CRAge Privacy Policy

At Naibu LLC, we treat your business data with the highest level of respect. Our product, CRAge, is designed to democratize knowledge within your organization and act as an intelligent co-pilot for your CRM data. To do that effectively, we process data, but we are committed to doing so transparently and securely.

For the purposes of data protection laws including the GDPR, Naibu LLC (''We'', or ''Us'') is the data controller of your personal data. Our registered address is: 402 San Francisco Blvd, 94960 San Anselmo, CA USA.

The CRAge Platform (or Platform) is an AI-powered co-pilot designed to democratize knowledge within your organization and act as an intelligent interface for your MethodCRM data. It allows you to converse with your data and internal knowledge base using natural language.

• Conversing with your Data: CRAge allows you to ask natural language questions about your business data. We use artificial intelligence (Google Gemini) to interpret your questions and fetch answers.
• CRM Integration: By adding your API key, CRAge connects to MethodCRM to answer questions based on your live customer and business data. It also allows CRAge to store data to your MethodCRM if you ask it to do so. CRAge will always ask before storing data and provide an overview of the data to be stored. CRAge cannot delete your data from MethodCRM.
• Knowledge Base: You can upload documents (PDFs, CSVs, Word docs, etc.) which we process and embed, allowing the AI to answer questions based on your internal files.

Our Policy covers the usage of the CRAge web application available at https://crage.me.

We try to limit our collection of data as much as possible, focusing on what is needed to provide accurate AI responses and manage your business subscription.

Information you voluntarily provide to Us:

Account Information	Company Information
Email Address	Company Name
First Name & Last Name	Company Description
Password (Hashed)	Company Website

Information collected through your use of the Platform:

Category	Description
MethodCRM Integration Data	API Keys: You provide MethodCRM API keys to enable the integration. These are stored using strict encryption. Read & Write Operations: Depending on your subscription tier, we process data retrieved from your CRM and transmit data to your CRM (e.g., updating records) based on your explicit instructions. Metadata: We sync table names and field structures (schema) from MethodCRM so our agents know how to query your data. We do not mirror your entire CRM database; we fetch specific data on-demand to answer user queries.
Knowledge Base	Documents you upload (PDF, Word, CSV, PPT, Images, Audio). These are processed, embedded (converted to vector representations), and stored to enable the AI to search your knowledge base. Note: You are responsible for ensuring you have the right to upload this content. We process these files to generate embeddings for AI search.
Chat & Interaction Logs	We store the chat messages exchanged between you and CRAge. This includes the questions you ask and the answers the AI provides.
Payment Information	We use Stripe as our Payment Processor. We collect information regarding the status of your subscription and transaction dates. We do not collect or store your credit card number.
Technical Data	IP address, browser type, device type, and information about how you interact with the interface.

Information about users in your organization:
Since CRAge supports multi-tenancy, if you are an administrator adding users to your company workspace, we collect the email addresses and names of those team members to create their accounts.

We do not process personal data of individuals who are younger than 16 years of age.

We will use information listed in section 3 for the following reasons:

• To provide the Service: Allowing you to log in, connecting to MethodCRM via the API key provided, and processing your natural language queries.
• To answer your questions (RAG): We use "Retrieval Augmented Generation." When you ask a question, we fetch relevant data from your MethodCRM or your uploaded Knowledge Base to construct an answer using AI models.
• To execute your commands: If your subscription tier allows, we use your API credentials to create or update records within your MethodCRM account upon your confirmation.
• To provide Technical Support: Our support engineers may access your account logs or metadata to resolve specific tickets you submit or to fix critical system bugs.
• To improve AI accuracy: We use observability tools (like LangSmith) to monitor the performance of our agents, debug errors, and ensure the AI is fetching the correct data structures.
• To communicate with you: We use SendGrid to send system updates, security alerts, welcome emails, and support responses.
• To manage subscriptions: To process monthly payments via Stripe and manage user access rights (multi-tenancy).
• Google Grounding: We use Google Grounding services to ensure the AI provides up-to-date and factually accurate information from the web where applicable.
• To optimize our services: Using Google Analytics to understand how users navigate our web application.

In order to process your information under the data protection laws, we need a legal reason. We primarily rely on Contractual Necessity (providing the SaaS service you subscribed to) and Legitimate Interests (improving our AI models, security, and debugging). In some cases, for instance, if we are required to do so by a court or government, we may need to process your information to comply with our legal obligations.

Sometimes, we need to share your information with other companies in order to provide you with a high-quality service. For example, we host our Platform on Google Cloud, and we use AI models provided by Google.

In all cases, we rely on contracts we have with these 3rd parties (Data Processing Agreements), which promise that they also will meet the same data protection standards we’re bound by.

Our key service providers include:

1. Google Cloud Platform (GCP): For hosting the application, database, raw documents and vector stores.
2. Google Vertex AI (Gemini Models): We send your queries and relevant context retrieved from your data to the AI model to generate answers. Note: Google does not use your data sent via the API to train their foundational models.
3. LangChain (LangSmith): Used for application tracing and debugging AI agent performance.
4. Stripe: Used as our Payment Processor to handle payments and subscriptions.
5. SendGrid: Used to send transactional emails (password resets, welcome emails).
6. Google Analytics: Used for website usage statistics.

Privacy Policies of our providers:

• Google (Cloud, Analytics, Gemini): https://policies.google.com/privacy
• LangChain: https://www.langchain.com/privacy-policy
• Stripe: https://stripe.com/privacy
• SendGrid (Twilio): https://www.twilio.com/en-us/legal/privacy

If we are compelled by a court order, warrant, or other legal obligation, we may need to share information in those cases. If we are allowed to do so, we will inform you in those cases.

We believe that it’s important for people to be knowledgeable about their rights under the data protection laws. And we work to make sure you can exercise your rights as easily as possible.

Under the GDPR and relevant data protection laws, you have the right:

1. Right of Access: To ask us to provide you with information about our activities and handling of your personal information (including copies) about the specific information we have about you.
2. Right to Rectification: To ask us to fix information regarding your account that is incorrect.
3. Right to Erasure: To delete your personal information, including your account on the Platform. Note: If you delete your account, embeddings and uploaded knowledge base files are also removed.
4. Right to Portability: To receive your information in an easily sharable format.
5. Right to Withdraw Consent: To withdraw your consent when we rely on consent as our legal reason for processing your data (e.g., marketing emails).
6. Right to Opt-out: To opt-out when receiving email notifications and marketing materials.

If Our company changes in a legal way (for example, if we get acquired, sold, or merged with another organization), your Information may be among the assets transferred to that other company. In such a case we will inform you about the process and you will have time to decide if you want to continue using the Platform and services. If we go out of business, we will send you an email letting you know that your account will be deleted. We will give you one month to obtain your information from the site before we shut down.

We need to keep your information while you have an account with us.

• Chat History: Retention is determined by your Subscription Tier.
  • Tier 1: Chat history is retained for 90 days, after which it is automatically deleted.
  • Tier 2: Chat history is retained for 1 year.
  • Tier 3: Chat history is retained indefinitely while the account is active.
• Knowledge Base: Documents and their associated AI embeddings are retained as long as they remain stored in your Workspace. If you delete a file, the data is removed from our systems.
• MethodCRM Data: We do not retain your MethodCRM database. We fetch data on-demand. Schema metadata is retained as long as the integration is active.
• Account Deletion: If you delete your account, we will delete your personal data within 30 days, retaining only what is required by tax laws or legal obligations (e.g., payment records).

Your data is primarily stored in Google Cloud in Iowa, USA data centers. Depending on the configuration of our AI services (Gemini) and observability tools (LangSmith), data processing may occur in data centers located in the US or EU. We are based in California, USA.

The US is located outside of the European Economic Area (EEA). That means, legally-speaking, if you live in the EU, your information is being transferred (or shared) with organizations located in a third country. That means we need to do a little more work to protect your data.

Specifically, We have to meet additional obligations, including having strong technical, organizational, and other security measures in place internally to protect your data when our staff access, use, or do things with your information, and appropriate agreements in place with our providers (Standard Contractual Clauses) to ensure they also protect your data.

We don’t just protect your data ''on paper'', we also have strong security measures in place. This is especially critical given that CRAge integrates with your CRM.

We have the following security measures and standards in place:

• Encryption: MethodCRM API keys are encrypted at rest in our database.
• Transmission: Data shared between the application, website, and our servers is transmitted over HTTPS protocol.
• Access Control: Only company employees can access the user data using their business accounts which need to have two-factor authentication enabled. We limit access to our databases to employees who have a "need to know" (e.g., Technical Support Engineers resolving a ticket).
• Logging: Access to user information and data is logged and subject to regular security audits.
• Infrastructure: The Google infrastructure we use to host the Platform is compliant with ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27701, and ISO/IEC 27018 standards.

Unfortunately, sharing information on the internet is never 100% secure. You can play your part in safeguarding your personal information by never disclosing your login password to others and ensuring your MethodCRM API keys have only the necessary permissions.

Our job does not end here, we encourage you to contact us if you are not satisfied with the way we process and safeguard your data. We try very hard to do a good job, but we can always do better with your help.

If you have a question about how your personal information is being processed by us or our partners, or you wish to exercise your rights (e.g., access, deletion, rectification), you can contact us at tands@naibuagency.com.

You can also contact our regulator (California Privacy Protection Agency (CPPA)), if you need to file a complaint against us under the data protection laws.

If We make changes to the Policy and/or procedures, We will post those changes on Our Platform and/or Company’s Website, as well as inform you via email to keep you aware of all updates related to Information We collect, how We use it and under what circumstances We may disclose it.