Who we are
For the purposes of the EU General Data Protection Regulation (GDPR), the UK GDPR, the Swiss Federal Act on Data Protection (FADP), and equivalent regimes worldwide, the data controller for personal data processed through the Criora platform is Criora, the organisation that operates the Service.
Where Criora processes personal data on behalf of a business customer (for example, end-user data your organisation uploads), Criora acts as a processor and the customer organisation is the controller. In that case our standard Data Processing Addendum applies; request a signed copy at [email protected].
Scope of this policy
This Privacy Policy applies to personal data we process when you visit our website, create a Criora account, use the Service, contact our team, or otherwise interact with us. It does not apply to third-party services that we link to; please consult their own privacy notices.
What data we collect
You provide directly
- Account data: name, work email, organisation name, preferred language. We do not store passwords; sign-in is verified via one-time codes sent to your email or via Google OAuth.
- Authentication data: OAuth identifiers from Google or other identity providers, where you choose social login.
- Sign-in audit log: for each successful sign-in we record the timestamp, authentication method (email PIN or OAuth provider), the email or provider account used, IP address, and User-Agent string. This is shown to you in your profile and used to detect suspicious activity.
- Billing data: billing email, VAT/tax identifier, country, plan tier. Card numbers are processed by our payment processor and never touch our servers.
- Project data: addresses, coordinates, project names, notes and uploaded files. Treat these as Customer Content under the Terms.
- Communications: messages, support tickets, survey responses.
Collected automatically
- Device & usage: browser, OS, screen size, device tier, language, anonymised IP, referring URL, in-product events (page views, feature usage, errors).
- Logs: technical logs needed to operate, secure and audit the Service. We minimise sensitive fields and rotate logs on a fixed schedule.
Received from third parties
- Identity providers: basic profile (name, email, avatar) when you sign in via Google.
- Geocoding & map services: coordinates and place metadata derived from addresses you enter, returned to your browser to render maps.
How we use it
- Provide the Service: authentication, scoring, layer rendering, report generation, billing.
- Communicate with you about service updates, security alerts and (where you've opted in) product news.
- Improve the Service through aggregated, de-identified analytics, measuring feature adoption, performance, and error rates.
- Maintain security: prevent fraud, abuse and unauthorised access, and respond to incidents.
- Comply with legal obligations including tax, accounting, sanctions, anti-money-laundering, and lawful requests from authorities.
We do not sell personal data, do not share it with advertising networks, and do not use Customer Content to train third-party generative-AI models.
Legal basis (GDPR)
Under GDPR Article 6, we rely on the following legal bases:
- Contract: to deliver the Service you've signed up for and to bill you (Art. 6(1)(b)).
- Legitimate interests: to secure the Service, prevent abuse, run aggregated analytics and protect our business (Art. 6(1)(f)). You may object at any time.
- Consent: for non-essential cookies, marketing emails, and any optional features that require it (Art. 6(1)(a)). You may withdraw at any time.
- Legal obligation: to retain billing records, respond to authorities, and comply with sanctions (Art. 6(1)(c)).
International transfers
Some of our sub-processors are located outside the European Economic Area, the United Kingdom or Switzerland. Where we transfer personal data outside these regions, we rely on appropriate safeguards under GDPR Chapter V, typically the European Commission's Standard Contractual Clauses (2021/914), the UK International Data Transfer Addendum, and (where applicable) adequacy decisions. Copies of the safeguards used for a specific transfer are available on request.
Retention
- Account data: retained while your account is active and for up to 24 months after closure (or longer where required for legal claims).
- Customer Content: retained while your account is active. Deleted within 30 days of account closure unless you export it first.
- Billing records: retained for the period required by tax law (typically 10 years in the EU).
- Logs: operational logs retained for up to 90 days; security audit logs for up to 12 months.
- Marketing consents: retained until you withdraw, then deleted within 30 days.
Security
We apply technical and organisational measures appropriate to the risk, including: encryption in transit (TLS 1.2+) and at rest, network segmentation, access control based on the principle of least privilege, regular dependency and container scanning, security headers and CSP at the edge, audit logging, and a documented incident-response procedure.
Authentication is passwordless: we do not store passwords, eliminating credential-theft and password-reuse risks entirely. Sign-in uses single-use, time-bound 6-digit codes delivered to your verified email, with strict rate limiting and lockout on repeated failures.
No system is perfectly secure. In the event of a personal-data breach likely to result in risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and affected users without undue delay, in line with GDPR Articles 33 and 34.
Your rights
Subject to applicable law, you have the right to: access your personal data; rectify inaccurate data; erase data ("right to be forgotten"); restrict or object to processing; portability of data you provided; and to withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise these rights, write to [email protected] from the email associated with your account. We respond within 30 days; we may extend by a further 60 days for complex requests, and we will tell you if we do.
If you believe we have not handled your data properly, you have the right to lodge a complaint with your local supervisory authority, for example, the Datenschutzkonferenz in Germany, the ICO in the United Kingdom, the FDPIC in Switzerland, or the relevant data protection authority in your country of residence.
California (CCPA / CPRA)
If you are a California resident, you have additional rights under the CCPA / CPRA:
- the right to know what personal information we have collected, used, disclosed and (where applicable) sold or shared;
- the right to delete personal information we collected from you, subject to legal exceptions;
- the right to correct inaccurate personal information;
- the right to limit use and disclosure of sensitive personal information;
- the right to opt out of the "sale" or "sharing" of personal information (Criora does not sell or share personal information for cross-context behavioural advertising);
- the right not to receive discriminatory treatment for exercising any of these rights.
Submit a verifiable consumer request to [email protected]. You may use an authorised agent; we will verify their authority.
Children
The Service is not directed to children under 16. We do not knowingly collect personal data from children under that age. If you believe a child has provided us with personal data, please contact [email protected] and we will delete it.
Automated decision-making
Criora produces risk scores using statistical and machine-learning models. These outputs are provided as decision support only and do not, in themselves, produce legal or similarly significant effects on you within the meaning of GDPR Article 22. Where you or your organisation use Criora outputs in an automated decision pipeline that would have such effects, you remain responsible for human oversight, fairness review and compliance with the EU AI Act and applicable sectoral law.
Changes to this policy
We may update this Privacy Policy as the Service or applicable law evolves. The "Effective" date at the top of this page reflects the latest revision. Material changes will be announced by email or in-product notice at least 30 days before they take effect.
Contact & complaints
Privacy questions, rights requests, security disclosures and other legal matters: [email protected].