Privacy Policy
Last updated: October 28, 2025
1. Information We Collect
We may collect personal information that you provide to us directly, that is collected automatically through your use of our services, or obtained from third parties. This includes, for example:
- Identifiers and Contact Information: Name, email address, phone number, postal address, and similar identifiers.
- Account and Profile Data: Login credentials, profile details, and preferences if you create an account.
- Usage Data: Information on how you use our website or app (e.g., pages visited, actions taken, IP address, browser type, device identifiers, cookies, and similar technologies).
- Marketing & Newsletter Data: Your marketing preferences (subscribe/unsubscribe), email deliverability and engagement metrics (e.g., opens, clicks), and suppression status collected via our email provider to manage the newsletter and honor opt‑outs.
- Payment and Transaction Data: If you make purchases, we collect payment information (processed via secure third-party payment processors) and records of transactions.
- Other Information You Provide: Any personal data you choose to send us (e.g. when contacting support or filling out forms).
- Sensitive Personal Information (where needed): government ID numbers, tax IDs, precise geolocation (if you enable location), account log‑in credentials, or identity verification artifacts (e.g., images/selfies for liveness). We restrict use of SPI to allowed purposes (e.g., account security, fraud prevention, payouts/verification) and do not use it to infer characteristics.
- Seller Payout & Tax Data (for sellers): date of birth, address, taxpayer information (e.g., W‑9/W‑8 details), and payout/bank details, processed by our payment/payout providers to comply with tax, fraud‑prevention, and sanctions screening obligations.
- Identity Verification: if required for seller onboarding, we may collect government ID images and selfie/liveness checks through a verification provider.
- Biometric Information: data derived from facial geometry solely to confirm identity via our provider; we do not use it for other purposes. We obtain any required consent and delete biometric data once verification is complete or within the applicable statutory period.
- Public Content. Information you include in profiles, listings, photos, and reviews is public and may be indexed by search engines. Please do not include personal data you prefer not to make public. We may monitor or scan messages for trust & safety (e.g., fraud/spam detection), consistent with this Policy.
We do not knowingly collect data from children under 13. Our services are intended for general audiences. If we learn we have collected personal information from a child under 13 without parental consent, we will delete it as required by law.
Our Services are directed to the United States. We do not offer goods/services to individuals in the EEA or UK or intentionally monitor their behavior.
For California residents, see our Notice at Collection for a table of categories we collect, purposes, whether we sell/share, and our retention periods.
The table below lists the categories of personal information we collect, purposes, whether we sell/share (we do not), and typical retention.
| Category | Examples | Purposes | Sold/Shared? | Typical Retention |
|---|---|---|---|---|
| Identifiers | name, email, phone, IP | account, support, security | No | life of account + 2 yrs |
| Commercial/Txn | orders, transaction totals | provide service, receipts, tax | No | 7 yrs (tax) |
| Internet activity | pages visited, device/ID | security, analytics | No | 13–24 mo |
| Geolocation (if you enable) | coarse/precise | nearby search, fraud | No | up to 24 mo |
| Payment data | last 4, billing address (via processor) | checkout, fraud | No | per processor records |
| KYC/verification (sellers) | DOB, address, tax IDs | payouts, fraud/AML | No | verification + up to 5 yrs |
| Biometric (only if used) | selfie/liveness | identity verification | No | per published retention schedule |
| Sensitive PI | gov’t ID, precise location, login credentials | security, payouts/verification | No | see above by type |
We keep data no longer than necessary for the purposes described and then delete or de‑identify it, and we commit not to re‑identify de‑identified data.
2. Purpose of Collection and Use
We use personal information for the following purposes, and only when we have a valid legal basis to do so in accordance with applicable law:
- To Provide and Maintain Services: We process data to create and manage user accounts, allow you to use our website/app features, and deliver the services or products you request.
- To Communicate with You: We use contact information to respond to inquiries, send service-related announcements, and provide customer support.
- Personalization and Improvements: We analyze usage data to understand user preferences, customize your experience, and improve our services and content.
- Marketing and Newsletter: If you create an account or provide your email while using the Platform, we may send you marketing and promotional communications (including the Creatures newsletter). We may add your email to our newsletter list on sign‑up. You can unsubscribe at any time via the link in our emails or by contacting support; opting out of marketing does not affect service or transactional emails. Where a law requires express consent before sending marketing emails, we will only send marketing if you have provided that consent (see Terms §2.7).
- Compliance and Legal Obligations: We process personal data as needed to comply with our legal obligations.
- Protecting Rights and Security: We may use data to protect the rights, property, or safety of Creatures LLC, our users, or others.
- Trust & Safety / KYC: verify identity, prevent fraud and abuse, comply with sanctions and tax requirements, and protect buyers and sellers.
- Automated decisions & profiling. We use automated systems (e.g., fraud/risk scoring, integrity checks) to protect our users and platform. In some states you can opt out of profiling used to make decisions with legal or similarly significant effects; see Sec. 8 for how to exercise this right.
We will not use personal information for new, incompatible purposes without updating this Policy and, if required, obtaining your consent.
3. Legal Bases for Processing (GDPR)
For individuals in the European Economic Area (EEA) or United Kingdom, we ensure that each use of your personal data is supported by a legal basis under the General Data Protection Regulation (GDPR). Depending on the context, one or more of the following legal bases apply:
- Consent: You have given clear consent for us to process your personal data for a specific purpose. You can withdraw it at any time.
- Contractual Necessity: Processing is necessary to perform a contract with you or to take steps at your request before entering into a contract.
- Legal Obligation: Processing is necessary for compliance with a legal obligation to which we are subject.
- Legitimate Interests: Processing is necessary for our legitimate interests or those of a third party, except where overridden by your interests or fundamental rights.
Marketing legal bases. For marketing emails, we rely on: (i) your consent where required by law (for example, in the EEA/UK and certain other countries), or (ii) our legitimate interests to promote our services (for example, in the United States). You may withdraw consent or opt out of marketing at any time.
If you have questions about the specific legal basis we rely on for any particular processing activity, feel free to contact us.
4. Disclosure of Personal Information
We do not sell personal information for money. We do not sell or share personal information for cross‑context behavioral advertising. If this changes, we will update this Policy and provide a Your Privacy Choices mechanism before any such activity begins.
However, we may share personal information in the following circumstances:
- Service Providers: We share data with trusted third-party service providers who need the information to perform services on our behalf (e.g., cloud hosting, payment processors, analytics tools).
- Email & Newsletter Providers: We share your name, email address, subscription status, and engagement metrics with our email service provider(s) to deliver newsletters and manage preferences, unsubscribes, and suppression lists.
- Affiliates and Business Transfers: We may share information with our corporate affiliates or as part of a merger, acquisition, financing, due diligence, reorganization, or sale of assets.
- Legal Compliance and Protection: We may disclose personal information to government authorities or other third parties if required by law, or to protect the rights, property, and safety of our company, our users, or the public.
- With Your Consent: We will share your personal data with others for purposes outside of this Policy only when we have your explicit consent to do so.
- Marketplace sharing: If you create listings or a seller profile, certain information (e.g., display name, city/region, listings, reviews, and the content you post) is public and may be indexed by search engines. We also share limited data with other users during messages, offers, and transactions as needed to complete the transaction (e.g., name, preferred contact method, city/region).
- Payments & payouts: We share data with payment processors and payout partners for checkout and seller payouts (e.g., billing address, last four digits, transaction amounts, tax forms, and, if needed, identity verification results). We do not store full card numbers; processors handle that.
5. International Data Transfers
Creatures LLC is based in the United States. If you are located outside the U.S., your personal information may be transferred to and processed in the U.S. or other jurisdictions. These locations may have data protection laws different from those in your country. We take appropriate safeguards when transferring personal data across borders to ensure it remains protected in accordance with this Privacy Policy.
Where EEA/UK/Swiss personal data is transferred to the U.S. or other non‑EEA countries, we use one or more of the following transfer mechanisms:
- EU‑U.S. Data Privacy Framework (and, where applicable, the UK Extension / UK‑U.S. Data Bridge); if our U.S. entity or relevant provider is self‑certified.
- Standard Contractual Clauses (SCCs) adopted by the European Commission, including supplementary measures as appropriate. We will disclose the specific mechanism(s) applicable to your data upon request.
6. Data Security Measures
We employ reasonable and appropriate security measures to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, or destruction. However, no method of transmission over the Internet or method of electronic storage is 100% secure, so we cannot guarantee absolute security.
Security Breach Notification
In the event of a data breach that affects your personal information, we will promptly notify you and any relevant supervisory authorities as required by law. We maintain an incident response plan and will take all necessary steps to mitigate the impact of any data breach.
7. Data Retention
We retain personal information only for as long as necessary to fulfill the purposes we collected it for, unless a longer retention period is required by law. We consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure, and our legal obligations.
We may retain backup copies of data for a limited period as part of routine archival practices. When personal information is no longer needed, we will delete or anonymize it in a secure manner.
We keep personal information no longer than necessary for the purposes described above, or as required by law. Typical periods:
- Account & profile: life of account + 2 years
- Transaction & receipts: 7 years (tax/accounting)
- KYC/verification: until verification is complete + up to 5 years (fraud/records)
- Support tickets: 2 years
- Analytics identifiers: 13–24 months
- Email newsletter contact & engagement: until you unsubscribe or your account is deleted; we retain a suppression record as needed to honor opt‑out requests.
- Advertising identifiers: until you opt out or 24 months (unused at launch)
- Backups/logs: 12 months (security/continuity) When retention ends, we delete or de‑identify the data and commit not to re‑identify it.
8. Your Rights and Choices
You have rights and choices regarding your personal information. You can make any request related to your data by contacting us at info@creatures.com. We will respond within the timeframes required by law.
Your Privacy Choices
We do not sell or share personal information for cross‑context behavioral advertising and we do not use sensitive personal information beyond permitted purposes. Accordingly, there’s nothing to opt out of at this time. If our practices change, we will update this section and provide a simple way to opt out of sale/sharing and to limit sensitive personal information, consistent with applicable law. You can always email info@creatures.com with any request.
Marketing Preferences & Unsubscribe
You can opt out of marketing emails at any time using the unsubscribe link in our emails or by contacting support@creatures.com. We maintain suppression lists to ensure you do not receive marketing after you unsubscribe. Unsubscribing from marketing will not stop service or transactional communications (e.g., receipts, order/auction updates, security alerts).
EU/EEA (GDPR) Rights
- Right of Access: Request confirmation of whether we process your personal data and obtain a copy.
- Right to Rectification: Request correction of any inaccurate or incomplete personal data.
- Right to Erasure: Ask us to delete your personal data under certain conditions.
- Right to Restrict Processing: Request that we limit our processing of your data in certain circumstances.
- Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
- Right to Data Portability: Request a machine-readable copy of certain data you provided and have it transferred to another controller.
- Right to Withdraw Consent: If we rely on your consent, you may withdraw it at any time.
- Right to Lodge a Complaint: You can file a complaint with your local Data Protection Authority.
California (CCPA/CPRA) Rights
- Right to Know: Request the categories and specific pieces of personal data we have collected, sources, purposes, and third parties we share with.
- Right to Deletion: Request deletion of personal information we have collected about you, subject to exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out: We do not sell personal information, but you can request to opt out if we ever change our practices.
- Non-Discrimination: We will not discriminate against you for exercising your rights.
- Right to Limit SPI: If we ever use your sensitive personal information beyond permitted purposes, we will provide a “Limit the Use of My Sensitive Personal Information” control and honor requests within the statutory timeframe. (At launch, we do not use SPI beyond permitted purposes.)
- Minors (California): We do not sell or share the personal information of consumers under 16. If our practices change, we will first obtain opt‑in consent from consumers ages 13–16, and parental consent for children under 13.
U.S. State Privacy Rights (Va., Colo., Conn., Utah, Ore., Tex., Del., N.J.)
If you reside in one of these states, you may have some or all of the following rights, subject to limits: access, correction, deletion, portability, and the right to opt out of (i) targeted advertising, (ii) the sale of personal data, and (iii) profiling in furtherance of decisions that produce legal or similarly significant effects (e.g., eligibility, access to essential features, or fraud‑related account actions). Use Your Privacy Choices and/or send a request to info@creatures.com.
Appeal process. If we deny your request, you may appeal by replying to our decision email or contacting info@creatures.com with “Privacy Appeal” in the subject. We will respond in 45–60 days with our decision and, if we continue to deny, how to contact your state Attorney General.
Canadian (PIPEDA) Rights
- Right to Access: Request information about the existence, use, and disclosure of your personal data and obtain a copy.
- Right to Correction: Request correction of any inaccurate or incomplete data.
- Consent and Withdrawal: Withdraw your consent at any time, subject to legal or contractual restrictions.
How to submit & verify. You can submit requests by web form or email. We will take reasonable steps to verify your identity (e.g., email verification, logged‑in checks). Authorized agents may submit requests with proof of authorization and, if needed, we may ask you to verify your identity directly with us.
9. Updates to This Privacy Policy
We may update or revise this Privacy Policy from time to time to reflect changes in our practices or relevant laws. The updated version will be indicated by an updated “Last Updated” date at the top of the Policy. Any changes will become effective when we post the revised Policy on our website.
Your continued use of our services after the updated Policy is posted constitutes your acceptance of the changes, to the extent permitted by law.
10. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal information, please contact us at:
Creatures LLC (Privacy Office)
Email: info@creatures.com
Mailing Address: 108 5th St SE, Ste 206A, Charlottesville, VA 22902, USA
If you are an EU resident, Creatures LLC is the “data controller” of your personal data. You may also lodge a complaint with your local Data Protection Authority. Similarly, Canadian residents may contact the Office of the Privacy Commissioner of Canada, and California residents can reach out to the California Privacy Protection Agency, but we invite you to contact us first so we can address your concerns.
11. Governing Law and Dispute Resolution
By using our services or providing personal information to us, you agree that any dispute or claim arising out of or relating to this Privacy Policy or our handling of your personal data will be governed by the laws of the Commonwealth of Virginia, USA, without regard to its conflict of law principles.
Arbitration: You further agree that all disputes or claims relating to privacy or the use of personal data must first be submitted to confidential binding arbitration in Virginia (or another location mutually agreed upon) before a single neutral arbitrator, prior to initiating any formal lawsuit. Arbitration shall be conducted in English in accordance with the rules of a reputable arbitration organization. Each party will bear its own arbitration costs, except as required by law. The arbitrator’s decision will be final and binding, and may be entered as a judgment in any competent court.
Class Action Waiver: To the fullest extent permitted by law, you and Creatures LLC agree that any dispute resolution will be conducted on an individual basis only, and not in a class, consolidated, or representative action.
You have the right to opt out of this arbitration agreement by sending us written notice within 30 days of first accepting this Policy. If you opt out, only the governing law and venue provisions (Virginia law, and state or federal courts in Virginia) will apply to any disputes.