Privacy Policy
Last updated: June 20, 2026
The short version
We collect what we need to run the product, respond to you, and improve this website. On crutan.com we do not load analytics or identify you until you give consent through our cookie banner, and if you consent, we may recognize your organization (from what you share, your email/website domain, and a reverse-IP lookup) and store it in our database. We never sell your personal information. You can change or withdraw your consent at any time using the Cookie settings link in the footer.
1. Who we are
This policy is issued by Crutan LLC("Crutan", "we", "us"), 228 Faulkner St, Liberty Hill, TX 78642, USA. For any privacy request or question, contact legal@crutan.com. Crutan is the data controller for this website and for our customers' account data; we are a data processor for the prospect data our customers put into the product (see section 8).
2. Scope
- This website (crutan.com): marketing site, demos, free tools, and lead forms.
- The product (app.crutan.com): the application our customers use to generate, host, and measure personalized pages.
- Generated pages: the per-prospect pages our customers create and send. Data on those pages is governed by the customer's privacy policy; we process it on their behalf under our DPA.
3. Information we collect on this website
- Information you give us: name, work email, company, website, role, team size, and message contents when you submit a form (demo, contact, trial start, free tools, quizzes).
- Analytics & personalization data (only with your consent): pages viewed, clicks, events, and an on-device journey profile stored in your browser, plus product analytics through PostHog and our own first-party event log. This powers the personalized experience the site demonstrates and helps us improve it.
- Identity & enrichment data (only with your separate consent): we associate the above with an identity. We derive your organization domain from your email or website, perform a reverse-IP company/organization lookup (via IPinfo), capture device context (browser, language, time zone, screen size, referrer, landing page, UTM parameters), and store this in our database to recognize you, personalize your experience, and follow up. We store a hashed version of your IP address, never the raw address.
- Standard logs & security data: IP address, user agent, and request metadata, used to operate, secure, and rate-limit the service and to prevent abuse. This is necessary to run the site and is not used to track you across other websites.
- Consent records: we log each consent choice you make (which categories, the method, time, and a hashed IP) so we can honor and demonstrate it.
4. Cookies, storage & consent
Until you choose, only strictly-necessary storage runs (including the cookie that records your consent choice). Analytics, on-device personalization, and identity enrichment are off by default and run only for the categories you accept. The full inventory, lifetimes, and how to clear or block each item is in our Cookie Policy. We honor Global Privacy Control and Do Not Track signals by defaulting optional categories to off.
5. How we use information
- To respond to your requests and provide and secure the product.
- To personalize this website and recognize returning or identified visitors (with consent).
- To understand and improve site and product performance (with consent).
- To contact you about your inquiry, trial, or account, and to send marketing you can opt out of (every email has an unsubscribe).
- To detect, prevent, and investigate fraud, abuse, and security incidents.
- To comply with law and enforce our Terms and Acceptable Use Policy.
6. Legal bases (GDPR / UK GDPR)
- Consent — analytics, personalization, identity enrichment, and marketing cookies on this site. You may withdraw it at any time.
- Contract — providing the product and account to customers.
- Legitimate interests — security, fraud prevention, basic server logging, and B2B relationship management, balanced against your rights.
- Legal obligation — tax, accounting, and responding to lawful requests.
7. AI processing
The product uses third-party large-language-model providers (Anthropic and OpenAI) to research companies from public sources and generate page copy. Inputs are limited to business context needed for the task; this data is not used by those providers to train their models under our agreements. Providers are listed on the Subprocessors page.
8. Product data (where we are a processor)
In the Crutan application, customers import prospect data to generate pages. The customer is the controller of that data; Crutan processes it solely to provide the service, with workspace isolation enforced at the database layer (row-level security). We process prospect records (names, work emails, companies, roles, domains, notes), research artifacts derived from public sources, and engagement events on generated pages (views, clicks, return visits, referrer, with IP addresses stored only as a salted hash). Our obligations are set out in the Data Processing Addendum. If you received a generated page and want to exercise rights, see Your Privacy Rights; we will route your request to the customer who controls that page.
9. Sharing & disclosure
We share personal information only with the service providers (subprocessors) that help us operate, each under a contract that limits their use of the data, listed on the Subprocessors page. We may also disclose information to comply with law, enforce our agreements, protect rights and safety, or in connection with a merger or acquisition (with notice). We do not sell personal information, and we do not share it for cross-context behavioral advertising as those terms are defined under U.S. state privacy laws.
10. International transfers
We operate primarily from the United States. Where personal data originating in the EEA, UK, or Switzerland is transferred to a country without an adequacy decision, we rely on the EU Standard Contractual Clauses (and the UK Addendum where applicable). See the DPA.
11. Retention
Lead and contact records: 24 months from last interaction. Analytics events and identity-enrichment records: 12 months. Consent logs: up to 24 months. Customer workspace data: the lifetime of the contract plus 30 days. Backups roll off within 35 days of deletion. We keep some records longer where law requires.
12. Your rights
Depending on where you live, you can request access, correction, deletion, portability, restriction, or objection, and withdraw consent at any time, without discrimination. One email does it: legal@crutan.com. The full process, including California (CCPA/CPRA) disclosures, is on the Your Privacy Rights page.
13. Children
Crutan is a business tool not directed to children. We do not knowingly collect personal information from anyone under 16. If you believe a child provided us information, email legal@crutan.com and we will delete it.
14. Changes
We will update this policy as the product evolves and post the new date above. For material changes we will provide reasonable notice and, where required, ask for renewed consent.
15. Contact
Crutan LLC, 228 Faulkner St, Liberty Hill, TX 78642, USA · legal@crutan.com.
Related policies
Terms of Service · Cookie Policy · Your Privacy Rights · DPA · Subprocessors · Acceptable Use