Privacy Policy
Version 2026-06-22 · Last updated June 22, 2026
This Privacy Policy explains what data Crossary collects, why, how we protect it, and the choices you have. Crossary is built around trust: we measure honestly, we never train a shared model on your data, and we collect only what the service needs.
1. Who we are (data controller)
The data controller is Crossary, operated as a sole trader. For any privacy question or to exercise your rights, contact support@crossary.com. Our postal address is available on request.
2. What we collect
We collect only what is needed to run the service:
- Account data — your name, email address, and a one-way hashed password (we never store your password in plain text).
- Billing data — your plan and subscription status, and identifiers from our payment processor (Stripe). Card details are entered with and held by Stripe; we never see or store full card numbers.
- Uploaded content — the source and target specification files you upload (Excel, CSV, JSON, XML, PDF), the text and field inventory extracted from them, the mapping rows, questions, notes, and exported workbooks you produce.
- Usage & metering — AI compute consumed per run, run status, and similar operational counters used to meter your plan.
- Technical data — application error reports (via Sentry) and server logs, including IP address, used for security, abuse-prevention, and rate-limiting.
- Product analytics — pseudonymous usage events (pages viewed and product steps such as creating an integration or exporting a workbook), captured via a cookieless, EU-hosted analytics tool (PostHog) so we can understand usage and improve the product. It uses no cookies or device storage, and the data is never used for advertising.
3. How we use it, and our legal bases
- To provide the service (create your account, process your artifacts, generate and store mappings, produce exports) — legal basis: performance of our contract with you.
- To secure the service (authentication, login and signup rate-limiting, abuse prevention, error monitoring) — legal basis: our legitimate interest in keeping the service safe and available.
- To bill you and manage your subscription — legal basis: performance of our contract and compliance with legal obligations (e.g. tax).
- To communicate essential service messages (verification, password resets, invitations, account changes) — legal basis: contract and legitimate interest.
- To improve the product using privacy-first, cookieless analytics — legal basis: our legitimate interest in understanding how the service is used and making it better.
4. AI processing of your content
To extract fields and suggest mappings, the relevant parts of your uploaded artifacts are sent to our AI provider (OpenAI, a US service) for inference. Your content is not used to train shared or third-party models. OpenAI may retain prompts (which can include uploaded spec content) for a limited period (up to ~30 days) for abuse monitoring, then deletes them; deleting an integration in Crossary does not purge a copy OpenAI has already processed. Our reuse feature (“Mapping Memory”) is scoped to your own workspace and stores only field-pair decisions you have approved — never across customers, and never to train a shared model.
5. Subprocessors
We rely on a small set of third-party providers to operate the service. The current list, with each provider's purpose and location, is on our Subprocessors page.
6. International transfers
Your uploaded content and our primary database are hosted in the European Union (Frankfurt). Some subprocessors (for example, AI inference and payment processing) may process data in the United States. Where personal data leaves the European Economic Area, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and/or the EU–US Data Privacy Framework where the recipient is certified.
7. How long we keep it
We keep your account data and content for as long as your account is active. When you delete your account, we cancel any active subscription, then delete your workspaces, projects, integrations, uploaded artifacts, and export packages, and remove the associated files from storage. Backups and server logs are cycled out on a rolling short-term basis. We may retain limited records where required for legal or accounting purposes.
You can also delete an individual integration or project at any time; this erases its data and the uploaded files behind it. We do not run a separate scheduled purge — your content persists until you remove it (per integration/project) or delete your account.
8. Your rights
Subject to applicable law, you have the right to access, correct, delete, export (port), restrict, and object to the processing of your personal data. How to exercise them:
- Deletion — you can delete your account yourself from Account settings, which removes your data as described above. You can also delete individual integrations or projects from within the app.
- Portability — from Account settings, use Download my data to export a machine-readable (JSON) copy of your account and the workspaces you own.
- Access, correction, or any other right — email support@crossary.com and we will respond within the time required by law.
- You may also lodge a complaint with your data-protection authority (our lead authority: the Comissão Nacional de Proteção de Dados (CNPD)).
9. Cookies
We use only a strictly-necessary session cookie. See our Cookie Policy.
10. Security
We protect your data with industry-standard measures: passwords hashed with bcrypt, encryption in transit (TLS), EU-hosted storage and database, login/signup rate-limiting, and continuous error monitoring. No system is perfectly secure, but we treat protecting your work as core to the product.
11. Children
Crossary is a business tool and is not directed to children. You must be at least 18 to use it.
12. Changes to this policy
We may update this policy; the version and date appear at the top. For material changes we will take reasonable steps to notify you.
13. Contact
Privacy questions or requests: support@crossary.com.