privacy policy
how Crumblx AI Ltd collects, uses, and protects personal data when you use Crumbless.
1. about this policy
This Privacy Policy explains how Crumblx AI Ltd (trading as "Crumbless") collects, uses, and shares personal data when you visit our website, create an account, or use the Crumbless service ("Service"). It also tells you about your rights under data-protection law and how to exercise them.
This Policy is written in accordance with the UK General Data Protection Regulation ("UK GDPR") as it forms part of the law of England and Wales, the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation ("EU GDPR"). It also describes rights for residents of California under the CCPA / CPRA and for residents of other jurisdictions where notice obligations apply.
2. controller identity
The data controller of personal data processed in connection with the Service is:
- Crumblx AI Ltd, a private limited company registered in England and Wales under company number 16961442.
- Registered office: 4 Bunnsfield, Welwyn Garden City, AL7 2DZ, United Kingdom.
- Privacy contact: office@crumbless.ai.
We are registered with the UK Information Commissioner's Office (ICO) as a data controller. Our ICO registration reference is published on this page once issued and can be verified through the ICO's online register.
Where you upload, generate, or transmit personal data of identifiable individuals (for example, customer email lists, audience attributes, or end-user identifiers) through the Service, you are the controller of that data and we act as your processor. Our Data Processing Addendum governs that processing and is available from office@crumbless.ai.
3. personal data we collect
We collect the following categories of personal data:
- Identity and account data — name, email, password hash, organisation, role, profile image, language and timezone.
- Billing data — billing name and address, VAT number, last four digits of payment card, payment-method tokens (full card data is held by Stripe, not by us).
- Service-usage data — campaigns, brand guidelines, ideal-customer-profile inputs, generated assets, autonomous-agent activity logs, review-queue decisions, and other data you input or that the Service produces in the course of operating your account.
- Third-party platform data — when you connect a Google Ads account, Google Merchant Center account, or other Third-Party Platform, we receive account metadata, performance metrics, asset libraries, and configuration relevant to the integration, under the OAuth scopes you grant.
- Communications — emails, in-product messages, support tickets, and feedback you send us.
- Technical and log data — IP address, device and browser type, operating system, referrer, pages viewed, timestamps, error reports, and security-relevant events.
- Cookies and similar technologies — as described in our Cookie Policy.
We do not knowingly collect special category data (such as data revealing health, race, religion, political opinions, sexual orientation, or biometric data) and ask that you not upload such data to the Service.
4. sources of personal data
We collect personal data (a) directly from you when you create an account, configure the Service, or contact us; (b) automatically when you interact with the Service; (c) from Third-Party Platforms you have authorised us to connect to; and (d) from limited public sources used for fraud prevention, sanctions screening, and identity verification.
5. purposes and lawful bases of processing
We process personal data for the following purposes, on the lawful bases set out alongside each (UK GDPR Article 6 / EU GDPR Article 6):
- Providing the Service to you (account creation, authentication, agent execution, generation of output, third-party integration) — performance of a contract with you (Art 6(1)(b)).
- Billing and collection (invoicing, payment processing, tax records) — performance of a contract (Art 6(1)(b)) and legal obligation (Art 6(1)(c)).
- Customer support — performance of a contract (Art 6(1)(b)) or, where you are not yet a customer, our legitimate interest in responding to your enquiry (Art 6(1)(f)).
- Service operations, security, fraud prevention, and abuse monitoring — our legitimate interest in keeping the Service secure, available, and free from abuse (Art 6(1)(f)).
- Product analytics and improvement (aggregated usage statistics, error diagnostics) — our legitimate interest in understanding and improving the Service (Art 6(1)(f)).
- Marketing to existing customers about similar products and features — our legitimate interest in promoting the Service (Art 6(1)(f)), subject to your right to object.
- Marketing to prospects — your consent (Art 6(1)(a)) or, for business contacts at corporate email addresses, our legitimate interest, subject to PECR.
- Compliance with legal obligations (tax, accounting, anti-money-laundering, law-enforcement requests) — legal obligation (Art 6(1)(c)).
- Establishment, exercise, or defence of legal claims — our legitimate interest, or where required by law.
6. automated decision-making and the chip agent
The Service includes Chip, an autonomous agent that uses machine-learning models to propose, prepare, and (where you have permitted) execute marketing actions on Third-Party Platforms. Chip's outputs are decisions made or assisted by automated processing.
For our own customers, these decisions concern marketing operations rather than legal or similarly significant effects on the customer as an individual. Customers retain full control through configurable autonomy ceilings, scope settings, and a review queue; you can require human approval before any action takes effect, override or reject any proposal, and disable Chip entirely.
Where Chip's outputs affect end users of your campaigns (for example, by influencing who sees an advertisement), you are the controller of that processing and are responsible under UK GDPR Article 22 for assessing whether automated decision-making restrictions apply and for offering any required safeguards to the affected individuals.
7. ai/ml use of your data
We do not use Customer Content, brand guidelines, generated output, or campaign performance data associated with your account to train foundation models, whether our own or those of third parties. We do not sell personal data, and we do not share Customer Content with foundation-model providers for their model-training purposes.
We may use anonymised, aggregated, statistically derived information about Service usage to operate, improve, secure, and benchmark the Service. Anonymised data cannot be re-identified to you and is not personal data.
8. sharing personal data
We share personal data only as described below:
- Service providers (sub-processors) who help us operate the Service under written contracts that bind them to data-protection obligations equivalent to ours.
- Third-Party Platforms at your direction, under the OAuth scopes or API credentials you provide.
- Professional advisers such as lawyers, auditors, accountants, and insurers, under duties of confidentiality.
- Regulators, courts, and law-enforcement authorities where required by law or in good-faith belief that disclosure is necessary to comply with a legal obligation, protect our rights or property, or prevent serious harm.
- An acquirer, successor, or assignee in connection with a merger, acquisition, financing, reorganisation, bankruptcy, or sale of all or part of our business or assets, subject to standard confidentiality protections.
9. sub-processors
Current sub-processors include providers of cloud infrastructure (Google Cloud Platform), payment processing (Stripe), transactional email (Postmark or equivalent), error monitoring (Sentry), product analytics (where enabled with your consent), and the underlying foundation-model providers configured for your account (which may include Google Vertex AI, OpenAI, or Anthropic). A current sub-processor list is available on request from office@crumbless.ai. We will notify customers of material changes to the sub-processor list with reasonable advance notice and an opportunity to object.
10. international transfers
We are based in the United Kingdom. Some of our sub-processors operate outside the UK and the European Economic Area, including in the United States. Where we transfer personal data outside the UK or EEA, we rely on one or more of the following safeguards as appropriate:
- the UK International Data Transfer Agreement ("IDTA") or the EU Standard Contractual Clauses together with the UK Addendum, as approved by the ICO;
- the EU Standard Contractual Clauses adopted by the European Commission for EU-origin transfers;
- an adequacy decision by the UK government or the European Commission;
- the EU-US Data Privacy Framework and its UK Extension, where the recipient is certified under that framework.
We carry out a transfer impact assessment where required and put in place supplementary technical and organisational measures, such as encryption and access controls, to address risks identified. You can request a summary of the safeguards applicable to a specific transfer by emailing office@crumbless.ai.
11. retention
We retain personal data only for as long as is necessary for the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. Indicative retention periods:
- Account and profile data — for the duration of your subscription plus up to 24 months after closure, to support reactivation and to defend or pursue legal claims.
- Customer Content and service-usage data — for the duration of your subscription; deleted or anonymised within 90 days after termination, subject to clause 5 (legal obligations) and your export rights under our Terms of Service.
- Billing and tax records — for at least six years from the end of the relevant accounting period, as required by HMRC.
- Security and abuse logs — typically up to 12 months, longer where needed for ongoing investigations.
- Support correspondence — up to 24 months from the date of last contact.
- Marketing data — until you unsubscribe, plus a suppression record retained indefinitely to honour your unsubscribe choice.
12. your rights (uk and eu)
Subject to applicable conditions and exceptions, you have the following rights in respect of your personal data:
- Right to be informed — through this Policy and other notices.
- Right of access — to ask for a copy of the personal data we hold about you.
- Right to rectification — to ask us to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — to ask us to delete personal data in certain circumstances.
- Right to restrict processing — to ask us to limit how we use your data.
- Right to data portability — to receive personal data you have provided to us in a structured, commonly used, machine-readable format.
- Right to object — to processing based on legitimate interests, and an absolute right to object to direct marketing.
- Right to withdraw consent — at any time, where processing is based on consent (without affecting prior processing).
- Rights in relation to automated decision-making — see clause 6.
To exercise any right, email office@crumbless.ai. We will respond within one month, extendable by a further two months for complex requests. We may need to verify your identity before acting on a request.
You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or with your local supervisory authority. We would, however, appreciate the chance to address your concerns first.
13. california residents (ccpa / cpra)
If you are a California resident, you have the right to (a) know what categories of personal information we have collected, the sources, purposes, and recipients; (b) request deletion of personal information we have collected from you; (c) request correction of inaccurate personal information; (d) opt out of "sale" or "sharing" of personal information; and (e) limit the use of sensitive personal information.
We do not sell personal information for monetary consideration, and we do not knowingly share personal information for cross-context behavioural advertising on a basis that would constitute "sharing" under the CPRA. We honour Global Privacy Control signals as an opt-out of sharing where it would otherwise apply. To exercise any California right, email office@crumbless.ai. We will not discriminate against you for exercising these rights.
14. children
The Service is intended for use by businesses and by adults of at least 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected personal data from a child, please contact office@crumbless.ai and we will delete it.
15. security
We implement technical and organisational measures appropriate to the risk of processing, including encryption in transit (TLS 1.2+) and at rest, access controls based on least privilege, multi-factor authentication for administrative access, network segmentation, vulnerability management, audit logging, and a documented incident-response process. No system is completely secure; in the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify affected individuals and the ICO in accordance with UK GDPR Articles 33 and 34.
16. marketing preferences
You can opt out of marketing emails at any time by clicking the unsubscribe link in any marketing message or by emailing office@crumbless.ai. You will continue to receive transactional and service-operational messages necessary to provide the Service.
17. cookies
Information about cookies and similar technologies we use, including how to manage consent, is set out in our Cookie Policy.
18. links to third-party sites
The Service may link to third-party websites and services we do not control. We are not responsible for their privacy practices. We encourage you to read their privacy notices before providing personal data.
19. changes to this policy
We will post any material change to this Policy on this page and update the "last updated" date above. Where a change has a meaningful impact on you, we will give you reasonable advance notice by email or in-product notification.
20. contact us
Privacy enquiries and rights requests: office@crumbless.ai. General enquiries: office@crumbless.ai. Post: Crumblx AI Ltd, 4 Bunnsfield, Welwyn Garden City, AL7 2DZ, United Kingdom. Company number: 16961442.