Privacy Policy
1. Controller
The controller responsible for your personal data is:
Dmytro Pustovitenko Tech CreationsTax identification number (NIP): 9452278715
Józefa Wybickiego 44a/3
31-302 Kraków, Poland
Privacy and legal contact: legal@crumbroad.com
Data-rights and security contact: security@crumbroad.com
2. Personal data we collect
- Account and identity data: email address, user ID, authentication provider, sign-in records, browser locale, display name, username, profile image, account role, and settings.
- User content: prompts, chats, answers, templates, workflow definitions, generated outputs, folders, assets, revisions, uploaded files, feedback, and support communications.
- Public and marketplace data: creator profile, storefront, listings, covers and media, ratings, reviews, likes, subscriptions, public templates, seller country, and store analytics. Content you choose to publish is publicly accessible.
- Transaction and seller data: plan, credit ledger, order and subscription status, amounts, currency, Stripe customer and connected-account identifiers, checkout and payment identifiers, refund, dispute and payout status, fee records, and limited account-status information returned by Stripe. Complete card details are handled by Stripe and are not stored by Crumbroad.
- Device, usage, and log data: IP address, approximate location derived from IP, browser and device information, pages and features used, referring page, timestamps, cookie or similar identifiers, performance information, and application errors.
- Marketing data: your marketing choice and engagement with messages, where you separately opt in.
- Connected-app data: authorization requests, approved scopes, app identifiers, and information exchanged when you deliberately authorize an integration.
We receive data directly from you, automatically from your browser and use of the Service, and from providers such as Google, Stripe, connected applications, and fraud or security services.
3. Why we process data and our legal bases
| Purpose | Typical data | Legal basis under GDPR |
|---|---|---|
| Create accounts, authenticate users, provide workflows, storage, AI generation, and requested integrations | Account, content, files, settings, connected-app data | Performance of our contract and steps requested before entering it |
| Process purchases, subscriptions, credits, creator onboarding, marketplace sales, refund requests sent to our contact email, and support | Account, transaction, seller, communications | Contract; legal obligations; legitimate interests in operating and protecting commerce |
| Secure the Service, prevent fraud and abuse, diagnose errors, enforce rules, and establish legal claims | Account, content where necessary, logs, device, transaction data | Legitimate interests; legal obligations; establishment, exercise, or defence of claims |
| Measure and improve product performance and understand feature usage | Usage, device, cookie identifiers, errors | Consent where required for non-essential analytics; otherwise legitimate interests where law permits |
| Send product and service communications | Email, account, transaction data | Contract and legitimate interests |
| Send promotional email | Email, marketing choice and engagement | Your separate consent; where legally permitted, legitimate interests for similar-product communications subject to opt-out |
| Comply with tax, accounting, consumer, regulatory, and law-enforcement requirements | Identity, transaction, content, and communications as required | Legal obligation |
Providing account and transaction information is necessary to create an account or complete a purchase. If you do not provide it, we cannot provide the relevant Service. Marketing and optional analytics consent are voluntary and may be withdrawn without affecting prior lawful processing.
4. AI processing
When you use AI features, relevant prompts, chat history, workflow context, files or images, and instructions are sent to OpenAI through its API or to another AI provider configured for the requested feature. The provider returns generated content to Crumbroad. We use the result to provide your requested workflow and may retain inputs and outputs in your account history.
OpenAI states that API inputs and outputs are not used to train its models by default unless the API customer opts in. Its standard abuse-monitoring logs may retain content for up to 30 days unless longer retention is legally required. Provider practices may change; the provider's own privacy and data-control terms also apply.
Crumbroad does not use AI to make decisions about you that produce legal or similarly significant effects. AI-generated recommendations and classifications assist content creation and Service operation and should be reviewed by a person.
5. When we share data
We disclose personal data only as needed for the purposes above:
- Supabase: database, authentication, file storage, server functions, and related infrastructure;
- Vercel: website hosting, delivery, and operational infrastructure;
- OpenAI or another configured AI provider: generation and processing of prompts, context, and outputs;
- Stripe: checkout, subscriptions, refunds, fraud prevention, and Stripe Connect seller onboarding, charges, and payouts;
- PostHog: product analytics, usage measurement, and application-error information;
- Google: authentication when you choose “Continue with Google”;
- Email, support, security, and professional advisers: communications, incident response, legal, accounting, and compliance services;
- Creators, buyers, and the public: information necessary for marketplace transactions and content you intentionally publish;
- Connected applications: data within the scopes you expressly approve; and
- Authorities or transaction parties: when required by law, to protect rights and safety, or in a merger, financing, reorganization, or transfer, subject to appropriate safeguards.
We do not sell personal data. We do not share personal data for cross-context behavioural advertising.
6. International transfers
Crumbroad is established in Poland, but providers may process data in the EEA and other countries, including the United States. Where GDPR or similar law requires safeguards, we rely on an adequacy decision, the EU Standard Contractual Clauses, the UK Addendum or International Data Transfer Agreement where relevant, or another lawful transfer mechanism. You may request information about applicable safeguards at legal@crumbroad.com.
7. Retention
We retain personal data only as long as necessary for the purpose collected, including:
- account data and private content while your account remains active;
- deleted account data removed or anonymized from active systems ordinarily within 30 days, with residual encrypted backups expiring within 90 days unless retention is legally required;
- public marketplace records, completed transaction records, and license evidence as needed to preserve buyer rights, handle disputes, and meet legal obligations;
- billing, tax, accounting, payout, refund-request, and fraud records for the period required by Polish and other applicable law, generally at least five years calculated under the relevant statutory rules;
- security logs and records of disputes for the applicable limitation period or longer where a live investigation or claim requires it;
- optional analytics data for no longer than 13 months unless it has been aggregated or anonymized; and
- marketing data until you withdraw consent or unsubscribe, after which we may retain a minimal suppression record so we respect your choice.
Specific information may be retained longer if necessary to comply with law, prevent fraud, enforce agreements, protect users, or establish or defend legal claims.
8. Cookies and similar technologies
Crumbroad uses essential cookies and local storage for authentication, security, session continuity, preferences, and payment or OAuth flows. These are necessary to provide the Service.
We also use PostHog analytics technologies to understand visits, interactions, errors, and feature usage. Where required by law, non-essential analytics must not be activated until you consent, and you must be able to reject or later withdraw consent as easily as you gave it. Browser controls can remove stored cookies, but blocking essential cookies may prevent sign-in or other features from working.
9. Marketing communications
We send promotional email only when you separately opt in or another lawful basis permits it. Marketing consent is not required to create or use an account. You can withdraw consent at any time through an unsubscribe link or by emailing legal@crumbroad.com. You will still receive necessary account, security, billing, and transaction messages.
10. Public content and other users
Public profiles, storefronts, listings, templates, reviews, and media can be viewed, copied, indexed, and shared by others. Do not publish personal information you do not want to make public. Removing public content from Crumbroad may not remove copies already indexed, lawfully retained by buyers, or shared outside the Service.
11. Security
We use reasonable technical and organizational measures designed to protect personal data, including access controls, encryption in transit, provider security controls, and restricted administrative access. No online service is completely secure. Report suspected vulnerabilities or account compromise to security@crumbroad.com.
12. Your rights
Depending on your location, you may have rights to:
- access and receive a copy of your personal data;
- correct inaccurate or incomplete data;
- delete data;
- restrict or object to processing, including an absolute right to object to direct marketing;
- receive portable data in a structured, commonly used, machine-readable format;
- withdraw consent at any time without affecting earlier processing;
- not be subject to a solely automated decision with legal or similarly significant effects; and
- complain to a supervisory authority.
Send requests to security@crumbroad.com. We may verify your identity and will normally respond within one month under GDPR, subject to lawful extensions. Rights are not absolute; we may retain information where law permits or requires it.
In Poland, you may complain to the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych), ul. Stanisława Moniuszki 1A, 00-014 Warsaw, Poland, at uodo.gov.pl. EEA, UK, and Swiss residents may also contact the competent authority where they live or work.
13. Additional United States privacy rights
If a US state privacy law applies to our processing, residents may have rights to know, access, correct, delete, and obtain portable copies of personal data; opt out of sale, targeted advertising, or certain profiling; and appeal a denied request. We do not sell personal data or use it for cross-context behavioural advertising. We will not discriminate against you for exercising applicable rights. Submit requests or appeals to security@crumbroad.com.
14. Children
The Service is not directed to children under 13 or a higher minimum digital-consent age required by local law. Users under 18 need permission from a parent or legal guardian. Paid purchases and creator-selling features are restricted to adults. If you believe a child provided data contrary to this section, contact security@crumbroad.com.
15. Changes to this Policy
We may update this Policy to reflect legal, technical, or product changes. We will post the updated version, revise the effective date, and provide additional notice for material changes where required.
16. Contact
For privacy questions, contact legal@crumbroad.com. For rights requests, deletion, or security matters, contact security@crumbroad.com or write to the controller address in Section 1.