Privacy Policy

This policy explains what Cruxi collects, how we use it to run the regulatory platform, how data is shared with subprocessors, and which controls users can access directly in the product.

Last updated: April 20, 2026. Applies to app, trust pages, and support workflows.

1. Information we collect

  • Account data such as name, email, company, onboarding details, and authentication identifiers.
  • Workspace data such as project names, device descriptions, uploaded files, workflow state, regulatory analysis, drafts, evidence mappings, and messages.
  • Operational data such as usage logs, support context, request metadata, security/session information, and subscription status.
  • Consent and privacy records such as cookie preferences, user consent records, and data subject requests.

2. How we use the data

  • To authenticate users, run the regulatory platform, store projects, and deliver exports, deletion actions, and workflow features.
  • To process AI-assisted tasks requested by the user, including classification, predicate analysis, drafting, and evidence workflows.
  • To support billing, fraud prevention, platform security, troubleshooting, and product reliability.
  • To respond to support requests, contractual requests, and privacy requests.

3. Sharing and subprocessors

Cruxi does not sell customer data. We share data only with subprocessors and infrastructure providers needed to operate the service, such as hosting, database, payment, analytics, identity, and AI providers. Current providers are listed on the Subprocessors page.

Private project data is not shared with other customers, consultants, or partners unless the user explicitly authorizes that sharing through the product or a separate engagement flow.

4. AI processing

When users invoke AI-powered workflows, the submitted device and regulatory content may be processed by AI services used by Cruxi to provide the requested feature. The live 510(k) workflow stack uses Google Vertex AI / Gemini and OpenAI in supported AI-assisted flows. The Trust Center at /data-protection describes the live control posture and related subprocessors.

5. Security and access

  • Data is transmitted over encrypted connections.
  • The primary production Google Cloud Storage bucket used for uploaded 510(k) documents and generated submission artifacts uses a customer-managed Cloud KMS key for current production writes.
  • Managed database and other infrastructure layers are protected by infrastructure-level encryption at rest.
  • Email/password account creation and reset flows require a strong password with at least 12 characters, uppercase, lowercase, number, and symbol.
  • Production access is restricted to authorized personnel and governed by application and infrastructure controls.
  • Customer-facing privacy/security statements are published on verified public pages and are reviewed when controls change.

6. Retention and deletion

Users can delete projects directly from the regulatory app and can delete their account from the in-app Data & Privacy menu. The platform also supports formal data subject requests, which are tracked separately from immediate self-service deletion.

Workspace, consent, and privacy-request records are retained only as needed to operate the service, fulfill requests, meet security and operational needs, and satisfy applicable legal obligations.

7. Your controls

  • Export your account and workspace data from the app.
  • Submit access, portability, rectification, or erasure requests in-app or through the Data Subject Request page.
  • Delete projects individually or permanently delete your account from the app.
  • Review the latest public trust and legal documents at any time.

8. Contact

Privacy questions or requests: privacy@cruxi.ai

General support: support@cruxi.ai

Additional trust documents: How Cruxi Protects Your Data, DPA, and Cookie Policy.