Privacy Policy
How we collect, use, and protect your personal data
Last updated: February 2025 | Compliant with UK GDPR and Data Protection Act 2018
1. Introduction
CRUMBLX AI LTD ("Company", "we", "us", "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use the Crumbless platform.
We are the data controller for the personal data we process. Our contact details are:
CRUMBLX AI LTD
Company Number: 16961442
4 Bunnsfield, Welwyn Garden City, England, AL7 2DZ
Data Protection Officer: office@crumbless.ai
This policy applies to all users of the Crumbless platform, including participants in our Beta Testing Program.
2. Information We Collect
2.1 Information You Provide Directly
| Data Type | Examples | Purpose |
|---|---|---|
| Account Information | Name, email address, password | Account creation and authentication |
| Profile Information | Company name, role, industry | Service customization and support |
| Communication Data | Support requests, feedback, survey responses | Customer support and product improvement |
| Beta Tester Information | Testing preferences, experience level, browser/OS details | Beta program management and testing context |
2.2 Information from Google Services
When you connect your Google account, we receive:
| Data Type | Source | Purpose |
|---|---|---|
| Basic Profile | Google OAuth | Authentication and account identification |
| Google Ads Account Data | Google Ads API | Campaign management and synchronization |
| Campaign Performance | Google Ads API | Analytics and reporting |
| OAuth Tokens | Google OAuth | Maintaining authorized access |
2.3 Information Generated Through Use
| Data Type | Examples | Purpose |
|---|---|---|
| AI Interactions | Prompts, generated content, chat conversations | AI service delivery and improvement |
| Product Data | Product names, descriptions, images, pricing | Campaign creation and management |
| Generated Images | AI-generated product images and metadata | Advertising asset creation |
| Usage Data | Features used, actions taken, timestamps | Service improvement and analytics |
2.4 Technical Data
We automatically collect:
- IP address and approximate location
- Browser type and version
- Operating system
- Device information
- Access times and referring URLs
- Error logs and performance data
3. Legal Basis for Processing
Under UK GDPR, we process your personal data based on the following legal grounds:
3.1 Contract Performance (Article 6(1)(b))
Processing necessary to provide our services to you, including:
- Account creation and management
- Google Ads synchronization and campaign management
- AI content generation services
- Customer support
3.2 Legitimate Interests (Article 6(1)(f))
Processing necessary for our legitimate business interests, balanced against your rights:
- Platform security and fraud prevention
- Service improvement and analytics
- Bug fixing and performance optimization
- Business communications about our services
3.3 Consent (Article 6(1)(a))
Where we rely on your consent:
- Marketing communications (where required)
- Optional data collection for beta feedback
- Cookies and similar technologies (as per our cookie preferences)
You may withdraw consent at any time by contacting office@crumbless.ai.
3.4 Legal Obligation (Article 6(1)(c))
Processing required by law, including:
- Tax and accounting records
- Responding to lawful requests from authorities
4. How We Use Your Information
We use your personal data to:
- Provide Services: Deliver the Crumbless platform functionality, including Google Ads integration and AI content generation
- Improve Services: Analyze usage patterns, fix bugs, and develop new features
- Communicate: Send service updates, security alerts, and support messages
- Personalize: Customize your experience based on your preferences and usage
- Secure: Protect against fraud, unauthorized access, and abuse
- Comply: Meet our legal and regulatory obligations
- Beta Testing: Manage beta program participation and gather feedback
5. Data Sharing and Third Parties
5.1 Service Providers
We share data with trusted third parties who assist in providing our services:
| Provider | Service | Data Shared | Location |
|---|---|---|---|
| Google Cloud Platform | Infrastructure & AI (Vertex AI, Imagen) | All platform data, AI prompts, images | EU/US (SOC2 compliant) |
| Google Ads | Advertising management | Campaign data, performance metrics | Global |
| Stripe | Payment processing | Billing information, subscription data | US/EU |
| OpenAI (optional) | AI content generation | Prompts and generated content | US |
5.2 Data We Never Sell
We do not sell your personal data to third parties. We do not share your data for third-party advertising purposes.
5.3 Legal Disclosures
We may disclose your information if required by law or if we believe disclosure is necessary to:
- Comply with legal process or government requests
- Protect our rights, privacy, safety, or property
- Enforce our Terms of Service
- Respond to emergency situations
5.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you of any such change and any choices you may have.
6. International Data Transfers
Your data may be transferred to and processed in countries outside the UK, including the United States (for certain AI services and infrastructure).
We ensure appropriate safeguards are in place for international transfers:
- Adequacy Decisions: Transfers to countries with adequate data protection (e.g., EU member states)
- Standard Contractual Clauses: For transfers to the US and other countries, we rely on EU/UK Standard Contractual Clauses
- Certifications: Our infrastructure providers maintain SOC2 Type II compliance and other relevant certifications
7. Data Security
We implement robust security measures to protect your data:
7.1 Technical Measures
- Encryption at Rest: OAuth tokens and sensitive data encrypted using AES-256
- Encryption in Transit: All data transmitted via TLS 1.3
- Password Security: Passwords hashed using bcrypt with appropriate cost factors
- Access Controls: Role-based access controls and principle of least privilege
- Infrastructure: Hosted on Google Cloud Platform with SOC2 Type II compliance
7.2 Organizational Measures
- Regular security assessments and penetration testing
- Employee security awareness training
- Incident response procedures
- Vendor security assessments
7.3 Breach Notification
In the event of a personal data breach that poses a risk to your rights, we will:
- Notify the Information Commissioner's Office (ICO) within 72 hours
- Notify affected individuals without undue delay where required
- Document the breach and remediation steps taken
8. Data Retention
We retain your data only as long as necessary for the purposes described in this policy:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account Data | Duration of account + 2 years | Service provision and legal compliance |
| Google Ads Data | Synchronized continuously; deleted on account closure | Service functionality |
| AI Conversations | 1 year from creation | Service improvement and context |
| Generated Images | Duration of product/campaign existence | Service functionality |
| Billing Records | 7 years | UK tax and accounting requirements |
| Security Logs | 1 year | Security and fraud prevention |
| Soft-Deleted Campaigns | 30 days before permanent deletion | Recovery capability |
9. Your Rights
Under UK GDPR, you have the following rights:
9.1 Right of Access (Article 15)
You have the right to request a copy of the personal data we hold about you. We will provide this within one month of your request.
9.2 Right to Rectification (Article 16)
You have the right to request correction of inaccurate personal data.
9.3 Right to Erasure (Article 17)
You have the right to request deletion of your personal data in certain circumstances, including:
- Data is no longer necessary for the purpose collected
- You withdraw consent (where consent is the legal basis)
- You object to processing and there are no overriding legitimate grounds
9.4 Right to Restrict Processing (Article 18)
You have the right to request restriction of processing in certain circumstances.
9.5 Right to Data Portability (Article 20)
You have the right to receive your data in a structured, commonly used format and transmit it to another controller.
9.6 Right to Object (Article 21)
You have the right to object to processing based on legitimate interests or for direct marketing purposes.
9.7 Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing. While our AI generates suggestions, significant decisions require human review.
9.8 Exercising Your Rights
To exercise any of these rights, contact us at:
- Email: office@crumbless.ai
- Subject line: "Data Subject Request - [Your Right]"
We will respond within one month. This period may be extended by two months for complex requests.
10. Cookies and Tracking
We use cookies and similar technologies to:
- Essential Cookies: Enable core functionality (authentication, security)
- Functional Cookies: Remember your preferences and settings
- Analytics Cookies: Understand how you use the platform to improve our services
You can manage cookie preferences through your browser settings. Note that disabling essential cookies may affect platform functionality.
11. Children's Privacy
The Crumbless platform is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on our website
- Sending an email notification to registered users
- Displaying a notice within the platform
The "Last updated" date at the top indicates when the policy was last revised.
13. Complaints
If you have concerns about how we handle your personal data, please contact us first at office@crumbless.ai.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113
14. Contact Us
For any questions about this Privacy Policy or our data practices, please contact:
CRUMBLX AI LTD
Data Protection Officer
4 Bunnsfield, Welwyn Garden City
England, AL7 2DZ
United Kingdom
Email: office@crumbless.ai
This Privacy Policy is provided in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. By using the Crumbless platform, you acknowledge that you have read and understood this policy.