What we collect, and what we won't.

Version 1.0 · Effective May 15, 2026

Cruma is a back-office crew for builders. We hold customer data only to do the work you've asked us to do — drafts, triage, booking, follow-through — and we treat your inbox, your voice, and your business state as yours. This page is the long version. Plain-English summary boxes alongside each section; legal precision underneath.

Companion documents. Our specific sub-processor categories are at /legal/subprocessors, cookies practices at /legal/cookies, security posture at /legal/security, and B2B customers can find the Data Processing Addendum at /legal/dpa. Acceptable use is governed by our AUP.

1 · Who we are

Cruma Inc. ("Cruma," "we," "us") is a Delaware corporation operating the Cruma service at cruma.ai and app.cruma.ai. We are the data controller for personal data we collect about visitors, waitlist signups, and account holders. For data your workspace stores about your own customers and prospects, you are the controller and Cruma is the processor.

What this meansCruma is the company in charge of how we handle data about you. When you put data about your customers into Cruma, you're in charge and we just process it for you.

2 · What we collect

Account & profile

Email, name, password hash, workspace name, role, and profile fields you fill in.

Workspace content

Everything you put into Cruma — offers, ICPs, voice calibration, target accounts, drafts, sends, replies, evidence, business memory.

Connected accounts

When you grant Cruma access to Gmail, Google Calendar, or another integration, we store OAuth tokens (encrypted at rest) for the minimum scopes needed. The exact scopes are shown at the connection step. Revoking from your provider's settings immediately disables that connection in Cruma.

Usage data

Standard telemetry — page views, feature interactions, error reports, request logs (IP, user agent, timestamps). Used to keep the product running and fix bugs. We do not sell this data and we do not use it to retarget you across the web.

Communications

Support tickets, sales emails, chat threads, survey responses, beta feedback.

What this meansYour account info, what you put in your workspace, your connected mail/calendar (only with the scopes you grant), and the minimum usage data needed to operate the service. No surveillance, no ad-targeting profile.

3 · How we use it

Run the service — execute the work you asked Cruma to do, in your voice, against the connections you granted.
Improve quality in your workspace — every skill invocation logs inputs, outputs, success/failure, and cost so we can tune skills for your workspace specifically.
Operate the business — billing, support, fraud prevention, security monitoring, account communications.
Comply with law — when we receive a valid legal request.

Lawful bases (UK/EU): contractual necessity, legitimate interests, consent (where required), and legal obligation.

We share personal data with:

Sub-processors we use to run the service (categories at /legal/subprocessors; full list available to active customers on request).
Providers you connect (Gmail, Calendar, etc.) — only as needed to execute work you approved.
Law enforcement / regulators when legally required and only to the minimum required.
Acquirers in the event of a merger, acquisition, or asset sale — with notice and continued protection.

We do not sell or share personal information for cross-context behavioral advertising. No advertising cookies. No social-media retargeting pixels.

5 · Your inbox, voice, and workspace

Outbound messages send from your own Gmail through your OAuth grant. Cruma never relays through a Cruma-owned SMTP server, never receives the body of mail you didn't authorize Cruma to send, and never reads inbox content you didn't explicitly opt in to ingest.

Every workspace's content is scoped to its members only, enforced at the database layer (Postgres row-level security). A query from your workspace literally cannot read another workspace's data.

LinkedIn signals route through a licensed third-party broker. Cruma never scrapes from your LinkedIn session, never logs in as you, never uses Cruma-owned IPs to hit LinkedIn directly.

What this meansYour inbox stays yours, your workspace is walled off from other workspaces at the database level, and LinkedIn never touches your account.

6 · AI providers + training

Cruma uses third-party AI providers (currently Anthropic, with fallback routing through OpenRouter and OpenAI) to generate drafts, classify replies, score signals, and synthesize research. Prompts and outputs are sent to these providers under their terms.

We do not train shared models on your private workspace data. AI providers we use are bound by zero-data-retention or no-training agreements wherever available; for providers without such terms, we transmit only the minimum content needed and rely on their consumer-tier "no training" defaults.

Skills get better in your workspace specifically through per-workspace failure-driven recursion. That improvement stays in your workspace; it does not propagate into a shared model that other customers can see.

What this meansAnthropic and a couple of fallback providers see your prompts to run Cruma's AI features. None of them train on your data. The way Cruma improves at your business doesn't leak into anyone else's.

7 · Retention & deletion

Active accounts: we retain workspace data for as long as the account exists, plus a 30-day rolling backup window.

Workspace deletion: hard-delete from Postgres, purge file references, clear evidence-ledger entries. Backups age out on the 30-day schedule.

Account deletion: hard-delete profile data and revoke OAuth grants. Limited records (invoices, fraud signals, legal holds) retained as required by law.

Telemetry & logs: 90 days unless required for incident investigation.

8 · Your rights

You have these rights (some depending on where you live):

Access — get a copy of personal data we hold.
Correction — fix data that's wrong.
Deletion — erase your data.
Portability — export your data in a machine-readable format (Settings → Export).
Restriction / objection — limit how we process your data.
Withdraw consent — revoke any consent you previously gave.
Non-discrimination (CCPA) — exercising your rights does not change how we treat you.
Complaint — lodge a complaint with your local DPA.

Exercise any of these by emailing privacy@cruma.ai. We respond within 30 days. If you're not the account holder but your contact details landed in someone's workspace, send the same request and we will route it.

California residents: We do not "sell" personal information and do not "share" personal information for cross-context behavioral advertising as defined by the CPRA. You may exercise the rights above by emailing privacy@cruma.ai or designating an authorized agent in writing.

9 · Security

TLS 1.2+ in transit, AES-256 at rest, OAuth tokens encrypted with envelope encryption, least-privilege service roles, row-level security on every workspace-scoped table, dependency review on every pull request. Full posture at /legal/security. Vulnerability disclosure to security@cruma.ai.

Private beta status. During private beta, our founder may read workspace-scoped data when explicitly investigating a support issue you raised. We don't browse workspaces casually. As the cohort grows, this access tightens (SSO, audit-logged break-glass).

10 · International transfers

Cruma is operated from the United States. If you access Cruma from outside the US, your data is transferred to and processed in the US (and other regions where our sub-processors operate). For transfers from the UK, EEA, and Switzerland, we rely on the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable), executed with our sub-processors and incorporated into our Data Processing Addendum.

11 · Cookies & analytics

Minimal first-party cookies for session and preference state. Privacy-respecting analytics (PostHog or Plausible) that do not sell data or build advertising profiles. Full details and opt-out at /legal/cookies.

12 · Children

Cruma is not directed to anyone under 16. We do not knowingly collect personal data from children. If you believe a child's data has reached us, email privacy@cruma.ai and we will delete it.

13 · Changes

We update this page when our practices change. Material changes are announced via email to account holders and on this page at least 14 days before they take effect. The current version is at the top.

14 · Contact

Cruma Inc.
Privacy: privacy@cruma.ai
Security: security@cruma.ai
Support: support@cruma.ai
Mailing address: Cruma Inc., c/o Registered Agent (update on request).