Privacy Policy
Last updated: March 1, 2026
This Privacy Policy describes how Nextcrafter Labs (OPC) Private Limited, a company incorporated under the laws of India, operating Craft at craft.fast ("Craft," "we," "us," or "our") collects, uses, shares, and protects your personal information when you use our AI-powered development platform and related services. We are committed to protecting your privacy and handling your data in a transparent, lawful, and secure manner.
1. Information We Collect
1.1 Information You Provide Directly
- Account Information: Email address, username, and password when you create an account, or profile data from Google or GitHub when you authenticate via OAuth.
- Payment Information: Billing name, billing address, and payment method details. Payment card information is processed and stored securely by our payment processor, Dodo Payments — we do not store complete card numbers on our servers.
- Profile Information: Optional data such as display name, profile picture, and preferences.
- Communications: Information you provide when contacting our support team, submitting feedback, or participating in surveys.
- Environment Variables: API keys and secrets you configure for your projects, which are encrypted at rest using AES-256 encryption.
1.2 Information Generated Through Your Use
- Projects and Code: All code, files, configurations, and assets you create, upload, or generate through the platform.
- AI Prompts and Conversations: Your interactions with our AI assistant, including prompts, instructions, and the AI-generated responses.
- User Memory: Context and preferences stored to provide better AI assistance across sessions.
1.3 Information Collected Automatically
- Usage Data: Features used, projects created, pages visited, actions taken, and time spent on the platform.
- Device Information: IP address, browser type and version, operating system, device identifiers, screen resolution, and language preferences.
- Log Data: Server logs, error reports, performance data, and diagnostic information.
- Cookies and Similar Technologies: We use essential cookies for authentication and session management, and analytics cookies to understand usage patterns. See Section 7 for details.
1.4 Information from Third-Party Integrations
- GitHub: Repository metadata, file contents (when you import a project), and profile information (when you authenticate via GitHub).
- Figma: Design file data accessed via Figma's API when you use the design import feature.
- Google: Basic profile information (name, email, avatar) when you authenticate via Google OAuth.
2. How We Use Your Information
2.1 To Provide and Operate the Services
- Create and manage your Account, authenticate sessions, and enforce security
- Execute AI code generation, sandbox environments, database provisioning, deployments, and email delivery
- Process payments, track credit balances, and manage subscriptions via Dodo Payments
- Facilitate integrations with GitHub, Figma, Vercel, and other third-party services
2.2 To Improve and Personalise
- Analyse usage patterns and performance metrics to improve platform reliability and features
- Store AI conversation context (User Memory) to provide more relevant and accurate assistance
- Customise your experience based on your preferences and usage history
2.3 For AI Model Improvement
- Your prompts and AI interactions may be used to improve AI quality and platform features using privacy-preserving techniques (e.g., aggregation, anonymisation)
- We do not sell your prompts or code to third-party AI providers for their model training
- Enterprise customers may opt out of AI data usage entirely under their Enterprise Agreement
2.4 For Communication
- Send transactional emails: account verification, password resets, billing receipts, security alerts
- Notify you of service updates, maintenance windows, policy changes, and new features
- Send marketing communications (with your consent; you may opt out at any time)
2.5 For Security and Legal Compliance
- Detect, prevent, and respond to fraud, abuse, security incidents, and technical issues
- Enforce our Terms of Service and Acceptable Use Policy
- Comply with applicable legal obligations, regulatory requirements, and lawful requests
3. Legal Bases for Processing (GDPR/DPDPA)
Where applicable data protection law requires a legal basis, we process your personal data on the following grounds:
- Contract Performance: Processing necessary to provide the Services you have requested (account management, code execution, billing).
- Legitimate Interests: Improving our platform, preventing fraud, ensuring security, and analytics — balanced against your privacy rights.
- Consent: Marketing communications, optional analytics, and AI training where consent is specifically obtained.
- Legal Obligation: Tax record keeping, fraud prevention, and responding to lawful requests from authorities.
4. How We Share Your Information
We do not sell your personal information. We share data only in the following circumstances:
4.1 Service Providers and Infrastructure Partners
- Dodo Payments: Payment processing, billing, and tax compliance
- E2B: Sandbox compute — your code is executed in isolated E2B environments
- Neon: Managed PostgreSQL databases for your applications
- Vercel: Platform hosting and production deployments for your projects
- Cloudflare R2: Object storage for project files and backups
- Resend: Transactional email delivery (OTP codes, password resets, project emails)
- Upstash: Redis for rate limiting, distributed locks, and caching (no personal data stored)
- AI Model Providers (Anthropic, OpenAI, Google, xAI): Your prompts are sent to these providers for AI processing; each provider has its own data handling policies
- PostHog: Product analytics and LLM performance tracing
- Vercel Analytics & Speed Insights: Anonymised web performance and usage metrics
4.2 Legal Requirements
We may disclose your information when required by law, regulation, subpoena, court order, or other legal process, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
4.3 Business Transfers
In the event of a merger, acquisition, reorganisation, bankruptcy, or sale of all or a portion of our assets, your information may be transferred to the successor entity. We will notify you of any such transfer and any choices you may have regarding your information.
4.4 With Your Consent
We may share your information with third parties when you explicitly consent or direct us to do so (e.g., connecting a GitHub or Figma integration).
4.5 Public Content
If you publish a project or deploy an application, the associated code and content will be accessible to anyone with the deployment URL. You control what you publish.
5. Data Retention
We retain your data only for as long as necessary to fulfil the purposes described in this policy:
| Data Category | Retention Period |
|---|---|
| Account data | While your account is active + 30 days after deletion request |
| Projects and code | Until you delete them or close your account |
| AI conversations | Retained for service improvement; may be anonymised and aggregated over time |
| Payment records | 7 years (tax/accounting compliance) |
| Security event logs | 12 months |
| Analytics data | Aggregated and anonymised; retained indefinitely |
| Server logs | 90 days |
When you delete your Account, we initiate deletion of your personal data within 30 days. Some data may be retained longer where required by law, for legitimate business purposes (e.g., fraud prevention), or where technically infeasible to delete immediately (e.g., data in backups that are overwritten on a rolling basis).
6. Data Security
We implement industry-standard technical and organisational measures to protect your information:
- Encryption: TLS/SSL for data in transit; AES-256 for sensitive data at rest (environment variables, secrets)
- Authentication: Secure password hashing, optional TOTP two-factor authentication, OAuth 2.0 for third-party login
- Access Controls: Least-privilege principles, role-based access, and regular access reviews
- Infrastructure: Isolated sandbox environments, network segmentation, and firewalled databases
- Monitoring: Security event logging, anomaly detection, and incident response procedures
- Rate Limiting: Protection against brute-force attacks and abuse
While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security and encourage you to use strong, unique passwords and enable two-factor authentication.
7. Cookies and Tracking Technologies
7.1 Types of Cookies We Use
- Essential Cookies: Required for authentication, session management, and security. These cannot be disabled.
- Analytics Cookies: Used by Vercel Analytics, Speed Insights, and PostHog to understand usage patterns and improve performance. These can be controlled via your browser settings.
7.2 Managing Cookies
You can control cookies through your browser settings. Disabling essential cookies may prevent you from using the Services. Disabling analytics cookies will not affect your access to the platform.
8. Your Rights and Choices
8.1 All Users
- Access: View and download your personal data, projects, and code through your Account dashboard
- Correction: Update your Account information and profile at any time
- Deletion: Delete individual projects or your entire Account via settings, or contact privacy@craft.fast
- Marketing Opt-Out: Unsubscribe from promotional emails using the link in each message
- Cookie Preferences: Control non-essential cookies through your browser settings
8.2 Rights Under GDPR (EU/EEA Residents)
If you are located in the European Union or European Economic Area, you have the following additional rights:
- Right of Access: Obtain confirmation of whether we process your data and receive a copy
- Right to Rectification: Request correction of inaccurate personal data
- Right to Erasure: Request deletion of your personal data ("right to be forgotten")
- Right to Restriction: Request restriction of processing in certain circumstances
- Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format
- Right to Object: Object to processing based on legitimate interests, including profiling
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
- Right to Lodge a Complaint: File a complaint with your local data protection supervisory authority
8.3 Rights Under CCPA (California Residents)
- Right to Know: Request information about the categories and specific pieces of personal information we collect
- Right to Delete: Request deletion of personal information we have collected
- Right to Opt-Out: We do not sell personal information as defined by the CCPA
- Non-Discrimination: We will not discriminate against you for exercising your privacy rights
8.4 Rights Under DPDPA (India Residents)
- Right to Information: Obtain a summary of your personal data being processed and processing activities
- Right to Correction and Erasure: Request correction of inaccurate data or erasure of data no longer necessary
- Right to Grievance Redressal: You may raise grievances with our Data Protection Officer at dpo@craft.fast
- Right to Nominate: Nominate any other individual to exercise your rights in case of death or incapacity
8.5 Exercising Your Rights
To exercise any of these rights, contact us at privacy@craft.fast. We will respond within 30 days (or the timeframe required by applicable law). We may need to verify your identity before processing your request.
9. Children's Privacy
Craft is not directed to children under 13 years of age (or 16 in the EU/EEA). We do not knowingly collect personal information from children below these age thresholds. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@craft.fast. We will promptly investigate and delete any such information.
10. International Data Transfers
Craft is operated from India and uses infrastructure providers located in various countries, including the United States and the European Union. Your information may be transferred to and processed in countries with different data protection laws than your country of residence.
Where such transfers occur, we use appropriate safeguards to protect your data, including Standard Contractual Clauses (SCCs) approved by the European Commission, data processing agreements with our service providers, and compliance with applicable data transfer frameworks.
11. AI-Specific Privacy Considerations
11.1 How AI Processes Your Data
- Your prompts are sent to third-party AI model providers (Anthropic, OpenAI, Google, xAI) through our AI Gateway for processing
- Each AI provider processes your prompts according to their own privacy policies and data handling agreements
- We store your AI conversation history to provide continuity within projects
11.2 AI Training and Improvement
- We may use anonymised and aggregated interaction patterns to improve platform features and AI quality
- We do not use your code or project files to train third-party AI models
- Enterprise customers can fully opt out of any AI data usage under their Enterprise Agreement
11.3 Recommendations
- Do not include passwords, API keys, personal identification numbers, or other sensitive credentials in your AI prompts
- Avoid sharing personal data of third parties in prompts
- Review AI-generated code for any inadvertently included sensitive information before deploying
12. Third-Party Links and Services
Our platform may contain links to third-party websites and integrates with external services. We are not responsible for the privacy practices, content, or security of third-party services. We encourage you to review their privacy policies before providing them with your information.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make changes, we will:
- Update the "Last updated" date at the top of this page
- Notify you by email for material changes at least 30 days before they take effect
- Post the revised policy on our website
Your continued use of Craft after the effective date constitutes acceptance of the updated Privacy Policy.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Nextcrafter Labs (OPC) Private Limited
Bangalore, Karnataka, India
Operating: craft.fast
Privacy: privacy@craft.fast
Data Protection Officer: dpo@craft.fast
Support: support@craft.fast