Data we collect
- Account: name, email, password hash (bcrypt), OAuth identifiers and tokens when you sign in via Google.
- Usage: Planetary Model records you view, AgentLayer reads you request, findings you dismiss, and settings you configure.
- Billing: Stripe customer, billing, contract, and checkout identifiers; we never store card numbers.
- Request metadata: IP address, user agent, request IDs, and security events for incident response.
How we use it
- Operate the service, including authentication, personalization, billing, alerts, and support.
- Improve evidence quality, retrieval, and model-review workflows. Some record assembly is assisted by automated systems; you can request human review or object to applicable automated processing by emailing privacy@crowdalpha.ai.
- Prevent fraud, secure the platform, enforce rate limits, and investigate abuse.
- Meet legal, tax, accounting, and compliance obligations.
Sharing
We do not sell personal data. We share only with sub-processors required to run the service. The current list is published at /legal/subprocessors and is updated before a new production sub-processor handles customer personal data.
Your rights
- Access: email privacy@crowdalpha.ai for a copy of your personal data. We respond within one month when GDPR applies.
- Correction: update profile fields in account settings or email privacy@crowdalpha.ai.
- Deletion: delete your account in settings or email privacy@crowdalpha.ai. Security, audit, legal, and accounting records may be retained and minimized where required.
- Portability: request a JSON export by emailing privacy@crowdalpha.ai while self-serve export is being built.
- Objection / restriction: opt out of non-essential processing by emailing privacy@crowdalpha.ai.
- Automated decision-making: request review or object to applicable automated record assembly at privacy@crowdalpha.ai.
Depending on where you live, you may also have rights under US state privacy laws, including CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, TDPSA, and similar statutes.
EU/EEA users may lodge a complaint with their local supervisory authority. UK users may contact the Information Commissioner's Office (ICO). If CrowdAlpha appoints an EU Article 27 representative in Ireland, we will list Ireland's Data Protection Commission (DPC) as the primary contact for that representative.
Retention
- Account profile data: while you have an account, then deleted or anonymized within 30 days of account deletion unless a legal hold applies.
- Billing records: Stripe retains payment records under its legal obligations; CrowdAlpha retains Stripe customer and billing IDs for up to 7 years for tax and accounting.
- Request metadata and security logs: 90 days by default, longer only for active incident response or abuse investigations.
- Source events and Planetary Model records: product telemetry and public-source records are retained for evaluation and auditability; personal workflow links are removed on account deletion.
- Audit events: up to 7 years for security, fraud, accounting, and model-promotion accountability; user identifiers are minimized when deletion is requested and no legal hold applies.
- Session tokens: until expiry, logout, or administrative revocation.
Security
See /security for the current control set and roadmap. Current controls include TLS, managed credentials, per-IP rate limiting, CSRF protection on state-changing routes, and HttpOnly session cookies.
International transfers
Our infrastructure is currently US-hosted. Where personal data is transferred internationally, CrowdAlpha uses vendor data-processing terms and Standard Contractual Clauses where available. EU/UK production onboarding uses the appropriate representative, transfer-impact, and contractual package before customer traffic is opened.
Contact
Email privacy@crowdalpha.ai. For data-protection requests, use the same address and include the email associated with your CrowdAlpha account.