Emergent | Fullstack App

This Privacy Policy describes how Creator Lab ("we," "us," or "our"), the company that operates CRIYO ("CRIYO," "the Service," or "the Platform"), collects, uses, stores, and protects your personal information when you use criyo.ai or any related services.

We are committed to protecting your privacy. This policy explains what data we collect, why we collect it, how we use it, and the rights you have over your information. We comply with India's Digital Personal Data Protection Act, 2023 ("DPDP Act"), the European Union's General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act ("CCPA"), and Meta's Platform Terms and Developer Policies.

By using CRIYO, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.

1. Who We Are

CRIYO is owned and operated by:

Creator Lab (Sole Proprietorship, operated by Charin Paresh Shah)
Registered Office: Narayan Dabholkar Road, Mumbai, Maharashtra 400006, India
GSTIN: 27LANPS7535L1ZK
Contact: support@criyo.ai
Phone: +91 74045 09986

CRIYO is an Instagram automation and lead conversion platform that helps creators, coaches, and businesses automate their Instagram interactions, capture leads, and manage customer relationships.

2. Information We Collect

2.1 Information You Provide Directly

Account Information: Your name, email address, phone number, password (encrypted), and billing information when you sign up for CRIYO.
Profile Information: Your business name, profile photo, niche, and any additional details you choose to share.
Payment Information: Card details, UPI ID, or other payment data, processed securely through Razorpay. We do not store full card numbers on our servers.
Content You Create: Automations, forms, resources, bio pages, and any messages, templates, or media you upload to CRIYO.
Communications: Any messages you send us through email, chat, or support tickets.

2.2 Information We Collect Through Meta Platforms

When you connect your Instagram account to CRIYO using Meta's Instagram Graph API, we access and store the following data, strictly limited to what is necessary to provide the Service:

Your Instagram username, profile information, and account ID
Comments on your Instagram posts that match keywords you configure
Direct messages (DMs) sent to your account in response to automations you create
Story replies sent to your account
Follower events when users follow your account
Basic engagement metrics (number of comments handled, DMs sent, replies received)

We only access this data with your explicit consent, granted through Meta's OAuth authorization flow. You can revoke this access at any time through your Instagram settings or by disconnecting your account inside CRIYO.

We do not access:

Private conversations unrelated to your CRIYO automations
Your followers' personal information beyond their usernames and interaction events
Any data from Instagram accounts you have not explicitly connected to CRIYO
Facebook data unless you separately authorize a Facebook integration

2.3 Information We Collect Automatically

Device Information: Device type, browser type, operating system, IP address, and unique device identifiers
Usage Data: Pages visited, features used, time spent, click patterns, and error logs
Location Data: General location inferred from your IP address (used for currency display and regional compliance)
Cookies and Similar Technologies: As described in our Cookie Policy

3. How We Use Your Information

We use your information only for the following purposes:

Purpose	Examples
Provide the Service	Run your automations, deliver DMs, store your leads, render your bio page
Process Payments	Charge subscription fees, send invoices, handle refund requests
Improve CRIYO	Analyze usage patterns to fix bugs and improve features (always anonymized)
Communicate With You	Send account notifications, support replies, important service updates
Marketing (only with consent)	Send product updates, tips, and offers — only if you opt in
Comply With Law	Respond to legal requests, prevent fraud, enforce our Terms
Maintain Security	Detect suspicious activity, prevent unauthorized access

We do not:

Sell your personal data to third parties
Use your Instagram data for purposes outside CRIYO's stated functionality
Train AI models on your private content
Access your Instagram data when you're not actively using CRIYO

4. Legal Basis for Processing (GDPR)

If you are located in the European Union or United Kingdom, we process your data under the following legal bases:

Legal Basis	When We Use It
Consent	Marketing emails, optional features, Instagram integration
Contract	Providing the Service you've subscribed to
Legitimate Interest	Service improvement, security monitoring, fraud prevention
Legal Obligation	Tax records, regulatory compliance, court orders

You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

5. Who We Share Data With

5.1 Service Providers (Data Processors)

Provider	Purpose	Data Shared	Location
Meta Platforms, Inc.	Instagram API access for automations	Instagram interactions you authorize	USA
Razorpay Software Pvt Ltd	Payment processing	Name, email, payment amount, transaction details	India
Supabase Inc.	Database hosting	Account data, automation configurations, leads	USA / EU
Cloudflare, Inc.	CDN, storage (R2), DDoS protection	Hosted resources, IP addresses for security	Global
Resend	Transactional email delivery	Email address, message content	USA / EU
Gupshup Technology India Pvt Ltd	WhatsApp Business API (if enabled)	Phone numbers, messages you send	India

Each provider is contractually bound to protect your data and use it only for the purposes we specify.

5.2 Legal Disclosures

We may disclose your information if required by law, court order, or government request, or to:

Protect our rights, property, or safety
Prevent fraud or security threats
Comply with legal proceedings
Respond to lawful requests from public authorities

5.3 Business Transfers

If Creator Lab is acquired, merges, or sells assets, your data may be transferred to the new owner. You will be notified before any such transfer, and your data will continue to be protected under this Privacy Policy.

6. International Data Transfers

CRIYO operates globally, and your data may be transferred to and processed in countries other than your own, including India, the United States, and the European Union.

When we transfer data outside the EU/UK, we use Standard Contractual Clauses approved by the European Commission, adequacy decisions where applicable, and additional safeguards as required under GDPR Article 46. All transfers are subject to appropriate security measures.

7. How Long We Keep Your Data

Data Type	Retention Period
Account information	While your account is active
Instagram access tokens	While your Instagram is connected; immediately deleted on disconnect
Automation logs (DMs sent, comments handled)	12 months from creation, then anonymized
Lead data (in your Leads CRM)	Until you delete it or your account is deleted
Billing records	7 years (Indian tax compliance requirement)
Support communications	3 years
Marketing preferences	Until you opt out

When you delete your account, we permanently delete your data within 30 days, except where retention is legally required.

8. Your Rights

8.1 Universal Rights (All Users)

Access: Request a copy of all data we hold about you
Correction: Update or correct inaccurate information
Deletion: Request permanent deletion of your data (see Data Deletion Instructions)
Portability: Receive your data in a machine-readable format
Withdrawal of consent: Revoke consent for processing at any time
Complaint: Lodge a complaint with a data protection authority

8.2 Additional Rights for EU/UK Users (GDPR)

Restriction: Limit how we process your data
Objection: Object to processing based on legitimate interest
Human review: Request human review of automated decisions

8.3 Additional Rights for California Users (CCPA)

Right to know what categories of personal information we collect
Right to opt out of the sale of personal information (we do not sell data, so this is automatically honored)
Right to non-discrimination for exercising your CCPA rights

8.4 Additional Rights for Indian Users (DPDP Act 2023)

Right to grievance redressal through our Data Protection Officer
Right to nominate another person to exercise rights in case of death or incapacity
Right to consent withdrawal with the same ease as it was given

How to Exercise Your Rights

Email us at support@criyo.ai with the subject line "Privacy Request." We will respond within 30 days (DPDP Act, GDPR) or 45 days (CCPA).

9. How We Protect Your Data

Encryption in transit: TLS 1.3 / HTTPS for all transmissions
Encryption at rest: Sensitive data encrypted in our databases
Access controls: Only authorized personnel can access user data
Regular security audits: Periodic security reviews
Two-factor authentication: Available for all accounts
Token security: Your Instagram access tokens are encrypted and never exposed to client-side code

If we discover a data breach affecting your personal information, we will notify you and the relevant authorities within 72 hours.

10. Children's Privacy

CRIYO is not intended for users under the age of 18. We do not knowingly collect data from minors. If you believe a minor has provided us with personal information, please contact support@criyo.ai and we will delete it immediately.

11. Third-Party Links

CRIYO may contain links to third-party websites, services, or integrations. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before sharing any information with them.

12. Meta Platform-Specific Disclosures

Data We Access via Instagram Graph API

We use Meta's official Instagram Graph API to access the data described in Section 2.2. We do not scrape, crawl, or otherwise extract Instagram data through unauthorized means.

Permissions We Request

Permission	Purpose
`instagram_basic`	Read your Instagram account profile
`instagram_manage_messages`	Send and receive DMs through automations you configure
`instagram_manage_comments`	Read and respond to comments matching your automation triggers
`pages_show_list`	Display your connected Instagram Business account
`pages_messaging`	Required by Meta for messaging-related automations
`business_management`	Manage Instagram Business assets connected to CRIYO

Data Deletion Callback

In compliance with Meta's Platform Terms, we honor Meta's data deletion callback. If Meta sends us a deletion request on behalf of a user, we delete all associated data within 30 days and provide Meta with a confirmation code.

Annual Data Use Checkup

We complete Meta's annual Data Use Checkup and certify our compliance with Meta's Developer Data Use Policy.

13. Cookies and Tracking

We use cookies and similar technologies. For full details, see our Cookie Policy.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top, notify you via email and/or in-app notification at least 30 days before changes take effect, and for material changes affecting your rights, seek your renewed consent where required.

15. Data Protection Officer & Grievance Officer

In compliance with the DPDP Act, 2023, our Data Protection Officer is:

Charin Shah
Creator Lab
Email: support@criyo.ai
Phone: +91 74045 09986
Address: Narayan Dabholkar Road, Mumbai, Maharashtra 400006, India

For grievances unresolved by our DPO, you may approach the Data Protection Board of India.

16. Jurisdiction and Governing Law

This Privacy Policy is governed by the laws of India. Any disputes arising from this policy will be subject to the exclusive jurisdiction of the courts in Mumbai, Maharashtra, India.

For users in the EU/UK, you also retain the right to lodge a complaint with your local data protection authority.

17. Contact Us

Email: support@criyo.ai

Phone: +91 74045 09986

Mail: Creator Lab, Narayan Dabholkar Road, Mumbai, Maharashtra 400006, India

We aim to respond to all privacy inquiries within 5 business days.

This Privacy Policy was last updated on 1 June 2026.