Skip to content
Crescence

Legal

Privacy policy

Effective May 20, 2026

Crescence Inc. (“Crescence,” “we,” or “us”) operates the B2B marketplace at crescence.co (the “Service”). This policy explains what we collect, how we use it, and the rights you have under the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (as amended by the CPRA). It applies wherever you are located.

1. Who this applies to

This policy covers visitors to crescence.co and authenticated users of the Service - both brand operators and the offices / retailers that buy from them. If you contact us by email or join a waitlist before creating an account, the information you share is also covered.

2. Controller, representative, and Data Protection Officer

For personal data processed through the Service, the data controller is Crescence Inc., 548 Market St #82130, San Francisco, CA 94104, United States. Contact: hellocrescence@gmail.com.

  • EU representative (Art. 27 GDPR). To be appointed. Until the appointment is published here, EU data subjects can reach us at hellocrescence@gmail.com and we will route the request to the controller directly.
  • UK representative (Art. 27 UK GDPR). To be appointed, on the same interim basis as above.
  • Data Protection Officer. To be appointed. Where a DPO is not yet in place, privacy requests are handled by the founding team at hellocrescence@gmail.com.

3. What we collect

We collect the following categories of personal information:

  • Identifiers. Name, email, phone number, mailing or shipping address, company name, role (brand operator vs. office buyer).
  • Commercial information. Orders placed, products listed, sample requests, payment status, payout history, dispute records.
  • Internet / device information. IP address, user agent, referring URL, pages visited, approximate location (city-level via IP), session timestamps, browser cookies (see section 9 below).
  • Communications. Messages you send through the in-app messenger, support tickets you open with us, drafts you accept or reject from Maia (our AI assistant).
  • Inferences. Preferences derived from your activity - dietary tags you avoid, brands you favor, suggested matches Maia has learned from edits you make to her drafts. Used to personalize your workspace; never sold.
  • Financial information. Stripe-tokenized payment methods, bank account information for payouts (brand operators), tax identification numbers (W-9 / 1099-K reporting). The card number itself never touches our servers - Stripe handles tokenization.
  • Sensitive personal information.Account credentials (password hash, salt) and government-issued ID images if a brand uploads them as part of verification. Stored encrypted; access logged. This category is “sensitive personal information” under the CPRA and may include special-category data under Article 9 of the GDPR where an ID document reveals such data.

A field-by-field map of each data point to its GDPR category, CCPA category, lawful basis, retention, and receiving sub-processor is at /legal/data-inventory.

4. How we use it

  • To provide the Service - matching brands with offices, processing orders, sending transactional emails (receipts, shipping notifications).
  • To run Maia, our AI assistant - drafts you see use your preferences and history as context. Maia never sells your data or uses it to train any third-party model.
  • To verify brand identities and prevent fraud - checking submitted business documents against public records, scoring sign-up signals.
  • To improve the Service - aggregated analytics that don't identify any single account.
  • To comply with the law - tax reporting, response to lawful subpoenas, audit trails.

We do not: sell your personal information; share your personal information for cross-context behavioral advertising; subject you to a decision based solely on automated processing that produces a legal or similarly significant effect (see section 11).

5. Lawful bases for processing (GDPR and UK GDPR)

Where the GDPR or UK GDPR applies, we rely on one of the following lawful bases under Article 6(1) for each purpose:

  • Performance of a contract (Art. 6(1)(b)). Creating and running your account, processing orders, handling payouts and disputes, and providing support.
  • Legitimate interests (Art. 6(1)(f)). Securing the Service, preventing fraud and abuse, maintaining audit logs, and improving the product with aggregated insights. We balance these interests against your rights and describe them so you can object.
  • Consent (Art. 6(1)(a)). Analytics and error-tracking cookies, and any optional marketing email. You can withdraw consent at any time without affecting prior processing. See the Cookie Policy.
  • Legal obligation (Art. 6(1)(c)). Tax reporting, retention of financial records, and responses to lawful legal process.

Where we process special-category data under Article 9 (for example, an ID document that reveals such data during verification), we rely on your explicit consent or another Article 9 condition, and we limit the processing to what verification requires.

6. Where it comes from

Most personal information comes directly from you - when you sign up, when you place an order, when you write a message. Some comes from our service providers: Stripe surfaces payment status, Resend reports delivery / bounce / complaint events, Sentry forwards error traces (scrubbed of PII), PostHog captures page-view analytics (opt-in via the cookie banner).

7. Who we share it with

Crescence shares personal information only with the service providers necessary to run the platform. Each is contractually bound (via a Data Processing Addendum) to use it only for our instructions and to apply security controls equivalent to ours. The current list is at /legal/subprocessors.

We disclose information to law enforcement only when legally compelled (subpoena, court order, statutory production demand) and we notify you unless the order forbids it.

8. International transfers

Crescence is based in the United States, and our primary infrastructure is US-hosted, so personal data of EU and UK individuals is transferred to the United States and may be processed by sub-processors in other countries. Where we transfer personal data out of the EEA or the UK to a country without an adequacy decision, we rely on appropriate safeguards under Article 46 of the GDPR:

  • Standard Contractual Clauses (SCCs). The European Commission module-2 and module-3 SCCs, incorporated into our Data Processing Addendum with each importing sub-processor.
  • UK International Data Transfer Addendum (IDTA). The UK Addendum to the EU SCCs, or the standalone IDTA, for transfers subject to the UK GDPR.
  • Transfer impact assessment.Where required, we assess the destination country's laws and add supplementary measures such as encryption in transit and at rest and access controls.

You can request a copy of the relevant safeguard by emailing hellocrescence@gmail.com.

9. Cookies and tracking

Crescence uses three categories of cookies:

  • Strictly necessary. Authentication, CSRF protection, preference persistence. Always active. Cannot be disabled - without these the Service does not work.
  • Analytics. PostHog page-view + interaction events. Off by default. The cookie banner you saw on first visit asks you to opt in. Sending the Global Privacy Control header from your browser is equivalent to opting out.
  • Error tracking. Sentry exception capture (PII scrubbed before send). Off by default; same consent gate as analytics.

We do not use cross-site advertising cookies, and we do not embed third-party tracking pixels on any page. For the full detail, including how prior consent is obtained under the GDPR and the ePrivacy rules, see the Cookie Policy.

10. Your rights under the GDPR and UK GDPR

If you are in the EU, the UK, or another jurisdiction with comparable rights, you have the following rights over your personal data. We honor these rights for every Crescence user, regardless of residency:

  • Access (Art. 15). Confirm whether we process your data and receive a copy. Download it at /account/data-export.
  • Rectification (Art. 16). Correct inaccurate or incomplete data. Most fields are editable in your account settings.
  • Erasure (Art. 17). Ask us to delete your data where one of the statutory grounds applies. Legally retained records (orders, invoices, payouts) are pseudonymized rather than deleted where the law requires us to keep them.
  • Restriction (Art. 18). Ask us to limit processing while a dispute about accuracy or lawfulness is resolved.
  • Data portability (Art. 20). Receive the data you provided in a structured, commonly used, machine-readable format, and have it transmitted to another controller where technically feasible.
  • Objection (Art. 21). Object to processing based on our legitimate interests, and to any direct marketing, at any time.
  • Withdraw consent (Art. 7(3)). Where we rely on consent, withdraw it at any time without affecting processing that already happened.
  • Lodge a complaint (Art. 77).Complain to your local supervisory authority. In the UK that is the Information Commissioner's Office (ico.org.uk). We would welcome the chance to address your concern first at hellocrescence@gmail.com.

We respond to rights requests without undue delay and within one month, with a possible two-month extension for complex requests, and we will tell you if an extension applies. There is no fee unless a request is manifestly unfounded or excessive.

11. Automated decision-making and Maia (our AI assistant)

Crescence does not make decisions that produce legal or similarly significant effects about you based solely on automated processing without a human in the loop, within the meaning of Article 22 of the GDPR. Maia, our AI assistant, drafts messages, suggests product matches, and summarizes feedback using your preferences and history as context. Maia's outputs are suggestions: she never auto-sends a message or auto-executes a transaction, and a person always approves before anything takes effect.

Fraud-prevention signals may be scored automatically, but a human reviews any adverse outcome, such as a verification refusal or an account suspension, before it takes effect. You can ask for that human review, express your point of view, and contest the outcome by emailing hellocrescence@gmail.com. We do not use your account data to train any third-party AI model.

12. Your CCPA / CPRA rights

California residents have the following rights under the CCPA (as amended by the CPRA). We honor these rights for every Crescence user, regardless of residency:

  • Right to know.Request the categories and specific pieces of personal information we've collected about you. Download a copy at /account/data-export - you'll receive an email with a 7-day signed download link.
  • Right to delete. Request deletion of personal information we collected from you. Submit a request from Account Settings, then Privacy, then Delete account. There is a 30-day cooling window during which you can cancel; after that the request is processed. Legally retained records (orders, invoices, payouts) are pseudonymized rather than deleted.
  • Right to correct. Request correction of inaccurate information. Most fields you can edit directly from your account settings; for fields you cannot edit, email hellocrescence@gmail.com.
  • Right to opt out of sale / sharing. We do not sell or share your personal information. The opt-out toggle at /legal/do-not-sell is provided as a backstop. Crescence honors the Global Privacy Control (GPC) signal automatically.
  • Right to non-discrimination. Exercising any of the rights above does not change the price you pay or the features available to your account.
  • Right to limit use of sensitive personal information. You can ask us to use the sensitive categories listed in section 3 only for the services you requested. Contact hellocrescence@gmail.com.

We verify identity before honoring requests by matching the request to a signed-in session or by emailing a confirmation link to the address on file. Authorized agents may submit requests on your behalf with a notarized authorization. We respond within 45 days of receipt; complex requests may extend to 90 days with notice.

13. Retention

  • Account data: kept while your account is active.
  • Orders / invoices / payouts: 7 years (US tax retention).
  • Billing invoices (PDF artifacts): 7 years (US tax retention).
  • Messages: 3 years from last activity.
  • Audit records: retained as long as required for security and compliance.
  • Server access logs: a short rolling window (about 30 days).
  • Cookie-consent records: at least 13 months (CCPA evidence).
  • Email delivery records: about 13 months from send date, then automatically purged.

On account deletion, we pseudonymize the legally-retained records (replace your account ID and PII fields with placeholder values) so the row stays present for accounting + audit but is no longer linked to you.

14. Security

We maintain administrative, technical, and organizational safeguards designed to protect your information. These include encryption of data in transit and at rest, strict access controls on a least-privilege basis, isolation of each account's data, signed and verified webhooks, continuous monitoring, and tamper-evident audit logging. We use reputable infrastructure and payment providers and require each to maintain security protections appropriate to the data they handle. No method of transmission or storage is perfectly secure, so we cannot guarantee absolute security.

We have a coordinated disclosure policy at /.well-known/security.txt. If you find a vulnerability, please report it there before public disclosure.

15. Breach notification

If a personal-data breach is likely to result in a risk to your rights and freedoms, we notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, as required by Article 33 of the GDPR. Where the breach is likely to result in a high risk to you, we also notify you without undue delay under Article 34, describing the nature of the breach, the likely consequences, and the steps we have taken. We maintain an internal record of every breach regardless of whether notification is required.

16. Children

The Service is not directed at anyone under 18. We do not knowingly collect information from minors. If you believe a minor has signed up, please email hellocrescence@gmail.com and we will delete the account.

17. Changes to this policy

We may update this policy as the Service evolves. Material changes (new categories of information, new sharing arrangements, removal of a right) are notified by email to every active account at least 30 days before they take effect.

18. Contact

Privacy questions: hellocrescence@gmail.com.

Crescence Inc.
548 Market St #82130
San Francisco, CA 94104
United States

← Back to home