Privacy Policy

How we protect and handle your data

Last updated: January 27, 2026

Create State, Inc. (the "Company", "we", "us", or "our") is committed to maintaining robust privacy protections for its users. This Privacy Policy is designed to help you understand how we collect, use, and safeguard the information you provide to us and to assist you in making informed decisions when using our Service.

For purposes of this Privacy Policy, "Service" refers to the Company's website located at createstate.ai and all related services, APIs, and applications. "You" refers to you, as a user of our Service.

By accessing our Service, you accept this Privacy Policy and our Terms of Service, and you consent to our collection, storage, use, and disclosure of your information as described in this Privacy Policy.

Quick Links: SDK & CLI | GDPR Rights | CCPA Rights | Cookie Policy

1 Information We Collect

We collect information that you provide directly to us, including:

  • - Account information (name, email address, password)
  • - Billing information (for paid subscriptions)
  • - Code and project data you upload to the Service
  • - Usage information and analytics

2 How We Use Your Information

We use the information we collect to:

  • - Provide, maintain, and improve our Service
  • - Process transactions and send related information
  • - Send technical notices and support messages
  • - Respond to your comments and questions
  • - Analyze usage patterns and improve user experience

3 Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • - TLS 1.3 encryption for data in transit
  • - Encryption for data at rest
  • - Regular security audits and monitoring
  • - Access controls and authentication
  • - Secure infrastructure with enterprise-grade providers

4 Your Code and Data

Your code and project data belongs to you:

  • - We do not use your private code for training our models
  • - Your world models are private to your account
  • - You can export or delete your data at any time
  • - We maintain strict access controls on user data

4b. Python SDK and Command-Line Tool

Our Python SDK and create-state command-line tool can access files on your local computer. This section explains what data is accessed and transmitted.

Local Filesystem Access

The following SDK functions read files from your local filesystem:

  • - analyze_file(path) - Reads the specified file and transmits its contents to our servers for analysis
  • - analyze_directory(path) - Recursively scans the directory for source code files and transmits each file's contents for analysis
  • - create-state analyze <path> - CLI command that performs the same operations as above

What Data Is Transmitted

When you use the SDK or CLI to analyze code:

  • - Source code contents - The full text content of files you choose to analyze
  • - File paths - Names and relative paths of analyzed files (as metadata)
  • - Programming language - Detected or specified language of the code

What We Do NOT Access

  • - We do not access files without explicit commands from you
  • - We do not scan your filesystem in the background
  • - We do not access files outside the paths you specify
  • - We do not store your API key on our servers (only local config)

Excluded Paths

When scanning directories, the SDK automatically excludes common non-source directories: node_modules, .git, __pycache__, venv, .venv, dist, build.

Your Control

You maintain full control over what data is transmitted. The SDK only reads and sends files when you explicitly invoke analysis commands. You can review the SDK source code to verify its behavior. If you prefer not to transmit source code, you can use the MCP protocol directly through IDE integrations, which do not access your local filesystem.

5 Data Sharing

We do not sell your personal information. We may share information only in these circumstances:

  • - With your explicit consent
  • - With service providers who assist in our operations
  • - To comply with legal obligations
  • - To protect our rights and prevent fraud

5b. Business Transactions

In the event Create State undergoes a business transaction such as a merger, acquisition by another company, or sale of all or a portion of its assets, your personal information may be among the assets transferred. You acknowledge and consent that such transfers may occur and are permitted by this Privacy Policy, and that any acquirer of our assets may continue to process your personal information as set forth in this Privacy Policy.

If our information practices change materially as a result of such a transaction, we will notify you by email (using the address associated with your account) and/or by posting a prominent notice on our Service prior to the change becoming effective. You will have the opportunity to delete your account and data before such changes take effect.

6 Data Retention

We retain your information for as long as your account is active or as needed to provide you services. You may request deletion of your data at any time.

7 Cookies and Tracking

We use cookies and similar tracking technologies to:

  • - Maintain your session and authentication
  • - Remember your preferences
  • - Analyze usage patterns
  • - Improve our Service

8 Third-Party Services

Our Service may integrate with third-party services (such as AI providers when you use BYOK). Your use of these services is subject to their own privacy policies.

9 International Data Transfers

Your information may be transferred to and maintained on servers located outside of your country. We ensure appropriate safeguards are in place for such transfers.

10 Your Rights

You have the right to:

  • - Access your personal data
  • - Correct inaccurate data
  • - Request deletion of your data
  • - Export your data
  • - Opt-out of marketing communications

11. GDPR Rights (European Users)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

  • - Right of Access: Request a copy of all personal data we hold about you
  • - Right to Rectification: Update or correct inaccurate personal data
  • - Right to Erasure: Request deletion of your personal data
  • - Right to Restriction: Request we limit how we use your data
  • - Right to Data Portability: Receive your data in a machine-readable format
  • - Right to Object: Object to certain processing activities
  • - Right to Withdraw Consent: Withdraw consent at any time
  • - Right to Lodge a Complaint: File a complaint with your local data protection authority

To exercise your GDPR rights, contact us at privacy@createstate.ai. We will respond within 30 days as required by GDPR.

12. CCPA Rights (California Residents Only)

Applicability Notice: This section applies exclusively to residents of the State of California, USA, as defined under the California Consumer Privacy Act (CCPA). If you are not a California resident, this section does not confer additional legal rights upon you, though we voluntarily extend similar protections to all users.

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

Categories of Personal Information We Collect:

  • - Identifiers: Name, email address, IP address
  • - Commercial Information: Subscription tier, payment history
  • - Internet Activity: Usage data, log files, analytics
  • - Professional Information: Code and project data you provide

Your CCPA Rights:

  • - Right to Know: Request information about data we collect, use, and share
  • - Right to Delete: Request deletion of your personal information
  • - Right to Opt-Out: Opt out of the sale of personal information
  • - Right to Non-Discrimination: We will not discriminate against you for exercising your rights

Do Not Sell My Personal Information: We do not sell your personal information to third parties.

To exercise your CCPA rights, contact us at privacy@createstate.ai. We will respond within 45 days as required by CCPA.

13 Cookie Policy

We use the following types of cookies:

  • - Strictly Necessary Cookies: Required for authentication and core functionality (cannot be disabled)
  • - Functional Cookies: Enable enhanced features and personalization (optional)
  • - Analytics Cookies: Help us understand how the site is used (optional)
  • - Marketing Cookies: Used for advertising and tracking (optional)

14 Age Restrictions

Create State is not intended for use by individuals under the age of 18.

  • - By creating an account, you confirm that you are at least 18 years old
  • - We do not knowingly collect or solicit personal information from anyone under 18
  • - If we learn that we have collected personal information from a minor, we will delete that information promptly
  • - If you believe we may have information from or about someone under 18, please contact us immediately

15 Changes to Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

16 Contact Us

If you have any questions about this Privacy Policy or wish to exercise your privacy rights, please contact us at:

For EU/EEA residents: Our representative in the European Union can be contacted at eu-representative@createstate.ai