Legal
Privacy policy
Effective May 20, 2026
Crescence Inc. (“Crescence,” “we,” or “us”) operates the B2B marketplace at crescence.co (the “Service”). This policy explains what we collect, how we use it, and the rights you have under the California Consumer Privacy Act (as amended by the CPRA). Crescence is US-only; we do not offer service to consumers in the EU or UK.
1. Who this applies to
This policy covers visitors to crescence.co and authenticated users of the Service - both brand operators and the offices / retailers that buy from them. If you contact us by email or join a waitlist before creating an account, the information you share is also covered.
2. What we collect
We collect the following categories of personal information:
- Identifiers. Name, email, phone number, mailing or shipping address, company name, role (brand operator vs. office buyer).
- Commercial information. Orders placed, products listed, sample requests, payment status, payout history, dispute records.
- Internet / device information. IP address, user agent, referring URL, pages visited, approximate location (city-level via IP), session timestamps, browser cookies (see § 7 below).
- Communications. Messages you send through the in-app messenger, support tickets you open with us, drafts you accept or reject from Maia (our AI assistant).
- Inferences. Preferences derived from your activity - dietary tags you avoid, brands you favor, suggested matches Maia has learned from edits you make to her drafts. Used to personalize your workspace; never sold.
- Financial information. Stripe-tokenized payment methods, bank account information for payouts (brand operators), tax identification numbers (W-9 / 1099-K reporting). The card number itself never touches our servers - Stripe handles tokenization.
- Sensitive personal information (CCPA-defined). Account credentials (password hash, salt) and government-issued ID images if a brand uploads them as part of verification. Stored encrypted; access logged.
2.1 Internal data tables that hold personal information
The following tables in our database hold personal information about you. This inventory is updated as the Service evolves. Each entry lists the table name, the category of personal information it holds, and the retention period that applies on account deletion.
| Table | Data held | On deletion |
|---|---|---|
| accounts | Name, email (via auth.users), app role, timestamps. | Pseudonymized (PII fields nulled); row retained for audit FK integrity. |
| brands / offices | Business name, address, contact details, tax IDs, onboarding state. | Pseudonymized in place (legally-retained orders block hard-delete). |
| login_devices | Device fingerprint, IP address, city, country, user-agent, first and last seen timestamps. | Hard-deleted on account deletion. |
| suspicious_login_tokens | SHA-256 hash of a one-time password-reset token; linked to the login_device that triggered the alert. No plaintext token or email is stored. | Hard-deleted on account deletion (cascade from accounts). |
| contact_change_requests | Old and new email or phone values submitted during a contact-change ceremony; one-time HMAC confirmation tokens. | Hard-deleted on account deletion. |
| step_up_audit | Account ID, action key (e.g. bank_account_change), MFA challenge outcome, IP address, timestamp. Immutable audit trail. | Hard-deleted on account deletion (cascade). |
| cart_abandonment_dispatches | Office ID, brand ID, abandonment stage, dispatched-at timestamp. No message content. | Hard-deleted when the office account is deleted (cascade). |
| feature_flag_audit_log | Actor account ID (nullable), flag key, before and after values, timestamp. No PII beyond the actor account reference. | Actor reference nulled on account deletion (SET NULL FK); log rows are retained for audit integrity. |
| experiment_assignments | Account ID, experiment key, variant name, assigned-at timestamp. | Hard-deleted on account deletion (cascade). |
| billing_invoices | Account ID, order reference, storage path to PDF artifact, invoice total, issued-at timestamp. | Retained 7 years (US tax); account ID pseudonymized after deletion cooling period. |
| subscriptions | Office ID, brand ID, frequency, status, schedule timestamps. No message content or payment card data. | Hard-deleted when the office account is deleted (cascade). |
| subscription_items | Subscription reference, product reference, quantity. No direct PII. | Hard-deleted via cascade from subscriptions. |
| subscription_tick_locks | Subscription reference, period-start timestamp. Idempotency ledger only; no PII. | Hard-deleted via cascade from subscriptions. |
| accounting_sync_state | Invoice reference, accounting provider name (quickbooks or xero), sync status, external invoice ID. No buyer PII. | Hard-deleted via cascade from invoices on order deletion (legally retained 7 years). |
| offices.address_verified_at, offices.address_is_po_box | Timestamp of last successful address validation; boolean flag for P.O. Box detection. Part of the offices row. | Pseudonymized with the offices profile row. |
| offices.paused_until | Timestamp until which the office account is paused from receiving new sample shipments. Part of the offices row. | Pseudonymized with the offices profile row. |
| shipments.label_url, shipments.voided_at | Carrier label URL (signed, time-limited) and void timestamp. Part of the shipments row. | Retained with order records (7-year tax retention). |
| brands.paused_at | Timestamp at which the brand voluntarily paused its storefront. Part of the brands row. | Pseudonymized with the brands profile row. |
3. How we use it
- To provide the Service - matching brands with offices, processing orders, sending transactional emails (receipts, shipping notifications).
- To run Maia, our AI assistant - drafts you see use your preferences and history as context. Maia never sells your data or uses it to train any third-party model.
- To verify brand identities and prevent fraud - checking submitted business documents against public records, scoring sign-up signals.
- To improve the Service - aggregated analytics that don't identify any single account.
- To comply with the law - tax reporting, response to lawful subpoenas, audit trails.
We do not: sell your personal information; share your personal information for cross-context behavioral advertising; profile you for decisions that produce legal effects without a human reviewer.
4. Where it comes from
Most personal information comes directly from you - when you sign up, when you place an order, when you write a message. Some comes from our service providers: Stripe surfaces payment status, Resend reports delivery / bounce / complaint events, Sentry forwards error traces (scrubbed of PII), PostHog captures page-view analytics (opt-in via the cookie banner).
5. Who we share it with
Crescence shares personal information only with the service providers necessary to run the platform. Each is contractually bound to use it only for our instructions and to apply security controls equivalent to ours. The current list is at /legal/subprocessors.
We disclose information to law enforcement only when legally compelled (subpoena, court order, statutory production demand) and we notify you unless the order forbids it.
6. Your CCPA rights
California residents have the following rights under the CCPA / CPRA. We honor these rights for every Crescence user, regardless of residency:
- Right to know.Request the categories and specific pieces of personal information we've collected about you. Download a copy at /account/data-export - you'll receive an email with a 7-day signed download link.
- Right to delete. Request deletion of personal information we collected from you. Submit a request from Account Settings → Privacy → Delete account. There is a 30-day cooling window during which you can cancel; after that the request is processed. Legally retained records (orders, invoices, payouts) are pseudonymized rather than deleted.
- Right to correct. Request correction of inaccurate information. Most fields you can edit directly from your account settings; for fields you cannot edit, email privacy@crescence.co.
- Right to opt out of sale / sharing. We do not sell or share your personal information. The opt-out toggle at /legal/do-not-sell is provided as a backstop. Crescence honors the Global Privacy Control (GPC) signal automatically.
- Right to non-discrimination. Exercising any of the rights above does not change the price you pay or the features available to your account.
- Right to limit use of sensitive personal information. You can ask us to use the sensitive categories listed in § 2 only for the services you requested. Contact privacy@crescence.co.
We verify identity before honoring requests by matching the request to a signed-in session or by emailing a confirmation link to the address on file. Authorized agents may submit requests on your behalf with a notarized authorization. We respond within 45 days of receipt; complex requests may extend to 90 days with notice.
7. Cookies and tracking
Crescence uses three categories of cookies:
- Strictly necessary. Authentication, CSRF protection, preference persistence. Always active. Cannot be disabled - without these the Service does not work.
- Analytics. PostHog page-view + interaction events. Off by default. The cookie banner you saw on first visit asks you to opt in. Sending the Global Privacy Control header from your browser is equivalent to opting out.
- Error tracking. Sentry exception capture (PII scrubbed before send). Off by default; same consent gate as analytics.
We do not use cross-site advertising cookies. We do not embed third-party tracking pixels on any page.
8. Retention
- Account data: kept while your account is active.
- Orders / invoices / payouts: 7 years (US tax retention).
- Billing invoices (PDF artifacts): 7 years (US tax retention).
- Messages: 3 years from last activity.
- Audit log: append-only; retained indefinitely.
- Server access logs (raw): 30 days.
- Cookie consent records: 13 months minimum (CCPA evidence).
- Email delivery log (
email_log): 13 months from send date (aligns with CCPA consent-log retention; purged automatically by the retention cron).
On account deletion, we pseudonymize the legally-retained records (replace your account ID and PII fields with placeholder values) so the row stays present for accounting + audit but is no longer linked to you.
9. Security
Crescence runs on Supabase (Postgres + storage), Vercel (compute), and Cloudflare (edge). Row-level security policies scope every database read and write to the owning account. Service-role keys live only in server-side environments. Webhooks are signature-verified; sensitive endpoints require a CRON_SECRET. The audit log is append-only at the database trigger level.
We have a coordinated disclosure policy at /.well-known/security.txt. If you find a vulnerability, please report it there before public disclosure.
10. Children
The Service is not directed at anyone under 18. We do not knowingly collect information from minors. If you believe a minor has signed up, please email privacy@crescence.co and we will delete the account.
11. Changes to this policy
We may update this policy as the Service evolves. Material changes (new categories of information, new sharing arrangements, removal of a right) are notified by email to every active account at least 30 days before they take effect.
12. Contact
Privacy questions: privacy@crescence.co.
Crescence Inc.
548 Market St #82130
San Francisco, CA 94104
United States