Pay | The CreatorPay | The Creator

Last updated 24 May 2026

Privacy Policy

This policy explains what personal information Pay | The Creator collects, how we use it, and the rights you have under the Protection of Personal Information Act, 2013 (POPIA) of South Africa and the California Consumer Privacy Act (CCPA), as amended by the CPRA.

1. Who we are

Pay | The Creator (“Pay | The Creator”, “we”, “us”, “our”) is operated by Bluecelestials (Pty) Ltd, a company registered in the Republic of South Africa (registration number 2025/298476/07), with its principal place of business at [Street address, City, Postal code]. We are the “responsible party” for the purposes of POPIA and the “business” for the purposes of the CCPA.

2. Scope

This policy applies to creators who hold a Pay | The Creator account, to brands who view content via a review link, and to any visitor to our website.

3. Information we collect

3.1 Information you provide

  • Account information. Email address, display name, and password (stored as a salted hash by Firebase Authentication).
  • Profile information. Custom logo, brand contacts and notes you choose to store.
  • Content metadata. Titles you give to drops, the status and visibility settings you select, and the brand a drop is assigned to. The video files themselves are stored on Cloudflare R2; we do not inspect their contents.
  • Payment information. Subscription transaction metadata received from Payfast (e.g. payment status, last billing date, recurring token). We do not collect or store your card number; card data is held by Payfast.
  • Support correspondence. Messages you send to our support, abuse, or privacy mailboxes.

3.2 Information collected automatically

  • Device and log data. IP address, browser type, time of access, and pages viewed, used for security and to operate the service.
  • Cookies and similar technologies. See Section 8 for the cookie categories we use and how you can manage them.

4. How we use your information

We process personal information for the following purposes:

  • To provide the service — creating your account, storing the brands and drops you set up, issuing presigned URLs to upload and view videos.
  • To process subscription payments via Payfast and keep your billing status accurate.
  • To secure the service against unauthorised access, fraud and abuse.
  • To comply with our legal obligations and respond to lawful requests.
  • With your consent, to send product updates or measure feature usage through anonymised analytics.

Under POPIA, our lawful bases include consent (Section 11(1)(a)), the performance of a contract with you (Section 11(1)(b)), and our legitimate interests as set out in Section 11(1)(f). Under the CCPA, we process personal information for the business purposes described above and do not “sell” or “share” personal information for cross-context behavioural advertising.

5. How we share information

We share personal information only with the sub-processors required to operate the service:

  • Google (Firebase). Authentication, Firestore database, and Cloud Functions. Data is stored in Google's [selected region] region.
  • Cloudflare (R2). Object storage for your uploaded video files and custom logos. R2 buckets are private; access is mediated by short-lived presigned URLs we issue from our servers.
  • Payfast (Pty) Ltd. Subscription billing. Payfast is the responsible party for the card data you provide during checkout and operates under its own privacy notice.

We do not sell personal information. We may disclose personal information to law enforcement or regulators when compelled by valid legal process, and to professional advisers under confidentiality.

6. International data transfers

Our sub-processors operate globally. When personal information is transferred outside the Republic of South Africa, we rely on the recipient's binding corporate rules, the European Commission's Standard Contractual Clauses, or other safeguards permitted under Section 72 of POPIA.

7. Data retention

  • Account and profile data: for as long as your account is active.
  • Drops and brand records: until you delete them, or until 30 days after account deletion, whichever is sooner.
  • Video files on Cloudflare R2: deleted when the corresponding drop is deleted, or within 30 days of account deletion.
  • Billing records: retained for at least five (5) years to comply with tax and accounting law.
  • Security and abuse logs: up to twelve (12) months.

8. Cookies and similar technologies

We use the following categories:

  • Strictly necessary. Sign-in session, security, fraud prevention. Always on; these are exempted from the consent requirement under POPIA and CCPA.
  • Functional. Remembers preferences (e.g. sidebar state). Only set after you accept.
  • Analytics. Aggregate, anonymised product usage to help us improve features. Only set after you accept.

You can manage your preferences any time via the cookie banner shown on first visit. Withdrawing consent does not affect the lawfulness of processing already carried out.

9. Your rights under POPIA

Under POPIA, you have the right to: (a) confirm whether we hold personal information about you (Section 23); (b) request access to that information; (c) request correction or deletion of inaccurate, irrelevant, excessive, outdated, or unlawfully obtained information (Section 24); (d) object to processing on reasonable grounds; and (e) submit a complaint to the Information Regulator. Contact details for the Regulator are at inforegulator.org.za.

10. Your rights under the CCPA / CPRA

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, disclose, and (if applicable) sell.
  • Delete personal information we have collected from you, subject to legal exceptions.
  • Correct inaccurate personal information.
  • Opt out of sale or sharing. We do not sell or share personal information for cross-context behavioural advertising.
  • Non-discrimination. We will not deny service, charge a different price, or provide a different level of service for exercising any of these rights.

To exercise any of these rights, contact admin@bluerockets.co.za or use the “Request account deletion” button in your Settings.

11. Security

We use industry-standard safeguards including TLS for data in transit, access controls, password hashing, audit logging, and isolated customer storage in Cloudflare R2. No system can guarantee absolute security; we will notify affected users and the Information Regulator without undue delay if a personal information breach occurs, as required by Section 22 of POPIA.

12. Children's privacy

The service is not directed to anyone under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us and we will delete it.

13. Information Officer

Our Information Officer can be reached at:

[Information Officer Name]
admin@bluerockets.co.za
[Postal address]

14. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email and update the “Last updated” date above. Continued use of the service after the effective date constitutes acceptance of the revised policy.

15. Contact us

Questions about this policy can be sent to admin@bluerockets.co.za.