Privacy Policy.

Creasheeps is a small motion design studio based in Indonesia, working with product teams worldwide. For the purposes of data protection law, we are the data controller of personal information collected through our website and project communications.

We comply with Indonesia's Personal Data Protection Law (UU 27/2022) and, for visitors and clients in the European Union, the General Data Protection Regulation (GDPR).

We only collect what we need to do our job. That breaks down to:

• Contact form submissions: name, email address, company/app name (optional), project description, timeline, budget range, referral source.
• Technical metadata of inquiries: your IP address and browser user-agent at submission time. Used only for spam detection and abuse triage.
• Anonymous analytics: aggregate page-view counts and referrer information via Cloudflare Web Analytics — cookieless, no fingerprinting, GDPR-friendly. No personal identifiers are stored.
• Project files & communications: if you engage us for a project, we'll process whatever you send us (briefs, design references, brand assets, feedback).

We do not collect or store passwords, payment card numbers, or any sensitive personal data (health, religion, political views, etc.).

• To respond to your inquiry: we read it, scope the project, and reply within 24 business hours.
• To deliver project work: communication, file delivery, invoicing.
• For our records: we keep a history of past inquiries and projects for portfolio reference and accounting.
• For analytics: understanding which pages bring real inquiries so we can improve the site.
• Legal compliance: if a law or court order requires us to retain or disclose data.

We will never sell your data, share it with advertisers, or use it for retargeting.

• Consent — when you fill out our contact form, you agree to us using that data to respond to you.
• Contract — when we're working together on a project, processing your data is necessary to deliver the work.
• Legitimate interest — running a small business: keeping records, preventing spam, basic analytics.

We share data only with the third-party services we use to operate. Each processor has appropriate data protection agreements:

• NeonDB (PostgreSQL hosting) — stores inquiry rows and project metadata.
• Resend — sends transactional email (your reply, our internal notifications). Encrypted in transit.
• Cloudflare (R2 storage, CDN, Turnstile, Web Analytics) — stores project files; protects against spam; provides cookieless traffic analytics.
• Railway — hosting infrastructure.

We don't share your information with anyone else unless you've explicitly approved it (e.g. portfolio publication after a project) or unless legally compelled.

• Contact form inquiries: retained as long as is reasonable for follow-up and records. IP + user-agent are purged after 6 months.
• Active project data: retained for the project duration plus 12 months (for revisions, support, portfolio rights).
• Accounting records: retained for the legally required period (typically 7 years for invoices in Indonesia).
• Analytics: aggregate, anonymous, and retained for up to 24 months.

You can request earlier deletion of your inquiry or project data at any time — see Your rights.

Whether you're under GDPR, PDP Law, or another framework, you have:

• Right of access — ask what data we hold about you.
• Right to rectification — correct inaccurate data.
• Right to erasure — ask us to delete your data (subject to legal retention obligations).
• Right to data portability — receive your data in a common format.
• Right to object — to processing based on legitimate interest.
• Right to withdraw consent — without affecting the lawfulness of prior processing.

To exercise any of these, email [email protected] from the address associated with your data. We respond within 30 days.

If you're in the EU and believe we've mishandled your data, you may complain to your national data protection authority.

We don't use tracking cookies. Our analytics provider (Cloudflare Web Analytics) is cookieless by design. The only cookies set are functional — an admin session cookie (only visible if you're logged into the admin area, which you aren't as a visitor) and any cookies set by embedded third parties on case study pages (e.g. LottieFiles previews).

Our processors (NeonDB, Cloudflare, Resend, Railway) operate globally. Data may be processed outside of your country of residence — including in the United States and European Union. Each processor has contractual safeguards (Standard Contractual Clauses for GDPR transfers).

Our services are intended for businesses and professionals. We do not knowingly collect data from children under 18. If you believe we've inadvertently collected such data, contact us and we'll delete it.

We may update this policy from time to time — when we add a new processor, change retention windows, or in response to legal changes. Material changes will be flagged at the top of this page; the “Last updated” date always reflects the most recent revision.

For any privacy-related question, email [email protected]. We'll respond within 24 business hours.