This policy explains how VMC collects, uses, stores, protects, and shares personal information across Creatoll websites, apps, and services.
By using the Platform, you acknowledge and accept the processing practices described in this policy.
VMC (Visit Maldives Corporation)
Email: privacy@creatoll.com
Website: https://creatoll.com
3.1 Information You Provide Directly
Account data: name, email, hashed password.
Client profile data: client type, national ID, nationality; and entity details (organization name, BRN) where applicable.
Verification documents: IDs, business registration docs, official letters.
Creator data: profile content, bank details for payouts.
Media and submissions: uploads, metadata, contest entries.
Payment verification artifacts: transfer receipts/supporting docs.
3.2 Information Collected Automatically
Authentication/session data, token lifecycle metadata, login timestamps.
IP address and user-agent logs for agreement acceptance, downloads, and security auditing.
Download, purchase, and usage analytics records for compliance and platform improvement.
3.3 Information from Third Parties
Google OAuth data (name, email, profile photo URL).
BML payment status and transaction confirmation data.
Account administration and authentication (including role-based access controls).
Verification/KYC and nationality-based currency assignment.
License processing, agreement generation, quota enforcement, and secure entitlement delivery.
Marketplace purchases, fee calculations, wallet credits, and payout handling.
Transactional communications (purchase, payout, verification, account status).
Platform operations: trending, contests, reporting, fraud prevention, and legal/compliance logging.
Contractual necessity (service delivery and transactions).
Legitimate interests (security, fraud prevention, analytics, service improvement).
Legal obligations (financial, tax, and regulatory compliance).
Consent where required (e.g., optional communications/cookie consent by law).
MySQL with encrypted transport for account/profile records.
Passwords are bcrypt-hashed; bank details are encrypted at rest.
Media/documents are stored in private S3-compatible storage, not publicly exposed.
Access relies on presigned URLs, HTTPS/TLS, Sanctum tokens, RBAC, and audit logging for sensitive actions.
Security controls include CSRF protections, server-side validation, webhook signature checks, and idempotent payment handling.
Service providers include BML (payments), Google OAuth, SMTP providers, and storage providers for operational delivery.
Data may be disclosed for legal obligations, terms enforcement, fraud/security response, or business transfers.
VMC does not sell personal data or use it for third-party advertising.
Data is retained as necessary for service operation and legal obligations.
Typical retention examples: transaction and payout records (minimum 7 years), audit logs (minimum 5 years), download logs (minimum 3 years), session data (idle expiry-based purge), and long-term legal records where required.
When no longer required, data is deleted or anonymized.
You may request access, rectification, deletion/anonymization (where permitted), processing restriction, portability, and objection to certain processing.
Some fields are integrity-locked (e.g., post-verification nationality and verified bank details).
Requests can be submitted to privacy@creatoll.com and will be handled in accordance with applicable law.
Creatoll primarily uses essential cookies for functionality. See the Cookie Policy for full details.
The Platform is not intended for individuals under 18 (or local age of majority), and known child data is removed when identified.
Where transfers occur outside your jurisdiction, VMC applies safeguards aligned with applicable data protection requirements.
VMC may update this policy for operational, legal, or technical reasons.
Material updates are communicated via platform notices and/or email.
VMC - Creatoll Privacy
Email: privacy@creatoll.com
Website: https://creatoll.com