Introduction
CrewCheck ("we", "us", "our") is committed to protecting your privacy. This policy explains how we collect, use, disclose, store, and safeguard personal data when you use our website, product, scanner, demo flows, and support channels.
CrewCheck acts as a data fiduciary for its own website and product operations. We design our services for India-first privacy operations, DPDP-aligned controls, and accountable AI governance.
Information We Collect
We collect account data such as name, work email, organization name, role, billing contact details, and support correspondence. We may also collect website usage metadata such as request timing, device or browser information, IP address, token counts, rule outcomes, and security event logs.
Payment information is processed by Razorpay or Stripe. CrewCheck does not store full card details. Where customer teams connect third-party model providers, we may process provider configuration metadata needed to run the service securely.
How We Use Your Information
We process personal data only for specific stated purposes. These purposes include account creation and login, organization administration, product delivery, scanner report generation, customer support, invoice and payment handling, security monitoring, fraud prevention, audit logging, and legal or regulatory compliance.
Examples of purpose-limited processing include using work email and organization details to create and manage an account, using support correspondence to resolve support requests, using IP address and device metadata to secure sessions and investigate abuse, using billing contact details to issue invoices and reconcile payments, and using rule outcomes or audit evidence to generate compliance reports requested by the customer.
We do not use personal data for unrelated secondary purposes. Where we rely on consent for non-essential website storage or communications, that consent is free, informed, specific, and can be withdrawn.
CrewCheck may disclose when AI or machine learning is used in customer-facing compliance workflows, including automated policy checks, PII detection, and audit analysis.
Data Storage & Security
CrewCheck is designed for India-first data residency and data-localization-aware operations. Data is encrypted in transit using TLS, and sensitive secrets are encrypted before storage.
Where third-party infrastructure is used, we apply access controls, least-privilege practices, environment segregation, audit logging, and incident response procedures. If a data breach or security incident affects regulated personal data, CrewCheck will follow its breach notification process and regulatory escalation obligations, including a 72-hour response workflow where required.
Your Content
CrewCheck does not store LLM prompts or responses by default unless a customer explicitly enables retention features. The proxy inspects content in memory for compliance checks and immediately discards it unless storage is required for a configured workflow.
Only metadata, token counts, rule violations, timestamps, and other audit-ready evidence are logged by default. Customer content is not used for unrelated training purposes by CrewCheck.
PII Handling
PII redaction is designed to run before content reaches downstream model providers. Detected PII categories may be logged for audit, such as Aadhaar detected and blocked, but actual sensitive values are not intentionally stored in routine logs.
If a workflow requires collection of identifiers such as Aadhaar, PAN, UPI, or other sensitive data, the purpose of processing must be documented, the collection must be necessary, and the data must be handled with additional safeguards.
Third-Party Services
We use third-party service providers only where necessary to operate CrewCheck. This includes Supabase for authentication and managed database services, Railway and Vercel for application hosting and delivery, Razorpay or Stripe for payment processing, and model providers such as OpenAI or Anthropic only when a customer configures or invokes those services through CrewCheck.
Third-party data sharing is purpose-bound and limited to the minimum data needed for each processor. For example, payment processors receive billing and transaction details needed to complete payments, hosting providers may process encrypted application or log data to run the service, support tooling may receive support-request context, and configured model providers may receive only the prompts, metadata, or redacted content required to complete a customer-requested AI workflow.
Named processor list: Supabase receives account identifiers, work email, and organization metadata for authentication and managed database operations. Railway and Vercel may process request metadata, IP address, encrypted application data, and operational logs for hosting and delivery. Razorpay or Stripe receive billing contact details, invoice references, and transaction metadata for payment processing. OpenAI or Anthropic may receive prompts, redacted content, and model request metadata only when a customer chooses those providers for a customer-requested AI workflow.
We do not sell personal data. We publish these processor categories so users understand what data may be shared, with whom, and for what purpose. Where personal data is transferred outside India or through cross-border processing infrastructure, we assess the transfer, apply contractual and technical safeguards, and document the purpose of the transfer.
Your Rights Under the DPDP Act
You may request access, correction, erasure, portability, grievance review, or withdrawal of consent by contacting privacy@crewcheck.ai or by using Privacy Controls. We will review and respond to valid requests in accordance with applicable law.
Withdrawing consent is designed to be as easy as giving it. You can withdraw consent for non-essential website processing at any time from the Privacy Controls page.
Children and Minor Data
CrewCheck is not intended for children under 18. We do not knowingly seek to collect personal data from minors without a lawful basis and parental consent where required.
If we learn that personal data relating to a child or minor has been provided without appropriate authorization, we will take steps to restrict use and delete the data where applicable.
Data Retention
Account data is retained while your account is active and for a reasonable retention period afterward where required for fraud prevention, dispute handling, legal compliance, or regulatory evidence.
Audit logs may be retained for up to 7 years where regulatory evidence is required. We review data retention needs periodically and apply deletion or de-identification where storage is no longer necessary.
Changes to This Policy
We will notify users of material policy updates by email, website notice, or in-app notification. The latest effective date will always be displayed on this page.
Contact
For privacy questions, access or erasure requests, grievance escalation, or consent withdrawal support, email privacy@crewcheck.ai. For security disclosures, contact security@crewcheck.ai.
CrewCheck operates from India. If you need a formal mailing address for a contract, invoice, or legal notice, contact the CrewCheck privacy team and we will provide the current registered office details through the appropriate channel.