crusaderbase

Privacy Policy

Last updated: 2026-05-01

DRAFT — review with counsel before publishing. This document is provided as a starting point and has not been reviewed by an attorney.

This Privacy Policy explains how Not Beer Inc. ("CrusaderBase," "we," "us") collects, uses, shares, and protects information in connection with the CrusaderBaseplatform (the "Service"). It applies to (i) representatives of customer organizations that use the Service (each, a "Customer" or "tenant") and (ii) end-users whose information is processed by an agent on behalf of a Customer (for example, a creator who messages a Customer's Instagram account).

1. Who is responsible for your data

For data submitted to the Service by a Customer or generated by an agent operating on behalf of a Customer, the Customer is the controller and Not Beer Inc. is the processor. Not Beer Inc.is the controller of account-management, billing, and platform-operations data it collects directly. Where there is a separate Data Processing Agreement ("DPA") between the Customer and CrusaderBase, that DPA governs in case of a conflict with this Policy as to the processing of Customer Data.

2. What we collect

We collect the following categories of data:

  • Account information. Name, email address, organization name, and authentication identifiers, collected through our identity provider Clerk when a user signs up or signs in.
  • Tenant content. Configuration, prompts, brand voice, product catalog, integration credentials, files, and other information a Customer or its users submit to the Service. Tenant content is stored in our Postgres database hosted on Supabase.
  • Agent conversations. Messages exchanged between users and agents (including system messages and tool calls) are stored in core.agent_messages so that you can review, audit, and continue prior conversations.
  • Usage telemetry. Per-action records of agent invocations — model used, tokens consumed, latency, error codes, and identifiers of the user and tenant — stored in core.usage_events for billing, quota enforcement, capacity planning, and abuse detection.
  • Integration data. When a Customer connects a third-party service (for example, Instagram, Gmail, or a 3PL), the Service receives data from that service as authorized by the Customer — for example, message content, public profile fields, order data, and tracking events.
  • Diagnostic and security data. Server logs, request metadata, IP address, user agent, and similar information collected automatically to operate and protect the Service.

3. How we use information

  • Provide the Service. Operate the agents you enable, route requests to model providers, store and retrieve tenant content, deliver messages, fulfill approved actions against integrations, and produce inspector and audit views.
  • Improve agents. Use aggregated and de-identified telemetry to evaluate agent quality, debug regressions, and improve prompts and tooling. We do not use Customer Data to train foundation models for any party other than your tenant.
  • Security and abuse prevention. Monitor for anomalous activity, investigate incidents, audit access, and enforce these terms.
  • Billing and account administration. Calculate usage, generate invoices once paid plans launch, and communicate with billing contacts.
  • Legal and compliance. Meet our obligations under applicable law, respond to lawful requests, and protect our rights.

4. How we share information

We share information only with the sub-processors and service providers necessary to deliver the Service, and only under contracts that limit their use of the data. Our current list of sub-processors is published at /legal/subprocessors and includes Anthropic (model inference), Supabase (database), Clerk (authentication), Amazon Web Services (workers and secrets), Vercel (web hosting), and — when added — Stripe (payments) and Google (Gmail API for tenants who connect it). Each sub-processor processes data on our documented instructions.

We disclose information to law enforcement or other authorities only when required by law or compelled by valid legal process, and will, where lawful and practical, give the affected Customer prior notice. We may disclose information in connection with a corporate transaction (merger, acquisition, financing, or asset sale) subject to confidentiality obligations and equivalent privacy protections.

We do not sell personal information and do not share it for cross-context behavioral advertising.

5. Retention and deletion

We retain Customer Data while the tenant's account is active and as needed to provide the Service. After a Customer requests termination of its tenant, we delete or anonymize Customer Data within 30 days, except where we are required by law to keep it longer (for example, to comply with tax, accounting, or dispute-resolution obligations). Backups containing Customer Data are overwritten on the regular backup-rotation cycle.

Audit logs and inspector traces are retained for a minimum of 12 months to support compliance and dispute resolution. Aggregated and de-identified data may be retained indefinitely.

Customers may request deletion or export of their data at any time by emailing dillon@enjoynotbeer.com. End-users whose data we hold on a Customer's behalf (including, for Instagram-connected tenants, creators who have messaged that account) may request removal through the same address or through the platform-specific data-deletion mechanisms we implement.

6. Security

We protect data with administrative, technical, and physical safeguards designed to be appropriate to the sensitivity of the data:

  • Encryption in transit. All traffic between the client and the Service uses TLS 1.2+.
  • Encryption at rest. Customer Data stored in Supabase is encrypted at rest using disk-level encryption provided by the underlying cloud infrastructure.
  • Access controls. Authentication is managed through Clerk. Tenant isolation is enforced through application logic and Postgres row-level security (RLS). Internal access to production data is limited to personnel who require it to perform their job duties and is logged.
  • Secrets management. Per-tenant integration credentials are stored in AWS Secrets Manager.
  • Future audits. Formal SOC 2 Type II attestation is planned but has not yet been completed; we will publish the report when available.

7. Your rights

Depending on your jurisdiction, you may have the right to access, correct, delete, port, or restrict processing of your personal information, and to object to certain processing. Customers should contact us through their tenant administrator and end-users interacting with a Customer's connected accounts should contact that Customer first; in either case, requests can also be sent to dillon@enjoynotbeer.com. Data-subject access requests ("DSARs") will be handled within the period required by applicable law.

8. Cookies and similar technologies

We use a strictly necessary session cookie issued by Clerk to keep you signed in. We do not use third-party advertising cookies and do not track you across other websites. We may use first-party, aggregate analytics in the future; if we do, we will update this Policy.

9. International transfers (GDPR)

The Service is operated from the United States and most sub-processors are located in or serve from the United States. For Customer Data subject to the EU/UK General Data Protection Regulation, Not Beer Inc.acts as the processor on documented instructions from the Customer, who is the controller. Our sub-processors — Anthropic, Supabase, Clerk, AWS, Vercel, and, when added, Stripe and Google — act as further processors. Where we transfer personal data out of the European Economic Area or the United Kingdom, we rely on the European Commission's Standard Contractual Clauses (Module 2 — controller to processor, and Module 3 — processor to processor, as applicable), incorporated by reference in our DPA.

10. California (CCPA / CPRA)

California residents have rights under the California Consumer Privacy Act, as amended by the CPRA, to know, delete, correct, and limit certain processing of their personal information, and not to be discriminated against for exercising those rights. We do not "sell" personal information and do not "share" personal information for cross-context behavioral advertising as those terms are defined under California law. To exercise your rights, contact dillon@enjoynotbeer.com. We will verify the request through your account-of-record and will not require an account if not strictly necessary.

11. Children

CrusaderBase is a business-to-business platform intended for use by employees of customer organizations. The Service is not directed to children under 13 (or under 16 in jurisdictions where that is the higher threshold), and we do not knowingly collect personal information from them. If you believe we have collected information from a child in violation of applicable law, contact us and we will delete it.

12. Changes to this Policy

We may update this Policy. Material changes will be communicated by email to the address on file or through an in-app notice and will be effective on the date stated. The most current version is always posted at /legal/privacy.

13. Contact

Questions about this Policy or the data we hold can be directed to dillon@enjoynotbeer.com.