Global Privacy Policy
Crescaa ("Company", "we", "us", or "our") is deeply committed to protecting the privacy rights of our users and safeguarding the information processed through our platform. This Privacy Policy outlines our strict data collection practices, operational utilization, AI processing guardrails, advertising mechanisms, and regulatory disclosure protocols.
1. Compliance Standards and Regulatory Roles
This Privacy Policy is structured to comply comprehensively with the General Data Protection Regulation (GDPR), the ePrivacy Directive, UK GDPR, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other global data privacy frameworks. Under these laws, our operational role depends strictly on your account type:
B2C Consumer Accounts: When an individual manager purchases or accesses the Service directly, the Company functions as the Data Controller for the personal information collected to manage the account.
B2B Enterprise Accounts: When an enterprise organization purchases the platform for its staff, the enterprise organization acts as the Data Controller, and the Company operates strictly as a Data Processor acting under the explicit legal directives of the employer via a Data Processing Addendum (DPA).
2. Categories of Data We Collect and Process
We collect information across distinct operational vectors:
A. Information You Directly Provide to Us — Account Registration Data: Full name, business or personal email address, telephone numbers, and billing variables. Profile Customization Variables: Learning goals, role parameters, and scheduled notification preferences.
B. Abstracted Behavioral Inputs & Third-Party Data — The Pseudonymization Mandate: Crescaa is designed for educational coaching using abstracted identifiers. When using the app to track team dynamics, our interface specifically requests a "Teammate" alias (e.g., "Agent A" or initials). You are strictly prohibited from inputting Personally Identifiable Information (PII)—such as legal names, personal emails, or exact physical locations—regarding any third party.
Operational Copy-Pasting Ban: You are prohibited from copying and pasting raw, unredacted corporate documents (such as customer transcripts, QA scorecards, or official performance reviews) into the open-text fields. Because we mandate pseudonymization at the UI level, we do not knowingly collect or store identifiable third-party HR data.
C. Technical Data, Diagnostics, and Telemetry — Essential Diagnostic Data: To maintain platform stability, we automatically collect app crash logs, operating system versions, and system telemetry. Diagnostic Segregation: We intentionally segregate diagnostic telemetry from the primary database hosting your behavioral notes to ensure crash reports do not capture your raw text inputs.
Non-Essential Network Data: Unique device identifiers, advertising IDs, and localized cellular carrier data (collected only with explicit consent where required by law).
3. Artificial Intelligence and Prompt Engineering Defenses
AI Coach Interactions: The textual transcript of prompt queries and contextual leadership scenarios you transmit to our AI assistant are processed to generate educational feedback.
Zero-Training Mandate: We utilize strict corporate enterprise APIs with foundational AI vendors (e.g., OpenAI, Anthropic, Google). Your data and prompt inputs are strictly prohibited from being used by these vendors to train, optimize, refine, or adjust their public foundational models.
Automated Redaction: As a secondary safeguard against accidental user error, Crescaa employs automated system-level prompt engineering designed to identify and strip suspected names or direct contact information before processing your notes through the AI APIs.
4. Data Monetization, Advertising, and Sharing
A. Aggregated Macro-Trends (Data Monetization): We do not sell, rent, or trade your personal data or the personal data of anyone you manage to data brokers. However, we may aggregate and entirely anonymize behavioral data and usage patterns to create macro-trend reports (e.g., "70% of operations managers report empathy challenges in Q4"). Because this data is irreversibly anonymized and cannot identify any individual, we may sell, share, or publish these aggregated insights for market research.
B. Third-Party Advertising and SDKs: Crescaa partners with third-party ad networks to display advertisements. These partners may use cookies, tracking pixels, and software development kits (SDKs) to collect device identifiers and usage data to serve relevant ads. You will be prompted with a Consent Management interface upon your first launch to opt-in or opt-out of targeted advertising tracking.
C. Essential Subprocessors: We disclose your data strictly to essential subprocessors required to operate the Service, including secure cloud hosting ecosystems (e.g., Google Cloud/Firebase) and transaction processors (e.g., Stripe, Apple, Google).
5. Legal Bases for Processing (GDPR & ePrivacy)
If you access the Service from the European Economic Area (EEA) or the UK, we process your data under the following legal bases:
Performance of a Contract: Required to provision your Account, process billing, and deliver the AI coaching features.
Legitimate Interests: Required to safeguard platform security and process essential, segregated crash telemetry to fix critical bugs, provided this does not override your baseline privacy rights.
Consent: Required for processing non-essential cookies, deploying advertising SDKs, and sending promotional marketing. You may withdraw this consent at any time via the in-app settings.
Compliance with Law: Required to fulfill statutory financial tax auditing or lawful court orders.
6. International Data Transfers and Cross-Border Safeguards
Crescaa utilizes globally distributed hosting architecture. Your data may be stored and processed outside of your nation of origin, including in the United States or the Republic of Armenia. To ensure cross-border compliance, we enforce standard data protection safeguards, including the execution of the European Commission's Standard Contractual Clauses (SCCs) and necessary Transfer Impact Assessments (TIAs), ensuring an equivalent framework of data protection applies regardless of server location.
7. Data Retention Strategies and Permanent Erasure
B2C Consumer Profiles: Maintained for the life of the account. Upon initiating a deletion request via the app UI, personal account fields are permanently deleted or irreversibly anonymized within thirty (30) calendar days.
Diagnostic Logs: Crash logs and essential telemetry are retained only as long as necessary to resolve technical anomalies, and never longer than ninety (90) days.
B2B Enterprise Profiles: Retained in strict alignment with the master enterprise contract and systematically deleted or returned to the client within ninety (90) days of contract termination.
8. Your Statutory Privacy Rights (GDPR & CCPA)
Regardless of your jurisdiction, Crescaa affords all users the right to control their data. You maintain the right to:
Request Access/Disclosure: Obtain a report showing the personal data we hold about you.
Request Erasure/Deletion (Right to be Forgotten): Compel us to permanently delete your account and associated data.
Request Rectification: Correct inaccurate profile records.
Data Portability: Export your account details in a machine-readable format.
Opt-Out of Targeted Advertising / "Do Not Sell or Share My Personal Information": Under the CCPA/CPRA, the deployment of third-party advertising cookies may be considered "sharing" for cross-context behavioral advertising. You maintain the absolute right to opt-out of this sharing via the Consent Management interface or the "Do Not Sell or Share" link in the application settings.
9. Contact Information and Statutory Notices
To exercise your privacy rights, report a data concern, or contact our Data Protection Officer (DPO), please submit a formal request via the in-app Privacy Settings or contact us at:
Crescaa
Privacy & Compliance Team: privacy@crescaa.app