Privacy Policy

Last updated: March 2026

1. Introduction

Crux Logic Pty Ltd (ABN [Your ABN]) ("we," "our," or "us") is committed to protecting your privacy and handling your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI assistant platform and related services ("Service").

Our commitment: We do not sell your data. We do not use your data for advertising. We do not use your data to train, improve, or develop generalized artificial intelligence or machine learning models. We implement reasonable security measures to protect your information.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your name, email address, phone number (optional), and any other information you choose to provide.

2.2 Service Data

When you connect third-party services (such as Google Workspace, Microsoft, or other integrations), we access and process data from those services only as necessary to provide the specific features you request. This may include:

  • Email content and metadata
  • Calendar events
  • Files and documents
  • Contact information
  • Task and to-do items

2.3 Conversation Data

We store your conversations with our AI assistant to provide continuity and deliver the service. This includes messages, file attachments, and records of actions taken on your behalf.

2.4 Technical and Usage Data

We automatically collect minimal technical information required to operate the service, including device information, IP addresses, browser type, operating system, and basic usage patterns (e.g., feature usage frequency, error logs).

2.5 Payment Information

Payment processing is handled by Stripe. We receive limited payment information (e.g., last four digits of card, card type, billing address) but do not store full payment card numbers on our systems.

3. Google API Services User Data Policy Compliance

This section describes how we handle data obtained through Google APIs and our compliance with the Google API Services User Data Policy, including the Limited Use requirements.

  • Limited Use Compliance: Our use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
  • Purpose-Limited Use: Google user data is accessed and used solely to provide the specific features you request (e.g., reading emails, managing calendar events, organizing files). We do not use this data for any purpose other than providing, improving, and ensuring the security of our Service to you.
  • No AI/ML Training: We do not use Google user data to train, improve, or develop generalized artificial intelligence or machine learning models. Data is processed only transiently by AI providers to generate responses to your specific requests.
  • No Sale of Data: We do not sell, rent, lease, or trade Google user data to any third party under any circumstances.
  • No Advertising: We do not use Google user data for advertising purposes, including targeted advertising, remarketing, or interest-based advertising.
  • Minimum Necessary Access: We request only the minimum Google API scopes required to deliver each specific feature. You can review and revoke access at any time from your Google Account settings or from our dashboard.
  • Secure Transmission: All Google user data is transmitted using TLS 1.2 or higher encryption.

4. Google Data Access (Scopes)

We follow the principle of least privilege and only request the specific Google API permissions (scopes) necessary for each feature. Below is a detailed mapping of the scopes we may request and their exact purposes:

ScopePurposeFeature
https://www.googleapis.com/auth/gmail.readonlyRead email messages and metadataEmail summaries, search, inbox monitoring
https://www.googleapis.com/auth/calendar.readonlyRead-only access to calendarView upcoming events, availability checking
https://www.googleapis.com/auth/drive.readonlyRead-only access to Drive filesSearch files, view documents, download attachments
https://www.googleapis.com/auth/contacts.readonlyRead contact informationContact lookup, email addressing assistance
https://www.googleapis.com/auth/spreadsheets.readonlyRead-only access to Google SheetsView and summarise spreadsheet data
https://www.googleapis.com/auth/documents.readonlyRead-only access to Google DocsView and summarise document content
https://www.googleapis.com/auth/userinfo.emailView your email addressAccount identification, login
https://www.googleapis.com/auth/userinfo.profileView your basic profile infoDisplay your name in the dashboard
openidOpenID Connect authenticationSecure sign-in via Google

You may be prompted to grant some or all of these permissions depending on which features you choose to use. You can revoke any permission at any time.

5. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve our AI assistant services
  • Process your requests and execute the automated tasks you request
  • Send you service-related communications (e.g., security alerts, account notifications)
  • Detect, prevent, and address technical issues, fraud, or security threats
  • Comply with legal obligations
  • Respond to your support requests

We do NOT use your information to:

  • Train, improve, or develop generalized artificial intelligence or machine learning models
  • Serve advertisements or create advertising profiles
  • Sell, rent, or lease to third parties
  • Build profiles for purposes unrelated to delivering our Service to you

6. Data Sharing and Disclosure

We do not sell your personal information. We may share your information only with:

  • AI Model Providers (as Processors): We use third-party AI models (such as OpenAI, Anthropic, or Google) to power our assistant. Conversation data is sent to these providers transiently to generate responses. These providers process data under our instructions and do not retain your data for their own training purposes per our data processing agreements.
  • Infrastructure Providers: Cloud hosting (AWS, Vercel), database providers (Supabase), and payment processors (Stripe) who process data on our behalf under strict confidentiality and data processing agreements.
  • Legal Requirements: When required by law, court order, or to protect our rights, safety, property, or the rights, safety, or property of others.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice and the opportunity to opt out where required by law.

7. Overseas Disclosure

Your personal information may be disclosed to, and processed by, recipients located outside Australia. We use service providers and infrastructure located in:

  • United States: Cloud infrastructure (AWS, Vercel), AI model providers (OpenAI, Anthropic), payment processing (Stripe), database services (Supabase)
  • European Union: Some data processing and backup services

Before disclosing your personal information overseas, we take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to that information. This includes entering into data processing agreements that require the recipient to handle your information in accordance with standards substantially similar to the APPs.

By using our Service, you consent to the disclosure of your personal information to these overseas recipients. You may withdraw this consent at any time by closing your account, but this may affect our ability to provide the Service to you.

8. Data Security

We implement technical and organizational measures designed to protect your data:

  • Encryption: All data is encrypted in transit (TLS 1.2/1.3) and at rest (AES-256)
  • OAuth 2.0: We use secure OAuth 2.0 for all third-party integrations. We never store your Google, Microsoft, or other service passwords.
  • Secure Token Storage: Connection tokens are encrypted and stored with access controls
  • Access Controls: Strict internal access controls and employee training
  • Monitoring: Security monitoring and logging for suspicious activity

While we implement reasonable security measures, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to protecting your information using commercially reasonable means and will notify you of any data breach affecting your personal information as required by law.

9. Data Retention and Deletion

9.1 Retention Period

We retain your data only for as long as necessary to provide our services or as required by law:

  • Account Data: Retained while your account is active plus 30 days after deletion request
  • Conversation History: Retained while your account is active to provide continuity
  • Connection Tokens: Retained while the integration is active; deleted immediately upon disconnection
  • Usage Logs: Retained for 90 days for debugging and billing purposes
  • Google API Data: Processed transiently to complete your requests; not stored permanently beyond conversation logs
  • Billing Records: Retained for 7 years as required by Australian tax law

9.2 Account Deletion Process

When you delete your account (via Settings or by contacting support):

  1. Immediate Invalidation: All OAuth tokens and connections are immediately revoked
  2. Data Deletion: All personal data, conversations, files, and connection credentials are permanently deleted within 30 days
  3. Third-Party Notification: We revoke access grants with connected services (Google, Microsoft, etc.)
  4. Backup Purge: Backup systems are purged within 30 days
  5. Confirmation: You will receive email confirmation when deletion is complete

Some data may be retained if required by law (e.g., billing records for tax purposes), but this data will be minimal and used only for the required purpose.

10. Your Rights

Under Australian Privacy Principles and applicable law, you have the right to:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate, incomplete, or out-of-date information
  • Deletion: Request deletion of your data (see Section 9.2)
  • Portability: Request your data in a commonly used, machine-readable format
  • Withdraw Consent: Withdraw consent at any time by disconnecting integrations or deleting your account
  • Anonymity: In some circumstances, you may deal with us anonymously or using a pseudonym, though this may limit the services we can provide

To exercise any of these rights, contact us at privacy@cruxlogic.ai or use the settings in your dashboard. We will respond to your request within 30 days.

11. Third-Party Integrations

Our service integrates with various third-party platforms. When you connect these services:

  • You grant us specific, limited permissions to access data from those services
  • We only access data necessary to perform the features you request
  • You can disconnect integrations and revoke access at any time from your dashboard
  • Each integration has granular permission controls you can configure
  • Third-party services have their own privacy policies that govern their use of your data

12. Cookies and Tracking

We use only essential cookies required to maintain your session, authenticate you, and remember your preferences. We do not use:

  • Advertising or marketing cookies
  • Third-party tracking cookies
  • Analytics that track individual users across sites

We may use basic, privacy-respecting analytics to understand aggregate usage patterns and improve the Service.

13. Privacy Complaints

If you have a complaint about how we handle your personal information:

  1. Contact Us First: Please email privacy@cruxlogic.ai with details of your complaint. We take all complaints seriously.
  2. Acknowledgment: We will acknowledge your complaint within 5 business days.
  3. Investigation: We will investigate your complaint and respond within 30 days with our findings and any actions we will take.
  4. Escalation: If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

14. Children's Privacy

Our Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have collected information from a child under 18, please contact us at privacy@cruxlogic.ai.

15. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes:

  • We will notify you by email at least 30 days before the changes take effect
  • We will post the new policy on this page and update the "Last updated" date
  • For significant changes, we may also provide notice within the Service
  • Continued use of the Service after the effective date constitutes acceptance

16. Contact Us

If you have any questions about this Privacy Policy or how we handle your data, please contact us:

Crux Logic Pty Ltd
Privacy Officer
Email: privacy@cruxlogic.ai
Address: Level 19, 263 William St, Melbourne VIC 3000, Australia

← Back to Home