Privacy Policy

Who We Are

CSCC (the “Service”) is the creative strategy command center for performance marketers. The Service connects to commerce, marketing, lifecycle, review, survey, analytics, and creative systems so teams can manage briefs, measure performance, and turn learnings into the next creative decision.

For the personal information of customers and end users that brands connect to CSCC, the brand is the data controller and CSCC operates as a data processor acting on the brand’s instructions. For account-level information about CSCC users themselves, CSCC is the data controller.

Information We Collect

Customer-provided. Account information such as name, email address, brand membership, role, authentication identifiers, and the configuration a brand enters into the portal.

Provider-sourced. When a brand connects an integration, we process provider account identifiers, OAuth state, access and refresh tokens, granted scopes, sync logs, and the provider-reported data needed to operate the Service. The exact data depends on the provider and the permissions the brand grants.

• Commerce data such as stores, orders, products, customers, and customer journeys.
• Marketing data such as ad accounts, campaigns, creatives, insights, and conversion configuration.
• Creative strategy data such as findings, insights, concepts, briefs, taxonomy tags, and learning logs.
• Lifecycle and customer experience data such as email, subscription, review, and survey records.
• Operational data such as sync jobs, audit events, logs, errors, and connection health.

Automatically collected. Server logs (IP address, user agent, request path, timestamp), session identifiers, and product telemetry generated as authenticated users interact with the portal. These are retained for operational and security purposes only.

How We Use Information

We use information to authenticate users, enforce brand access, connect provider accounts, run sync jobs, resolve attribution, support the brief pipeline, surface operational health, and dispatch configured conversion events back to providers on behalf of a brand. The lawful bases for processing are (i) the contract between CSCC and the brand, (ii) the legitimate interests of CSCC and the brand in operating the Service securely and effectively, and (iii) compliance with legal obligations.

We do not use information accessed through provider APIs to enrich profiles outside the connecting brand, to train general-purpose machine-learning models that benefit other tenants, or to resell data to third parties.

Provider Connections

Connected providers may include Shopify, Meta, Google Ads, TikTok, AppLovin, Klaviyo, Slack, Zendesk, Recharge, Skio, Judge.me, Okendo, KnoCommerce, Amazon Ads, and the Amazon Selling Partner API. The exact data processed depends on which providers a brand connects and which permissions are granted at consent.

Amazon Data Handling

When a brand connects the Amazon Ads API or the Amazon Selling Partner API (SP-API), CSCC processes the resulting data (“Amazon Information”) in accordance with Amazon’s Data Protection Policy and Acceptable Use Policy. Amazon Information is treated as Confidential Information.

• Amazon Information is used only to provide the Service to the authorizing seller or advertiser, and only within that seller’s or advertiser’s tenant. We do not combine Amazon Information across sellers, advertisers, or brands.
• Amazon Information is not sold, licensed, or otherwise disclosed to third parties, except to the sub-processors listed below that operate the underlying infrastructure on which CSCC runs.
• Personally Identifiable Information (PII) obtained through the Amazon SP-API is deleted within thirty (30) days of order delivery, unless a longer retention period is required for legal, tax, or regulatory purposes.
• Non-PII Amazon Information is retained no longer than eighteen (18) months from collection, unless a longer retention period is required by applicable law or by the brand for active operational use.
• CSCC honors deletion requests received from a connecting seller, advertiser, or from Amazon within thirty (30) days of receipt.
• CSCC will notify Amazon within twenty-four (24) hours of any confirmed security incident affecting Amazon Information, in accordance with Amazon’s incident-notification requirements.

How We Share Information

We do not sell personal information. We share information only as needed to (i) provide the Service, (ii) operate infrastructure with the sub-processors listed below, (iii) comply with applicable law or a valid legal request, or (iv) send configured data back to connected providers on behalf of a brand.

Sub-processors

We engage a limited set of sub-processors to operate the underlying infrastructure. Each is bound by contractual confidentiality and security obligations that are no less protective than the commitments in this policy.

• Amazon Web Services (United States, us-west-2) — backend compute, container registry, secrets, certificate, and logging infrastructure.
• Supabase (United States) — managed Postgres database for application data and OAuth credentials at rest.
• Vercel (United States) — hosting for the operator dashboard front-end.
• Authentication provider (United States) — identity and session management for operator sign-in.
• OpenAI (United States), Anthropic (United States), and Google (United States) — AI model processing used for authorized analysis, classification, summarization, and creative diagnostics inside the connecting brand's workspace.

We will update this list when a new sub-processor is added and provide reasonable notice through this page.

International Transfers

CSCC is operated from the United States and our sub-processors host data in the United States. Where information is transferred from the European Economic Area, the United Kingdom, or Switzerland, the transfer is made under Standard Contractual Clauses, the UK International Data Transfer Addendum, or another lawful mechanism available to us at the time of transfer.

Security

CSCC implements administrative, physical, and technical safeguards designed to protect information consistent with industry standards. Specific controls include:

• Encryption in transit using TLS 1.2 or higher for all public endpoints and provider API calls.
• Encryption at rest for OAuth access and refresh tokens, with keys managed in AWS Secrets Manager. Database storage is encrypted at rest by the managed database provider.
• Multifactor authentication required on all administrative accounts with access to production systems or Amazon Information.
• Role-based access controls, least-privilege provisioning, and audit logging of access to production data.
• Operational monitoring, CloudWatch log retention of at least twelve (12) months, and alerting on anomalous activity.
• A documented vulnerability-management program with remediation timelines that align with Amazon’s Data Protection Policy (critical findings within seven (7) days, high findings within thirty (30) days).

No system is perfectly secure. CSCC’s public security and incident-response process is available at /security and describes how to report suspected vulnerabilities, suspected misuse of Amazon Information, and other security concerns.

Data Retention

We retain information for as long as needed to provide the Service, maintain auditability, and comply with legal obligations. Retention varies by data category:

• Amazon SP-API PII: deleted within thirty (30) days of order delivery, unless longer retention is required by law.
• Non-PII Amazon Information: retained no longer than eighteen (18) months from collection, unless longer retention is legally required or the brand maintains active operational use.
• Application logs and audit events: retained for at least twelve (12) months for security and operational purposes.
• Account information: retained while the account is active and for a reasonable period thereafter to support reactivation, dispute resolution, and legal compliance.
• On verified deletion request from a brand, seller, advertiser, or Amazon, the corresponding records are deleted within thirty (30) days, subject to legal retention obligations.

Your Rights

Depending on your location, you may have the right to access, correct, delete, port, or restrict the use of your personal information, and to object to certain processing. To exercise any of these rights, contact us at privacy@creativestrategysystem.com. We will respond to verified requests within thirty (30) days.

If your information is processed by CSCC on behalf of a brand acting as the data controller, we will direct your request to that brand or honor it under their instructions.

Children's Data

The Service is not directed to children under the age of sixteen (16). We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child without verified parental consent, we will delete it.

Public Authority Requests

CSCC reviews public-authority requests for legality, jurisdiction, scope, and validity before disclosing personal information. Where a request is unlawful, overbroad, or improperly issued, CSCC may challenge or reject the request.

If disclosure is legally required, CSCC limits disclosure to the minimum information necessary and documents the request, response, legal basis, and personnel involved.

Cookies and Similar Technologies

The operator dashboard uses session cookies strictly necessary to maintain authentication and to remember user preferences. We do not use third-party advertising cookies or sell information for cross-site behavioral advertising. Where the Service dispatches configured conversion events to providers such as Amazon Ads on behalf of a brand, the brand is responsible for obtaining the end-user consent required by Amazon’s Consent Signal Requirements and other applicable law.

Incident Notification

In the event of a confirmed security incident affecting personal information or Amazon Information processed by CSCC, we will notify affected brands without undue delay and, where Amazon Information is involved, notify Amazon within twenty-four (24) hours, in each case consistent with the requirements of Amazon’s Data Protection Policy and applicable law. Our public incident-response process is available at /security.

Changes

We may update this policy as the Service changes. The latest version will be posted on this page with an updated date. Material changes will be communicated through the Service or by email to brand administrators.

Contact

For privacy questions, data subject requests, or sub-processor inquiries, contact privacy@creativestrategysystem.com. For security incidents or suspected misuse of Amazon Information, contact security@creativestrategysystem.com.