Privacy Policy
This policy explains what information CRTX collects, why we collect it, who processes it on our behalf, and the choices and rights you have. Please read it carefully. By using CRTX, you agree to the practices described here.
1. Who we are
CRTX is operated by Lars Janssen, based at Dr.-Klaus-Kopfermann-Weg 8, 85521 Ottobrunn, Germany. You can reach us at privacy@crtx.live.
For users in the European Economic Area, the United Kingdom, and Switzerland, we are the data controller responsible for the processing described below.
2. What we collect
Account information
When you create an account, we collect:
- Your email address (or, if you sign in with Apple using a private relay address, the relay address Apple provides).
- Your display name, if you choose to set one.
- An anonymous user identifier we generate.
Content you save
CRTX is a personal and shared knowledge tool. The content you save is the core of the product. This includes:
- Text notes, including notes you record by voice (we transcribe the audio).
- Audio files you import and the transcripts we generate from them.
- Images and the descriptions our AI generates from them.
- PDFs and the text we extract from them.
- URLs you save and the summaries our AI generates for them.
- Tasks you create and any notes attached to them.
- People you add or import from your device contacts, including names, birthdays, and any notes or relationships you set.
- Pool names and color choices.
- Conversations you have with the in-app help assistant ("Cora").
Device and technical information
To deliver the service we collect:
- A push notification token, so we can deliver reminders and notifications to your device.
- Approximate request metadata such as IP address and timestamp, used for rate limiting and abuse prevention.
- Crash and performance data when you opt in to share it via TestFlight or the App Store.
Contacts (optional)
If you grant CRTX access to your device contacts, we read names, contact identifiers, and birthdays so we can match the people you mention to your existing contacts and remind you about birthdays. Your full address book is not uploaded; we sync only enough to perform matching.
Location (optional)
If you grant CRTX access to your location, we attach the latitude and longitude where a note was captured so you can recall where things happened. You can disable location capture at any time in your device's Settings app.
What we do not collect
We do not collect:
- Advertising identifiers (IDFA).
- Browsing history outside CRTX.
- Health, fitness, or financial data.
- Information that identifies you to advertising networks. CRTX has no advertising and we do not share data with advertisers.
3. How we use this information
| Purpose | Data used |
|---|---|
| Operating the service (storing your content, signing you in, syncing across your devices) | Account info, content you save, device tokens |
| AI features (search, summarisation, transcription, suggested labels, the Cora help assistant) | Content you save, search queries |
| Matching mentioned people to your contacts | Contacts (if granted) |
| Remembering where notes were taken | Location (if granted) |
| Sending reminders and notifications | Push token, account info |
| Rate-limiting and abuse prevention | IP address, timestamp |
| Diagnosing crashes and bugs | Diagnostic data (if you opt in) |
Our legal bases under GDPR are the performance of our contract with you for operating the service, your consent for optional features (contacts, location, push notifications, diagnostics), and our legitimate interests in preventing abuse and protecting the service.
4. Third-party processors
We work with the following service providers. Each processes your data only on our instructions and under written agreements. Some are based outside the EEA; transfers rely on Standard Contractual Clauses or equivalent safeguards.
| Provider | What they do | What they receive |
|---|---|---|
| Supabase, Inc. (USA) | Database, file storage, authentication | All content you save, account info |
| Vercel, Inc. (USA) | Application hosting, request logs | Request metadata, transient access to content while serving requests |
| Anthropic, PBC (USA) | AI model that powers retrieval, the Cora help assistant, and content suggestions | The text content of your queries and the relevant retrieved items |
| Voyage AI, Inc. (USA) | Generates the search index ("embeddings") that powers retrieval | The text content of items and queries |
| Google LLC (USA) | Transcribes your voice and audio recordings via the Gemini API; extracts text from PDFs and images | Audio files, PDFs, and images you submit for processing |
| Supadata Ltd. (UK) | Fetches transcripts for YouTube URLs you save | URLs you submit |
| Upstash, Inc. (USA) | Rate limiting | An anonymised request key |
| Apple, Inc. (USA) | Push notification delivery | Push tokens, notification payloads |
We do not sell your data and we do not share it with parties other than those listed above.
5. Where your data is stored
Your account information and saved content are stored in databases operated by Supabase in the EU region (Ireland). File uploads (PDFs, images, audio) are stored in Supabase Storage in the same region. Logs are retained transiently on Vercel.
Data is protected in transit by HTTPS and encrypted at rest by Supabase at the storage layer. CRTX is not end-to-end encrypted: Supabase, as our database operator, and CRTX operators have technical access to the contents in order to run the service, perform support, and prevent abuse.
Some processors listed in section 4 are located in the United States; data sent to them is in transit while they generate a response and is governed by their agreements with us, which include EU Standard Contractual Clauses where applicable.
6. Data retention
We retain your content for as long as your account is active. Specifically:
- Saved items, tasks, people, pools: kept until you delete them or until you delete your account.
- Cora help-assistant conversations: retained for 30 days, then automatically deleted.
- Failed-upload rows: automatically deleted within roughly 45 minutes of failing.
- Audio files used for transcription: the transcript is kept; the original audio is deleted after transcription unless you imported it as a playable audio item, in which case it is kept until you delete the item.
- Server logs: Vercel's default retention period applies (typically short, on the order of days).
- Push tokens: kept until you sign out or uninstall the app.
When you delete your account (Settings → Delete Account), we permanently remove your account record, your saved content, your file uploads, your Cora conversations, and your push tokens.
7. Children
CRTX is not directed to children under 16 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.
8. Your rights
If you are in the EEA, the UK, or Switzerland, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete personal data.
- Delete your personal data (the in-app "Delete Account" option will do this; you may also email us).
- Restrict or object to certain processing.
- Receive your data in a structured, machine-readable format (data portability).
- Withdraw consent for optional features at any time.
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, email privacy@crtx.live. We will respond within one month.
Residents of California, Virginia, Colorado, Connecticut, and other US states with comparable privacy laws have similar rights, including the right to know what we collect and the right to delete. Email the same address to exercise them.
9. Security
We use HTTPS for all traffic. Authentication tokens on your device are stored in the iOS Keychain and are not included in iCloud or iTunes backups. Database content is encrypted at rest by Supabase. We restrict internal access to production systems to a small number of people who need it to operate the service.
No system is perfectly secure. If you become aware of a security issue, please email privacy@crtx.live.
10. Changes to this policy
If we make material changes, we will notify you in the app or by email before the changes take effect. The "Last updated" date at the top of this policy reflects the most recent revision.
11. Contact
For any privacy question, write to privacy@crtx.live or to:
Lars Janssen
Dr.-Klaus-Kopfermann-Weg 8
85521 Ottobrunn
Germany