Privacy Policy for Crossly
Effective Date: September 22, 2025
This Privacy Policy describes how we collect, use, and protect your data when you use Crossly (https://crossly.app) and any related services. We are committed to complying with the General Data Protection Regulation (GDPR), the Czech Data Protection Act, and other relevant laws.
1. Who We Are
Service: Crossly
Country of Registration: Czechia
Contact Email: hello@crossly.app
Legal information can be provided upon request via email at hello@crossly.app. We do not currently appoint a Data Protection Officer (DPO) as we are not legally required to.
2. What Data We Collect
A. On the Landing Page (https://crossly.app)
We collect the following data only after you give consent:
- Google Analytics 4: anonymous usage statistics
- Microsoft Clarity: heatmaps and session replays
- Sentry: client-side error tracking
We do not collect any personal data or run newsletter signup forms on the landing page.
B. In the Application (app.crossly.app)
To provide our core functionality, we collect:
- Your email address (used for authentication and communication, including transactional emails via Resend)
- OAuth tokens (access/refresh tokens, account handle) for platforms like Twitter, LinkedIn, Threads, BlueSky, and Mastodon
- User-generated content, including:
  - Post drafts
  - Scheduled posts
- Usage events (e.g., account connected, post scheduled)
- Optional: payment-related data via Lemon Squeezy (we do not store payment credentials). All payments are processed securely by Lemon Squeezy. We do not collect or store your credit card details on our servers.
In the future, we may enable media uploads.
3. Third-Party Services We Use
- Google Analytics 4 (Analytics, LP only, after consent)
- Microsoft Clarity (Session recording, LP only, after consent)
- Sentry (Error tracking, LP and App)
- Supabase (Database and authentication platform, hosted in EU)
- Vercel (Frontend hosting, EU-first policy)
- Lemon Squeezy (Payment handling)
- Resend (Transactional emails - password reset, onboarding emails)
OAuth login is provided via: Twitter, LinkedIn, Threads, BlueSky, and Mastodon.
Email Sharing: Your email address may be shared with Resend only for transactional email purposes (e.g., password reset, onboarding emails). We do not sell or share your email address with any other third parties for marketing purposes.
4. Data Retention
- We currently retain user accounts and their tokens indefinitely.
- We plan to implement a 30-day inactivity expiration in the future.
- Users can request account deletion at any time either via the in-app "Delete Account" option or by emailing us at hello@crossly.app. We will permanently erase all associated data within 30 days of the request.
- We do not delete user data automatically after a period of inactivity.
5. Your Rights
You have the right to:
- Request access to your data
- Request correction or deletion of your data
- Withdraw consent (on the landing page via the consent banner)
- Lodge a complaint with a supervisory authority
To exercise your rights, please contact hello@crossly.app.
Note: Consent for analytics and tracking is currently revocable only on the landing page. If you're using the application, you can delete your account manually.
6. Security
We take security seriously:
- Data is encrypted in transit and at rest using industry-standard AES encryption
- We do not yet implement rate limiting or audit logs, but we plan to enhance these protections in future versions
7. Data Transfer Outside the EU
We prioritize EU-first infrastructure. Currently:
- All Supabase and Vercel services we use are hosted within the EU
- OAuth tokens and user data are not transferred or stored outside the EU
If this changes, we will update this policy accordingly.
8. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Effective Date" at the top and notify users via the website or email.
Thank you for trusting Crossly. If you have any questions, contact us at hello@crossly.app.