Legal

Privacy Policy

Last updated: July 8, 2026

This Privacy Policy explains how Crumbtrail (“we”, “us”, or “our”) collects, uses, shares, and protects personal information in connection with the Service at crumbtrail.dev. It applies to information we handle as a business — for example, the account you create with us.

The Service also processes data you capture and submit through our SDK and connected integrations, which may include personal information relating to your own end users. For that data we act as a processor (service provider) on your behalf and under your instructions; you are the controller. If you are an end user of a product that uses Crumbtrail, please direct privacy requests to the company that operates that product.

1. Information we collect

Account and billing information. When you create an account, authentication is handled by our identity provider (Supabase Auth), which manages your email and password — we never see or store your password. We store your email, your organization/tenant membership, and, if you subscribe, billing identifiers from our payment processor (Stripe). We do not store full payment card numbers; Stripe processes payments.

Session and evidence data (Customer Data). Through our SDK and the sources you connect, the Service captures session evidence such as interactions, network requests and redacted payloads, console output and errors, environment and feature-flag state, and — where you enable them — backend spans and row-level database changes. This data can contain personal information about your end users. A client-side redaction layer masks common secrets and personal data before capture, on a best-effort basis, according to the capture and masking policy you configure.

Data from connected tools. When you authorize integrations such as Sentry, CloudWatch, Jira, or GitHub, the Service retrieves evidence (for example issue summaries, stack traces, commit diffs, or ticket contents) at the moment it is needed, and stores only the derived bundle after redaction.

Product metrics. We collect aggregate, server-side usage metrics (for example plan activity and volume events) keyed to project and tenant identifiers, not to individual end users. We do not use client-side analytics, session-replay trackers, or advertising cookies on the dashboard or marketing site.

Communications. If you contact us or submit our contact form, we receive the information you provide, such as your name, email, and company.

2. Cookies and local storage

The dashboard stores your authentication token in your browser to keep you signed in. We use only essential and functional storage of this kind. We do not set third-party advertising or cross-site tracking cookies.

3. How we use information

  • to provide, operate, secure, and maintain the Service;
  • to assemble fix-ready context and, where you enable it, AI-assisted diagnosis;
  • to process subscriptions, billing, and account administration;
  • to respond to support requests and communicate about the Service;
  • to monitor, prevent, and address security, fraud, and abuse; and
  • to comply with legal obligations and enforce our Terms.

4. Legal bases (EEA/UK)

Where the GDPR or UK GDPR applies to information for which we are the controller, we rely on: performance of a contract (to provide the Service you request); our legitimate interests (to secure and improve the Service), balanced against your rights; your consent (where required, such as certain optional features); and compliance with legal obligations. For Customer Data we process on your behalf, you are responsible for establishing the lawful basis with respect to your end users.

5. Optional AI processing

AI-assisted diagnosis is off by default. When you enable it, only derived candidate metadata — such as the detector, severity, score, confidence, a truncated anchor, and an evidence window — is sent through our AI gateway (OpenRouter) to a model provider. Raw evidence such as clipboard contents, keystrokes, transcripts, stored values, cookies, input values, console text, and unknown payloads is explicitly omitted from what is sent.

Similarity search uses an offline, on-device embedding method by default. Only if you configure a hosted embedding model is text sent to that provider, and only the already-redacted bundle text is used.

6. How we share information

We do not sell personal information, and we do not share it for cross-context behavioral advertising. We share information only with service providers (sub-processors) that help us run the Service, under contracts that limit their use of the data, and as required by law or to protect rights and safety. Our principal sub-processors are:

  • Supabase — authentication and database hosting;
  • Railway — application hosting;
  • Stripe — payment processing and billing;
  • OpenRouter and the AI model providers it routes to — optional AI-assisted diagnosis (redacted, derived metadata only);
  • PostHog — aggregate, tenant-level product metrics; and
  • Resend — transactional and product email.

7. Customer-directed integrations

When you connect third-party tools (such as Sentry, Jira, or GitHub), data flows to and from those tools at your direction and under their own privacy terms. In some flows the Service posts information back to a tool you connect — for example an advisory comment on a ticket. You control these integrations and can disconnect them at any time.

8. International transfers

We and our sub-processors are located primarily in the United States, and information may be processed there. Where we transfer personal information from the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the Standard Contractual Clauses.

9. Data retention

Session and evidence data is retained for your plan’s retention window and then automatically purged from both storage and our database. Default windows are 7 days on the free tier, 30 days on Team, 90 days on Business, and 180 days on Enterprise, and can be adjusted for your tenant. Account and billing records are kept while your account is active and for as long as needed to meet legal, accounting, and security obligations, after which they are deleted or anonymized.

10. Security

We protect information with measures appropriate to its sensitivity, including encryption in transit and at rest through our infrastructure providers. Connector credentials are sealed with authenticated encryption (AES-256-GCM) and are not readable back by us. API keys and CLI tokens are stored only as one-way hashes, never in plaintext. Passwords are managed by our identity provider and never stored by us. The client-side redaction layer masks common secrets and personal data before capture. No system is perfectly secure, so we cannot guarantee absolute security.

11. Your rights

Depending on where you live, you may have rights to access, correct, delete, port, or restrict the processing of your personal information, to object to certain processing, and to withdraw consent. If you are in the EEA or UK, you may also lodge a complaint with your local data protection authority.

If you are a California resident, you have the right to know what personal information we collect, to delete it, to correct it, and to opt out of any sale or sharing of it — we do not sell or share personal information — and you will not be discriminated against for exercising these rights.

12. Exercising your rights

To make a request about information for which we are the controller, contact us at privacy@crumbtrail.dev; we will respond as required by applicable law and may need to verify your identity. If your request concerns end-user data captured by a company that uses Crumbtrail, we will refer you to that company, which is the controller of that data.

13. Children

The Service is intended for businesses and is not directed to children. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will delete it.

14. Changes to this Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “last updated” date and, where appropriate, provide additional notice.

15. Contact

For privacy questions or requests, contact us at privacy@crumbtrail.dev.