This Privacy Policy describes how Crystl AI ("Crystl AI", "we", "us", or "our") collects, uses, shares, and protects information when you visit our website or use our campaign intelligence platform (the "Service"). By using the Service, you agree to this policy.
1. Information We Collect
Account information
When you create an account, we collect your name, email address, password (hashed), workspace name, and profile details you choose to provide.
Campaign content
We process the campaign briefs, brand inputs, audience data, prompts, generated assets, edits, comments, and optimization feedback you submit to the Service. This content belongs to you.
Usage data
We automatically collect log data, device and browser information, IP address, pages viewed, features used, and timestamps to operate and improve the Service.
Cookies and similar technologies
We use cookies for authentication, preferences, security, and analytics. See our Cookies notice for details.
2. How We Use Information
- Operate, maintain, and improve the Service, including AI-powered planning, generation, and optimization features.
- Authenticate users, secure accounts, and prevent abuse or fraud.
- Provide customer support and respond to requests.
- Send transactional and service-related communications.
- Send product updates and marketing messages where permitted (you can opt out anytime).
- Analyze aggregate usage patterns to improve features and performance.
- Comply with legal obligations and enforce our Terms.
3. AI Processing
To generate and optimize campaign assets, we send your prompts and the relevant context to trusted AI model providers acting as our subprocessors. We contractually prohibit these providers from using your content to train their foundation models. Your campaign content is not used to train Crystl AI's own models without your explicit opt-in. You may request a current list of AI subprocessors at any time by emailing privacy@crystl.ai.
4. How We Share Information
- Service providers who help us run the Service (hosting, databases, AI inference, analytics, email delivery, and payment processing) under contractual confidentiality and data protection terms. Payments and subscription billing are processed by Stripe, Inc.; we do not receive or store your full card number. Stripe processes your payment details under its own privacy policy, and Stripe Tax may use your billing location to calculate applicable sales tax, VAT, or GST.
- Workspace members you collaborate with - campaigns and assets are visible to people in your workspace based on their role.
- Legal and safety when required by law, subpoena, or to protect rights, property, or safety.
- Business transfers in a merger, acquisition, or asset sale, with notice to you.
We do not sell your personal information.
A current list of subprocessors is available on request at privacy@crystl.ai. Material subprocessor changes are communicated by email or in-product notice before they take effect.
5. Data Retention
We retain account and campaign data for as long as your account is active. When you delete a campaign, it is removed from active systems and purged from backups within 30 days. When you close your account, we delete or anonymize personal data within 90 days, except where retention is required by law.
6. Security
We use encryption in transit (TLS 1.2+) and at rest, role-based access controls, row-level security on all customer data, audit logging, isolated workspaces, automated dependency and code scanning, and regular security reviews. No system is perfectly secure; please use a strong password and enable any available account protections.
Vulnerability reports and security contact: security@crystl.ai. We will acknowledge reports within two business days.
Breach notification: If we confirm a personal data breach that affects you, we will notify you without undue delay, and within 72 hours where required by applicable law.
7. Your Rights
Depending on where you live, you may have rights to access, correct, export, or delete your personal information, restrict or object to processing, and withdraw consent. You can exercise most of these rights from your account settings or by contacting privacy@crystl.ai. We respond within 30 days and will not discriminate against you for exercising your rights.
EEA / UK (GDPR)
If you are in the EEA, UK, or Switzerland, you have the rights of access, rectification, erasure, restriction, portability, and to object, including to profiling. You may also lodge a complaint with your local supervisory authority. Our legal bases for processing are: performance of a contract (operating the Service), legitimate interests (security, product analytics, improving the Service), consent (optional analytics and marketing), and compliance with legal obligations.
California (CCPA / CPRA)
California residents may request the categories and specific pieces of personal information we have collected, the sources and purposes of collection, and the categories of third parties with whom we share it. You may request deletion or correction of your personal information and may designate an authorized agent to act on your behalf. We do not sell your personal information and do not share it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. We do not use or disclose sensitive personal information for purposes that require a right-to-limit notice.
Data Processing Addendum
Business customers may request our Data Processing Addendum, which incorporates the EU Standard Contractual Clauses and the UK International Data Transfer Addendum, by emailing privacy@crystl.ai.
8. International Transfers
We operate globally and may transfer information to countries other than your own. Where required, we use appropriate safeguards such as Standard Contractual Clauses.
9. Children
The Service is not directed to children under 16, and we do not knowingly collect personal information from them.
10. Accessibility
We design the Service to meet WCAG 2.1 AA where practicable. If you encounter an accessibility barrier, contact hello@crystl.ai and we will work with you on an alternative.
11. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or in-product notice. Continued use after changes take effect constitutes acceptance.
12. Contact
Privacy: privacy@crystl.ai. Security: security@crystl.ai. General: hello@crystl.ai.