Privacy Policy
Last updated: February 20, 2026
1. Introduction
Crew ("we", "our", or "the Service") is a personal AI agent platform that connects to your messaging apps and productivity tools. This Privacy Policy explains how we collect, use, store, and protect your information when you use our Service. By using Crew, you consent to the data practices described in this policy.
2. Information We Collect
2.1 Account Information
When you sign in with Google or Microsoft, we receive and store your name, email address, and profile picture as provided by the identity provider. We also generate and store a unique user ID and referral code for your account.
2.2 OAuth Tokens
To access Google Workspace (Gmail, Calendar, Drive, Contacts) or Microsoft 365 (Outlook, OneDrive, Teams, Calendar) on your behalf, we store OAuth access and refresh tokens. These tokens are encrypted at rest using AES-256-GCM and are never exposed to third parties. Data accessed through Google Workspace APIs is used solely to provide the Service to you and is not used to develop, improve, or train generalized AI and/or ML models.
2.3 Chat Messages and Voice Data
Messages you send to the AI agent (via web chat or connected channels) and responses generated are stored in our database to provide conversation history. You may delete individual conversations at any time.
When you send voice or audio messages through connected messaging channels (such as LINE, WhatsApp, or Telegram), the audio data is transmitted to OpenAI's Whisper API for transcription. The transcribed text is then processed by our AI agent. Audio files are temporarily stored in your sandboxed workspace during the session and are not retained by OpenAI for model training. We do not create or store voice prints or other biometric identifiers from your audio data.
2.4 Connected Channel Data
When you connect messaging channels (Telegram, Discord, Slack, KakaoTalk, LINE, WhatsApp), we store the credentials and configuration necessary to route messages between the channel and your AI agent. Channel messages are processed in real time and stored as part of your conversation history.
2.5 Workspace Files
Files you upload or that the AI agent creates during a session are stored in your sandboxed workspace. Files are encrypted at rest using per-user encryption keys derived via HKDF. Each user's workspace is fully isolated — no cross-tenant data access is possible.
2.6 Usage and Billing Data
We track credit consumption, subscription status, referral activity, and payment transaction history to operate our billing system. Payment processing is handled by Stripe; we do not store your full credit card number or payment method details on our servers.
2.7 Activity Logs
We maintain activity logs (message counts, tool usage, channel interactions) for operational monitoring and to help you review your own usage history. These logs do not contain the full content of your messages.
3. How We Use Your Information
- To authenticate you and manage your account
- To operate the AI agent on your behalf (reading emails, managing calendar, accessing files, searching the web)
- To route messages between your connected channels and the AI agent
- To transcribe voice messages so the AI agent can process them
- To execute scheduled tasks you configure
- To track and enforce usage limits under your subscription plan
- To process referral rewards and credit transactions
- To improve the Service, diagnose issues, and prevent abuse
We do not use your personal data, messages, files, or AI interactions to train or improve AI models. Your content is processed solely to provide the Service to you.
4. Data Security
We take the security of your data seriously:
- OAuth tokens are encrypted with AES-256-GCM before storage
- Workspace files are encrypted at rest with per-user keys derived via HKDF
- All communication between your browser and our servers uses HTTPS/TLS
- AI agent sandboxes are isolated per user — no cross-tenant data access
- Internal API endpoints are protected with secret-based authentication and timing-safe comparison
- Database connections use TLS encryption in transit
- Security headers (X-Frame-Options, CSP, HSTS) are applied to all responses
While we implement commercially reasonable security measures, no online service can guarantee absolute security. We encourage you to use strong passwords and protect your account credentials.
5. Third-Party Services
The Service integrates with the following third-party providers. Each has its own privacy policy:
5.1 AI and Processing
- AI model providers — Your messages are sent to third-party AI model APIs to generate responses. We select providers whose API terms prohibit using inputs/outputs for model training.
- Speech-to-text providers — Voice messages from messaging channels are sent to a third-party speech recognition API for transcription. The provider does not retain audio data for model training.
- Web search providers — When the AI agent performs web searches, queries are sent to a third-party search API.
5.2 Productivity Integrations
- Google APIs — Gmail, Calendar, Drive, Contacts access on your behalf, within the scopes you authorize.
- Microsoft Graph API — Outlook, OneDrive, Teams, Calendar access on your behalf, within the scopes you authorize.
5.3 Payments
- Stripe — Payment processing for subscriptions and credit packs. Stripe may collect device information for fraud prevention.
6. Data Retention
We retain your data for as long as your account is active. When you delete your account:
- Personal data, chat history, workspace files, channel connections, and stored tokens are deleted within 30 days
- Billing records may be retained as required by applicable tax and financial regulations
- Anonymized, aggregated usage statistics (not linked to your identity) may be retained for operational purposes
7. Data Sharing
We do not sell, trade, or rent your personal information to third parties. We share data only in the following circumstances:
- With the third-party service providers listed in Section 5, solely to operate the Service
- When required by law, regulation, legal process, or governmental request
- To protect the rights, safety, or property of Crew, our users, or the public
- In connection with a merger, acquisition, or sale of assets (with prior notice)
8. Your Rights
Regardless of where you are located, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate personal data
- Delete your account and all associated data
- Disconnect any connected channel or revoke OAuth access at any time
- Export your conversation history
- Object to or restrict certain data processing
- Withdraw consent for optional data processing at any time
8.1 For EEA/UK Residents (GDPR)
If you are located in the European Economic Area or the United Kingdom, you additionally have the right to data portability, the right to lodge a complaint with your local data protection authority, and the right to request restriction of processing. Our legal bases for processing your data are: (a) performance of a contract (providing the Service), (b) your consent (for optional features), and (c) legitimate interests (security and fraud prevention).
8.2 For California Residents (CCPA)
If you are a California resident, you have the right to know what personal information we collect, request deletion of your data, and opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact us at the email address below.
To exercise any of these rights, please contact us at privacy@crew.you. We will respond within 30 days.
9. International Data Transfers
Your data may be processed and stored in multiple regions, including Asia-Pacific (primary compute) and the United States (AI processing and other services). We ensure that all international data transfers are protected by appropriate safeguards, including standard contractual clauses and encryption in transit and at rest.
10. Cookies
We use only essential cookies for authentication (session tokens), user preferences (theme, locale), and admin access. We do not use third-party tracking cookies, advertising cookies, or analytics cookies. No third-party tracking scripts (Google Analytics, Meta Pixel, etc.) are loaded by the Service.
11. Children's Privacy
The Service is not intended for children under 16. We do not knowingly collect personal information from children under 16. If we become aware that a child under 16 has provided us with personal information, we will take steps to delete that information promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the Service at least 14 days before they take effect. Your continued use after changes constitutes acceptance of the updated policy. We encourage you to review this page periodically.
13. Contact
If you have questions about this Privacy Policy or your data, please contact us at privacy@crew.you.