Privacy Policy

This Privacy Policy describes how CREscope (“CREscope,” “we,” “us”) handles personal information when you visit our websites or use the Service. It applies to U.S. users. During the pilot, the Service is offered to U.S. business users; see the Terms of Service for the full pilot scope.

We collect the following categories of information:

• Account data— name, email, hashed password (via our authentication provider), profile preferences, billing metadata (we receive a payment token from our payment processor; we do not see your card number).
• User Content— deal records, properties, contacts, notes, uploaded files, share-link configurations, and text you enter into the Service.
• Usage data— page views, feature interactions, performance telemetry, error logs, IP address, user agent, viewport, timestamps.
• Acknowledgment / audit data— records of when you accepted Terms, opened click-through warnings, or confirmed disclaimers, along with timestamp, IP, user agent, viewport, and framework version.
• Communications— support emails, in-app messages, and the content of feedback you send us.

We use information to operate, secure, and improve the Service, including to:

• Provide account access, authentication, and session management.
• Process payments and prevent fraudulent or abusive use.
• Host, store, and process your User Content so the Service works.
• Generate analyses, extractions, and exports you request.
• Send transactional emails (account, billing, security, support).
• Send marketing email only where you have opted in or where allowed under applicable law, with unsubscribe in every message.
• Detect, prevent, and respond to abuse, security incidents, and policy violations.
• Maintain acknowledgment / audit logs to defend against legal claims.
• Comply with legal obligations, including sanctions screening and tax reporting.

Legal bases. We rely on contract performance (account, billing, User Content), legitimate interest / fraud prevention (security telemetry, acknowledgment audit), legal obligation (audit retention, OFAC compliance, tax records), and consent (marketing, jurisdiction-required analytics).

No AI-training use of your data. We do not use your User Content to train general-purpose AI or machine-learning models. Server-side automated processing of your User Content occurs only to generate the outputs you request within the Service.

We share personal information only with subprocessors who help us operate the Service, with parties to whom you direct disclosure (for example via a share link), or as required by law.

We do not sell personal information. During the pilot, non-essential trackers are not enabled; a cookie inventory and consent banner will be published before any are turned on, and this section will be updated at that time with our final posture on sharing for cross-context behavioral advertising.

Subprocessors. The following vendors process data on our behalf in the categories noted:

Subprocessor list last reviewed: 2026-05-13. We update the public list no later than 5 business days after a new subprocessor is in production use. Material additions to subprocessors that process account data, payment data, or User Content receive 30 days’ advance notice via email to active users.

Legal disclosure. We may disclose information if required by valid legal process (subpoena, court order, government request), to enforce our Terms, to protect rights or safety, or in connection with an investigation of suspected fraud, abuse, or security incidents.

• Active account data: retained until account closure or a verified deletion request.
• User Content (deals, notes, uploads): deleted on account closure unless you export it first, subject to backup-retention windows below.
• Acknowledgment / audit logs: 7 years post-closure or longer if a litigation hold applies.
• Internal staff access and export logs: 7 years.
• Operational server logs: 90 days; security-incident-related logs: 1 year.
• Backups: 90-day rolling retention; deletions propagate as backups cycle out.

Subject to applicable law, you may have the right to access, correct, delete, or port your personal information, and to opt out of certain processing. To exercise these rights, email privacy@crescope.com from the address associated with your account, and we will verify and respond. Self-serve account-closure controls are not currently available in-app; email is the supported channel.

We respond to verified requests within 45 days (extensible to 90 where allowed). Requests may be denied or limited where the law permits, including where retention is required to defend legal claims, comply with legal obligations, or prevent fraud and abuse.

We use strictly necessary cookies for authentication, session management, and security. Non-essential trackers (product analytics, marketing analytics) are off by default during the pilot and are enabled only after we publish a cookie inventory and consent mechanism. We honor the Global Privacy Control (GPC) signal where required by state law.

A dedicated cookie notice with the full inventory will be published before any non-essential trackers are enabled.

We use commercially reasonable administrative, technical, and organizational safeguards including TLS 1.2+ for all user-facing connections, encryption at rest at the storage layer, MFA-required staff access, least-privilege role assignments, audit logging of privileged actions, monthly automated vulnerability scanning, and a documented incident-response runbook. No system is perfectly secure; you must promptly notify us at security@crescope.com if you suspect unauthorized access to your account.

Breach notice. If a security incident affects your personal information, we will notify you and applicable regulators within the timelines required by applicable state law, generally no later than 30 days after determining notice is required, and as early as is reasonable given investigative needs.

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. Accounts must be held by users 18 or older. If you believe a minor account exists, report it to legal@crescope.com and we will close it and delete associated data within 30 days.

Primary application data, databases, and uploaded files are hosted in U.S. cloud regions. Some subprocessors (for example, content delivery and edge-storage providers) may route metadata or edge traffic globally in the ordinary course of operating their networks; our subprocessor list above identifies any vendor with a non-U.S. processing footprint.

We do not target or actively market to users in the European Economic Area, the United Kingdom, or Switzerland and we do not knowingly accept signups from those regions. If you reach an account from such a region, contact privacy@crescope.com and we will assist with closure and deletion.

We may update this Policy. Material changes (data we collect, how we use or share it, your rights, retention, security) will be noticed through in-app notice or email at least 30 days before they take effect, except where a shorter timeframe is required by law. Non-material updates take effect on posting.

Privacy: privacy@crescope.com. Security: security@crescope.com. Our registered legal entity and mailing address are being finalized and will be published here once available.