Privacy Policy
Version 1.0 · Last updated: December 26, 2025
This Privacy Policy explains how Cryptology LLC ("we," "us," or "our") collects, uses, shares, and protects your personal information when you use the TestifAI service. By using our Service, you consent to the practices described in this policy. If you are in the European Economic Area (EEA), UK, or other jurisdictions with specific privacy laws, please see the "International Users" section for additional information about your rights.
1. Data Controller
Cryptology LLC is the data controller responsible for your personal information. For any privacy-related inquiries, you can contact us at:
Contact: Submit a privacy request
2. Information We Collect
2.1 Information You Provide
- Account Information: Email address, password (stored in hashed form), and optional display name when you create an account.
- Content: Screenshots, text descriptions, and other materials you upload for issue generation.
- Project Data: Project names, settings, and generated issues.
- Communications: Information you provide when contacting us for support.
- Consent Records: Records of your agreement to our Terms of Service and this Privacy Policy, including timestamp, IP address, and document versions.
2.2 Information Collected Automatically
- Usage Data: Pages visited, features used, timestamps, and interaction patterns.
- Device Information: Browser type, operating system, device type, and screen resolution.
- Log Data: IP address, access times, referring URLs, and error logs.
- Cookies: We use essential cookies for authentication and session management. See Section 9 for details.
3. Legal Basis for Processing (EEA/UK Users)
If you are in the European Economic Area or United Kingdom, we process your personal data based on the following legal grounds:
- Contract Performance: Processing necessary to provide the Service you requested (Article 6(1)(b) GDPR).
- Legitimate Interests: Processing for our legitimate business interests, such as security, fraud prevention, and service improvement, where these interests are not overridden by your rights (Article 6(1)(f) GDPR).
- Legal Obligations: Processing required to comply with applicable laws (Article 6(1)(c) GDPR).
- Consent: Where you have given explicit consent for specific processing activities (Article 6(1)(a) GDPR).
4. How We Use Your Information
We use your information to:
- Provide, maintain, and improve the Service.
- Process your uploaded content using AI to generate issue tickets.
- Authenticate your identity and manage your account.
- Send essential service communications (account verification, security alerts, important notices).
- Detect, prevent, and address security threats, fraud, and abuse.
- Comply with legal obligations.
- Enforce our Terms of Service.
We do not sell your personal information, use your content to train AI models, or share your data for third-party marketing purposes.
5. AI Processing and Third-Party Services
Our Service uses third-party artificial intelligence providers, including OpenAI, to process your content. When you use AI features:
- Your content is transmitted to OpenAI's servers for processing.
- OpenAI processes this data according to their data usage policies (API data is not used to train their models by default).
- We do not use your content to train or improve AI models.
- Generated outputs are returned to our servers and stored in your account.
Other service providers we use:
- Vercel: Hosting and infrastructure (data may be processed in the US).
- Neon: Database hosting (PostgreSQL).
- Cloudflare: Security and bot protection.
All third-party providers are bound by data processing agreements and are required to protect your information in accordance with applicable laws.
6. Data Sharing and Disclosure
We may share your information only in the following circumstances:
- Service Providers: With vendors who assist in providing the Service, subject to confidentiality obligations.
- Legal Requirements: When required by law, subpoena, court order, or government request. We will notify you when legally permitted.
- Protection of Rights: To protect our rights, property, or safety, or that of our users or the public.
- Business Transfers: In connection with a merger, acquisition, bankruptcy, or sale of assets, where your data may be transferred to a successor entity.
- With Your Consent: When you explicitly authorize sharing.
7. International Data Transfers
Your information may be transferred to and processed in countries outside your country of residence, including the United States, where data protection laws may differ from those in your jurisdiction.
For transfers from the EEA/UK, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Adequacy decisions where applicable.
- Other lawful transfer mechanisms as permitted by applicable law.
By using the Service, you consent to the transfer of your information to the United States and other countries as described in this policy.
8. Data Security
We implement industry-standard security measures to protect your data:
- Encryption in transit (TLS/SSL) and at rest.
- Secure password hashing algorithms.
- Regular security assessments and monitoring.
- Access controls and authentication requirements.
- Rate limiting and abuse prevention.
However, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data. You acknowledge that you provide personal information at your own risk.
Limitation of Liability for Data Breaches: To the maximum extent permitted by law, our liability for any data breach shall be limited as set forth in our Terms of Service. We shall not be liable for unauthorized access resulting from your failure to maintain account security, from phishing attacks or other social engineering, or from circumstances beyond our reasonable control.
9. Cookies and Tracking
We use the following types of cookies:
- Essential Cookies: Required for authentication, security, and basic functionality. These cannot be disabled.
- Analytics Cookies: Help us understand usage patterns (via Vercel Speed Insights). These are anonymized and do not track individuals.
We do not use advertising cookies or sell data to advertisers. You can control non-essential cookies through your browser settings.
10. Data Retention
We retain your data as follows:
- Account Data: Retained while your account is active and for a reasonable period after deletion to comply with legal obligations.
- User Content: Retained until you delete it or your account is closed.
- Log Data: Retained for up to 90 days for security and debugging purposes.
- Consent Records: Retained for the duration required by applicable law (typically 3-7 years) to demonstrate compliance.
We may retain anonymized or aggregated data indefinitely for analytics purposes.
11. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal data:
11.1 All Users
- Access: Request a copy of your personal data.
- Correction: Request correction of inaccurate data.
- Deletion: Request deletion of your account and data.
- Data Portability: Receive your data in a structured format.
11.2 EEA/UK Users (GDPR)
- Restriction: Request restriction of processing in certain circumstances.
- Objection: Object to processing based on legitimate interests.
- Withdraw Consent: Withdraw consent at any time (where processing is based on consent).
- Complaint: Lodge a complaint with your local data protection authority.
11.3 California Users (CCPA/CPRA)
- Know: Right to know what personal information is collected, used, disclosed, or sold.
- Delete: Right to request deletion of personal information.
- Correct: Right to correct inaccurate personal information.
- Opt-Out: Right to opt out of the sale or sharing of personal information (we do not sell or share personal information for cross-context behavioral advertising).
- Limit Sensitive Data: Right to limit use and disclosure of sensitive personal information (we do not collect sensitive personal information as defined by CPRA beyond account credentials).
- Non-Discrimination: Right not to be discriminated against for exercising privacy rights.
California "Shine the Light" (Civil Code § 1798.83): California residents may request information regarding disclosure of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.
11.4 Other U.S. State Privacy Laws
If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), or other states with comprehensive privacy laws, you may have similar rights including: access, correction, deletion, data portability, and the right to opt out of targeted advertising, sale of personal data, and profiling. Contact us to exercise these rights.
11.5 Exercising Your Rights
To exercise any of these rights, submit a privacy request. We will respond within the timeframe required by applicable law (typically 30 days, or 45 days for CCPA/CPRA).
Identity Verification: To protect your privacy, we will verify your identity before processing requests. Verification may include confirming your email address, providing account information, or other reasonable methods. For requests made by authorized agents, we require written authorization from the account holder.
Appeals: If we deny your request, you may appeal by contacting us within 30 days. We will respond to appeals within the timeframe required by applicable law. If your appeal is denied, you may contact your local data protection authority.
12. Automated Decision-Making
Our Service uses artificial intelligence to generate content based on your inputs. This processing:
- Does not make decisions that produce legal effects or similarly significant effects on you.
- Is based on your explicit request to use AI features.
- Can be reviewed and modified by you before any use.
If you are in the EEA/UK and believe automated processing has significantly affected you, you may contact us to request human review of any decision.
13. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify relevant supervisory authorities within 72 hours where required by applicable law (e.g., GDPR Article 33).
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
- Document all breaches and remediation actions taken.
We maintain security incident response procedures and will take appropriate steps to mitigate any harm.
14. Children's Privacy
The Service is not intended for children under 18 years of age (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child, we will promptly delete it. If you believe a child has provided us with personal information, please contact us.
15. Do Not Track
Some browsers have a "Do Not Track" (DNT) feature. We do not currently respond to DNT signals because there is no industry standard for handling them. We will update this policy if a standard is established.
16. Jurisdiction-Specific Provisions
16.1 United Kingdom (UK GDPR)
If you are in the United Kingdom, your personal data is protected under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. You have the same rights as EEA users described in Section 11.2 above. The relevant supervisory authority is the Information Commissioner's Office (ICO): https://ico.org.uk.
16.2 Brazil (LGPD)
If you are in Brazil, your personal data is protected under the Lei Geral de Proteção de Dados (LGPD). You have rights including: access, correction, deletion, portability, information about sharing, consent withdrawal, and the right to petition the ANPD (Autoridade Nacional de Proteção de Dados).
16.3 Australia (Privacy Act)
If you are in Australia, we handle your personal information in accordance with the Privacy Act 1988 and the Australian Privacy Principles (APPs). You have the right to access and correct your personal information. Complaints can be made to the Office of the Australian Information Commissioner (OAIC).
16.4 Canada (PIPEDA)
If you are in Canada, your personal information is protected under the Personal Information Protection and Electronic Documents Act (PIPEDA) or applicable provincial legislation. You have the right to access and correct your personal information. Complaints can be made to the Office of the Privacy Commissioner of Canada.
16.5 Other Jurisdictions
If you are located in a jurisdiction with specific privacy laws not listed above, we will comply with applicable requirements. Contact us for information about your specific rights.
17. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the version number and "Last updated" date at the top of this page. For significant changes, we may notify you via email or through the Service.
Your continued use of the Service after changes take effect constitutes acceptance of the revised policy. We encourage you to review this policy periodically.
18. Contact Us
For questions, concerns, or requests regarding this Privacy Policy or our data practices, please submit a request through our contact form.
For EEA/UK users: If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.