Maya — Privacy Policy
Effective Date: February 17, 2026 · Last Updated: February 17, 2026
1. Introduction
CREAIT B.V. (“Company,” “we,” “us,” “our”) is committed to protecting the privacy of individuals who visit our Website, create an Account, or use the Maya Service (“you,” “your”).
This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use the Service. It applies to all users worldwide, including users in the European Economic Area (“EEA”), United Kingdom (“UK”), and other jurisdictions with data protection regulations.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.
2. Data Controller
The data controller responsible for your personal data is:
CREAIT B.V.
Maastricht, Limburg, The Netherlands
Chamber of Commerce (KVK): 98184911
Email: support@mayadvisor.ai
For billing-related data, Paddle.com Market Limited acts as an independent data controller. Please refer to Paddle’s Privacy Policy at https://www.paddle.com/legal/privacy for information about how Paddle handles your data.
3. Data We Collect
3.1 Data You Provide Directly
| Category | Examples | Purpose |
|---|---|---|
| Account Information | Name, email address, password (hashed) | Account creation, authentication, communication |
| Profile Information | Display name, preferences, settings | Personalization and Service delivery |
| Analysis Inputs | YouTube channel URLs, video URLs, query parameters, custom questions | Performing the requested analysis |
| Support Communications | Emails, support tickets, feedback | Customer support, product improvement |
3.2 Data Collected Automatically
| Category | Examples | Purpose |
|---|---|---|
| Usage Data | Pages visited, features used, analysis types run, Credit consumption patterns | Service improvement, analytics, debugging |
| Device/Technical Data | IP address, browser type, OS, device identifiers, screen resolution | Security, compatibility, fraud prevention |
| Log Data | Access times, error logs, referral URLs | System administration, security, debugging |
3.3 Data from Third Parties
- Paddle: Transaction data, payment status, tax jurisdiction (Paddle does not share your full payment card details with us).
- YouTube API: Publicly available channel and video data that you request us to analyze. If you connect your YouTube account via OAuth, we access data you have authorized (such as your channel analytics).
- Authentication providers: If you use social login (e.g., Google), we receive basic profile information as authorized by you.
3.4 Data We Do Not Collect
We do not intentionally collect sensitive personal data (such as racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data). We do not collect payment card numbers; all payment processing is handled by Paddle.
4. Legal Bases for Processing (EEA/UK Users)
If you are located in the EEA or UK, we process your personal data on the following legal bases:
| Legal Basis | Processing Activities |
|---|---|
| Contract Performance (Art. 6(1)(b) GDPR) | Account creation, Service delivery, processing analyses, Credit management, customer support |
| Legitimate Interests (Art. 6(1)(f) GDPR) | Service improvement, analytics, fraud prevention, security, marketing our own services (with opt-out) |
| Consent (Art. 6(1)(a) GDPR) | Non-essential cookies, optional marketing communications, connecting third-party accounts (e.g., YouTube OAuth) |
| Legal Obligation (Art. 6(1)(c) GDPR) | Tax compliance, responding to lawful requests from authorities, record-keeping obligations |
5. How We Use Your Data
We use your personal data for the following purposes:
- Service Delivery: To operate, maintain, and provide the features and functionality of the Service, including processing your analyses and delivering results.
- Account Management: To create and manage your Account, authenticate your identity, and communicate with you about your Account.
- Credit and Transaction Management: To track your Credit balance, process purchases (via Paddle), and maintain transaction records.
- Service Improvement: To understand how users interact with the Service, identify issues, and develop new features and improvements.
- Security and Fraud Prevention: To detect, prevent, and address fraud, unauthorized access, and other illegal activities, and to protect the rights and safety of our users and the Company.
- Legal Compliance: To comply with applicable laws, regulations, and legal processes.
- Communications: To send you service-related notices (e.g., security alerts, account notifications). We will only send marketing communications with your consent, and you may opt out at any time.
6. Data Sharing and Disclosure
We do not sell your personal data. We may share your data with the following categories of recipients:
6.1 Service Providers and Sub-processors
We engage trusted third-party service providers to help us operate the Service. These include:
- Paddle (Merchant of Record): Processes payments, invoicing, tax compliance, and billing-related customer support. Paddle acts as an independent data controller for transaction data.
- Cloud Infrastructure Providers: Host our servers and databases (e.g., AWS, Google Cloud, or equivalent).
- AI/LLM Providers: Process analysis requests. We send only the necessary data (e.g., YouTube content data) to generate analyses. We do not send your personal account information to AI providers.
- Analytics Providers: Help us understand usage patterns (e.g., privacy-friendly analytics tools).
- Email/Communication Providers: For transactional and service-related emails.
6.2 Legal Requirements
We may disclose your data if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of the Company, our users, or the public.
6.3 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and any choices you may have.
6.4 With Your Consent
We may share your data for other purposes with your explicit consent.
7. International Data Transfers
Your personal data may be transferred to and processed in countries outside your country of residence, including countries outside the EEA/UK. When we transfer personal data outside the EEA/UK, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- Adequacy decisions by the European Commission or UK Secretary of State;
- Other legally recognized transfer mechanisms.
You may request a copy of the safeguards in place by contacting us at the address provided in Section 2.
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Specifically:
- Account Data: Retained for the duration of your Account and for a reasonable period thereafter (typically up to 12 months) for record-keeping and to address any post-termination inquiries.
- Analysis Data: Analysis inputs and generated reports are retained for a period of 18 months from the date of creation. This retention period allows you to review past analyses and enables us to improve our AI models. After 18 months, this data is automatically deleted or permanently anonymized. You may request earlier deletion at any time.
- Transaction Records: Retained for a minimum of 7 years to comply with Dutch and EU tax and accounting obligations.
- Log Data: Retained for up to 12 months for security and debugging purposes.
- Marketing Consent Records: Retained for the duration of your consent plus a reasonable period to demonstrate compliance.
When personal data is no longer needed, we will securely delete or anonymize it.
9. Your Rights
9.1 Rights for All Users
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete personal data.
- Erasure (“Right to be Forgotten”): Request deletion of your personal data, subject to our legal obligations.
- Data Portability: Request your data in a structured, commonly used, machine-readable format.
- Restriction of Processing: Request that we limit how we process your data in certain circumstances.
- Objection: Object to processing of your data based on legitimate interests or for direct marketing purposes.
- Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
9.2 Additional Rights for EEA/UK Users
If you are located in the EEA or UK, you have the right to lodge a complaint with your local data protection authority. For the Netherlands, this is the Autoriteit Persoonsgegevens (https://autoriteitpersoonsgegevens.nl).
9.3 Additional Rights for California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the CCPA/CPRA, including the right to know what personal information we collect, the right to delete, the right to opt out of the sale or sharing of personal information (we do not sell personal information), and the right to non-discrimination for exercising your rights.
9.4 Exercising Your Rights
To exercise any of your rights, please contact us at support@mayadvisor.ai. We will respond to your request within the timeframes required by applicable law (generally within 30 days for GDPR requests). We may need to verify your identity before processing your request.
10. Cookies and Tracking Technologies
We use cookies and similar technologies (such as local storage) on the Website. Our use of cookies falls into the following categories:
- Strictly Necessary Cookies: Required for the operation of the Website (e.g., session management, authentication). These do not require consent.
- Analytics Cookies: These cookies help us understand how visitors interact with the Website (e.g., page visits, bounce rates). We employ Strict Prior Consent mechanisms: these cookies are blocked by default and are only set on your device if and when you explicitly click “Accept” on our Cookie Banner. We use privacy-friendly analytics tools where possible.
- Preference Cookies: Remember your settings and preferences. Set with your consent.
We do not use third-party advertising or tracking cookies. You can manage your cookie preferences through the cookie banner displayed on the Website or through your browser settings.
11. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:
- Encryption of data in transit (TLS/HTTPS) and at rest;
- Access controls and authentication mechanisms;
- Regular security assessments and monitoring;
- Secure software development practices;
- Incident response procedures.
While we strive to protect your personal data, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security.
12. Children’s Privacy
The Service is not directed to individuals under the age of 18 (or the age of digital consent in your jurisdiction, if different). We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete such data promptly. If you believe we have collected data from a child, please contact us immediately.
13. YouTube API Services and Google Data
The Service uses the YouTube API Services. By using features that access YouTube data, you acknowledge and agree to Google’s Privacy Policy.
If you connect your YouTube account to the Service via OAuth:
- We only access the data scopes you have authorized;
- We use YouTube data solely to provide the Service’s analytical features;
- We do not share your YouTube credentials or OAuth tokens with third parties;
- You may revoke access at any time through Google’s security settings (https://security.google.com/settings/security/permissions);
- Upon revocation or account deletion, we will delete your YouTube-related data within a reasonable timeframe, subject to our retention obligations.
14. Paddle and Payment Data
Paddle, as Merchant of Record, independently collects and processes personal data necessary for payment transactions, invoicing, and tax compliance. This includes your name, email, billing address, payment method details, and transaction history.
When you make a purchase, Paddle may share the following data with us for product fulfillment and support purposes: your name, email, transaction ID, product purchased, and country. We use this data in accordance with this Privacy Policy.
We do not have access to your full payment card details. For information about how Paddle handles your data, please refer to Paddle’s Privacy Policy at https://www.paddle.com/legal/privacy.
15. Third-Party Links and Services
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices or content of those third parties. We encourage you to read the privacy policies of any third-party services you access.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting the updated policy on the Website, updating the “Last Updated” date, and where required, notifying you by email or in-app notification. We encourage you to review this Privacy Policy periodically.
17. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
CREAIT B.V.
Maastricht, Limburg, The Netherlands
Data Protection Contact: support@mayadvisor.ai
General Inquiries: support@mayadvisor.ai
© 2026 CREAIT B.V. All rights reserved.