Privacy Policy

Last updated: May 12, 2026

What we collect

• The contents of CSV files you upload (HubSpot Deals and QuickBooks Customers/Invoices)
• Your email address — required to deliver the report and the monthly digest
• Decisions you make on each surfaced conflict, exported in the corrected CSV
• Payment information via Stripe (we never see card numbers)
• Authentication state via Clerk (we receive a JWT, not your password)

Lawful basis

Article 6(1)(b) GDPR — processing is necessary for the performance of the contract you enter into when you upload a CSV to Crossbook.

Subprocessors

These third parties process your data on our behalf. Their privacy and security practices are governed by their own DPAs:

• Anthropic — Claude inference on the CSV records we send for analysis (US-hosted)
• Supabase — Postgres storage of reports + decisions (US-East)
• Stripe — payments + subscription billing (US-hosted)
• Clerk — authentication + user management (US-hosted)
• Resend — transactional + monthly digest email delivery
• Vercel — application hosting + edge cache

Retention

• Raw CSV file content is deleted from your report record after 30 days. Aggregate counts and the corrected-CSV-ready summary remain so the monthly delta still works.
• Reports themselves are retained while your account is active.
• Deletion requests (see below) are processed within 30 days of confirmation.

Your rights

Under GDPR (and equivalent laws elsewhere) you have the right to access, rectify, port, and erase your data. To exercise these rights, use thedelete-my-dataflow or email dawiddeveloper@gmail.com.

International transfers

Anthropic, Stripe, Clerk, Resend, and Vercel are US-based. Cross-border transfers are covered by Standard Contractual Clauses (SCCs) in their respective DPAs.

Contact

Questions or complaints: dawiddeveloper@gmail.com. You can also lodge a complaint with your local Data Protection Authority.

See also: Data Processing Agreement