.
e) Website & Cookie Data — page views, UTM parameters, first-party cookie ID.

We do not knowingly collect special-category data or data from children under 16. If you believe a child's data has been submitted, please email us for deletion.

4. How We Use Data — Legal Bases

a) Provide, secure, and improve the Service — Art 6(1)(b) contract.
b) Process payments and send invoices — Art 6(1)(b) contract.
c) Send transactional WhatsApp messages (links, rewards, loyalty updates) — Art 6(1)(b) contract.
d) Detect and prevent fraud — Art 6(1)(f) legitimate interest.
e) Send product-update emails to Merchants — Art 6(1)(f) legitimate interest (opt-out anytime).
f) Comply with tax, accounting, and legal requests — Art 6(1)(c) legal obligation.

We never sell or rent personal data.

5. Sharing and Sub-Processors

We share data only with providers essential to the Service:

a) Stripe — payments & billing
b) Lovable — application hosting
c) Supabase — database
d) Resend — transactional email delivery
e) OpenAI — language-model processing (no phone numbers or personal data included in prompts)

All Sub-processors are bound by GDPR-equivalent terms. A current list is maintained at grapevyn.com/legal/subprocessors. Future additions will be posted there at least 30 days before activation.

6. International Transfers

Primary storage is in the EU. When data is transferred to the USA (for example, to Stripe, Resend, or OpenAI), we rely on the EU Standard Contractual Clauses and supplementary safeguards.

7. Data Retention

a) Merchant billing records — 7 years (tax law).
b) Customer phone numbers & reward events — deleted 30 days after Merchant account closure unless the Merchant requests earlier deletion.
c) Logs and analytics — retained 12 months, then anonymized.

8. Security

a) TLS 1.2+ encryption in transit.
b) AES-256 encryption at rest.
c) Role-based access; least-privilege principle.
d) Encrypted daily backups (7-day retention).
e) Continuous infrastructure monitoring and intrusion alerts.
f) Breach-notification plan: we notify affected Controllers without undue delay and within 72 hours of confirmation.

9. Your Rights (EEA / UK / Swiss Residents)

You may:

a) Access the personal data we hold about you.
b) Request correction of inaccurate data.
c) Request deletion ("right to be forgotten").
d) Restrict or object to processing.
e) Request a machine-readable copy (data portability).

Submit requests to hello@grapevyn.com. We may verify your identity before responding. You have the right to lodge a complaint with your local supervisory authority (e.g., UODO in Poland, CNIL in France, ICO in the UK).

10. Marketing Communications

Merchants may receive occasional product-update emails or WhatsApp messages. Unsubscribe at any time via the link in the email or by replying "STOP" in WhatsApp.

We do not send marketing messages to end-customers unless the Merchant has separately obtained valid consent.

11. Cookies & Tracking

Grapevyn sets one first-party cookie to remember language and UTM parameters. We do not use third-party advertising or cross-site cookies. Basic visit analytics employ anonymized IP truncation.

12. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be announced by email or WhatsApp at least 30 days before taking effect. Continued use of the Service after that date constitutes acceptance.

13. Contact

CreatorPad, Inc. (operating as "Grapevyn") 2810 N Church St, Wilmington, DE 19802, USA Email: hello@grapevyn.com