Privacy Policy

Last updated: 2026-04-21

This Privacy Policy explains how Crenel (the "Service") handles information about you. The Service is operated by Crenel FL LLC ("Crenel," "we," "us"), which is the data controller for the personal information processed through the Service, except where otherwise stated. We aim to collect the minimum data necessary to provide our crossposting and analytics features.

Information We Collect

  • Account information: email address, profile information from SSO providers (such as Google), and linked social media account identifiers and display names.
  • Linked account data: if you connect social accounts, we store account identifiers, display information, and encrypted authentication tokens to enable cross-platform functionality.
  • Content data: posts you create or that are detected from connected source platforms for crossposting.
  • Usage data: feature usage, post counts, service interaction logs.
  • Identity associations: publicly available handle and username information across connected platforms, used to facilitate cross-platform features such as mention resolution.
  • Service logs: basic technical logs and error reports to operate and secure the Service.
  • Reputation scores: scores retrieved from third-party providers such as Neynar and Ethos to display in your analytics dashboard. These scores are calculated by the respective providers based on their own methodologies.
  • Engagement data: likes, reposts, replies, and follower counts collected from your connected platforms to power engagement analytics and growth tracking.
  • Usage analytics: product analytics via PostHog (hosted in the EU) and error/performance monitoring via Sentry (EU) to understand how the Service is used, maintain reliability, and improve user experience.

How We Collect Information

  • Directly from you when you create an account, link social media platforms, or use Service features.
  • Automatically from connected third-party platforms when you enable crossposting features.
  • From publicly available third-party platform data to support cross-platform features such as mention resolution.
  • From infrastructure providers for runtime logs and performance metrics.
  • Through PostHog analytics (hosted in the EU) and Sentry monitoring (EU) to collect usage, error, and performance data and improve the Service.

Linked Social Accounts

When you link a social account:

  • We store account identifiers and display information to identify the linked account.
  • Authentication tokens are encrypted before storage and used only to act on your behalf as you direct.
  • We only request permissions necessary to provide the features you use.
  • When crossposting is enabled, the Service monitors your connected source accounts for new public posts and republishes content to your designated destinations on your behalf.
  • You can disconnect linked accounts at any time through Settings.

Cookies and Similar Technologies

We use a session cookie to keep you signed in on the web. This cookie is HttpOnly and set with security attributes where supported. You can delete it by logging out or clearing your browser cookies.

Our product analytics provider (PostHog) may set cookies or use local storage to assign a device or session identifier, so we can understand aggregate usage patterns and detect errors. Our error and performance monitoring provider (Sentry) may use local storage to correlate errors across a session. We do not use third-party advertising cookies.

How We Use Information

  • Provide and operate the Service, including crossposting and analytics features.
  • Authenticate you and secure your account.
  • Adapt content for compatibility with destination platforms.
  • Resolve user references across platforms using publicly available information.
  • Analyze usage to improve the Service.
  • Monitor performance and diagnose issues.
  • Communicate with you about the Service when needed.

Legal Bases for Processing (EEA, UK, and Switzerland)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR or UK GDPR to process your personal information:

  • Performance of a contract (Art. 6(1)(b)): to create and maintain your account, deliver the crossposting and analytics features you request, and act on your behalf on connected platforms.
  • Legitimate interests (Art. 6(1)(f)): to secure the Service, prevent abuse, measure and improve product quality via analytics and error monitoring, and communicate about the Service. We balance these interests against your rights and freedoms.
  • Consent (Art. 6(1)(a)): where required by applicable law, for optional analytics cookies and for any marketing communications. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
  • Legal obligation (Art. 6(1)(c)): to comply with applicable laws, respond to lawful requests from authorities, and enforce our Terms.

How We Share Information

We do not sell your personal information. We share information only as necessary to operate the Service:

  • Connected third-party platforms: when crossposting is enabled, your content (including text, media, and mentions) is sent to connected destination platforms as directed by your configuration.
  • Service providers: third-party providers for infrastructure, core functionality, and platform integrations as necessary to deliver features you use, including PostHog for product analytics (hosted in the EU), Sentry for error and performance monitoring (EU), and reputation score providers such as Neynar and Ethos.
  • Legal and safety: when required by law or to protect rights, safety, and security.

Subprocessors

We engage the following third-party service providers ("subprocessors") to help us operate the Service. Each is contractually required to protect your information and may only process it for the purposes described below:

  • Supabase — database, authentication, and storage infrastructure (United States).
  • Railway — application hosting and request logs (United States).
  • PostHog — product analytics (European Union).
  • Sentry — error and performance monitoring (European Union).
  • Neynar — Farcaster data and identity resolution (United States).
  • Ethos — reputation scoring (United States).
  • Connected social platforms — Farcaster, X (Twitter), Mastodon, and Bluesky, to deliver crossposting features you configure.
  • SSO providers — such as Google, when you choose to sign in using their service.

We may update this list from time to time. Material changes will be reflected in the "Last updated" date above.

Crossposting Data

When you enable crossposting, the Service processes content from your connected source platforms and republishes it to your designated destinations. Content may be adapted for platform compatibility. The Service retains crossposting activity records while your account is active. Operational logs are retained for a limited period for security and debugging purposes and are automatically purged.

Analytics and Reputation Data

The Service collects and displays analytics data including follower counts, engagement metrics (likes, reposts, replies), and reputation scores from third-party providers. Shareable image snapshots of your analytics data may be generated at your request and stored temporarily to facilitate sharing. Reputation scores are retrieved from providers such as Neynar and Ethos and are subject to those providers' data practices. The Service does not share your personal data with reputation score providers beyond what is necessary to retrieve your scores.

Cross-Platform Identity Data

The Service may associate your usernames across connected platforms to facilitate cross-platform features such as mention resolution. These associations are derived from your account connections and publicly available information. You may request deletion of these associations at any time by contacting us.

Data Retention

We retain personal information only for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements:

  • Account and profile data: retained while your account is active. When you delete your account, this data is removed immediately from production systems; encrypted backups are purged on their normal rotation (up to 30 days).
  • Crossposting configurations and activity logs: retained while your account is active and deleted with the account.
  • Authentication tokens: retained while the linked account is connected; deleted when you disconnect the account or delete your account.
  • Session data: deleted when you sign out, or automatically expired per our session configuration.
  • Operational and security logs (Sentry, Railway, Supabase): retained for up to 90 days for security, debugging, and abuse prevention, then automatically purged.
  • Product analytics (PostHog): event-level data retained for up to 12 months; aggregated, non-identifying metrics may be retained longer.
  • Legal-hold data: where we are legally required to retain information (e.g., for tax, accounting, or law-enforcement requests), we retain it for the period required by applicable law.

Content you have posted to third-party platforms through the Service remains on those platforms and is subject to their own policies; we cannot delete it on your behalf.

Data Security

We take reasonable administrative, technical, and organizational measures to protect personal information, including encrypting authentication tokens at rest, using HTTPS in transit, applying least-privilege access controls, and monitoring for unauthorized activity. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

If we become aware of a security incident involving unauthorized access, use, or disclosure of your personal information, we will notify you and any applicable regulators without undue delay and in accordance with applicable law (including GDPR Art. 33–34 and state data-breach notification statutes).

Your Privacy Rights

You can exercise the following controls directly in the Service:

  • Delete your account at any time from Settings. Account deletion is self-serve, immediate, and irrevocable — it removes your profile, linked social accounts, encrypted authentication tokens, crossposting configurations and logs, session data, and cross-platform identity associations from our production systems. Encrypted backups are purged on their normal rotation.
  • Log out to clear your session on the device.
  • Disable crossposting for any or all connected platforms at any time.
  • Disconnect linked social accounts through Settings.
  • Manage email communication preferences.

Subject to applicable law, you also have the following rights. To exercise any of these, email privacy@crenel.xyz from the address associated with your account:

  • Access: request a copy of the personal information we hold about you.
  • Rectification: correct inaccurate or incomplete information.
  • Erasure: request deletion of your information (you can also do this yourself via Settings).
  • Portability: receive your information in a structured, commonly used, machine-readable format.
  • Restriction: ask us to restrict processing of your information.
  • Objection: object to processing based on legitimate interests, including for analytics.
  • Withdraw consent: where processing is based on consent, you may withdraw it at any time.
  • Lodge a complaint: if you are in the EEA, UK, or Switzerland, you have the right to lodge a complaint with your local data protection supervisory authority.

We will respond to verified requests within the timeframe required by applicable law (generally within 30 days for GDPR and 45 days for CCPA, extendable where permitted). We may need to verify your identity before acting on a request. We will not discriminate against you for exercising your rights.

California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you specific rights regarding your personal information. In addition to the rights listed above (access, correction, deletion, portability), you have the right to know what categories of personal information we collect, the sources, purposes, and categories of recipients, and the right to opt out of "sale" or "sharing" as defined by California law.

We do not sell your personal information, and we do not "share" it for cross-context behavioral advertising. We have not done so in the preceding 12 months.

Categories of personal information we collect: identifiers (email address, social-platform identifiers, device identifiers), internet activity (usage and interaction logs), and inferences drawn from public profile data (e.g., cross-platform identity associations). We do not knowingly collect sensitive personal information, biometrics, or precise geolocation.

Sources and purposes are described in the "Information We Collect," "How We Collect Information," and "How We Use Information" sections above. Categories of recipients are described in "How We Share Information" and "Subprocessors."

To exercise your California rights, email privacy@crenel.xyz. You may designate an authorized agent to submit requests on your behalf; we may require verification of the agent's authority. We will not discriminate against you for exercising your rights.

International Data Transfers

Crenel FL LLC is based in the United States. When you use the Service, your personal information may be transferred to, stored in, and processed in the United States or other countries where our subprocessors operate (see "Subprocessors" above). Some of these countries may not provide the same level of data protection as your country of residence.

Where we transfer personal information of individuals in the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, we rely on appropriate safeguards required by applicable law, including the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement or UK Addendum, and, where applicable, participation in the EU–U.S. Data Privacy Framework and its UK and Swiss extensions. You may request a copy of the relevant transfer mechanism by emailing privacy@crenel.xyz.

Minors

The Service is intended for users aged 18 and older. We do not knowingly collect personal information from anyone under 18, and the Service is not directed to children.

If we learn that we have collected personal information from a person under 18, we will delete it as soon as reasonably possible. If you believe a minor has provided us with personal information, please email privacy@crenel.xyz.

Changes to This Policy

We may update this Privacy Policy from time to time. If changes are material, we will take reasonable steps to provide notice, such as updating the date above or notifying you within the app.

Contact

Questions about privacy? Email privacy@crenel.xyz.