Legal

Privacy Policy.

Effective from 12 May 2026.

This Privacy Policy explains what personal data Create Beyond processes when you visit createbeyond.io, browse our marketing pages, sign up for an account, use the Create Beyond platform at app.createbeyond.io, take part in the community, or contact us. We process personal data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the German Federal Data Protection Act (BDSG).

1. Controller

The controller responsible for the processing of personal data described in this policy is:

CREATE BEYOND®: Matthias Dangl; Josef-Orlopp-Straße 54, 10365 Berlin, Germany
Email: support@createbeyond.io

For privacy enquiries, please use the email address above and put "Data protection" in the subject line.

2. What This Policy Covers

This policy applies to:

the marketing website at createbeyond.io;
the membership platform at app.createbeyond.io;
any email, newsletter, or direct communication we send;
our presence on social platforms, to the extent that we act as controller for the data collected there.

Where third-party platforms (for example payment processors, hosting providers, or social networks) act as independent controllers, their own privacy notices apply in addition to this one.

3. Categories of Data We Process

Account & profile data

When you create an account, we process the name, email address, password (stored as a salted hash), profile picture (if you choose to add one), and any optional profile fields you complete (such as social handles or short bio).

Billing & subscription data

To process payments we collect billing name, billing address, country, the plan you selected, and a tokenised payment reference returned by our payment processor. We do not store full card numbers on our own systems.

Learning & activity data

To deliver and improve the service we record which courses you have started, which lessons you have completed, the PIXEL credits you earn and redeem, and similar progress information.

Community & user-generated content

If you post in the community, submit feedback, or upload files such as edits or images, we process that content together with the metadata needed to display, moderate, and (where you ask us) remove it.

Communication data

When you contact support, reply to an email, or take part in a live call, we process the content of those exchanges so we can respond and keep a record of our interactions with you.

Technical & log data

Each time you visit our pages, our servers and CDN automatically record the request URL, the time of the request, the response status, your IP address (usually truncated for analytics), the referring URL, and information about your device and browser. This data is used to operate, secure, and troubleshoot the service.

Cookies and similar technologies

See section 7 below for details on cookies and tracking technologies, including the choices available to you.

4. Purposes and Legal Bases

We process personal data only where we have a legal basis under Article 6 (1) GDPR. The most relevant bases for our processing are:

Performance of a contract - Art. 6 (1)(b) GDPR. Creating and managing your account, providing access to courses and community, processing payments, sending transactional emails (receipts, password resets, important service notices), and operating the PIXEL marketplace.
Legal obligation - Art. 6 (1)(c) GDPR. Retaining accounting records for the periods required by German tax law (typically up to ten years), responding to lawful requests from authorities, and complying with consumer-protection obligations.
Legitimate interests - Art. 6 (1)(f) GDPR. Securing our systems, preventing fraud and abuse, analysing aggregate usage to improve the service, presenting our public website in a stable form, and contacting existing customers about closely related services. You may object to processing based on this ground at any time (see section 9).
Consent - Art. 6 (1)(a) GDPR. Sending marketing newsletters, setting non-essential cookies, and any other processing for which we ask for your separate consent. Consent can be withdrawn at any time without affecting the lawfulness of processing carried out before the withdrawal.

5. Recipients and Processors

We share personal data with the following categories of recipients, only to the extent necessary for the purposes set out above:

Hosting, CDN and infrastructure providers that store and deliver our website, the membership platform, and static assets (including bunny.net for content delivery).
Payment service providers that process payments on our behalf and manage subscription billing.
Email and notification providers that send transactional and (with your consent) marketing emails.
Video and audio platforms that host and stream course content.
Analytics and product-measurement tools used in privacy-respecting configurations to understand aggregate usage of the site and platform. Specifically, we use Microsoft Clarity (Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA) for anonymised session replays and heatmaps; see section 7 below.
Customer support tools used to handle your enquiries.
Professional advisers (accountants, tax advisers, lawyers) and the competent tax authorities, where required by law.

Each processor acts under a data processing agreement that complies with Art. 28 GDPR. We do not sell personal data.

6. International Transfers

Some of the providers we use are based outside the European Economic Area, including in the United Kingdom and the United States. Examples include Microsoft Corporation (Microsoft Clarity) and other US-based analytics, hosting, and email providers. Where we transfer personal data outside the EEA, we rely on an adequacy decision of the European Commission where one applies (for example for transfers to the UK and to providers certified under the EU-U.S. Data Privacy Framework), or on the Standard Contractual Clauses adopted by the Commission, supplemented by additional safeguards where required. A copy of the safeguards used for a specific transfer is available on request to support@createbeyond.io.

7. Cookies and Tracking Technologies

We use cookies and similar browser storage to operate the website and platform. We distinguish three categories:

Strictly necessary cookies - required for logging in, holding your session, remembering your basket, and protecting against abuse. These are set on the legal basis of Art. 6 (1)(b) GDPR and § 25 (2) TTDSG (strictly necessary). They cannot be switched off.
Functional cookies - used to remember preferences such as language, display options, or whether you have seen a particular notice.
Analytics and marketing cookies - set only where you have given explicit consent through our cookie banner. You can withdraw consent at any time from the cookie banner or your browser settings.

Most browsers let you block or delete cookies through their settings. Disabling strictly necessary cookies may prevent core features of the service from working.

8. Retention

We keep personal data only for as long as necessary for the purposes for which it was collected:

Account data - for the lifetime of your account, plus a short period after closure to handle final billing and disputes.
Billing and accounting records - for as long as German tax and commercial law require us to retain them (currently up to ten years from the end of the calendar year of the transaction).
Community content - until you delete it or close your account, after which posts may be retained in anonymised form to preserve thread continuity.
Support correspondence - typically three years from the last interaction.
Server and security logs - typically up to 30 days, longer where necessary to investigate a specific incident.
Newsletter and marketing data - until you unsubscribe or withdraw consent.

9. Your Rights

You have the following rights under the GDPR in relation to personal data we hold about you:

Access (Art. 15) - to obtain a copy of your data and information about how we process it.
Rectification (Art. 16) - to have inaccurate data corrected and incomplete data completed.
Erasure (Art. 17) - to have your data deleted where one of the grounds in the GDPR applies.
Restriction (Art. 18) - to have processing restricted in certain circumstances.
Portability (Art. 20) - to receive the personal data you have provided in a structured, commonly used, machine-readable format.
Objection (Art. 21) - to object to processing based on our legitimate interests, including profiling for direct marketing.
Withdrawal of consent (Art. 7 (3)) - to withdraw any consent you have given, at any time, without affecting prior processing.
Complaint to a supervisory authority (Art. 77) - in particular to the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit), which is competent for our establishment.

To exercise any of these rights, write to support@createbeyond.io. We will respond within one month of receiving your request, in line with Art. 12 (3) GDPR.

10. Automated Decision-Making

We do not use automated decision-making, including profiling, that produces legal effects for you or similarly significantly affects you within the meaning of Art. 22 GDPR.

11. Children

Create Beyond is intended for adults. The service is not directed at children under the age of 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

12. Security

We protect personal data with technical and organisational measures appropriate to the risk, including encrypted transport (TLS), encryption of credentials at rest, restricted access to production systems on a need-to-know basis, regular backups, and logging of administrative actions. No internet-based service can be guaranteed to be perfectly secure; if you become aware of a vulnerability or possible incident, please report it to support@createbeyond.io.

13. Links to Third-Party Sites

Create Beyond contains links to third-party sites and services (for example partner brands, course bonus links, and tool recommendations). Those sites operate under their own privacy notices, which we encourage you to review. We have no control over and accept no responsibility for the processing of personal data on those sites.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our service, our processors, or applicable law. We will indicate the date of the latest revision at the top of the page and, where the changes are material, notify active users in advance through the platform or by email.

15. Contact

If you have any question about this policy or about the way we handle personal data, contact us at support@createbeyond.io.