Privacy Policy

Last updated: March 30, 2026

This is an example privacy policy included with CreemKit so your project ships with a legal page structure out of the box. Creem requires a Privacy Policy before approving your store. Replace this content with your own policy before launching your product.

CreemKit ("we", "us", or "our") operates as an open-source Next.js starter template integrated with Supabase and Creem. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our template, documentation site, or any deployed instance of CreemKit (collectively, the "Service").

By accessing or using the Service, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use of the Service immediately.

Interpretation and Definitions

Interpretation

Words with an initial capital letter carry the meanings defined below. These definitions apply whether the terms appear in singular or plural form.

Definitions

• Account — a unique account created for you to access the Service or parts of it.
• Company — refers to CreemKit and its maintainers (also "we", "us", or "our").
• Cookies — small data files stored on your device by a website, used to remember preferences and activity.
• Device — any hardware that can access the Service, such as a computer, phone, or tablet.
• Personal Data — any information relating to an identified or identifiable individual.
• Service — the CreemKit template, its documentation, and any hosted instance deployed from the template.
• Service Provider — a third-party company or individual that processes data on our behalf to facilitate the Service.
• Supabase — the open-source backend platform used by CreemKit for authentication, database, and storage.
• Creem — the payment and subscription management platform integrated into CreemKit.
• Usage Data — data collected automatically during your use of the Service, such as page views, session duration, and IP address.
• You — the individual accessing the Service, or the company or entity on whose behalf that individual acts.

Data We Collect

Personal Data

When you use the Service, we may ask you to provide personally identifiable information including but not limited to:

• Email address
• Full name
• Billing information (processed by Creem — we do not store card details)

Usage Data

Usage Data is collected automatically and may include:

• Your device's IP address
• Browser type and version
• Pages visited within the Service
• Date, time, and duration of your visit
• Unique device identifiers
• Referring URL and search terms

When you access the Service from a mobile device, we may additionally collect your device type, mobile OS, unique device ID, and mobile browser type.

Authentication Data

CreemKit uses Supabase Auth for user management. When you sign up or log in — including via third-party OAuth providers such as Google or GitHub — we receive your profile information (name, email, avatar URL) as provided by Supabase and the OAuth provider.

We do not have access to your OAuth provider passwords.

Cookies and Tracking

We use cookies and similar technologies to maintain sessions and improve the Service. These include:

• Essential Cookies — required for authentication and core functionality. Without these, the Service cannot operate. These are session cookies managed by Supabase Auth.
• Preference Cookies — persistent cookies that remember your settings such as theme preference or dismissed banners.
• Analytics Cookies — if analytics are enabled in your CreemKit deployment, these cookies help us understand usage patterns and improve the Service.

You can configure your browser to refuse cookies, though this may limit your ability to use certain features.

How We Use Your Data

We use the data we collect for the following purposes:

• Providing the Service — to create and manage your account, authenticate sessions, and deliver core functionality.
• Processing payments — to handle subscriptions and one-time purchases through Creem. Billing data is transmitted directly to Creem and governed by their privacy policy.
• Managing credits — to track your credit balance, process top-ups, and record transaction history within the Service.
• Communicating with you — to send transactional emails such as welcome messages, payment confirmations, and subscription updates.
• Improving the Service — to analyze usage patterns, identify bugs, and inform product decisions.
• Enforcing our terms — to detect abuse, prevent fraud, and protect the security of the Service and its users.

How We Share Your Data

We do not sell your Personal Data. We may share your information only in the following circumstances:

• With Supabase — your authentication and database records are stored in Supabase infrastructure. Refer to the Supabase Privacy Policy for details.
• With Creem — billing and subscription data is processed by Creem. Refer to the Creem Privacy Policy for details.
• With hosting providers — if deployed on platforms such as Vercel, your Usage Data may be processed by the hosting provider.
• For legal compliance — if required by law, court order, or governmental authority.
• During business transfers — in the event of a merger, acquisition, or asset sale, your data may be transferred to the acquiring entity. We will notify you before your data becomes subject to a different privacy policy.

Data Retention

We retain your Personal Data only for as long as necessary to fulfill the purposes described in this policy. Specifically:

• Account data is retained for the lifetime of your account and deleted upon account deletion.
• Billing records are retained as required by applicable tax and financial regulations.
• Usage Data is retained for up to 12 months for analytics purposes, then anonymized or deleted.

Data Transfer

Your information may be processed on servers located outside your country of residence. By using the Service, you consent to the transfer of your data to jurisdictions that may have different data protection laws.

We take reasonable steps to ensure your data is treated securely and in accordance with this policy regardless of where it is processed.

Data Security

We implement commercially reasonable measures to protect your Personal Data, including:

• Encryption in transit via HTTPS/TLS
• Row-level security policies in Supabase
• Secure webhook signature verification for Creem events
• Environment-based secret management (no secrets in client bundles)

However, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

Children's Privacy

The Service is not intended for anyone under the age of 16. We do not knowingly collect Personal Data from children. If you believe a child has provided us with their data, please contact us and we will take steps to remove it.

Third-Party Links

The Service may contain links to third-party websites or services not operated by us. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies independently.

Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the Personal Data we hold about you
• Request correction of inaccurate data
• Request deletion of your data
• Object to or restrict certain processing
• Request data portability
• Withdraw consent at any time

To exercise any of these rights, contact us at the email below. We will respond within 30 days.

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and, for significant changes, notify you via email or a prominent notice within the Service.

We encourage you to review this policy periodically.

Contact Us

If you have any questions about this Privacy Policy, you can reach us at:

• Email: support@creemkit.com