This statement describes how Creator Lab and CRIYO comply with India's Digital Personal Data Protection Act, 2023 ("DPDP Act"). It supplements our Privacy Policy with India-specific obligations.
1. Our Role Under the DPDP Act
Under the DPDP Act, Creator Lab acts as a Data Fiduciary — the entity that determines the purpose and means of processing personal data of users in India.
When you provide us with personal data (such as your name, email, Instagram interactions, or payment information), we are obligated to handle that data in accordance with the DPDP Act.
2. Principles We Follow
We adhere to the seven core principles of the DPDP Act:
| Principle | How We Apply It |
|---|---|
| Lawful Purpose | We collect data only for legitimate business purposes disclosed to you |
| Purpose Limitation | We use data only for the purposes we've stated in our Privacy Policy |
| Data Minimization | We collect only the data necessary to provide CRIYO's services |
| Accuracy | We provide tools for you to update or correct your information |
| Storage Limitation | We retain data only as long as needed (see Privacy Policy Section 7) |
| Security Safeguards | We use encryption, access controls, and regular security audits |
| Accountability | We maintain documentation of our data practices and respond to inquiries |
3. Consent
3.1 How We Obtain Consent
- Account creation: By signing up, you consent to our Privacy Policy and Terms of Service
- Instagram connection: Meta's OAuth flow obtains your explicit consent for API access
- Marketing communications: Separate opt-in for promotional emails
- Cookies: Cookie banner with granular consent options
3.2 Withdrawing Consent
You can withdraw consent at any time with the same ease as giving it:
- Disconnect Instagram via Settings → Instagram Connection
- Unsubscribe from marketing emails via the link in any email
- Adjust cookie preferences via the footer link
- Delete your account via Settings → Account → Delete
Withdrawal of consent does not affect the lawfulness of processing before withdrawal, but stops further processing of that data.
4. Your Rights as a Data Principal
4.1 Right to Access
You can request information about what personal data we hold about you, the purpose for which it is processed, and the identities of Data Processors we share it with.
4.2 Right to Correction and Erasure
You can request correction of inaccurate or incomplete personal data, erasure of personal data that is no longer needed, and updating of outdated information. See Data Deletion Instructions for detailed steps.
4.3 Right to Grievance Redressal
You can raise grievances regarding the handling of your personal data. We respond within 30 days.
4.4 Right to Nominate
You may nominate another person to exercise your rights under the DPDP Act in case of your death or incapacity. To nominate, email support@criyo.ai with the nominee's details and a signed declaration.
How to Exercise Your Rights
Email: support@criyo.ai
Subject Line: "DPDP Data Principal Request"
Include: Your full name, registered email, and the specific right you wish to exercise
We will respond within 30 days, free of charge.
5. Children's Data
In compliance with Section 9 of the DPDP Act:
- CRIYO is not intended for users under 18 years of age
- We do not knowingly collect data from children
- We do not undertake tracking, behavioral monitoring, or targeted advertising directed at children
- If we discover that a user is under 18, we will delete their data immediately
6. Data Localization
The DPDP Act allows cross-border transfer of personal data to countries not blacklisted by the Government of India. We process data primarily in India and within jurisdictions with adequate data protection, use Standard Contractual Clauses with international Data Processors (Cloudflare, Supabase, Meta, Resend), maintain records of all cross-border data transfers, and will comply with any future government-issued restrictions on data localization.
7. Data Breach Notification
In compliance with Section 8(6) of the DPDP Act, if a personal data breach occurs we will notify the Data Protection Board of India and affected users without undue delay (within 72 hours where feasible). Notification will include the nature of the breach, likely consequences, and steps taken to mitigate harm. We maintain a Breach Response Plan with internal escalation, forensic analysis, and remediation procedures.
8. Data Protection Officer
In line with DPDP Act requirements and as a precaution given our cross-border operations, we have appointed a Data Protection Officer:
Role: Data Protection Officer & Grievance Officer, Creator Lab
Email: support@criyo.ai
Phone: +91 74045 09986
Address: Narayan Dabholkar Road, Mumbai, Maharashtra 400006, India
Our DPO is responsible for monitoring our compliance with the DPDP Act, responding to Data Principal requests, liaising with the Data Protection Board of India, and conducting Data Protection Impact Assessments.
9. Grievance Redressal Mechanism
If you have any grievance regarding our handling of your personal data:
- Email our DPO at support@criyo.ai with subject "Grievance: [Brief Description]"
- We acknowledge your grievance within 7 days
- We provide a substantive response within 30 days
If your grievance is unresolved or you are unsatisfied with our response, you may approach the Data Protection Board of India through their official portal.
10. Significant Data Fiduciary Status
The DPDP Act allows the Government of India to designate certain entities as "Significant Data Fiduciaries" based on data volume, sensitivity, and potential impact. While Creator Lab is not currently designated as such, we voluntarily implement many of the associated safeguards:
- Appointed Data Protection Officer
- Maintain records of processing activities
- Conduct periodic security audits
- Implement Data Protection Impact Assessments for new features
11. Updates to This Statement
We will update this statement as the DPDP Act evolves, including in response to new rules issued by the Government of India, guidance from the Data Protection Board, court rulings interpreting the Act, and material changes to our data practices.
12. Contact Us
This DPDP Act Compliance Statement was last updated on 1 June 2026.