Privacy Policy

At Croi ("we," "our," or "us"), we take your privacy seriously. This Privacy Policy explains how we collect, use, process, and protect your personal information when you use our AI-powered diagram generation service.

This policy applies to our website, application, and all related services. By using Croi, you consent to the practices described in this Privacy Policy.

Key Commitment: We believe in transparency, data minimization, and giving you control over your personal information.

1.1 Information We Collect

Account Information (via GitHub OAuth)

• GitHub username and profile information
• Email address associated with your GitHub account
• Profile picture/avatar from GitHub
• Public GitHub profile data (name, bio)

Service Usage Data

• Diagram prompts and text inputs you provide
• Generated diagrams and their metadata
• Chat history and conversation logs
• Token usage and billing information
• Feature usage patterns and preferences

Technical and Analytics Data

• IP address and geolocation (country/region level)
• Device type, browser information, and operating system
• Session duration and page interactions
• Error logs and performance metrics
• API response times and system performance data

Payment Information

• Stripe customer ID and payment metadata
• Transaction history and payment status
• Billing address (processed by Stripe)
• Note: We do not store credit card details directly

1.2 How We Use Your Data

Service Delivery

• Process your prompts through OpenAI's API to generate diagrams
• Store and retrieve your diagrams and conversation history
• Manage your account and authentication
• Process payments and manage token balances

Service Improvement

• Analyze usage patterns to improve features and performance
• Monitor system health and identify technical issues
• Conduct beta testing and feature development
• Provide customer support and troubleshooting

Communication

• Send important service updates and security notifications
• Respond to support requests and feedback
• Notify about beta program updates (if applicable)

1.3 OpenAI API Integration

Your diagram prompts are sent to OpenAI's API for processing. This data is subject to OpenAI's data usage policies. We recommend reviewing OpenAI's privacy policy for details on how they handle API requests.

• Prompts are processed in real-time and not permanently stored by OpenAI
• We do not share personal identifying information with OpenAI
• API responses are used solely to provide diagram generation services

1.4 Beta Testing Data Handling

• Beta usage data helps us identify bugs and improve functionality
• We may collect additional diagnostic information during beta phases
• Beta feedback and reports are stored securely and used for development
• Data collected during beta may be retained for service improvement

2.1 Data Encryption

• In Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3
• At Rest: Stored data is encrypted using AES-256 encryption standards
• Database Security: PostgreSQL databases with encrypted storage and secure connections
• API Communications: All third-party API calls use encrypted channels

2.2 Storage Security Protocols

• Infrastructure: Hosted on secure, SOC 2 compliant cloud infrastructure
• Access Controls: Role-based access controls and principle of least privilege
• Monitoring: 24/7 security monitoring and intrusion detection
• Backups: Regular encrypted backups with secure off-site storage
• Data Isolation: User data is logically separated and access-controlled

2.3 Authentication Safeguards

• OAuth Security: GitHub OAuth 2.0 with secure token handling
• Session Management: Secure session tokens with appropriate expiration
• CSRF Protection: Cross-site request forgery protection on all forms
• Rate Limiting: API rate limiting to prevent abuse and DoS attacks

2.4 Beta Testing Security Considerations

• Enhanced logging and monitoring during beta phases
• Additional security reviews for new features
• Secure feedback channels for reporting security issues
• Regular security assessments and penetration testing

2.5 Incident Response

In the event of a security breach, we will:

• Immediately assess and contain the incident
• Notify affected users within 72 hours
• Provide clear information about what data was affected
• Take steps to prevent similar incidents
• Comply with applicable breach notification regulations

3.1 Data Access Rights

You have the right to:

• Access: Request a copy of all personal data we hold about you
• Portability: Receive your data in a structured, machine-readable format
• Review: View your account information, diagrams, and usage history through your dashboard
• Export: Download your created diagrams in various formats (PNG, SVG, etc.)

3.2 Data Correction and Deletion

• Correction: Update incorrect or incomplete personal information
• Deletion: Request complete deletion of your account and associated data
• Selective Deletion: Delete specific diagrams or conversation history
• Right to be Forgotten: Complete removal from our systems (subject to legal requirements)

3.3 Privacy Preferences Management

• Analytics Opt-out: Disable usage analytics and tracking
• Communication Preferences: Control email notifications and updates
• Data Processing Consent: Withdraw consent for non-essential processing
• Third-party Sharing: Control how your data is shared with service providers

3.4 Beta Tester Specific Rights

• Enhanced Data Access: Additional access to beta testing data and feedback
• Withdrawal Rights: Right to withdraw from beta testing at any time
• Data Migration: Assistance with data migration when beta features become stable
• Special Deletion Rights: Request deletion of beta-specific data collections

3.5 Communication Opt-out Choices

• Service Updates: Opt-out of non-critical service announcements
• Beta Communications: Unsubscribe from beta testing communications
• Marketing: Opt-out of promotional emails (we currently don't send marketing emails)
• Support Communications: Manage support ticket notifications

3.6 How to Exercise Your Rights

To exercise any of these rights:

• Contact us through our support page
• Use the account settings in your dashboard
• We will respond to requests within 30 days

4.1 OpenAI API Integration

• Purpose: AI-powered diagram generation from text prompts
• Data Shared: Text prompts, system messages for diagram generation
• Data Retention: OpenAI processes requests in real-time, data not permanently stored
• Privacy Policy: OpenAI Privacy Policy
• Location: Data processed in OpenAI's global infrastructure

4.2 GitHub OAuth (Authentication)

• Purpose: Secure user authentication and account creation
• Data Shared: Public profile information, email address
• Data Retention: Profile data cached during active sessions
• Privacy Policy: GitHub Privacy Statement
• Location: Global GitHub infrastructure

4.3 Stripe (Payment Processing)

• Purpose: Secure payment processing for token purchases
• Data Shared: Customer ID, transaction amounts, payment metadata
• Data Retention: Payment records retained per financial regulations
• Privacy Policy: Stripe Privacy Policy
• Location: EU and US data centers (GDPR compliant)
• Compliance: PCI DSS Level 1 certified

4.4 Hosting and Infrastructure

• Service: Vercel (hosting), Supabase (database), Redis Cloud (caching)
• Purpose: Application hosting, data storage, and performance optimization
• Data Shared: All application data and user content
• Security: SOC 2 Type II compliant infrastructure
• Location: EU and US data centers with GDPR compliance

4.5 Analytics and Monitoring

• Purpose: Application performance monitoring and usage analytics
• Data Collection: Anonymized usage patterns, error logs, performance metrics
• Retention: Analytics data retained for 12 months
• Opt-out: You can disable analytics tracking in your account settings

4.6 Beta Testing Platforms

• Internal Tools: We use internal feedback collection and bug tracking
• Data Sharing: Beta feedback shared only with our development team
• External Tools: No external beta testing platforms currently used
• Security: Beta data encrypted and access-controlled

4.7 Third-Party Data Processing Agreements

All third-party service providers are bound by data processing agreements that ensure:

• GDPR and CCPA compliance
• Appropriate security measures
• Limited data usage for specified purposes only
• Data deletion upon contract termination
• Regular security audits and assessments

5.1 Retention Periods

• Account Data: Retained while your account is active
• Diagrams and Content: Retained until you delete them or close your account
• Usage Analytics: Anonymized data retained for 12 months
• Payment Records: Retained for 7 years per financial regulations
• Support Communications: Retained for 3 years
• Security Logs: Retained for 1 year

5.2 Automated Deletion

• Inactive accounts (no login for 2+ years) are flagged for deletion
• Temporary data (sessions, caches) automatically expires
• Old analytics data is automatically purged
• Expired tokens and billing data are archived

5.3 Account Deletion Process

When you delete your account:

• Account data is immediately deactivated
• Personal information is deleted within 30 days
• Diagrams and content are permanently deleted
• Payment records are retained per legal requirements
• Anonymized analytics data may be retained

6.1 Data Processing Locations

Your data may be processed in:

• European Union: Primary data processing location
• United States: OpenAI API processing, Stripe payments
• Global CDN: Content delivery for performance optimization

6.2 Transfer Safeguards

• Standard Contractual Clauses (SCCs) for EU-US transfers
• Adequacy decisions where applicable
• Binding Corporate Rules for service providers
• Additional security measures for sensitive data

6.3 Your Rights Regarding Transfers

• Right to be informed about transfer destinations
• Right to object to transfers to specific countries
• Right to request data localization (where technically feasible)

Croi is not intended for use by children under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly.

If you are a parent or guardian and believe your child has provided personal information to us, please contact us immediately.

8.1 Policy Updates

We may update this Privacy Policy from time to time. When we do:

• We will post the updated policy on this page
• We will update the "Last Updated" date
• For significant changes, we will notify you via email or service notification
• You will have the opportunity to review changes before they take effect

8.2 Notification of Changes

• Minor Changes: Posted on this page with 7 days notice
• Material Changes: Email notification 30 days in advance
• Emergency Changes: Immediate notification for security reasons

8.3 Your Options

If you disagree with changes to this Privacy Policy, you may:

• Contact us to discuss your concerns
• Adjust your privacy settings
• Delete your account before changes take effect

9.1 Privacy Questions and Requests

For privacy-related questions, requests, or concerns, contact us at:

• Email:
• Support Portal: s
• Response Time: We respond to privacy requests within 30 days

9.2 Data Protection Officer

For EU residents, you can contact our Data Protection Officer at:

• Email:
• Subject Line: "GDPR Request" or "Data Protection Inquiry"

9.3 Regulatory Authorities

You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated. For EU residents, you can find your local data protection authority at the European Data Protection Board website.

9.4 Emergency Contact

For urgent privacy or security issues (such as suspected data breaches affecting your account):

• Email:
• Subject Line: "URGENT - Security Issue"
• Response Time: 24-48 hours for security issues