createa.meme

Privacy Policy

What data we collect, why, and who we share it with.

Last updated: May 2026.

This policy explains what personal data the Createa Meme API ("we", "us", "the Service") collects from you, why we collect it, and your rights over it.

1. Data we collect

Account data. Your email address, the timestamp of account creation, your subscription tier, and your billing email if different.

API usage data. For every API request we log: a request ID, your API key ID (not the secret), the endpoint, status code, response time, IP address, and User-Agent header. We use this to enforce rate limits, detect abuse, and bill credits accurately.

Prompt and caption content. Text you submit to caption-writing or image-generation endpoints is sent to third-party model providers (see Section 3). We retain prompts in our logs for up to 30 days for abuse investigation, then delete them.

Generated content. Memes you generate are stored on our CDN under URLs only you (and anyone you share the URL with) can access. We retain them for 90 days unless you delete them sooner; on Pro and higher plans, retention may be extended.

Payment data. If you subscribe, Stripe collects and stores your payment method. We never see or store your full card number — we only receive a Stripe customer ID, the last four digits, brand, and expiry.

Cookies. The dashboard uses a single session cookie (Supabase Auth) and does not use third-party advertising cookies.

2. Why we collect it

Purpose | Legal basis (GDPR)
Operating the Service (account, generation, delivery) | Performance of contract
Billing | Performance of contract
Rate limiting and abuse detection | Legitimate interest
Fraud prevention | Legitimate interest
Legal compliance (DMCA, court orders) | Legal obligation
Aggregated, anonymized analytics | Legitimate interest

We do not sell your personal data, and we do not use prompts or generated content to train any model.

3. Third parties we share data with

To operate the Service, we route data through these processors. Each is bound by its own terms; we link them so you can review.

  • Supabase — authentication and primary database (your email, hashed API keys, usage rows).
  • Vercel — application hosting; serves all API and dashboard traffic.
  • Upstash Redis — rate-limit counters keyed on your API key ID and IP address.
  • Stripe — payment processing for paid plans.
  • OpenAI — receives caption prompts and image-generation prompts when you call models in the gpt-* family. OpenAI's API terms state inputs are not used to train their models.
  • Anthropic — receives caption prompts when you call models in the claude-* family. Same training-disclaimer policy.
  • xAI — receives caption prompts when you call models in the grok-* family.
  • Cloudflare — provides the Turnstile captcha on signup and (where configured) DNS / DDoS protection.

When you submit a prompt, the prompt text is sent to the provider whose model you selected. Treat prompts as you would treat any data sent to an external SaaS — don't include secrets, customer PII, or anything you wouldn't be comfortable having a third party process.

4. Data retention

Data | Retention
Account record | Until you delete your account, then 30 days for billing reconciliation
API logs (request metadata) | 90 days
Prompts (text content) | 30 days
Generated meme files | 90 days (longer on paid plans, see plan details)
Stripe billing records | As required by tax law (typically 7 years)
DMCA / abuse case records | 2 years

5. Your rights

If you are in the EEA, UK, or California, you have the right to:

  • access the personal data we hold about you;
  • correct inaccurate data;
  • delete your data (with limited exceptions for legal/billing records);
  • export your data in a portable format;
  • object to processing based on legitimate interest;
  • withdraw consent (where consent is the legal basis).

You can exercise account deletion and data export from the dashboard. For other requests, email jaz@createa.meme. We respond within 30 days.

If you are unhappy with our response, you may complain to your local data-protection authority.

6. Security

  • All API keys are hashed (SHA-256) before storage; we cannot recover a lost key, only rotate it.
  • All traffic is served over HTTPS.
  • Database access is restricted to a small operator group with auditable logins.
  • Generated content URLs are unguessable but not authenticated; treat shared URLs as public.

We will notify you within 72 hours if we discover a personal-data breach affecting your account.

7. Children

The Service is not directed to children under 13 (under 16 in the EEA/UK). If we learn we have collected data from a child below the applicable age, we delete it.

8. International transfers

We are based in the United States. If you access the Service from outside the U.S., your data is transferred to and processed in the U.S. and other countries where our processors operate. We rely on standard contractual clauses with EU-based users where applicable.

9. Changes to this policy

We may update this policy. Material changes will be announced by email or in-dashboard notice at least 14 days before they take effect.

10. Contact

Privacy questions, data-subject requests, or DPO contact: jaz@createa.meme
