Privacy policy

She Creates Academy (“She Creates,” “we,” “us”) is a coaching program that helps women become working UGC (user-generated content) creators, and an introduction layer between those creators and brands. We collect the minimum we need to run that service. If you connect a social account (TikTok or Instagram), we use it only to show you your own content analytics and to show brands the performance of content you explicitly tag to their campaign. We never post, message, or comment on your behalf, we never access anyone else's data, and we never sell your data or use it for advertising. You can disconnect any platform at any time, and we delete your data on request.

• Identity & account. If you sign in with Discord (creators, coaches), your Discord user ID, username, display name, and avatar URL. If you create a brand account, your email address, a securely hashed password, and the brand profile you enter (company name, logo, social links, website).
• Activity in the She Creates Discord. Metadata about messages you post (timestamp, channel ID, message ID). We do not store message content. This powers “last seen” and accountability tracking for coaches.
• Connected social accounts (TikTok, Instagram) — only if you connect them.
  • OAuth access / refresh tokens for the connected account.
  • Your public profile on that platform (handle, display name, avatar, follower/following counts, bio, verification status).
  • Your own posts/videos and their public metrics (views, likes, comments, shares, saves, reach), including periodic snapshots so we can chart growth over time.
• Canva (only if you connect): OAuth tokens, metadata about the designs you mark as your portfolio, and the exported PDF for each marked design (pulled when you click “Sync”).
• Whop (only if you connect): your Whop user ID and course-lesson completion events, used to track graduation progress.
• Brand & campaign data: for brands, the campaigns you create (brief, pay, requirements, optional logo and cover image); for creators, the campaigns you apply to and the messages exchanged on an application.
• Server logs: request timestamps, IP address, path, and user-agent, used for debugging and abuse prevention.

• Identify you on the dashboard and link creators to their coach.
• Show you analytics for your own connected content, and power coach feedback, leaderboards, and graduation tracking.
• Show a brand the performance of the specific content a creator tags to that brand's campaign.
• Match open brand campaigns with interested creators.
• Detect abuse, debug, and keep the service secure.

When you connect Instagram (via the Instagram Graph API / Meta) or TikTok (via TikTok's Login Kit and Display API), we request only the read scopes needed to display analytics: your basic profile and your media together with their insights/metrics. Specifically:

• We use this data for two purposes only: (a) to show you your own content analytics inside your creator dashboard, and (b) to show a brand the aggregate reach and engagement of content you choose to tag to that brand's campaign.
• We never publish posts, send or read messages, or manage comments on your behalf. We only read your own public account and media.
• We never sell this data, share it with data brokers, or use it for advertising or to build profiles about anyone.
• Connecting one platform does not give us access to any other platform, nor to any other person's account.
• Our use of Instagram/Meta data complies with the Meta Platform Terms and Developer Policies. Our use of TikTok data complies with TikTok's Developer Terms.

You can disconnect a platform at any time from your dashboard. Disconnecting immediately stops further syncing and revokes the token where the platform supports it; see “Your choices and data deletion” below for what happens to stored data.

We do not sell your data and we do not share it with advertisers. We share it only with the service providers below, who process it on our behalf to operate the service:

• Railway — cloud hosting for our web service and Postgres database, in the United States. This is where all Platform Data is stored.
• Discord — authentication and community hosting.
• Anthropic — only if a coach runs an optional AI portfolio analysis or a creator uploads a contract for AI extraction, the relevant file is sent to Anthropic's Claude API for that single request. Anthropic does not retain API content for model training under its commercial terms. No Instagram or TikTok data is sent to Anthropic.
• Resend — sends transactional email (for example, brand sign-up verification codes). Receives only an email address and the message content.
• Zoom — only if an admin syncs a webinar; we read registrant and attendance counts. No social-platform data is shared with Zoom.

Your coach (an authorized staff member of She Creates Academy) can see your portfolio, progress, and activity tracking. Admins can see what any coach can see.

When a creator applies to a brand campaign, the brand sees the creator's display name and the pitch she provides. After the brand accepts, the two can message inside the portal. A brand sees performance numbers (views, engagement) only for the specific posts or videos the creator chooses to tag to that campaign — never the creator's full account, contact details, or other content.

• Discord profile + message metadata: until you leave the Discord server (then marked inactive); hard-deleted on request.
• Instagram / TikTok data: kept while the account is connected so your analytics and any campaign performance you tagged stay accurate. When you disconnect, we stop syncing and revoke the token; the stored history is removed on request (and we delete it automatically if you ask us to remove your account). See below.
• Canva tokens, design metadata, cached PDFs: hard-deleted within 24 hours of disconnecting; token revoked immediately.
• Brand account + campaign data: kept while the account is active; deleted on request.
• Server logs: retained for 30 days.

You can, at any time:

• Disconnect a social account (Instagram, TikTok, Canva, or Whop) from your dashboard. This stops further syncing and revokes the access token where the platform supports it.
• Request full deletion of your data or account by emailing hello@shecreates.cc with the subject “Data deletion.” We will delete the personal data we hold about you, including any Instagram or TikTok data, within 30 days and confirm when it's done.
• Request a copy of the data we hold about you at the same address.

If you are in the EU or UK, you also have rights under the GDPR (access, correction, deletion, restriction, portability, and objection). Email us to exercise them.

We use a single first-party session cookie (set by our authentication library) to keep you signed in. No analytics cookies, no tracking cookies, no third-party advertising cookies.

Data in transit is encrypted via HTTPS. Data at rest is encrypted on Railway's managed infrastructure. Passwords are stored only as salted hashes. We follow least-privilege access controls. Report any security concern to hello@shecreates.cc.

Our infrastructure runs in the United States. If you access the service from outside the US, your data will be transferred to and processed in the US.

The service is not directed to children under 13, and we do not knowingly collect personal information from them. If we learn we have, we will delete it.

We may update this policy occasionally. Material changes will be reflected by an updated “Last updated” date at the top of this page.

Questions, concerns, or data requests? Email hello@shecreates.cc.

See also our Terms of Service.