Privacy Policy
Last Updated: January 19, 2026
Our Privacy Commitment
At Cruxi, we believe your documents and data belong to you. We've built our entire platform around protecting your privacy while delivering powerful AI capabilities. This policy explains how we achieve both.
1. Information We Collect
1.1 Information You Provide
- Account Information: When you sign up via Google OAuth, we collect your name, email address, and Google profile information
- Regulatory Data and Content: Device information, regulatory documents, project data, and files you upload to the platform, including PDFs, Word documents, and other supported formats related to FDA regulatory submissions
- Usage Data: How you interact with our features, including queries, AI responses, and document operations
- Communication Data: Support requests, feedback, and any direct communications with our team
- Payment Information: Billing details, subscription status, and payment history (processed securely through our payment providers)
- Preferences and Settings: Your application preferences, notification settings, and customization choices
1.2 Information Collected Automatically
- Technical Data: IP address, browser type, device information, and operating system
- Analytics Data: Page views, feature usage, and performance metrics (anonymized)
- Token Usage: AI processing metrics for billing and optimization purposes
- Session Data: Login times, duration of sessions, and interaction patterns
- Error Logs: System errors and debugging information to improve service reliability
- Performance Metrics: Response times, processing speeds, and system health indicators
1.3 Information from Third Parties
- OAuth Providers: Profile information from Google when you authenticate
- Integration Partners: Data from connected services you authorize
- Public Sources: Publicly available information for verification purposes and provider/consultant directory creation
1.4 Provider & Consultant Directories
Cruxi maintains public directories that may include profiles of service providers and regulatory consultants. This section explains how we handle information in these directories.
1.4.1 Profile Creation and Data Sources
Directory profiles may be created from two sources:
- Public Source Information: We may create provisional directory profiles using AI-assisted analysis of publicly available information, including but not limited to:
  - LinkedIn profiles and professional networks
  - Company websites and professional bios
  - Public directories and professional listings
  - Published articles, presentations, or professional content
  - Public regulatory databases and filings
- Self-Reported Information: Providers/consultants who claim their profiles may provide additional information, updates, or corrections directly to Cruxi.
1.4.2 Information Displayed on Public Profiles
Public profiles may include the following types of information:
- Professional Information: Name, professional title, company/firm name, years of experience, areas of expertise, certifications, and professional background
- Professional Links: LinkedIn profile URL, company website URL, and other professional online presence
- Location Information: Country, state/province, and timezone (general location only)
- Professional Services: Types of regulatory services offered, device classes, submission types, and specialties
- Pricing Information: General pricing structure (hourly rates, project ranges, or "contact for quote") if provided by the profile owner
1.4.3 Information NOT Published Without Consent
We do NOT publish the following information on public profiles without explicit consent from the profile owner:
- Direct Contact Information: Personal email addresses, direct phone numbers, or WhatsApp numbers (unless the owner explicitly chooses to make these public)
- Profile Photos: Personal or professional photos (unless provided and approved by the owner)
- Private Information: Home addresses, personal social media accounts, or any information not publicly available
- Sensitive Data: Financial information, tax identification numbers, or other sensitive personal data
1.4.4 Claiming and Correcting Your Profile
If you are listed and wish to:
- Claim your profile: Verify ownership and gain control over your profile information
- Correct information: Update or correct any inaccurate information in your profile
- Request removal: Have your profile removed from the public directory
- Opt out: Prevent creation of a profile from public sources
Please contact us at support@cruxi.ai, use the "Claim Profile" feature on your profile page, or submit a request through our Data Subject Request page. We will respond to such requests within 30 days.
1.4.5 Profile Verification and Accuracy
Unclaimed provisional profiles are created from public sources and may contain inaccuracies or incomplete information. We make reasonable efforts to improve accuracy but do not guarantee the completeness or accuracy of information derived from public sources. Once a profile is claimed, the owner is responsible for maintaining accurate information in their profile.
2. How We Use Your Information
Note: For information specific to directory profiles, please see Section 1.4 above.
2.1 Primary Uses
- Service Delivery: Processing your documents, generating AI responses, and providing core functionality
- Account Management: Managing your subscription, authentication, and user preferences
- Communication: Sending service updates, security alerts, and responding to inquiries
- Improvement: Analyzing usage patterns to enhance features and user experience
- Security: Detecting and preventing fraud, abuse, and unauthorized access
- Legal Compliance: Meeting regulatory requirements and responding to legal requests
2.2 AI Processing
Your regulatory data and device information are processed using advanced AI models with the following safeguards:
- Data is transmitted over encrypted connections (TLS) between your browser and our servers
- We design features to minimize personal data sent to external AI services, and rely on contractual and technical controls with subprocessors
- Access to production systems is restricted and logged
- We do not share your private project data with other users unless you explicitly share it
- Support access to customer data, if needed, is limited to what is necessary to resolve an issue
2.3 Marketing and Analytics
- We may send promotional emails only with your explicit consent
- Analytics are aggregated and anonymized to protect individual privacy
- You can opt out of marketing communications at any time
- We never sell your personal information to third parties
3. Data Storage and Security
3.1 Storage Practices
- Location: Data is stored with reputable cloud infrastructure providers (see our Subprocessors list)
- Encryption: We use encryption in transit (TLS) and encryption at rest where supported by our infrastructure
- Access Controls: Access is restricted on a least-privilege basis, with authentication and auditing
- Backups: We maintain backups and recovery procedures to support service continuity
- Isolation: We use logical separation and access controls to help protect customer data
3.2 Security Measures
- Security logging and monitoring
- Vulnerability management and patching
- Access reviews and least-privilege controls
- Incident response procedures
3.3 Incident Response
In the event of a security incident:
- Immediate containment and investigation
- Notification within 72 hours where required by law if personal data is affected
- Detailed incident report and remediation steps
- Cooperation with relevant authorities
4. Data Sharing and Disclosure
4.1 We Do Not Sell Your Data
Cruxi never sells, rents, or trades your personal information or documents to third parties.
4.2 Limited Sharing Scenarios
We may share your information only in these specific circumstances:
- Service Providers: Trusted vendors who help operate our service (e.g., cloud infrastructure, payment processing)
- Legal Requirements: When required by law, subpoena, or court order
- Safety and Rights: To protect the safety and rights of Cruxi, our users, or the public
- Business Transfers: In connection with a merger, acquisition, or sale of assets (with prior notice)
- With Your Consent: When you explicitly authorize sharing for specific purposes
4.3 Third-Party Service Providers
| Provider Type | Purpose | Data Shared |
|---|---|---|
| Cloud Infrastructure (Google Cloud) | Hosting, storage, networking, monitoring | Account data, application data, logs/metadata, IP address |
| Payment Processing (Stripe) | Billing, subscriptions, fraud prevention | Billing details and payment metadata (we do not store full card details) |
| Analytics (Google Analytics / Tag Manager) | Product analytics and measurement | Usage events, device/browser data, IP address (only after consent where required) |
| AI Processing (Gemini / Vertex AI) | AI-assisted features (text generation, analysis) | Inputs you submit to AI features (may include personal data if you provide it) |
For a current list of subprocessors, see our Subprocessors page.
5. Your Rights and Controls
5.1 Access and Portability
- Request a copy of all personal information we hold about you
- Export your documents and data in standard formats
- Access detailed logs of data processing activities
- Receive data in a structured, machine-readable format
5.2 Correction and Deletion
- Update or correct inaccurate personal information
- Request deletion of your account and associated data
- Remove specific documents from your Knowledge Base
- Clear usage history and analytics data
5.3 Control and Consent
- Manage communication preferences and opt-out options
- Control data sharing with third-party integrations
- Withdraw consent for data processing (where applicable)
- Object to automated decision-making processes
5.4 How to Exercise Your Rights
You can exercise these rights by:
- Using the privacy settings in your account dashboard
- Contacting our Data Protection Officer at dpo@cruxi.ai
- Submitting a request through our Data Subject Request form
Response time: Within 30 days of receiving your request
6. Cookies and Tracking Technologies
6.1 Types of Cookies We Use
- Essential Cookies: Required for basic site functionality and security
- Analytics Cookies: Help us understand how users interact with our service
- Preference Cookies: Remember your settings and preferences
- Performance Cookies: Monitor and improve service performance
6.2 Third-Party Cookies
We use limited third-party cookies for:
- Google OAuth authentication
- Analytics services (with IP anonymization)
- Security and fraud prevention
6.3 Managing Cookies
- Use our cookie consent banner to manage preferences
- Open “Cookie settings” from the footer to change preferences at any time
- Adjust browser settings to block or delete cookies
- Note: Disabling essential cookies may impact service functionality
For more details, see our Cookie Policy.
6.4 Do Not Track
Some browsers offer a “Do Not Track” signal. Our primary mechanism for controlling optional tracking is our cookie consent banner and “Cookie settings” controls.
7. Data Retention
7.1 Retention Periods
| Data Type | Retention Period | Reason |
|---|---|---|
| Account Information | Duration of account + 90 days | Account recovery and security |
| Regulatory Projects and Data | Until deleted by user | User-controlled content |
| Usage Analytics | 24 months | Service improvement |
| Security Logs | 12 months | Security and compliance |
| Billing Records | 7 years | Legal requirements |
| Support Communications | 3 years | Service quality and training |
7.2 Deletion Process
- Immediate removal from production systems
- Purged from backups within 90 days
- Secure overwriting of storage media
- Confirmation of deletion upon request
8. International Data Transfers
8.1 Transfer Mechanisms
When we transfer data internationally, we ensure protection through:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions for countries with equivalent data protection
- Binding Corporate Rules for intra-group transfers
- Your explicit consent for specific transfers
8.2 Data Localization Options
- Enterprise customers can request data residency in specific regions
- Available regions: United States, European Union, United Kingdom, Canada, Australia
- Contact our sales team for data localization requirements
9. Children's Privacy
Cruxi is not intended for users under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete such information promptly.
9.1 Parental Rights
If you believe your child has provided us with personal information, please contact us at privacy@cruxi.ai. Parents and guardians may:
- Request deletion of their child's information
- Refuse further collection or use of their child's information
- Request access to information collected about their child
10. California Privacy Rights (CCPA)
California residents have additional rights under the California Consumer Privacy Act (CCPA):
10.1 Your CCPA Rights
- Right to Know: Request disclosure of personal information we collect, use, and share
- Right to Delete: Request deletion of personal information we hold
- Right to Opt-Out: Opt out of the sale of personal information (Note: We do not sell personal information)
- Right to Non-Discrimination: Equal service and pricing regardless of exercising privacy rights
10.2 Categories of Information Collected
- Identifiers (name, email, IP address)
- Commercial information (subscription history)
- Internet activity (usage data)
- Professional information (uploaded documents)
10.3 How to Submit CCPA Requests
- Email: privacy@cruxi.ai with subject "CCPA Request"
- Toll-free number: 1-646-379-7158
- Online form: Available in account settings
- Authorized agent: May submit requests with written permission
11. European Privacy Rights (GDPR)
For EU/EEA residents, we comply with the General Data Protection Regulation (GDPR):
11.1 Legal Basis for Processing
- Contract Performance: Processing necessary to provide our services
- Legitimate Interests: Improving services, security, and fraud prevention
- Consent: Marketing communications and optional features
- Legal Obligations: Compliance with applicable laws
11.2 Your GDPR Rights
- Right to access your personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Rights related to automated decision-making
11.3 Data Protection Officer
Contact our DPO for privacy concerns or to exercise your rights:
- Email: dpo@cruxi.ai
- Mailing Address: Cruxi, Inc., 730 Third Avenue, New York, NY 10017, United States
11.4 EU Scope and Contacts
Cruxi is a U.S.-based platform and does not direct services to individuals in the EU/UK. We do not operate EU/UK-targeted marketing campaigns. We periodically review our operations to assess whether EU legal requirements apply. For more information about our EU scope assessment and contact points, see our Compliance & Contacts page.
11.5 Supervisory Authority
You have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.
12. Third-Party Links and Services
Our service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.
12.1 Integrated Services
When you connect third-party services to Cruxi:
- You authorize data sharing as described in the integration settings
- Third-party services are governed by their own privacy policies
- You can disconnect integrations at any time from your account settings
- We maintain audit logs of all third-party data access
13. Changes to This Policy
13.1 Notification Process
- Email notification for material changes at least 30 days before effective date
- In-app notifications for all policy updates
- Version history available on our website
- Continued use after notification constitutes acceptance
13.2 Right to Object
If you disagree with changes to this policy, you may:
- Export your data before changes take effect
- Close your account without penalty
- Contact us to discuss concerns
14. Accessibility
We are committed to making our privacy policy accessible to all users. If you need this policy in an alternative format or have accessibility concerns, please contact us at accessibility@cruxi.ai.
15. Contact Information
Privacy Questions or Concerns?
We're here to help with any privacy-related questions:
General Privacy Inquiries:
Email: privacy@cruxi.ai
Phone: 1-646-379-7158
Data Protection Officer:
Email: dpo@cruxi.ai
Mailing Address:
Cruxi, Inc.
Attn: Privacy Team
730 Third Avenue
New York, NY 10017
United States
EU/UK GDPR Article 27 Representative:
Cruxi does not currently direct services to individuals in the EU/UK. If and when we begin offering services to individuals in the EU/UK, we will appoint an Article 27 representative as required. See our EU/UK Article 27 Representative page for current status.
For privacy inquiries, contact: privacy@cruxi.ai
16. Regulatory Compliance
Cruxi complies with the following privacy regulations and frameworks:
- General Data Protection Regulation (GDPR) - European Union
- California Consumer Privacy Act (CCPA) - California, USA
- Personal Information Protection and Electronic Documents Act (PIPEDA) - Canada
- Privacy Act 1988 - Australia
- Data Protection Act 2018 - United Kingdom
- Lei Geral de Proteção de Dados (LGPD) - Brazil