Privacy Policy
Reviewed by crematic editorial team · Last updated: March 5, 2026
Who we are
crematic is the data controller (or equivalent business entity under applicable privacy laws) for personal data processed through this website and application. The service is designed for U.S.-based business use. For privacy inquiries, rights requests, or notices, use our contact page and select the privacy topic.
What we collect
We collect account details, usage events, and documents you upload to generate underwriting outputs and investment memos. We also store billing and subscription metadata needed to run your account.
Uploaded deal files may include operating statements, rent rolls, broker narratives, and other supporting attachments. We process this information only to provide requested product functionality, including extraction, modeling, memo drafting, and audit traces for your team.
Data categories may include identifiers (for example name and email), professional information, device and usage data, billing metadata, integration credentials, and customer-uploaded business documents.
How and why we process data
We use your data to operate the product, improve reliability, generate requested outputs, and provide support. We do not sell your data.
Product telemetry is used to diagnose failures, monitor uptime, enforce rate limits, and protect account integrity. We do not use customer deal files for advertising, and we do not share deal content with third parties except when required to execute features you explicitly trigger.
Where required by law, our legal bases for processing include: providing requested services, business operations and security, legal obligations, and consent where required.
Categories of sources and disclosures
We collect personal data from you directly, from authorized users in your workspace, from connected integrations you enable, and from automated telemetry generated by your use of the service.
We disclose data to service providers and subprocessors that support hosting, billing, analytics, customer support, and integrations. Where required, we also disclose data for legal compliance, fraud prevention, or protection of rights and safety.
We do not sell personal information. We also do not share personal information for cross-context behavioral advertising.
Security
We apply encryption in transit and at rest, role-based access controls, and audit logging on key account events.
Access to production infrastructure is restricted to authorized operators. Critical actions such as role changes, integrations, and billing updates are recorded in immutable logs to support governance and compliance workflows.
Retention and deletion
We retain account data while your subscription is active and for defined periods afterward based on data category and legal requirements.
Typical retention periods: account and workspace profile data up to 24 months after account closure; billing and transaction records up to 7 years where required; security logs up to 24 months; and customer-uploaded files and generated outputs according to your plan configuration and deletion requests. We may retain limited data longer when required by law, to resolve disputes, or to enforce agreements.
You may request deletion of workspace data according to applicable law and contractual terms. We will notify relevant processors and subprocessors where deletion is required.
Data location and transfers
We primarily process and store customer data in the United States. If a service provider processes data outside the U.S., we use contractual and security safeguards appropriate to the data and use case.
Subprocessors and integrations
When you enable integrations such as Google Workspace or Salesforce, we process only the scopes required to fulfill those actions. OAuth tokens and integration metadata are handled using application security controls and can be revoked at any time from settings.
Your privacy rights
Depending on your location, you may have rights to access, correct, delete, export, or object to certain processing of your personal data. You may also have rights to limit use of sensitive personal information and to appeal privacy request decisions where required by law.
California residents may exercise rights under the CCPA/CPRA, including the rights to know, delete, and correct, and the right to non-discrimination. Requests are generally fulfilled within 45 days, with extension where permitted by law.
Residents of other U.S. states with applicable privacy laws may also have rights such as access, deletion, correction, portability, and appeal of certain request decisions. We process and respond to those requests according to applicable state timelines and exceptions.
How to submit and verify requests
To submit a request, use our contact page and select the privacy topic. We may verify your identity before processing certain requests and may request additional information solely for verification and fraud prevention.
Incident response and notifications
We maintain operational procedures for security events, including triage, containment, recovery, and post-incident review. When an event materially affects customer data, we provide notice according to contractual and legal requirements, including known impact scope and next actions.
Security updates may include temporary access restrictions, forced credential resets, or integration token rotation to protect your workspace. We document relevant incident actions in audit trails so firms can support internal governance reviews.
Children's privacy
The service is intended for business users and is not directed to children under 16. If you believe personal data from a child has been provided to us in error, contact us so we can investigate and delete data as required.
Policy changes
We may update this policy to reflect product, legal, or regulatory changes. We will update the date shown on this page and provide additional notice when required by law or contract.
Contact
For privacy requests, data access inquiries, or deletion requests, use the contact page and select the privacy topic.