Privacy Policy
Last updated: May 3, 2026
Your data is yours. This policy explains exactly what we collect, why, who else sees it, and what rights you have over it.
Summary
Short version, in case you don't read the rest:
- We collect the minimum data we need to run the Service.
- We never sell your data, and we don't use it to train AI models.
- Billing runs through Paddle (our Merchant of Record). Email runs through Resend.
- You can export everything you've added and delete your account any time.
The full detail follows.
Who we are
Machine Republic (Pty) Ltd ("we", "us") operates the Service. For privacy questions, write to support@craaft.io. For users in the EU/UK, that address is also our point of contact for data protection matters.
Data we collect
Account information: your name, email address, and a hashed password. You can also set a username, used for @mentions.
Content: the projects, columns, cards, comments, and attachments you create. We treat this as yours - see the Terms for licensing.
Usage data: minimal server logs (request paths, timing, status codes, anonymised IP) used to operate and debug the Service. We do not run third-party advertising trackers, analytics SDKs, or tag managers.
Billing data: handled by Paddle, our Merchant of Record. We receive your subscription status, plan, and an opaque customer identifier - we never see your card details.
Email delivery data: when we send transactional email (mention notifications, invitations, password reset), the recipient address and subject line are processed by Resend on our behalf.
Cookies: a session cookie (`craaft_session`) and a CSRF cookie (`csrf_token`). Both are HTTP-only, same-site, and used solely to keep you logged in and to defeat cross-site request forgery. We do not use third-party cookies.
How we use it
We use the data above to:
- Provide the Service - sign you in, render your boards, deliver notifications you've opted into.
- Bill you for the plan you've chosen.
- Diagnose problems and improve reliability.
- Communicate with you about your account and material changes to the Service.
Our legal bases (for users in the EU/UK) are: performance of contract for account and billing data; legitimate interests for security logging and operational diagnostics; consent for any future optional features that go beyond this list.
Who we share data with
We share data only with sub-processors needed to run the Service:
- Paddle (paddle.com) - payment processing, tax compliance, subscription management.
- Resend (resend.com) - transactional email delivery.
- Google Cloud Platform - hosting (Cloud Run) and file storage (Cloud Storage) in the region we've chosen.
Each sub-processor is contractually bound to handle data only on our instructions and to apply security controls comparable to ours.
We don't sell personal data, and we don't share it with advertisers.
Security
Data in transit is encrypted with TLS. Data at rest in our database and object storage is encrypted by the cloud provider. Passwords are hashed with bcrypt. Sessions are server-side, identified by an opaque cookie. Webhooks are signed with HMAC-SHA256 and verified before processing.
No system is invulnerable. If we discover a security incident affecting your account, we'll notify you within 72 hours of becoming aware, with the information available at the time.
Retention
Account and content data are kept for as long as your account is active. When you delete your account, we remove personal data from primary storage within 30 days and from backups within 90 days.
Some records are kept longer when required by law: invoices and tax records for up to 7 years; security logs for 90 days.
Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Export your data in a portable format (JSON, from Settings).
- Delete your account and your data.
- Object to or restrict certain processing.
- Withdraw consent where we relied on it.
- Lodge a complaint with your local data-protection authority.
To exercise any of these, email support@craaft.io. We'll respond within 30 days.
International transfers
Our infrastructure runs on Google Cloud Platform in the region we've chosen for the workspace. If your data is transferred outside your home jurisdiction (for example, between EU and US), we rely on the Standard Contractual Clauses or equivalent transfer mechanisms.
Children
Machine Republic (Pty) Ltd is not directed at children under 16, and we don't knowingly collect data from them. If you believe a child has created an account, contact us and we'll delete it.
Changes to this policy
We may update this policy occasionally. Material changes get at least 30 days' notice by email or in-app banner. The 'Last updated' date at the top of this page always reflects the current version.
Questions? Reach us at support@craaft.io.