Privacy Policy

Last updated: May 2026

1. Who We Are

Critiqa (“we”, “us”, “our”) is an AI-powered creative content scoring service. For the purposes of data protection law, Critiqa is the data controller of the personal data you provide to us. If you have any questions about this policy or our data practices, contact us at privacy@critiqa.ai.

2. What Data We Collect

We collect the following categories of data:

  • Account data: email address, hashed password, account creation date.
  • Profile data: onboarding answers (role, business type, team size) that you voluntarily provide to personalise your experience.
  • Content you upload: video files, images, GIFs, or URLs you submit for analysis. Files are forwarded directly to Google Gemini for processing and are automatically deleted by Google within 48 hours. We do not permanently store your uploaded media files on our servers.
  • Analysis reports: the scoring results, jury verdicts, and recommendations generated from your content are stored in your account history.
  • Billing data: if you subscribe, Stripe processes and stores your payment details. We never see or store full card numbers.
  • Usage data: analysis count, plan tier, timestamps of analyses, and session identifiers managed by Supabase Auth.
  • Technical data: IP address, browser type, and device type, collected automatically via standard web logs.

3. How We Use Your Data

We use your data to:

  • Provide and improve the Critiqa service
  • Generate AI analysis reports on content you submit
  • Manage your account, subscription, and billing
  • Personalise your experience based on your onboarding answers
  • Send transactional emails (account confirmation, billing receipts)
  • Detect and prevent fraud or abuse
  • Comply with legal obligations

We do not sell your personal data to third parties. We do not use your uploaded content to train our own AI models.

4. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process your data on the following legal bases:

  • Contract: processing necessary to provide the service you signed up for.
  • Consent: where you have explicitly agreed (e.g., the optional onboarding answers you choose to provide, marketing communications).
  • Legitimate interests: security, fraud prevention, and service improvement, where these interests are not overridden by your interests or fundamental rights.
  • Legal obligation: where we are required to retain data by applicable law.

5. Cookies & Tracking

We use cookies strictly necessary for authentication and session management (managed by Supabase Auth). These cannot be disabled without breaking the service. We do not use advertising cookies or cross-site tracking pixels. We do not use Google Analytics or any third-party analytics that track individual users.

6. Third-Party Services

We share data with the following processors under appropriate data processing agreements:

  • Supabase (database & authentication) — EU/US data processing, SOC 2 compliant.
  • Google Gemini API (AI analysis) — uploaded files are processed by Google and deleted within 48 hours per Google's Files API policy.
  • Vercel (hosting) — EU/US infrastructure.
  • Stripe (payments) — PCI DSS Level 1 certified. Stripe is the processor of all billing data.

7. Data Retention

  • Uploaded media files: deleted by Google Gemini within 48 hours of upload.
  • Analysis reports: retained as long as your account is active. You can delete individual reports at any time from your History page.
  • Account data: retained until you delete your account.
  • Billing records: retained for 7 years to comply with financial regulations.

8. Your Rights (GDPR / CCPA)

Depending on where you are located, you have the following rights:

  • Access: request a copy of all personal data we hold about you.
  • Rectification: correct inaccurate data.
  • Erasure (“right to be forgotten”): request deletion of your account and all associated data. Use the Delete Account option in Account Settings, or email us.
  • Portability: receive your data in a structured, machine-readable format.
  • Objection / Restriction: object to or restrict certain processing activities.
  • Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any right, email privacy@critiqa.ai. We will respond within 30 days. Residents of the EU/EEA may also lodge a complaint with their national data protection authority.

9. Data Security

We implement appropriate technical and organisational measures to protect your data, including: encrypted data transmission (TLS), encrypted database storage, strict access controls, and regular security reviews. However, no internet transmission is 100% secure — if you discover a security vulnerability, please contact us at security@critiqa.ai.

10. International Data Transfers

Your data may be processed in the United States and European Union by our service providers (Supabase, Vercel, Google, Stripe). Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) or adequacy decisions as appropriate under GDPR.

11. Children's Privacy

Critiqa is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

12. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by email or a prominent notice in the app at least 14 days before the change takes effect. Continued use of the service after that date constitutes acceptance of the updated policy.

13. Contact

For any privacy-related questions or requests:
Email: privacy@critiqa.ai
Response time: within 5 business days for general questions; requests to exercise your rights under Section 8 are completed within 30 days.