Privacy Policy

Effective date: June 6, 2026

This Privacy Policy describes how Crutan ("Crutan," "we," "us," or "our") collects, uses, discloses, and protects personal information when you use our websites (including crutan.com and app.crutan.com), the Crutan software platform, our HubSpot and other CRM integrations, personalized landing pages hosted through Crutan, and related services (collectively, the "Service").

If you do not agree with this Privacy Policy, please do not use the Service. For business customers, our Data Processing Addendum describes additional terms that apply when we process personal information on your behalf.

1. Who this policy applies to

We interact with several categories of individuals:

• Account users — people who register for, administer, or use a Crutan workspace (for example, employees or contractors of a business customer).
• Business customers — organizations that subscribe to Crutan and control the prospect, lead, and visitor data they upload or connect to the Service.
• Prospects and recipients — individuals whose information a business customer imports or syncs into Crutan to generate personalized landing pages.
• Page visitors — individuals who view or interact with personalized landing pages published through Crutan, including by submitting forms or booking meetings.
• Integration contacts — individuals whose data is read from or written back to connected systems such as HubSpot when a customer enables an integration.

2. Our role: controller and processor

Crutan acts in different roles depending on the data involved:

• As a controller, we determine how to collect and use information needed to operate accounts, billing, security, product improvement, and communications with our customers. This includes account user profile data, authentication records, subscription and payment-related information, support correspondence, and usage data relating to how customers use the Crutan application.
• As a processor, we process prospect, page visitor, and CRM-synced information on behalf of our business customers according to their instructions. Our customers are responsible for providing appropriate notice to individuals and for having a lawful basis to collect and use that information. Our Data Processing Addendum governs that processing.

Questions about how a specific business customer uses your information should be directed to that customer. Questions about Crutan's own processing may be sent to privacy@crutan.com.

3. Information we collect

3.1 Information you provide directly

When you create or manage a Crutan account, we may collect:

• Name, email address, and authentication credentials
• Organization and workspace names, team memberships, and role assignments
• Billing contact details and subscription selections
• Support requests, feedback, and communications with us
• Configuration data such as brand settings, templates, domain settings, API keys, and connector settings
• Files and media you upload to the media library

3.2 Customer-controlled prospect and CRM data

Business customers may upload or sync personal information about prospects and contacts, including:

• Contact details such as name, email address, phone number, job title, and company name
• Company domain, industry, location, and social or professional profile URLs
• Custom fields, tags, external system identifiers (for example HubSpot contact IDs), and notes
• Research artifacts and AI-generated personalization content derived from customer-provided inputs
• Meeting or booking details captured through personalized pages

Customers may import this data via CSV upload, our API, webhooks, or native integrations. We process this information to generate personalized pages, deliver analytics, and sync events to connected systems.

3.3 Landing page and interaction data

When an individual views or interacts with a personalized landing page hosted through Crutan, we may collect:

• Page views, CTA clicks, scroll or engagement signals, and similar interaction events
• Form submissions and meeting-booking details configured by the customer
• Referrer URL, UTM parameters, and page token identifiers
• A one-way cryptographic hash of the visitor's IP address (we do not store raw IP addresses in our standard page analytics pipeline)
• Derived intent scores and conversion-related metadata associated with a prospect record

3.4 Integration and connection data

When a customer connects third-party services, we may collect and store:

• OAuth tokens and related metadata for services such as HubSpot, encrypted at rest
• Portal, account, or workspace identifiers from the connected system
• Field mappings, webhook configuration, and delivery logs for outbound events
• Data received through inbound webhooks or API calls authorized by the customer

3.5 Automatically collected technical data

When you use the Service, we may automatically collect:

• Device and browser type, operating system, and language preferences
• Log data such as timestamps, request paths, and error reports
• Security and anti-abuse signals, including rate-limiting metadata
• Session and authentication events needed to keep accounts secure

3.6 Payment information

Paid subscriptions and credit purchases are processed by Stripe. We receive billing status, subscription identifiers, invoice references, and limited payment metadata from Stripe, but we do not store full payment card numbers on our servers.

4. How we use information

We use personal information to:

• Provide, operate, maintain, and secure the Service
• Authenticate users and enforce workspace access controls
• Generate, host, and deliver personalized landing pages on behalf of customers
• Capture page interactions, analytics, and lead or meeting responses
• Sync data with customer-authorized CRMs, webhooks, and APIs
• Process subscriptions, usage metering, credits, and billing
• Send transactional emails such as invitations, notifications, and account alerts
• Provide customer support and respond to inquiries
• Monitor performance, troubleshoot errors, and protect against fraud or abuse
• Comply with law, enforce our terms, and protect our rights and users
• Improve the Service, including through aggregated or de-identified analytics

We use AI service providers to power certain product features, including template generation, content personalization, brand extraction, and optional discovery workflows. Customer content sent to those providers is used only to deliver the requested feature, subject to the provider's terms and our agreements with them.

5. Legal bases for processing (EEA, UK, and Switzerland)

Where applicable privacy law requires a legal basis, we rely on:

• Contract — to provide the Service, manage accounts, and fulfill customer subscriptions
• Legitimate interests — to secure the Service, prevent abuse, improve reliability, and support business operations, balanced against individual rights
• Consent — where required for optional communications or integrations, or where a customer has obtained consent for visitor tracking or form collection
• Legal obligation — to comply with applicable law, tax, accounting, or regulatory requirements

When we process personal information on behalf of customers, the customer determines the applicable legal basis for that processing.

6. How we share information

We do not sell personal information. We may share information in these circumstances:

• Service providers and subprocessors — vendors that help us host, operate, secure, and support the Service, as described in Section 7
• Customer-directed integrations — when a customer connects HubSpot, webhooks, or other systems, data is shared according to the customer's configuration
• Within a customer organization — workspace members authorized by the customer may access data within that workspace
• Business transfers — in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate safeguards
• Legal and safety — when required by law, court order, or governmental request, or when we believe disclosure is necessary to protect rights, safety, or security
• With consent — when you or the relevant customer has directed us to share information

7. Subprocessors

We use trusted third-party providers to run the Service. Depending on the features you use, personal information may be processed by:

• Supabase — database, authentication, file storage, and application infrastructure
• Vercel — application hosting and deployment
• Stripe — payment processing and subscription management
• Resend — transactional email delivery
• Anthropic and OpenAI — AI-assisted content generation, personalization, and optional audio transcription
• Inngest — background job orchestration
• Upstash — caching and rate limiting
• Sentry — error monitoring and diagnostics
• Cloudflare — DNS and custom domain services, where configured
• HubSpot and other CRM platforms — when a customer enables a native integration or outbound connector

We require subprocessors to process personal information only for the purposes we specify and to maintain appropriate security measures. We may update subprocessors from time to time and will maintain commercially reasonable oversight of those providers.

8. International data transfers

Crutan is based in the United States. If you access the Service from outside the United States, your information may be transferred to, stored in, and processed in the United States and other countries where we or our subprocessors operate. Those countries may have data protection laws that differ from the laws of your jurisdiction.

Where required, we use appropriate safeguards for cross-border transfers, such as standard contractual clauses or equivalent mechanisms offered by our subprocessors.

9. Data retention

We retain personal information for as long as necessary to provide the Service, fulfill the purposes described in this policy, comply with legal obligations, resolve disputes, and enforce our agreements. Retention periods vary by data type:

• Account and workspace data — retained while the account is active and for a limited period afterward to support backups, billing reconciliation, security, and legal compliance
• Customer-controlled prospect and page content — retained according to customer use of the Service and deleted when the customer deletes the data, removes a workspace, or deletes the organization
• Raw page event logs — retained for a default period of up to 180 days unless a shorter or longer period is configured for the deployment
• Discovery session recordings — retained for a limited period (typically up to 7 days) unless deleted earlier by the customer
• OAuth tokens and connector credentials — retained while an integration remains connected and removed or invalidated upon disconnect
• Audit and security logs — retained for a period appropriate to security, compliance, and incident investigation needs

Customers may request export or deletion of account-related data through account settings or by contacting us. When a business customer deletes its organization, we delete or de-identify associated workspace data subject to legal retention requirements.

10. Security

We implement technical and organizational measures designed to protect personal information, including encryption of sensitive credentials at rest, tenant isolation by workspace, access controls for authenticated users, audit logging for important account actions, and monitoring for abuse. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

You are responsible for safeguarding your account credentials, API keys, and webhook secrets. Notify us promptly at security@crutan.com if you believe your account has been compromised.

11. Your privacy rights and choices

11.1 Account users and business customers

Depending on your location, you may have the right to:

• Access personal information we hold about you
• Correct inaccurate information
• Delete certain information, subject to legal exceptions
• Export information you provided to us
• Object to or restrict certain processing
• Withdraw consent where processing is based on consent
• Lodge a complaint with a supervisory authority

Account holders may submit export or deletion requests from account settings or by emailing privacy@crutan.com. We may need to verify your identity before fulfilling a request.

11.2 Prospects, page visitors, and integration contacts

If your information was submitted to Crutan by one of our business customers, or collected when you interacted with a customer's personalized page, please contact that customer first. We will assist the customer with applicable requests where we act as their processor.

11.3 Marketing communications

You may opt out of promotional emails by using the unsubscribe link in the message or by contacting us. We may still send transactional or service-related communications.

12. California privacy notice

This section applies to California residents and supplements the rest of this Privacy Policy.

Categories collected. In the preceding 12 months, we may have collected identifiers (such as name and email), commercial information (subscription and billing records), internet or network activity (usage logs and page interaction data), professional information (job title and company details provided by customers), and inferences (such as intent scores derived from page behavior).

Sources. Information is collected directly from you, from business customers, from page visitors, from connected integrations, and automatically through the Service.

Business purposes. We use these categories for the purposes described in Sections 4 and 6, including providing the Service, security, analytics, billing, and customer support.

Sale or sharing. We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

Retention. See Section 9.

Rights. California residents may request access, correction, deletion, and information about our processing. You may also have the right to limit use of sensitive personal information where applicable. Submit requests to privacy@crutan.com. We will not discriminate against you for exercising privacy rights.

13. HubSpot integration

When a customer installs the Crutan HubSpot app, HubSpot shares contact and account information with Crutan according to the permissions granted during installation. Crutan may read HubSpot contact records, create or update contact properties (including personalized landing page URLs and engagement-related fields), and receive webhook notifications about contact changes.

When a customer disconnects HubSpot from Crutan, we revoke stored tokens and use HubSpot's uninstall APIs where applicable. Customers should review HubSpot's own privacy documentation for information about how HubSpot processes data in connection with third-party apps.

14. Cookies and similar technologies

The Crutan application uses cookies and similar technologies that are necessary for authentication, session management, security, and core product functionality. Personalized landing pages published by customers may use additional tracking or form technologies configured by the customer. Customers are responsible for providing appropriate notice and obtaining any required consents for visitor-facing pages they publish.

15. Children's privacy

The Service is not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe we have collected information from a child, contact privacy@crutan.com and we will take appropriate steps to delete it.

16. Third-party links and services

The Service may contain links to third-party websites, booking tools, or services that we do not control. Your use of those services is governed by the third party's privacy policies. We are not responsible for the privacy practices of third-party sites or services.

17. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will post the updated policy on this page and update the effective date above. Where required by law, we will provide additional notice. Your continued use of the Service after the effective date of an update constitutes acceptance of the revised policy.

18. Contact us

If you have questions about this Privacy Policy or our privacy practices, contact us at: