1Who we are
AICrewKit B.V. (“AICrewKit”, “we”, “us”) is a company registered in the Netherlands. We provide an AI-augmented CRM and operations platform at app.aicrewkit.com. For privacy and data-protection questions, contact our Data Protection Officer at dpo@aicrewkit.eu.
For data you enter into your workspace (contacts, companies, deals, etc.) and for mail/calendar data you connect, you (the customer) are the data controller and AICrewKit acts as a data processor on your behalf under a Data Processing Agreement. For account and billing data, AICrewKit is the controller.
2What we collect
- Account data — name, email, hashed credentials, workspace membership and role.
- Workspace content — the CRM records, notes, tasks, documents, meetings, and timesheets you and your team create.
- Connected mailbox & calendar data — when you connect Google or Microsoft 365, the messages, calendar events, and contacts covered by the scopes you grant (read-only by default).
- Usage & technical data — log data, IP address, and device/ browser information needed to run and secure the service.
3How we use your data
- To provide, maintain, and secure the platform and its features.
- To power AI features you invoke (summaries, drafting, follow-ups) — processed only to deliver that feature to you, in the moment you request it.
- To provide support, send service notices, and bill for paid plans.
- To comply with legal obligations.
We do not sell your data, and we do not use the content of your connected mailboxes, calendars, or contacts to develop, improve, or train generalized or non-personalized AI/ML models.
4Google user data
When you connect a Google account, we request the minimum scopes needed for the features you enable (read-only by default; send/calendar-write only when you turn those on). We use Google data solely to provide the corresponding features inside your workspace, store it encrypted, and never share it with third parties except the sub-processors listed below that operate the service.
AICrewKit’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
You can revoke AICrewKit’s access at any time from Settings → Integrations, or from your Google Account permissions.
5Microsoft 365 data
When you connect a Microsoft 365 account, we request delegated Microsoft Graph permissions for the features you enable (read-only by default). Microsoft data is used only to provide those features, stored encrypted, and never sold or shared beyond the sub-processors that operate the service. You can revoke access from Settings → Integrations or your Microsoft account’s connected-apps page.
6Legal bases (GDPR)
We process personal data under one or more of: performance of a contract (Art. 6(1)(b)), legitimate interests in running and securing the service (Art. 6(1)(f)), consent where required for optional integrations (Art. 6(1)(a)), and legal obligations (Art. 6(1)(c)).
7Sub-processors & where data lives
We run on EU infrastructure and minimise sub-processors. Current sub-processors:
- Hetzner Online GmbH (Falkenstein, Germany) — hosting & storage.
- Mistral AI (Paris, France) — AI model inference for AI features.
- Google LLC / Microsoft Corporation — only for the accounts you explicitly connect, to access the data you authorise.
Workspace data is hosted in the EU. Where a connected provider or integration involves a transfer outside the EEA, it is governed by appropriate safeguards (Standard Contractual Clauses or an adequacy decision).
8Retention
We keep data for as long as your workspace is active. Connected-account data has a configurable retention window and is deleted when you disconnect the account or delete the workspace. Backups age out on a rolling schedule. You can trigger an export or erasure at any time (see your rights below).
9Security
OAuth tokens and connected-mailbox credentials are encrypted at rest with per- workspace keys (envelope encryption). Access is role-scoped and isolated per tenant at the database level. We follow ISO 27001-aligned practices and operate a coordinated vulnerability-disclosure process at security@aicrewkit.eu.
10Your rights
Under the GDPR you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data (Art. 15–22). Exercise any of these from Settings → Privacy (one-click export and erasure) or by emailing dpo@aicrewkit.eu. You also have the right to lodge a complaint with your supervisory authority (in the Netherlands, the Autoriteit Persoonsgegevens).
11Cookies
We use strictly-necessary cookies for authentication and security. We do not use advertising or cross-site tracking cookies.
12Changes
We may update this policy; material changes will be notified in-app or by email. The “effective” date above reflects the latest version.
Questions? Email dpo@aicrewkit.eu or see our Terms of Service.