GDPR Compliance
How Cruxi protects your data and respects your privacy rights
Last Updated: January 19, 2026
Overview
Cruxi applies GDPR practices and recommendations to protect personal data and enable data subject rights. This page explains the measures we use to do so.
We process personal data for legitimate business purposes (directory services, RFQ matching, and regulatory tools) and provide privacy controls to support transparency, consent, and user control.
Important clarification: While Cruxi's directories include EU-related services (such as EU Authorized Representative, EU/UK Cosmetics Responsible Person, GDPR Article 27 Representative), the individuals we target for these services are not located in the EU/UK. Our platform serves non-EU/UK businesses that need EU/UK compliance services. The RFQ form requires no personal names or personal information—only business email addresses, company information, and service requirements.
1. Lawful Basis & Legitimate Interest
We process personal data under the following lawful bases:
- Legitimate Interest: Operating provider directories to connect businesses with service providers. We assess this against individual rights and provide easy opt-out/removal options.
- Consent: For analytics cookies, marketing communications, and non-essential tracking. Users can withdraw consent at any time via our cookie settings.
- Contract Performance: Processing necessary to deliver services (RFQ matching, regulatory tools, account management).
- Legal Obligation: Compliance with regulatory requirements, tax obligations, and data retention laws.
Provider Directory: We may create provider listings from public business information. Providers can request removal or corrections via the removal/update link on their profile page or via our Data Subject Request page.
2. Consent Management
Cookie Consent
We use a granular cookie consent system that allows users to control:
- Essential Cookies: Required for site functionality (session management, authentication). Always enabled.
- Analytics Cookies: Google Analytics tracking (only loaded after explicit consent).
- Marketing Cookies: Advertising and remarketing (only loaded after explicit consent).
- Performance Cookies: Site performance monitoring (only loaded after explicit consent).
- Preference Cookies: User preferences and settings.
Google Tag Manager (GTM) and analytics scripts are not loaded until users grant consent. Users can change their preferences at any time via the "Cookie settings" link in the footer.
See our Cookie Policy for detailed information about each cookie type.
3. Data Subject Rights
We enable all GDPR data subject rights:
- Right of Access (Article 15): Users can request a copy of all personal data we hold about them.
- Right to Rectification (Article 16): Users can update their account information or request corrections.
- Right to Erasure (Article 17): Users can request deletion of their data ("right to be forgotten").
- Right to Data Portability (Article 20): Users can export their data in a machine-readable format.
- Right to Object (Article 21): Users can object to processing based on legitimate interest (e.g., provider directory listings).
- Right to Restrict Processing (Article 18): Users can request temporary suspension of processing.
How to Exercise Your Rights:
- Authenticated users: Use the Data Subject Request form or contact privacy@cruxi.ai.
- Unauthenticated users: Use our public DSAR form to submit requests without logging in.
- Provider removal: Use the "Is this your business?" link on any provider profile page for instant removal.
We respond to all requests within 30 days (or sooner when possible).
4. Data Minimization & Purpose Limitation
We only collect and process personal data that is:
- Necessary: Required for the specific purpose (e.g., RFQ matching, account management).
- Relevant: Directly related to the service being provided.
- Adequate: Sufficient but not excessive for the purpose.
We do not collect unnecessary personal data, and we delete data when it's no longer needed for the original purpose (subject to legal retention requirements).
5. Data Security
We implement technical and organizational measures to protect personal data:
- Encryption: Data in transit (TLS/SSL) and at rest (encrypted databases).
- Access Controls: Role-based access, authentication requirements, and audit logs.
- Infrastructure: Google Cloud Platform with industry-standard security controls.
- Backup & Recovery: Regular backups with secure storage and recovery procedures.
- Monitoring: Security monitoring, intrusion detection, and incident response procedures.
6. Subprocessors & Third-Party Services
We use the following subprocessors to deliver our services:
- Google Cloud Platform: Hosting, storage, and infrastructure services.
- Google Analytics: Website analytics (only loaded after consent).
- Stripe: Payment processing (PCI DSS compliant).
- Google Vertex AI / Gemini: AI/ML services for regulatory tools.
All subprocessors are bound by Data Processing Agreements (DPAs) and apply GDPR practices and recommendations. See our Subprocessors page for details.
We maintain a standard DPA available to clients upon request.
7. International Data Transfers
Cruxi is a U.S.-based company with primary infrastructure in the U.S. (Google Cloud). We do not currently direct services to individuals in the EU/UK.
If and when we begin processing personal data of individuals in the EU/UK, we will implement appropriate transfer safeguards, which may include:
- Standard Contractual Clauses (SCCs): EU-approved contractual clauses for international data transfers.
- Data Processing Addenda: Agreements with subprocessors that include appropriate safeguards.
- Adequacy Decisions: Reliance on adequacy decisions where applicable.
For more information about our EU scope assessment, see our Compliance & Contacts page.
8. Data Retention
We retain personal data only as long as necessary:
- Account Data: Retained while the account is active, plus 7 years for legal/tax compliance.
- Provider Directory Listings: Retained until the provider requests removal or the listing becomes inactive.
- RFQ Data: Retained for 7 years for business and legal purposes.
- Analytics Data: Retained according to Google Analytics retention settings (typically 26 months, configurable).
- Suppression Lists: Provider removal requests are permanently recorded to prevent re-listing.
When data is deleted, it is removed from active systems and backups within 90 days (subject to legal hold requirements).
9. Breach Notification
In the event of a personal data breach that poses a risk to individuals' rights and freedoms:
- Supervisory Authority: We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach.
- Data Subjects: We will notify affected individuals without undue delay if the breach poses a high risk to their rights and freedoms.
- Documentation: All breaches are documented, investigated, and remediated with appropriate security measures.
10. Privacy by Design & Default
We implement privacy by design principles:
- Default Privacy Settings: New accounts start with the most privacy-protective settings (e.g., analytics opt-out by default).
- Minimal Data Collection: We only request necessary information during registration and service use.
- Granular Controls: Users have fine-grained control over cookies, communications, and data sharing.
- Instant Removal: Provider removal requests are honored immediately (no waiting period).
11. Children's Privacy
Our services are not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it immediately.
12. Contact & Complaints
Data Protection Contact:
- Email: privacy@cruxi.ai
- For EU scope assessment: See our Compliance & Contacts page.
Supervisory Authority Complaints:
If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local supervisory authority:
- UK: Information Commissioner's Office (ICO)
- EU: Your local data protection authority (DPA). Find yours at edpb.europa.eu