Crescence

Legal

Data inventory

Effective May 20, 2026

This page is the plain-language version of our record of processing. It lists every personal-data point Crescence collects and maps each one to its category under the GDPR, its category under the CCPA (as amended by the CPRA), the lawful basis we rely on under Article 6 of the GDPR, how long we keep it, and which sub-processors receive it. It is sourced from the “What we collect” section of the Privacy Policy and the sub-processor registry, and the three are kept in lockstep.

| Data point | GDPR category | CCPA category | Lawful basis | Retention | Sub-processors |
| --- | --- | --- | --- | --- | --- |
| Name and company name | Identity data | Identifiers | Performance of a contract (Art. 6(1)(b)) | While the account is active. | Supabase, Stripe |
| Email address | Contact data | Identifiers | Performance of a contract (Art. 6(1)(b)) | While the account is active. | Supabase, Resend, Plain |
| Phone number | Contact data | Identifiers | Performance of a contract (Art. 6(1)(b)) | While the account is active. | Supabase, Twilio |
| Phone carrier and line type (sign-up anti-fraud lookup) | Profile data | Identifiers; inferences | Legitimate interests (Art. 6(1)(f)) | While the account is active. | Supabase, Twilio |
| Mailing and shipping address | Contact data | Identifiers; commercial information | Performance of a contract (Art. 6(1)(b)) | With the related order: 7 years (tax). | Supabase, US Census Bureau Geocoder, Komoot, Veeqo, Warp |
| Role (brand operator vs. office buyer) | Profile data | Identifiers | Performance of a contract (Art. 6(1)(b)) | While the account is active. | Supabase |
| Account credentials (password hash, salt) | Authentication data | Sensitive personal information | Performance of a contract (Art. 6(1)(b)) | While the account is active. | Supabase |
| Government-issued ID images (brand verification) | Identity verification data | Sensitive personal information | Legal obligation (Art. 6(1)(c)) | Duration of verification plus the statutory KYC window. | Supabase, Stripe |
| Orders, listings, sample requests, dispute records | Transaction data | Commercial information | Performance of a contract (Art. 6(1)(b)) | 7 years (US tax retention). | Supabase, Stripe |
| Payment status and payout history | Financial data | Commercial information | Performance of a contract (Art. 6(1)(b)) | 7 years (US tax retention). | Stripe, Supabase |
| Stripe customer and connected-account identifiers | Financial data | Identifiers; commercial information | Performance of a contract (Art. 6(1)(b)) | While the account is active. | Stripe, Supabase |
| Tokenized payment methods and bank details for payouts | Financial data | Sensitive personal information | Performance of a contract (Art. 6(1)(b)) | Held by Stripe per Stripe's retention policy. | Stripe |
| Tax identification numbers (W-9 / 1099-K) | Financial data | Sensitive personal information | Legal obligation (Art. 6(1)(c)) | 7 years (US tax retention). | Stripe |
| Invoice PDFs | Transaction data | Commercial information | Legal obligation (Art. 6(1)(c)) | 7 years (US tax retention). | Supabase, QuickBooks Online, Xero |
| IP address | Technical data | Internet or other network activity | Legitimate interests (Art. 6(1)(f)) | Server access logs: about 30 days. | Vercel, Cloudflare, Supabase |
| User agent, referring URL, pages visited, session timestamps | Usage data | Internet or other network activity | Consent (Art. 6(1)(a)) | PostHog: up to 13 months. | PostHog |
| Sign-up IP address and user agent (anti-fraud signals) | Technical data | Internet or other network activity | Legitimate interests (Art. 6(1)(f)) | While the account is active (fraud-prevention signal). | Supabase |
| Approximate (city-level) location from IP | Location data | Geolocation data | Legitimate interests (Art. 6(1)(f)) | Not stored beyond the access-log window. | Cloudflare |
| Cookie identifiers and consent record | Technical data | Internet or other network activity | Consent (Art. 6(1)(a)) | Consent record: at least 13 months. | None |
| In-app messages | Communications data | Electronic communications information | Performance of a contract (Art. 6(1)(b)) | 3 years from last activity. | Supabase |
| Support tickets | Communications data | Electronic communications information | Legitimate interests (Art. 6(1)(f)) | 3 years from last activity. | Plain |
| Email delivery, bounce, and complaint events | Communications metadata | Internet or other network activity | Legitimate interests (Art. 6(1)(f)) | About 13 months from send date. | Resend |
| Maia drafts accepted or rejected, and edits you make | Profile data | Inferences | Legitimate interests (Art. 6(1)(f)) | While the account is active. | Anthropic, Supabase |
| Inferred preferences (dietary tags, favored brands, matches) | Profile data | Inferences | Legitimate interests (Art. 6(1)(f)) | While the account is active. | Supabase |
| Error traces (personal data scrubbed before send) | Technical data | Internet or other network activity | Consent (Art. 6(1)(a)) | Sentry: up to 90 days. | Sentry |
| OAuth tokens for connected integrations | Technical data | Identifiers | Performance of a contract (Art. 6(1)(b)) | Until you disconnect the integration. | Google LLC, Slack Technologies, Microsoft, QuickBooks Online, Xero |
| Uptime and on-call alert metadata | Operational data | Internet or other network activity | Legitimate interests (Art. 6(1)(f)) | Per BetterStack's retention policy. | BetterStack |

How to read this table

“Lawful basis” is the ground in Article 6(1) of the GDPR that permits the processing: a contract you entered into, our legitimate interests, your consent, or a legal obligation. Where the basis is consent, we do not collect the data until you opt in, and you can withdraw consent at any time. Retention periods are maximums; we delete or pseudonymize data sooner where it is no longer needed. “Sub-processors” lists the third parties that receive the data point in the course of providing their service to us.

Exercising your rights over this data

For any data point above, you can request access, correction, erasure, portability, or restriction, or you can object to its processing. The full list of rights and how to use them is in the Privacy Policy. For a request that involves a specific sub-processor, email hellocrescence@gmail.com and we will coordinate it on your behalf.
