Privacy Policy

At CR3W, we believe data sovereignty is a right, not a privilege. This Privacy Policy explains how CR3W Ltd. ("we," "us," or "our") collects, uses, stores, and protects your personal data when you use cr3w.app (the "Platform") or otherwise interact with us. This policy is designed to comply with the highest global data protection standards, including the UK General Data Protection Regulation (UK GDPR), the EU GDPR, the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (CCPA/CPRA), and other applicable US state privacy laws (such as VCDPA, CPA, CDPA, and UCPA).

Data Controller: CR3W is the data controller for personal data collected through the Platform. For data-related enquiries, or to contact our Data Protection Officer (DPO), please email us at legal@cr3w.app.

1. Data We Collect (Notice at Collection)

We collect only what is necessary to operate the Platform. In the preceding 12 months, we have collected the following categories of personal information:

• Identifiers & Account Information: Your full name, email address, profile photo, bio, location, social media links, LinkedIn URL, and professional background — provided when you register.
• User-Generated Content: Projects you submit, messages you send, connections you form, and any other content you post to the Platform.
• Internet or Electronic Network Activity Data: IP address, browser type, device information, pages visited, and session timestamps — collected automatically for security, anti-fraud, and performance purposes.
• Commercial Information: Payment is processed securely by our third-party provider, Stripe. We do not store your full card details. We may retain transaction histories, invoice IDs, and amounts for accounting purposes.
• Communications: Emails you send to us, support requests, and feedback.

2. Lawful Basis for Processing (UK/EU GDPR)

If you are located in the UK or the European Economic Area (EEA), we process your personal data under the following lawful bases (Article 6 of the UK/EU GDPR):

• Contract Performance (Art. 6(1)(b)): Processing necessary to provide you with your membership, operate your account, and deliver requested services (e.g., profile creation, project hosting, messaging).
• Legitimate Interests (Art. 6(1)(f)): Processing for network security, spam prevention, fraud detection, and improving Platform quality — where these interests are not overridden by your fundamental rights and freedoms.
• Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable laws (e.g., financial record-keeping, responding to lawful authority requests).
• Consent (Art. 6(1)(a)): For optional communications (e.g., promotional emails, non-essential cookies). You may withdraw consent at any time without affecting prior processing.

3. How We Use Your Data

• To create, manage, and authenticate your account and profile;
• To enable communication between members (messaging, connection requests);
• To display your projects and profile to other members within the curated network;
• To process payments for mentorship sessions or premium features securely;
• To send transactional emails (account verification, booking confirmations, security alerts);
• To enforce our Terms of Service, Acceptable Use Policy, and Community Guidelines;
• To improve the Platform through aggregated, anonymised analytics;
• To comply with legal obligations and protect the rights, property, or safety of CR3W, its users, or others.

We do not use your data for targeted third-party advertising. We do not sell your data.

4. Data Sharing & Third-Party Processors

We do not sell or "share" (as defined by the CCPA/CPRA for cross-context behavioral advertising) your personal data with third parties. We engage the following GDPR and CCPA-compliant service providers ("processors") strictly to operate the Platform on our behalf:

• Supabase (Infrastructure & Database): Database and authentication infrastructure. Data processed under Supabase's Data Processing Addendum (DPA).
• Vercel (Hosting): Platform hosting and Content Delivery Network (CDN).
• Stripe (Payments): Secure payment processing for mentorship bookings and subscriptions. Data is processed in accordance with Stripe's Privacy Policy.
• Cal.com (Scheduling): Scheduling infrastructure for mentorship sessions. Processes availability, booking times, and participant contact details.
• Google Gemini (AI Services): Processing text exclusively to power the "Ask CR3WY" AI features. Prompts and generated text are not used to train Google's foundational AI models in accordance with our enterprise agreement.
• Resend: Transactional email delivery.
• PostHog (Analytics): Product analytics and session replay. We use PostHog to understand user behaviour, improve the Platform, and monitor for performance and security issues.

We require all processors to maintain appropriate technical and organisational security measures and only process data in accordance with our documented, strict instructions.

5. International Data Transfers

CR3W operates globally. Some of our processors (including Stripe and Vercel) may process data outside the UK/EEA. Where your personal data is transferred internationally, we ensure it is protected by appropriate safeguards, such as the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (IDTA), or other legally recognised transfer mechanisms.

6. Data Retention

We retain your personal data only for as long as your account is active or as required to fulfil the purposes described in this Policy. Specifically:

• Account & Profile Data: Retained while your account is active. Deleted within 30 days of an account deletion request, except where retention is required by law.
• Messages & Content: Deleted upon account deletion, unless required for an ongoing dispute, safety investigation, or legal obligation.
• Payment Records: Retained for 7 years to comply with tax and financial regulations.
• Usage Logs: Aggregated, anonymised, or securely deleted within 90 days.

7. Your UK/EU Privacy Rights

Under the UK GDPR and EU GDPR, you have the following rights — which you can exercise directly in your account settings, or by contacting us at legal@cr3w.app:

• Right of Access (Art. 15): Request a copy of all personal data we hold about you.
• Right to Rectification (Art. 16): Correct inaccurate or incomplete data via your profile settings at any time.
• Right to Erasure / Right to be Forgotten (Art. 17): Delete your account and associated personal data using the "Delete My Account" tool.
• Right to Data Portability (Art. 20): Export your data in a machine-readable format using the "Export My Data" tool.
• Right to Object (Art. 21): Object to processing based on legitimate interests.
• Right to Restrict Processing (Art. 18): Request that we limit the processing of your data in certain circumstances.
• Right to Withdraw Consent: Withdraw previously given consent at any time without affecting the lawfulness of prior processing.

You have the right to lodge a complaint with a supervisory authority, such as the UK Information Commissioner's Office (ICO) at ico.org.uk, or your local EU data protection authority.

8. Your US State Privacy Rights (CCPA/CPRA, VCDPA, CPA, CDPA, UCPA)

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, or other applicable US states, you have specific rights regarding your personal information:

• Right to Know & Access: You may request details on the categories and specific pieces of personal information we have collected about you, the sources of that information, and the business purpose for collecting it.
• Right to Delete: You may request the deletion of your personal information, subject to certain exceptions.
• Right to Correct: You may request the correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: CR3W does not sell your personal information. We do not share your personal information for cross-context behavioral advertising. You have the right to opt-out if our practices ever change.
• Right to Opt-Out of Profiling/Targeted Advertising: We do not use your data for automated profiling that produces legal or similarly significant effects, nor for targeted advertising.
• Right to Limit Use of Sensitive Personal Information: We do not collect "Sensitive Personal Information" as defined by US laws beyond what is strictly necessary to provide the Platform.
• Non-Discrimination: We will not discriminate against you (e.g., by denying services or changing prices) for exercising your privacy rights.

To exercise these rights, or to submit a request via an authorised agent, please email us at legal@cr3w.app. We will verify your request using the email address associated with your account.

9. Security

We implement robust, industry-standard technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256);
• Strict access controls restricting data access to authorised personnel only on a principle of least privilege;
• Regular security reviews of our infrastructure and third-party processors;
• Supabase's Row-Level Security (RLS) policies governing database access.

In the event of a data breach that is likely to affect your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with our legal obligations (e.g., within 72 hours for GDPR).

10. Artificial Intelligence (AI) & Machine Learning

We are committed to transparency regarding our use of Artificial Intelligence (AI) and Large Language Models (LLMs):

• Third-Party Processors: When you use AI-assisted features on CR3W (such as the "Ask CR3WY" composer), your input prompts and text drafts are processed by third-party enterprise AI providers via API.
• Zero Data Training Policy: We do not allow third-party AI service providers to use your personal data or inputs to train their base foundational models. We utilise enterprise API endpoints that strictly prohibit data harvesting for training purposes.
• Internal Models: CR3W does not use your personal data to train our own proprietary AI or Machine Learning models without first obtaining your explicit, opt-in consent.
• EU AI Act Transparency: In compliance with emerging frameworks like the EU AI Act, we aim to ensure that users are informed when they are interacting with an AI system (such as CR3WY), and any AI-generated outputs are clearly identifiable where appropriate.

11. Cookies and Tracking Technologies

We use essential cookies to operate the Platform (e.g., session authentication). For full details on how we use cookies, and how to manage your preferences to comply with UK PECR and global standards, please see our Cookie Policy.

12. Age Limits & Children's Privacy

Eligibility Requirements: Under our Terms of Service, you must be at least 18 years of age to register for an account and use the Platform. CR3W is strictly an adult-only platform, and we do not knowingly collect or process personal data from anyone under the age of 18.

Children's Privacy (COPPA): The Platform is not intended for or directed to children under 13 years of age. In compliance with the US Children's Online Privacy Protection Act (COPPA) and similar global children's privacy regulations (which specifically govern the collection of personal information from children under 13), we do not knowingly collect personal data from children under 13. If we learn that we have collected personal data from a child under 13, we will immediately delete that information from our database. If you believe we have inadvertently collected personal data from a child under 13, please contact us immediately at legal@cr3w.app.

13. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by posting the updated Policy with an updated "Last Updated" date and, where appropriate, by email. Your continued use of the Platform after such changes constitutes your acknowledgment and acceptance of the updated Policy.

14. Contact Us

For any privacy-related questions, data subject requests, or to contact our Data Protection Officer:

• Email: legal@cr3w.app
• Subject line: "Privacy / Data Request"
• Registered Company: CR3W LTD
• Registered Address: 124 City Road, London, EC1V 2NX
• ICO Registration Number: C1922990