Privacy Policy

Last Updated: February 12, 2025

Cruva LLC (“Cruva”, “we”, “us”, or “our”) operates cruva.com. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services. This policy applies to all users of our Service, including individual users, business accounts, and enterprise clients.

1. Data Controller & Processor Roles

For the purposes of applicable data protection laws, including the EU General Data Protection Regulation (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”), and the California Consumer Privacy Act (“CCPA”):

Cruva as Data Controller: We act as the data controller for personal data we collect directly from you for the purposes of account management, billing, communications, and improving our Service.

Cruva as Data Processor: When you use our Service to manage affiliate marketing campaigns, creator relationships, or other business activities, we act as a data processor on your behalf. In this capacity, we process data only according to your instructions and the terms of our Data Processing Agreement (DPA), which is available upon request and incorporated by reference into our Terms of Service for enterprise clients.

2. Information We Collect

Account & Profile Data:

We collect personally identifiable information such as your name, email address, company name, billing address, and contact details when you register for our services, subscribe to a plan, or communicate with us.

Usage Data:

We automatically collect information about your interactions with our services, including your IP address, browser type, operating system, device information, pages viewed, features used, and the dates/times of your visits. We use this data to improve the Service and diagnose technical issues.

Client Business Data:

When you use the Service, you may upload or generate business data including creator lists, campaign configurations, affiliate performance metrics, sales data, and outreach content. This data is processed solely to provide the Service and remains your property as described in our Terms of Service.

Cookies and Tracking Technologies:

We use cookies and similar tracking technologies to maintain your session, remember your preferences, and analyze usage patterns. We use the following categories of cookies:

• Strictly Necessary Cookies: Required for the Service to function (e.g., authentication, security).
• Functional Cookies: Remember your preferences and settings to enhance your experience.
• Analytics Cookies: Help us understand how users interact with the Service so we can improve it.

You can control cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of the Service.

Google OAuth Data for Email Campaigns:

When you connect a Google account for our email campaign services, we collect only the necessary credentials – such as the app token and refresh token – required to send, manage, and track your outgoing emails. This data is collected solely to facilitate your email campaigns and is not used for any other purpose.

3. How We Use Your Information

We process your information on the following legal bases and for the following purposes:

• Performance of Contract: To provide, operate, and maintain the Service; to process transactions; and to manage your account.
• Legitimate Interest: To improve, personalize, and expand the Service; to monitor and analyze usage trends; and to detect, prevent, and address technical issues and fraud.
• Consent: To communicate marketing materials where you have opted in; to facilitate email campaigns using Google OAuth data.
• Legal Obligation: To comply with applicable laws, regulations, and legal processes.

We use your Google OAuth data solely for sending and managing outgoing emails on your behalf and will not use it for any other purposes.

4. Sharing Your Information

We do not sell your personal data. We may share your information only in the following circumstances:

• Sub-processors: With trusted third-party service providers who process data on our behalf to operate the Service (see Section 5 below).
• Legal Requirements: When required by law, regulation, legal process, or governmental request.
• Business Transfers: In connection with a merger, acquisition, or sale of assets, in which case we will notify affected users before personal data is transferred and becomes subject to a different privacy policy.
• With Your Consent: In any other case where you have provided explicit consent.

5. Sub-processors

We use the following categories of sub-processors to deliver the Service. All sub-processors are reviewed for security and compliance before integration and are contractually obligated to protect your data:

• Cloud Infrastructure: Amazon Web Services (AWS) – hosting, data storage, and compute services (US regions).
• Payment Processing: Stripe – secure payment processing and billing management.
• Email Services: Third-party email delivery services for transactional and campaign emails.
• Analytics: Usage analytics providers to help us understand and improve the Service.

A complete, up-to-date list of sub-processors is available upon request. Enterprise clients under a Data Processing Agreement will be notified of any changes to our sub-processor list at least thirty (30) days before a new sub-processor begins processing data, providing an opportunity to object.

6. International Data Transfers

Cruva is based in the United States, and your data may be transferred to, stored, and processed in the United States or other countries where our service providers maintain facilities. These countries may have data protection laws that differ from those in your jurisdiction.

For transfers of personal data from the European Economic Area (EEA) or the United Kingdom to the United States, we rely on appropriate safeguards, including the EU-U.S. Data Privacy Framework, Standard Contractual Clauses (SCCs) approved by the European Commission, and the UK International Data Transfer Agreement or Addendum, as applicable. Copies of these safeguards are available upon request.

7. Data Protection & Security

We are committed to ensuring that your data is handled securely and in compliance with relevant data protection laws. Our security measures include:

• Encryption: All sensitive data (including passwords, access tokens, and Client Data) is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption.
• Access Controls: Access to user data is strictly limited to authorized personnel through role-based access control, with all access logged and audited.
• Data Minimization: We only collect and retain the minimum personal information necessary for legitimate business purposes.
• Infrastructure Security: Our infrastructure is hosted on AWS with industry-standard protections including network firewalls, intrusion detection, and regular vulnerability assessments.
• Employee Training: All personnel with access to user data receive regular security awareness training.
• Incident Response: We maintain a documented incident response plan that is tested and updated regularly.

8. Breach Notification

In the event of a confirmed data breach affecting your personal information, we will notify affected users without undue delay and within seventy-two (72) hours of becoming aware of the breach, in accordance with GDPR Article 33 and applicable UK GDPR requirements. Notification will include: (a) the nature of the breach; (b) the categories and approximate number of data subjects affected; (c) the likely consequences of the breach; and (d) the measures taken or proposed to address the breach and mitigate its effects. Where required, we will also notify the relevant supervisory authority within the same timeframe.

9. Your Data Protection Rights

Depending on your location, you may have the following rights regarding your personal data. We will respond to all legitimate requests within thirty (30) days (or the applicable statutory period):

• Right to Access: You may request copies of your personal data that we hold.
• Right to Rectification: You may request correction of any inaccurate or incomplete personal data.
• Right to Erasure: You may request deletion of your personal data, subject to certain legal exceptions.
• Right to Restrict Processing: You may request that we limit the processing of your personal data under certain conditions.
• Right to Object: You may object to the processing of your personal data where we rely on legitimate interests as the legal basis.
• Right to Data Portability: You may request that we transfer your personal data to you or a third party in a structured, commonly used, machine-readable format.
• Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

Additional Rights for California Residents (CCPA): California residents have the right to know what personal information is collected, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise any of these rights, contact us at info@cruva.com.

Additional Rights for UK & EEA Residents: If you believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local supervisory authority. For UK residents, this is the Information Commissioner’s Office (ICO) at ico.org.uk.

10. Data Retention & Deletion

We retain your personal information only as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. Specific retention periods include:

• Account Data: Retained for the duration of your account and for up to thirty (30) days after account deletion to allow for data export.
• Usage & Analytics Data: Retained in identifiable form for up to twenty-four (24) months, then anonymized or deleted.
• Billing Records: Retained for up to seven (7) years as required for tax and accounting purposes.
• Google OAuth Tokens: Deleted immediately upon disconnection of your Google account or termination of your Cruva account.

Upon request, we will securely delete or anonymize your personal data within thirty (30) days, subject to any legal obligations to retain it. For enterprise clients, data export and deletion procedures may be specified in the applicable Data Processing Agreement.

11. Data Processing Agreement

For enterprise clients and any users who require a formal Data Processing Agreement (DPA) to comply with GDPR, UK GDPR, or other applicable data protection regulations, Cruva offers a DPA that covers: the scope and purpose of data processing, the categories of data processed, sub-processor management and notification, data subject rights assistance, audit rights, data breach notification procedures, cross-border transfer mechanisms, and data return and deletion upon termination. To request a copy of our DPA, please contact us at info@cruva.com.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by posting a prominent notice on our website or by sending an email to the address associated with your account at least thirty (30) days before the changes take effect. The “Last Updated” date at the top of this page indicates when this policy was most recently revised. We encourage you to review this Privacy Policy periodically.

13. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or need to request a Data Processing Agreement, please contact us at:

Cruva LLC

Email: info@cruva.com

For data protection inquiries specifically, you may also reach our data protection contact at privacy@cruva.com.