Full name, work email, phone number, business name, role, country, time zone.
Privacy you can read.
A complete account of what we collect, why we collect it, how we use it, and what your rights are. Worldwide-applicable. Built to comply with all major privacy regimes — including Singapore's PDPA (our home regulator), the EU General Data Protection Regulation (GDPR), the UK GDPR / Data Protection Act 2018, California's CCPA/CPRA, Canada's PIPEDA, the Australian Privacy Act, and equivalent laws wherever you and your customers are based.
1. Who we are
This Privacy Policy is published by CrewRun Pte. Ltd. ('CrewRun', 'we', 'us', or 'our'), a private company incorporated in Singapore. CrewRun provides a software-as-a-service platform for service businesses worldwide, including unified messaging, dispatch, GPS tracking, document templates, AI assistance, and invoicing.
We act as the data controller (or 'business' under CCPA terminology) for personal data we collect about visitors to our marketing site and account holders of the CrewRun platform. When our customers (service businesses) use the platform to manage their own end-users' data, the customer is the data controller and we act as the data processor (or 'service provider' under CCPA) under their instructions. See our Data Processing Agreement at /dpa for the processor-side terms — that DPA incorporates the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and CCPA service-provider clauses as appropriate.
Our registered address and full contact details — including our EU and UK Representative under GDPR Article 27 (where applicable) — are at the end of this policy.
2. What personal data we collect
Only what we need to provide and improve the service. No tracking pixels on customer chats. No third-party analytics that can identify your customers.
Business registration number, service category, website, billing address, GST registration.
Pages visited, features used, click patterns, device type, browser, IP address (truncated for analytics).
WhatsApp / Instagram / Facebook conversations you choose to route through CrewRun, including sender name, phone, profile picture, message bodies, attachments, and timestamps. Stored encrypted.
Card details handled directly by Stripe under PCI DSS Level 1. We see only the last 4 digits, brand, and expiry.
Session cookies for sign-in, preference cookies. No advertising cookies. No third-party tracking on the marketing site.
Logos, contract templates, photos taken in the mobile app, customer signatures, invoices, service reports.
Postal codes you enter; the resolved street + lat/lng from a country-appropriate geocoder (OneMap for Singapore, Google Maps Geocoding elsewhere) for dispatch routing.
When you connect Traccar: vehicle/device latitude, longitude, speed, heading, timestamp. Most-recent fix only; trail stays on your Traccar server.
When AI features are enabled: the message body, recent conversation tail, matched customer record, service catalogue, and AI's draft reply. Logged for quality + abuse review.
Crash reports and error logs. Stripped of personally identifying information before storage. Used for product reliability only.
3. How we collect personal data
Directly from you: when you sign up, configure your account, run the setup wizard, or submit forms (waitlist signup, contact, support).
From your use of the service: as you and your team use the dashboard, mobile app, and integrations, we collect activity logs and feature usage telemetry.
From your customers (indirectly): when your customers message you on a connected channel, the message content and metadata flow into CrewRun. The customer is interacting with you, not with CrewRun, but we process the data on your behalf.
From integration partners (only with your authorization): when you connect Xero, Google Calendar, Traccar, or other third-party services, we receive the data those services share via their APIs, scoped to what you've authorized.
4. Why we collect personal data (purposes and legal bases)
We process personal data for the purposes below. Each purpose maps to a lawful basis under whichever privacy regime applies to you. The brackets show the equivalents in the laws we most commonly deal with:
- Providing the service — running your account, dispatching jobs, sending messages, generating documents. [GDPR Art. 6(1)(b) contract · UK GDPR contract · PDPA contractual necessity · CCPA business purpose · PIPEDA reasonable purpose].
- Billing and account management — processing payments, sending invoices, managing subscriptions. [GDPR Art. 6(1)(b) contract · PDPA contractual necessity · CCPA business purpose · Australian APP 6 primary purpose].
- Customer support — responding via email, in-app chat, or phone. [Same contract/business-purpose basis as the previous two].
- Product analytics and improvement — aggregated usage statistics, never used to identify any individual customer's end-users. [GDPR Art. 6(1)(f) legitimate interest · UK GDPR same · PDPA legitimate interest · CCPA service-improvement business purpose].
- Marketing communications to existing customers — product updates, occasional newsletters. Opt-out link in every email. [GDPR Art. 6(1)(f) legitimate interest with soft opt-in · PECR / EU ePrivacy where applicable · CASL implied consent for existing-customer relationship · CCPA right-to-opt-out honoured].
- Compliance with legal obligations — tax records, court orders, fraud prevention. [GDPR Art. 6(1)(c) legal obligation · UK GDPR same · PDPA legal compliance · CCPA legal-obligation business purpose].
- Security and abuse prevention — detecting and preventing fraud, account compromise, platform abuse. [GDPR Art. 6(1)(f) legitimate interest · CCPA security business purpose · PDPA legitimate interest].
5. How we use personal data
To deliver and operate CrewRun for you: signing you in, processing your dispatch decisions, drafting AI replies, generating documents, sending notifications.
To improve the product: aggregated, de-identified analytics on what features get used, where users get stuck, what's broken. We never use the content of customer messages or any personally identifying analytics for product development.
To communicate with you: operational emails (billing, security alerts, downtime notices), product updates, and occasional research invitations. You can opt out of non-essential emails from your settings or via the unsubscribe link.
To comply with our legal obligations: tax filings, responses to lawful requests from authorities, defending against legal claims.
We do not sell personal data. We do not share customer message content with third parties beyond what is strictly necessary to deliver the message (for example, transmitting via WhatsApp's Cloud API to reach a customer's WhatsApp number).
6. Sub-processors and third parties we share data with
A complete list of the third-party services that touch your data, what they do, and where they're based.
Primary database + file storage. Default region: Singapore (ap-southeast-1). EU / US / other regional residency available on Enterprise — contact us.
Payment processing and card storage. PCI DSS Level 1 certified.
DNS, content delivery, edge security. SOC 2 Type II certified.
Transactional email delivery (invoices, alerts, notifications).
AI model provider for message drafting, only when AI features are enabled. Zero-retention agreement in place.
Backup AI model provider. Same zero-retention agreement.
Sign-in and account security. Operated by Google.
Channel APIs for receiving and sending customer messages on each platform.
Singapore postal-code geocoding — turns 6-digit SG postals into street addresses + lat/lng. SG customers only. No customer-identifying data sent.
Map rendering on the dispatch + map pages, plus geocoding for non-Singapore postal codes. Lat/lng + postal coordinates only; never customer names or contact info.
When you connect your own Traccar server, we make outbound API calls to read device positions. We never push your data to Traccar.
7. Messaging channel data (WhatsApp, Facebook, Instagram)
When you connect a Meta channel (WhatsApp Business, Facebook Messenger, Instagram Direct) to CrewRun, we receive inbound messages addressed to your business and send outbound messages on your behalf. The data flowing through each channel includes: the end-user's phone number (WhatsApp) or platform user-id (FB/IG), their display name + profile picture, the message body, any attachments (images, documents, voice notes, location pins), and message timestamps.
We process and store this data for the purposes of: rendering the conversation in your inbox, routing it to the AI for classification + drafting, and persisting the thread so you can refer back to it. Messages are stored encrypted at rest in your tenant's database row.
We do not use the content of customer messages for advertising, model training, or any purpose beyond delivering the service to you. We do not share message content with Meta beyond what's needed to deliver an outbound message to its destination platform (Meta's API requires the message body + recipient id to route the message).
Channel-level enforcement actions taken by Meta (account suspensions, template rejections, conversation-quality flags) are passed through to your dashboard. We are not responsible for Meta's enforcement decisions.
8. GPS and location data
When you connect a Traccar GPS server to CrewRun (via Settings → Integrations), we make outbound API calls to read the most-recent position of each device you pair to a team. The data we receive per device is: latitude, longitude, speed, heading, last-fix timestamp, and an optional reverse-geocoded address. We hold only the most-recent fix in memory; the full historical trail stays in your Traccar server and is never replicated to CrewRun's database.
We use GPS data for: live vehicle pins on the dispatch + /map pages, the slot-finder's 'nearest team' distance calculations, and proximity-alert notifications (where enabled) when a technician is close to their next appointment.
GPS tracking of individuals (drivers, technicians, employees) is heavily regulated worldwide. You — the business — are responsible for obtaining lawful consent from every tracked person and for providing them clear notice of what is being collected, why, how long it's kept, and how to opt out where required. The applicable rules vary by jurisdiction — Singapore PDPA, EU/UK GDPR (including consultation with works councils in Germany / France / Italy), California CCPA + the CPRA's sensitive-PI category, Canada PIPEDA, the Australian Privacy Act, US state-level employee-monitoring laws (e.g. NY, Connecticut, Texas) — and you should consult local counsel for your specific obligations. CrewRun provides the technical interface; we do not audit, warrant, or take responsibility for your tracking program's compliance.
Customer addresses are geocoded via a country-appropriate provider — OneMap (data.gov.sg) for Singapore postal codes, Google Maps Geocoding for everywhere else. The data sent to the geocoder is the bare postal code (and, for some non-SG countries, the city + country to disambiguate) — never the customer's name, phone, or any other identifier.
9. AI processing
CrewRun's AI features (intent classification, FAQ drafting, quote drafting, complaint triage, booking field extraction, slot suggestions) send relevant context to third-party LLM providers (currently Anthropic Claude; we may also use OpenAI, Google, or comparable providers).
The context typically includes: the latest inbound customer message, the recent conversation tail (last ~10 messages), the matched customer record (name, phone, address, recent jobs, contract status if any), your business's service catalogue with prices, and your AI behaviour settings (FAQ knowledge base, tone, escalation keywords). We send only what the AI needs to draft a sensible reply for that specific message — never your full customer database.
All AI providers we use have committed via written agreement to NOT train their models on data we send. Inputs and outputs are processed transiently to generate a response; the provider retains nothing beyond ephemeral logs (typically <30 days) for abuse detection. Anthropic and OpenAI's terms for CrewRun are available on request.
We log AI requests internally to our `ai_call_log` table for: quality monitoring (catching regressions when we upgrade models), debugging (the operator opens a draft that looks wrong and we can trace what context drove it), and abuse review (detecting prompt injection or attempts to extract data via the AI). Logs are retained for 90 days then aggregated + de-identified. Operators can request deletion of specific log entries via privacy@crewrun.ai.
Where AI is used in an automated decision-making capacity (auto-replies enabled in Workflows, automated booking confirmations, AI-recommended slot assignments), you have the right to request human review and meaningful explanation. This right is recognised under GDPR Art. 22 (EU/UK), the equivalent PDPA provisions (Singapore), the CCPA/CPRA's automated decision-making opt-out (California, taking effect with the CPPA's ADMT regulations), Québec Law 25 (Canada), and similar rules elsewhere. In practice, you control the auto-reply gate per intent in Workflows — turning auto-reply OFF moves every AI draft into the magic-wand review queue, restoring full human oversight.
10. Public API data exposure
CrewRun exposes a read-only public API (at /public/*) for partner integration, marketing-site embeds, and Meta tech-provider review. The endpoints return aggregate availability + non-identifying address-level data only.
The data exposed via the public API: business name + id, job counts grouped by area, postal codes + street address-line-1 of recent jobs, next-available appointment slots + nearest-team distances. The API NEVER returns customer names, phone numbers, email addresses, contract details, prices, internal team names, technician names, or any other personally-identifiable information.
Production deployments may gate the public API behind an API key (see /security). Rate limiting and abuse detection apply regardless of authentication state. We may revoke API access for any caller engaged in scraping, deanonymisation attempts, or denial-of-service.
11. International transfers
By default, your account data is stored in Singapore (Supabase ap-southeast-1). Enterprise customers can request regional data residency (EU-Frankfurt, US-East, Australia, etc.) — contact sales@crewrun.ai. Some sub-processors operate globally regardless of where your data lives: Stripe is based in the United States; Anthropic and OpenAI process AI requests in the United States; Cloudflare's network is global with regional caching; Google Maps' geocoding endpoints route to the nearest Google region.
Cross-border transfers are governed by appropriate safeguards depending on the source jurisdiction:
- EU / EEA / UK → outside the EEA: we use the EU Standard Contractual Clauses (Commission Decision 2021/914) plus the UK International Data Transfer Addendum, with supplementary measures where required by Schrems II.
- Singapore → outside Singapore: we rely on PDPA Section 26's transfer requirements — contractually-binding clauses with each recipient ensuring comparable protection.
- California → other US states / outside: contractual service-provider clauses under CCPA Cal. Civ. Code § 1798.140(ag).
- Canada → outside: PIPEDA accountability principle — we remain accountable for personal data transferred to processors abroad.
- Australia → outside: APP 8 cross-border disclosure — we take reasonable steps to ensure overseas recipients don't breach the APPs.
- Other jurisdictions: equivalent legally-binding transfer mechanisms, applied locally.
12. How long we keep personal data (retention)
We retain personal data only for as long as needed for the purpose it was collected, plus any period required by law (typically tax law).
- Account information: while your account is active and for 30 days after deletion (soft-delete window), then permanently deleted.
- Customer message content: same as account information. Messages older than 24 months are auto-archived to cold storage with reduced access. You can purge specific threads anytime.
- Billing records: retained for the longer of (a) 5 years after the last invoice — the global minimum, (b) the tax-record retention period your jurisdiction requires. Common ranges: Singapore 5 years, UK 6 years, US 7 years (IRS), Germany 10 years, France 10 years, Australia 5 years. We honour the longest applicable.
- Server logs: 90 days, then aggregated and de-identified.
- Backups: 30-day rolling retention, encrypted, regional secondary copy for disaster recovery only.
- Marketing analytics (aggregated): kept indefinitely as it cannot be re-identified.
13. Cookies and tracking technologies
On the marketing site (crewrun.ai), we use only first-party session cookies and a minimal preference cookie. We do not use Google Analytics, Facebook Pixel, or any third-party tracking on the marketing site.
On the dashboard (app.crewrun.ai), we use first-party cookies for sign-in (Firebase Auth), session management, and remembering your in-app preferences (theme, language, default views).
We honour Do Not Track (DNT) browser signals where technically possible. We do not respond to DNT for cookies that are strictly necessary for the service to function.
14. Marketing communications
We send three categories of email: (1) operational (billing, security, breach notification, account changes), (2) product updates and announcements, (3) occasional research and feedback invitations.
Operational emails cannot be opted out of while you have an active account, as they are essential to the service. Categories 2 and 3 can be turned off from Settings, Email preferences or via the unsubscribe link in every such email.
We do not send marketing emails to your customers. The messages your customers receive are sent on your behalf, in the conversations you control, never as CrewRun marketing.
15. Your rights
Under the major privacy regimes (GDPR / UK GDPR, PDPA, CCPA/CPRA, PIPEDA, Australian Privacy Act, LGPD, and similar laws elsewhere), you have the following rights with respect to your personal data. We honour all of them regardless of where you're based — even if your jurisdiction's law doesn't strictly require us to.
Request a copy of all personal data we hold about you. Self-service via Settings, Data export.
Receive your data in a structured, machine-readable format. JSON + CSV exports, anytime.
Update inaccurate or incomplete data. Most editable directly in the dashboard.
Delete your account and all associated data, honoured within 30 days.
Pause processing while a complaint or correction is being investigated. Contact privacy@crewrun.ai.
Object to processing based on legitimate interest, including marketing communications.
Where AI is used to make decisions affecting you, you can request human review and explanation.
16. How to exercise your rights
Most rights can be exercised directly from your CrewRun account: data export, correction, account deletion, marketing preferences. For anything beyond what the dashboard supports, email privacy@crewrun.ai.
We respond to most data subject requests within 7 calendar days. Complex requests may take up to 30 days, in which case we'll send an interim status update at day 7. If we need to verify your identity, we'll request reasonable proof before processing the request.
If you are an end-user (a customer of one of our customers) and want to exercise rights over data your service provider has stored in CrewRun, please contact your service provider directly. They are the data controller for that data; we act as their processor and can only act on their instructions.
17. Children's data
CrewRun is a business product not intended for personal use by children. We do not knowingly collect personal data from anyone under the age of 16. If you become aware that a child has provided personal data to CrewRun, please contact privacy@crewrun.ai and we will delete it within 7 days.
18. Security measures
We protect personal data with measures appropriate to the risk: AES-256 encryption at rest, TLS 1.3 in transit, multi-factor authentication available on all accounts, audit logs on all administrative actions, role-based access control internally, quarterly access reviews, annual third-party penetration testing.
Our infrastructure is hosted by default in Singapore (Supabase ap-southeast-1), with backups replicated to a secondary region for disaster recovery. Enterprise customers can request alternative regions (EU-Frankfurt, US-East, Australia, etc.). Production access is limited to a 2-person team with hardware-key 2FA and quarterly access review, regardless of region.
For full security details, see /security and /data-security.
19. Data breach notification
If we become aware of a personal data breach that affects your data, we commit to: (a) notify you by email within 72 hours of confirming the breach — meeting the tightest applicable window (GDPR Art. 33, UK GDPR, PDPA, CCPA, PIPEDA, Australian Privacy Act all converge around 72 hours), (b) explain clearly what data was affected and what we believe happened, (c) describe the steps we're taking to contain and remediate, (d) issue a post-incident report within 30 days of containment, (e) cooperate with your own breach-notification obligations to the relevant supervisory authority and to affected end-users where required by law.
We test our incident response plan annually with a tabletop exercise. The most senior available founder leads incident response.
20. Changes to this policy
We may update this Privacy Policy from time to time. Material changes (changes that expand the data we collect, change the lawful basis for processing, or affect your rights) require: (a) at least 14 days' email notice before they take effect, sent to all account holders, (b) a new 'Last updated' date at the top of this page, (c) a redline summary on request from privacy@crewrun.ai.
Continued use of CrewRun after the notice period means you accept the updated policy. If you do not agree, you can cancel your account before the change takes effect with no penalty and request a pro-rata refund of any prepaid period.
21. Complaints and supervisory authorities
If you believe we have processed your personal data in a way that breaches any applicable privacy law, you have the right to lodge a complaint with the relevant supervisory authority. The most common ones:
- Singapore — Personal Data Protection Commission (PDPC), https://www.pdpc.gov.sg
- European Union — your local Data Protection Authority. Full list at https://edpb.europa.eu/about-edpb/about-edpb/members_en
- United Kingdom — Information Commissioner's Office (ICO), https://ico.org.uk
- California — California Privacy Protection Agency (CPPA), https://cppa.ca.gov, plus the California Attorney General
- Other US states — your State Attorney General, plus the FTC for federal-level concerns at https://reportfraud.ftc.gov
- Canada — Office of the Privacy Commissioner of Canada (OPC), https://www.priv.gc.ca, or your provincial commissioner (e.g. Québec CAI, Alberta OIPC, BC OIPC)
- Australia — Office of the Australian Information Commissioner (OAIC), https://www.oaic.gov.au
- New Zealand — Office of the Privacy Commissioner, https://www.privacy.org.nz
- Brazil — Autoridade Nacional de Proteção de Dados (ANPD), https://www.gov.br/anpd
- Other jurisdictions — your country's data protection authority. If none exists, contact us and we'll help identify the right channel.
We'd appreciate the chance to address your concern first. Email privacy@crewrun.ai and we'll respond within 7 calendar days.
22. Contact us
All privacy-related questions, requests, and complaints can be sent to:
- Email: privacy@crewrun.ai
- Postal: CrewRun Pte. Ltd., Singapore. Full registered address available on request.
- Data Protection Officer: dpo@crewrun.ai (for formal DPO matters).
We aim to respond to every email within 1 business day and to formal data subject requests within 7 calendar days as described in section 16.