Privacy Policy
Effective date: May 18, 2026
This Privacy Policy explains how CrystalSpec, provided by ORGANIZING GROUP SRL, a Romanian limited liability company, registered with the Romanian Trade Registry under no. J22/1300/2015, having CUI/CIF 34809309 and VAT ID RO34809309, with registered office at Str. Mihail Sadoveanu 44, Valea Ursului, Iași, Romania, collects and uses personal data when you visit https://crystalspec.com or use the CrystalSpec application.
For account registration, billing, service administration, security, support, website, and our own service analytics, ORGANIZING GROUP SRL acts as controller. For Customer Content processed inside a workspace on behalf of a customer organization, that organization is normally the controller and CrystalSpec acts as processor, processing Customer Content only to provide and secure the service, on the customer's documented instructions, subject to the applicable Data Processing Agreement. Customers are responsible for ensuring they have a lawful basis for personal data they upload or submit to CrystalSpec.
1. Data We Collect
- Account data: name, email address, password authentication data, avatar or profile details, account status, and role.
- Social login data: provider, provider account ID, email, and profile details returned by the provider, if you use social login.
- Organization data: team/workspace name, owner/admin/member roles, invitations, subscription tier, quota usage, and audit/security events.
- Workspace and project data: team memberships, permissions, invitations, project structures, specifications, resources, comments, files, prompts, AI responses, and proposed actions.
- Billing data: customer identifiers, subscription status, invoices, plan selections, payment metadata, tax-related details, and payment provider references. We do not store full payment card numbers.
- Usage and diagnostic data: log data, IP address, browser/device information, timestamps, feature usage, error reports, security events, and AI token or quota usage.
- Communications: support requests, transactional emails, notices, feedback, and other messages you send us.
- Cookies and similar technologies: information described in our Cookie Policy.
2. How We Use Data
- provide, operate, secure, and maintain CrystalSpec;
- authenticate users, manage teams and permissions, and prevent unauthorized access;
- process subscriptions, payments, invoices, refunds, credits, and tax records;
- provide AI features, including generating responses and proposed project actions;
- send service emails, invites, security notices, billing notices, and support replies;
- monitor reliability, debug errors, prevent abuse, and improve the product;
- comply with legal obligations and enforce our terms.
3. Legal Bases Under GDPR
- Contract: account creation and authentication, team membership, core workspace features, subscriptions, and AI features requested by users.
- Processor processing: Customer Content processed under the customer organization's documented instructions where the organization is the controller.
- Legitimate interests: security, abuse prevention, debugging, service reliability, product improvement using limited telemetry, and service-related communications, where those interests are not overridden by your rights.
- Consent: optional analytics or marketing cookies, marketing emails, and other processing where consent is requested.
- Legal obligation: billing, accounting, tax records, sanctions checks, compliance, and lawful requests.
4. AI Providers and Customer Content
CrystalSpec currently uses OpenRouter for AI API access and may add or replace AI providers over time. When you use AI features, we send the relevant prompts, chat history, project/workspace context, and requested structured-output schema to the AI provider so the feature can respond. Depending on the selected model, the AI provider may route requests to underlying model operators. We do not use Customer Content to train CrystalSpec-owned models unless we separately state this and obtain any required rights or consent. Provider training, retention, and abuse-monitoring handling are governed by the applicable provider terms/DPA and our subprocessor list.
You should not submit sensitive personal data, special category data, secrets, credentials, or content you are not authorized to process through AI features.
5. Sharing Data
We share personal data only as needed to operate CrystalSpec, comply with law, or protect rights and safety. Recipients may include:
- hosting, database, infrastructure, logging, and security providers;
- Stripe or other payment processors for billing and payment handling;
- email and notification providers for transactional messages;
- storage providers for uploaded files and backups;
- AI model/API providers for AI features you use;
- professional advisers, authorities, or courts where legally necessary.
We do not sell personal data.
6. Subprocessors
We use subprocessors to provide hosting, storage, email, payments, logging/security, support, analytics if enabled, and AI functionality. A current subprocessor list, including provider name, purpose, location, and transfer mechanism, is available on request at support@crystalspec.com. For business customers, our DPA governs processor/subprocessor terms. We will provide notice of material subprocessor changes where required by the DPA or applicable law.
7. International Transfers
Some providers may process data outside Romania or the European Economic Area. Where providers or their subprocessors process data outside the EEA, we rely on adequacy decisions, the EU Standard Contractual Clauses, and supplementary measures where appropriate. For AI providers, model routing may involve onward transfers as described in the subprocessor list.
8. Retention
We keep personal data only as long as needed for the purposes described in this Policy. Account and workspace data is retained while the account or workspace is active and is then deleted or anonymized within 90 days after verified deletion, unless we must retain it for legal, security, billing, dispute, or backup reasons. Backups are overwritten or deleted within 90 days. Security logs are typically retained for up to 12 months unless needed for investigation. Billing, invoice, and tax/accounting records are retained for the period required by Romanian and EU law.
9. Security
We use technical and organizational measures designed to protect personal data, including access controls, transport encryption, password hashing, role-based permissions, and operational monitoring. No service can be guaranteed perfectly secure, so you should use strong passwords and protect your account credentials.
10. Your Rights
Subject to legal conditions and limits, you may have the right to access, correct, delete, restrict, or receive a copy of your personal data, object to certain processing, and withdraw consent where processing is based on consent. To exercise rights, contact support@crystalspec.com.
We will respond to GDPR rights requests within one month unless an extension is permitted by GDPR. Where we process Customer Content as processor, we may refer the request to the relevant customer/controller or assist them in responding.
You also have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP), B-dul G-ral Gheorghe Magheru nr. 28-30, Sector 1, Bucharest 010336, Romania; email: anspdcp@dataprotection.ro; website: www.dataprotection.ro.
11. Children
CrystalSpec is not directed to children under 16, and we do not knowingly collect personal data from children under 16.
12. Data Protection Officer
We have not appointed a Data Protection Officer because we do not currently consider one mandatory for CrystalSpec. Privacy requests can be sent to support@crystalspec.com.
13. Changes
We may update this Privacy Policy from time to time. We will post the updated version in the service and update the effective date when appropriate.
14. Contact
Data controller: ORGANIZING GROUP SRL, a Romanian limited liability company, registered with the Romanian Trade Registry under no. J22/1300/2015, having CUI/CIF 34809309 and VAT ID RO34809309, with registered office at Str. Mihail Sadoveanu 44, Valea Ursului, Iași, Romania.
Privacy contact: support@crystalspec.com.