Privacy Policy
Effective: 2026-06-01 · Version: 0.1.0 (lawyer review pending)
This Privacy Policy explains what personal data Crumpert collects, why we collect it, and what your rights are. It's written to satisfy the UK GDPR, the EU GDPR, and the California Consumer Privacy Act (CCPA) at once, and follows the ICO's "fair processing" guidance.
[LAWYER REVIEW] Insert correct controller entity, ICO registration number, and EU Article 27 representative once appointed.
1. Who we are
Crumpert ("we", "us") is the data controller for personal data you provide to us through the Service.
- Contact: privacy@crumpert.com
- Registered office: [LAWYER REVIEW — insert]
- UK ICO registration: [LAWYER REVIEW — to register, see §11]
- EU representative (Art. 27 GDPR): [LAWYER REVIEW — appoint a provider such as rep.eu or EDPO before launch]
2. Data we collect
When you create an account
- Email address (required)
- Name and avatar (from Google if you sign in with Google; otherwise optional)
- An IP address and basic device info at sign-in time (for fraud prevention and audit logs)
When you publish or subscribe (creators)
- Handle, display name, specialty, bio, plan price, compliance acknowledgement
- Posts, comments, trade entries you create
- Stripe Connect account ID and payout-related metadata (phase 2)
- Tax forms (W-9 / W-8BEN) handled directly by Stripe; we receive only a status flag
When you read
- Pages you visit while signed in (for the "Live Feed" and personalised recommendations)
- Subscriptions and follows
- Strictly-necessary session cookies
When you contact us
- The contents of your emails or messages, and any attachments
We do not collect
- Card details (handled by Stripe)
- Sensitive data (health, biometric, political opinion) — please don't post any
- Children's data — the Service is for users 18+
3. Why we use it (lawful bases under UK/EU GDPR)
| Purpose | Lawful basis |
|---|---|
| Provide the Service (auth, posts, comments, subscriptions) | Contract |
| Stripe payments and payouts (phase 2) | Contract |
| Send transactional emails (sign-in link, receipts, comment notifications) | Contract |
| Send digest emails of creators you subscribe to | Contract |
| Send marketing emails (only if you opt in) | Consent |
| Fraud prevention, security, abuse detection | Legitimate interest |
| Comply with legal obligations (tax, takedown notices) | Legal obligation |
| Anonymous analytics if you accept cookies | Consent |
You can withdraw consent at any time (see §6).
4. Who we share data with
We use the following processors under data processing agreements. Each handles your data only on our instructions.
| Processor | What for | Where |
|---|---|---|
| Neon | Postgres database | EU (Frankfurt or Dublin) |
| Vercel | App hosting, serverless functions | EU (London or Frankfurt) |
| Cloudflare R2 | Image hosting | Cloudflare's global network |
| Resend | Transactional + magic-link email | US (sub-processed; standard contractual clauses) |
| Google | Sign-in (only if you choose Google OAuth) | US |
| Stripe | Subscription payments and creator payouts (phase 2) | US / EU (Stripe routes to local entity) |
| Sentry | Error monitoring (no PII by default; we scrub user data from error reports) | US (standard contractual clauses) |
| Alpaca / Stooq | Stock price lookups (we send ticker symbols, not user data) | US |
We do not sell your personal data. We don't share it with anyone except processors, regulators when legally required, and acquirers in the event of a corporate sale (you'll be notified).
5. International transfers
Crumpert is based in the UK. Some of our processors are in the US. We rely on the UK Addendum to the EU Standard Contractual Clauses (or the EU SCCs directly) plus supplementary measures (Stripe and Resend operate under SCCs; Sentry has an EU data residency plan available if you require it).
6. Your rights
You can exercise any of these by emailing privacy@crumpert.com. We respond within 30 days.
- Access: a copy of the personal data we hold about you
- Rectification: fix inaccuracies
- Erasure: delete your account and personal data (subject to retention obligations — see §8)
- Restriction: stop processing while a complaint is being resolved
- Portability: receive your posts and account data in JSON
- Object: to processing based on legitimate interest, or to direct marketing at any time
- Withdraw consent: for non-essential cookies or marketing emails
If you live in the UK, you can complain to the ICO. If you live in the EU, complain to your local data protection authority. If you live in California, you also have rights under CCPA — same email address.
7. Cookies and similar technologies
We use the minimum cookies necessary:
- Auth session cookie (strictly necessary; can't be disabled without breaking sign-in)
- Cookie-consent state — stored in localStorage, not a cookie, but tracked similarly
If we add analytics or advertising cookies later, they'll be off by default and only set after explicit consent via the banner.
8. Retention
- Account data: kept while your account is active. Deleted within 30 days of account closure, except where we need to retain it longer for legal obligations (e.g. financial records: 6 years for HMRC).
- Posts and comments: kept while published. Deletion is propagated to processors within 30 days.
- Sign-in logs and audit trails: 12 months.
- Error reports (Sentry): 90 days.
9. Security
We use TLS in transit, encryption-at-rest on the database, principle-of-least-privilege access controls, and audit logging. No system is perfectly secure; if you become aware of a vulnerability please email security@crumpert.com.
10. Children
Crumpert is not for users under 18. We don't knowingly collect data from anyone under 18. If you believe a minor has signed up, email privacy@crumpert.com and we'll delete the account.
11. Regulatory registrations
[LAWYER REVIEW] To be completed before public launch:
- UK ICO registration: required for any UK organisation processing personal data. £40/year for small orgs; register via the ICO's website.
- EU Article 27 representative: required because the UK is outside the EU. Appoint a provider (rep.eu, EDPO) — €500–700/year.
12. Changes
We may update this Policy. Material changes are notified by email or in-product banner at least 14 days before they take effect.