Privacy Policy

The data controller for the personal data processed through crewkit is:

This Privacy Policy describes how we collect, use, and protect your information when you use crewkit services. It applies to our website, dashboard, API, and CLI. By using crewkit, you agree to the practices described in this policy and our Terms of Service.

We collect information you provide directly to us, including:

• Account Information: Email address, name, organization details
• Usage Data: Agent configurations, experiment results, session logs
• Technical Data: IP addresses, browser type, device information
• Project Data: Git repository information, project metadata
• Payment Data: Billing details processed securely through Stripe (we do not store full card numbers)

When you use the crewkit CLI, we collect additional data to provide analytics and improve the service:

• Session Telemetry: Token counts (input/output), estimated costs, session duration, agent used, and outcome status
• Session Files: JSONL session files may be uploaded to provide session history and analytics features
• Error Reports: Crash reports and error details are sent to our error tracking service (Sentry) to help us fix bugs
• Git Metadata: Repository remote URL and branch information for project detection (not repository contents)

LLM Gateway (Optional): If enabled by your organization, the LLM Gateway feature routes AI requests through our servers. When active, prompts and responses are processed by both crewkit and Anthropic for cost tracking and analytics. This feature is opt-in and disabled by default. When enabled, data is subject to both this Privacy Policy and Anthropic's Privacy Policy.

We process your personal data under the following legal bases (GDPR Article 6):

We use collected information to:

• Provide, maintain, and improve crewkit services
• Process transactions and send related information
• Send technical notices, updates, and support messages
• Monitor and analyze usage patterns and trends
• Calculate and display cost analytics and session metrics
• Detect, prevent, and address technical issues and security threats

We use the following third-party services to process your data:

Subprocessor updates: We will update this list when adding or changing subprocessors. Subscribe to subprocessor change notifications by emailing privacy@crewkit.io with the subject line "Subscribe: Subprocessor Updates."

For enterprise customers requiring a Data Processing Agreement (DPA), contact us at privacy@crewkit.io.

crewkit is operated from the United States. If you access our services from outside the United States, your data will be transferred to and processed in the United States and other countries where our subprocessors operate.

For transfers of personal data from the European Economic Area (EEA), United Kingdom (UK), or Switzerland to the United States, we rely on:

• EU-US Data Privacy Framework (DPF): Where our subprocessors are certified under the DPF
• Standard Contractual Clauses (SCCs): As approved by the European Commission, incorporated into our Data Processing Agreements

By using crewkit, you consent to the transfer of your information to the United States and other countries as described above.

We do not sell your personal information. We may share information:

• With your consent: When you explicitly authorize sharing
• Within your organization: With team members in your organization as determined by your admin's settings
• Service providers: Third parties listed in our subprocessor list who perform services on our behalf, under contractual obligations to protect your data
• Legal requirements: When required by law, regulation, or legal process, or to protect the rights, safety, or property of crewkit, our users, or the public
• Business transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users

We implement appropriate technical and organizational measures to protect your information:

• Encryption in transit (TLS) and at rest
• Regular security audits and vulnerability assessments
• Access controls and authentication requirements
• Secure data centers and infrastructure

However, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

You have control over what data is collected by crewkit:

• Privacy Mode: Enable privacy mode in your organization settings to prevent logging of prompts and responses. Metrics like token counts, costs, and session duration are still collected to power analytics features.
• Session Uploads: JSONL session file uploads can be disabled in your organization settings. This will prevent session replay and detailed session history features.
• LLM Gateway: This feature is opt-in and must be explicitly enabled by your organization admin. When disabled, no prompts or responses are routed through crewkit servers.

Note: These settings only affect data collected by crewkit. Claude Code has its own telemetry which is governed by Anthropic's privacy policy.

We use cookies and similar technologies to:

• Essential cookies: Maintain your session and authentication state (required for service functionality)
• Preference cookies: Remember your settings and preferences
• Analytics cookies: Analyze site traffic and usage patterns to improve the service

You can control non-essential cookies through your browser settings. Disabling essential cookies may prevent you from using the service. We do not use third-party advertising cookies.

We retain your information for as long as your account is active or as needed to provide services:

• Session telemetry: Retained for 90 days by default, configurable per organization
• JSONL session files (S3): Retained for 90 days by default, following the same retention policy as session telemetry. Files are permanently deleted after the retention period expires.
• Error reports (Sentry): Retained for 90 days
• Account data: Retained until account deletion
• Payment records: Retained as required by applicable tax and financial regulations

You may request deletion of your data by contacting us. We will process deletion requests within 30 days. Some information may be retained where required by law or for legitimate business purposes (e.g., fraud prevention, financial records).

crewkit is designed for professional use by software developers and engineering teams. Our services are not directed at individuals under 18 years of age, and we do not knowingly collect personal information from children.

If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at privacy@crewkit.io.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your personal data
• Restriction: Request that we limit processing of your data
• Portability: Receive your data in a structured, machine-readable format
• Objection: Object to processing based on legitimate interest
• Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing

To exercise your rights: Contact privacy@crewkit.io with your request. We will respond within 30 days. We may need to verify your identity before processing your request.

Right to lodge a complaint: If you are located in the EEA or UK, you have the right to lodge a complaint with your local data protection supervisory authority if you believe your data has been processed in violation of applicable data protection laws.

California residents: Under the CCPA, you have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by GDPR
• Notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms
• Provide details of the breach, its likely consequences, and the measures taken to address it

For enterprise customers with a Data Processing Agreement (DPA), breach notification procedures may be governed by the terms of that agreement.

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice by posting the updated policy on this page, through in-app notification, or by email. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of crewkit after changes take effect constitutes acceptance of the updated policy.

If you have questions about this Privacy Policy or our data practices, contact us: