1. Overview
Cremit Inc. ("Cremit", "we", "us") respects your privacy. This Privacy Policy describes how we collect, use, disclose, and protect personal information in connection with our website, marketing activities, and the Cremit Non-Human Identity security platform (the "Services").
This Policy applies to information we process as a controller — for example, information collected from website visitors, prospects, and account administrators. When we process personal data contained in Customer Data (data our customers submit to the Services), we act as a processor on our customer's behalf; the customer's own privacy notice and any Data Processing Addendum (DPA) with Cremit govern that processing.
2. Information We Collect
2.1 Information You Provide
- Account information: name, work email, company name, role, and password (hashed).
- Billing information: processed by our payment provider; we retain records of invoices and transactions, not full card numbers.
- Communications: messages you send us via email, support tickets, contact forms, or demo requests.
- Event and webinar registrations: the information you submit when registering.
2.2 Information Collected Automatically
- Usage data: pages viewed, features used, referring URLs, click paths, and approximate session duration.
- Device and log data: IP address, browser type, operating system, device identifiers, and timestamps.
- Cookies and similar technologies: see our Cookie Policy for details.
2.3 Information from Third Parties
We may receive information from partners and service providers — for example, enrichment data about a business from B2B data providers, or analytics from traffic-acquisition platforms. We do not purchase personal information about individual consumers.
3. How We Use Information
We use personal information for the following purposes:
- to provide, maintain, secure, and improve the Services;
- to create and manage accounts and respond to support requests;
- to send transactional messages (account, security, billing);
- to send marketing communications where permitted by law, with the ability to opt out;
- to detect, prevent, and investigate fraud, abuse, and violations of our Terms;
- to comply with legal obligations and enforce our agreements;
- to conduct analytics and research that help us understand how the Services are used.
Our legal bases for processing (where GDPR applies) include: performance of a contract, legitimate interests (e.g., securing the Services, direct marketing to business contacts), consent (where required), and compliance with legal obligations.
5. Service Providers & Subprocessors
We rely on a small, carefully selected set of subprocessors. The current categories include:
- Cloud hosting & infrastructure (e.g., AWS, Vercel) — to run the Services and the marketing website.
- Content management (e.g., Sanity) — for blog, documentation, and marketing content.
- Customer relationship management (e.g., Attio) — to manage sales inquiries and demo requests.
- Email & support — for transactional and marketing email, and customer support ticketing.
- Analytics (e.g., Google Analytics via GTM, Ahrefs Analytics, Apollo.io Website Tracker, Vercel Analytics) — to understand traffic and improve content.
- Scheduling (Calendly) — for demo and meeting bookings.
- Status & uptime (Instatus) — to publish service status updates.
A current list of subprocessors is available on request. Each subprocessor is bound by obligations materially no less protective than those in this Policy and, where applicable, our DPA.
6. International Data Transfers
Cremit is headquartered in the Republic of Korea. We and our subprocessors may process personal data in countries other than your country of residence, including the United States and the European Economic Area.
Where personal data is transferred from the EEA, the UK, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or other transfer mechanisms permitted by applicable law. Where data is transferred from or to the Republic of Korea, we comply with the Personal Information Protection Act (PIPA) requirements for cross-border transfers.
7. Data Retention
We retain personal information for as long as needed to fulfill the purposes described in this Policy, including providing the Services, meeting legal and accounting obligations, resolving disputes, and enforcing our agreements. Typical retention periods:
- Account data: for the duration of the account and up to 3 years after closure, unless a longer period is legally required.
- Billing records: up to 5 years from the date of the transaction, or longer where required by tax or accounting law.
- Support tickets and communications: up to 3 years after resolution.
- Web analytics and cookie data: up to 26 months.
- Security logs: up to 1 year, subject to incident-investigation needs.
When information is no longer needed, we delete or anonymize it, subject to technical limitations of backups and legal-hold obligations.
8. Security
We implement administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit (TLS 1.2+) and at rest, role-based access controls, logging and monitoring, vendor due diligence, and employee security training. Despite our controls, no system is perfectly secure; if we become aware of an incident that affects your personal data, we will notify you as required by applicable law.
9. Your Rights & Choices
Depending on where you live, you may have the following rights with respect to your personal information:
- access to the personal information we hold about you;
- correction of inaccurate or incomplete information;
- deletion of personal information;
- objection to, or restriction of, certain processing;
- data portability;
- withdrawal of consent (without affecting the lawfulness of prior processing);
- the right to lodge a complaint with a supervisory authority.
To exercise these rights, contact privacy@cremit.io. We will respond within the timeframe required by applicable law. You can unsubscribe from marketing email at any time via the "unsubscribe" link in our messages.
10. Region-Specific Disclosures
10.1 European Economic Area, UK, Switzerland
Cremit is the data controller for personal data processed under this Policy. You have the rights described in §9 under the GDPR and UK GDPR, and may lodge a complaint with your local data protection authority.
10.2 Republic of Korea
For purposes of the Korean Personal Information Protection Act (PIPA), Cremit is the 개인정보처리자 (personal information controller). You have the rights to access, correction, deletion, and suspension of processing as described in §9. You may submit inquiries, complaints, or damage-relief requests through our Data Protection Officer (see §13).
10.3 California
California residents have the rights described in §9 under the California Consumer Privacy Act (CCPA) / CPRA. We do not sell personal information, and we do not knowingly "share" personal information for cross-context behavioral advertising as defined by the CPRA.
11. Children's Privacy
The Services are intended for business users over the age of majority in their jurisdiction. We do not knowingly collect personal information from children under 16. If you believe a child has provided personal information to us, please contact privacy@cremit.io and we will take steps to delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide notice (for example, by email or in-product notice) before the changes take effect. The "Last reviewed" date at the top of this page always reflects the most recent version.
13. Contact
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: