Privacy Policy
Last updated: 2026-03-23
1. Introduction
CrowVault (operated by TechSynergy Corp., "we", "us", "our") respects your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website (crowvault.ai) and API services (collectively, the "Service").
By using the Service, you consent to the practices described in this policy. If you do not agree, please do not use the Service.
2. Information We Collect
2.1 Account Information
When you register, we collect:
- Email address
- Password (stored as a bcrypt hash — we never store plaintext passwords)
- Display name (optional)
- Plan selection (Free, Developer, Team, Enterprise)
2.2 Usage Data
When you use our API, we automatically collect:
- API call metadata (tool name, server, timestamp, duration, response size)
- API key identifiers (we store SHA-256 hashes, not raw keys)
- IP address and User-Agent (for rate limiting and security)
- Error logs (for debugging and service improvement)
We do not store the content of your API call arguments or generated output beyond the duration of the request.
2.3 Payment Information
Payment processing is handled entirely by Stripe. We do not store credit card numbers, CVVs, or bank account details. We receive from Stripe only: subscription status, plan type, and a customer identifier.
2.4 Analytics
We use Google Analytics 4 (GA4) to understand how visitors use our website. GA4 collects anonymized data including pages visited, session duration, and referral source. You can opt out using browser extensions or cookie settings.
3. How We Use Your Information
- Provide, maintain, and improve the Service
- Authenticate your identity and authorize API access
- Process payments and manage subscriptions
- Send transactional emails (OTP codes, password resets, receipts)
- Monitor and enforce usage quotas
- Detect and prevent fraud, abuse, and security incidents
- Generate aggregate, anonymized analytics to improve the platform
We do not sell your personal data. We do not use your data to train AI models.
4. AI Augmentation
CrowVault uses third-party AI providers (Google Gemini, Anthropic Claude) to enhance tool output. When a tool is called:
- Your tool arguments and the template output are sent to the AI provider for augmentation
- Arguments are sanitized (control characters stripped, length capped) before transmission
- AI providers process data per their own privacy policies — we select providers with strong data handling commitments
- We do not send your email, password, API keys, or account information to AI providers
5. Data Storage and Security
- Database: Google Cloud SQL (PostgreSQL 16), encrypted at rest, US-Central1 region
- Backups: GPG-encrypted daily backups to Google Cloud Storage with 7-day retention
- Transport: All connections use TLS 1.2+ (HTTPS enforced)
- Access: SSH key-only access, fail2ban intrusion prevention, UFW firewall
- Passwords: bcrypt with cost factor 12+
- API keys: SHA-256 hashed before storage
- Sessions: JWT tokens with configurable expiration, HttpOnly cookies
6. Data Retention
- Account data: Retained while your account is active. Deleted within 30 days of account deletion request.
- API call logs: Retained for 90 days for analytics, then aggregated and anonymized.
- OTP codes: Automatically expired and purged after 10 minutes.
- Password reset tokens: Expired and purged after 1 hour.
7. Third-Party Services
We use the following third-party services that may process your data:
- Stripe — payment processing (Stripe Privacy Policy)
- Google Cloud Platform — infrastructure and AI services (GCP Privacy Notice)
- Google Analytics — website analytics (Google Privacy Policy)
- Anthropic — AI augmentation fallback (Anthropic Privacy Policy)
8. Your Rights
You have the right to:
- Access your personal data — view your profile and usage history in the dashboard
- Correct inaccurate data — update your display name and email in settings
- Delete your account — contact us and we will delete your data within 30 days
- Export your data — request a copy of your data via our contact form
- Restrict processing — you may revoke API keys at any time to stop data collection
To exercise these rights, contact us at /contact.
9. Cookies
We use the following cookies:
- Session cookie (token) — JWT authentication, HttpOnly, SameSite=Lax, expires per session configuration
- GA4 cookies (_ga, _ga_*) — analytics, set by Google Analytics
We do not use advertising cookies or third-party tracking cookies.
10. Children's Privacy
CrowVault is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us personal data, please contact us and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top reflects the most recent revision.
12. Contact
For privacy questions or data requests:
- Use our contact form
- Entity: TechSynergy Corp.