Legal
Privacy Policy
Last updated: May 2026
This Privacy Policy describes how Crestento (“we”, “us”) collects, uses, and protects information when you use our service. By using Crestento, you agree to the practices described here.
Information we collect
Account information
- Email address (for sign-in via magic link)
- Display name (optional, editable in settings)
- Workspace name (auto-created on signup)
- Subscription details (plan, billing period)
Content you create
- Performance review inputs you enter (employee names, period, structured fields, attachments, sensitive notes)
- Generated review drafts
- Writing-style samples (if you choose to add them)
- Files you upload as reference material
Usage data
- API calls (for rate limiting and quota enforcement)
- Aggregate AI usage telemetry (used internally for capacity planning and abuse detection)
- Audit log of subscription lifecycle events
Payment information
We do not store credit card details. Lemon Squeezy is our Merchant of Record and processes all payments on PCI-DSS-compliant systems. We receive only a customer reference ID and subscription status. Lemon Squeezy also handles all sales tax / VAT / GST collection and remittance globally on our behalf.
How we use your information
- To provide the service: generate drafts, save history, export.
- To enforce plan quotas, prevent abuse, and surface usage telemetry on your billing page.
- To send transactional email (sign-in links, payment receipts, quota warnings).
- To respond to support requests.
- To comply with legal obligations (e.g., tax records for paid subscriptions).
We do not train AI models on your content. Our AI provider (Anthropic) does not retain prompts for training.
Who we share with (sub-processors)
We rely on third-party providers to operate the service. They process your data on our behalf under contractual privacy obligations. The current list lives at /sub-processors and includes:
- Anthropic — generates draft text from prompts
- Supabase — database, authentication, file storage
- Vercel — application hosting
- Lemon Squeezy — Merchant of Record: payments, subscription management, and global tax compliance
- Brevo — transactional email delivery
Data retention
- Active accounts: data retained while your subscription (or free tier) is active.
- Cancelled subscriptions: data retained for 30 days after cancellation, then permanently deleted unless you reactivate.
- Manual deletion: you can delete your workspace and all associated data at any time from settings (we honour this within 30 days).
- Billing records: retained for 7 years after the relevant transaction to meet tax-record obligations.
Your rights
Depending on your jurisdiction (EU/UK GDPR, California CCPA, etc.), you have rights including:
- Access to the personal data we hold about you
- Correction of inaccurate data
- Deletion of your data ("right to be forgotten")
- Data portability (export of your data)
- Objection to processing
- Withdrawal of consent
To exercise any of these rights, contact us. We respond within 30 days. Most rights are also self-serve in settings (delete workspace, clear writing samples, etc.).
Security
See /security for our infrastructure security baseline (HTTPS, Row-Level Security on every table, signed webhooks, encrypted secrets, no model training on customer data).
International transfers
Crestento infrastructure is hosted in the United States. If you are based in the EU/UK, your data is transferred to the US under Standard Contractual Clauses with our sub-processors. EU/UK customers signing a paid contract can request a Data Processing Agreement at /dpa.
Children’s privacy
Crestento is not intended for use by individuals under 16. We do not knowingly collect data from children.
Changes to this policy
We may update this policy from time to time. Material changes will be communicated by email to active users at least 30 days before taking effect. The "Last updated" date above always reflects the current version.
Contact
Questions about privacy? Get in touch via the support email listed on your billing receipts. We respond within two business days.