Legal & Data Protection

Privacy Policy.

How CrowAgent Ltd collects, uses, and protects personal data under UK GDPR. Lawful bases, retention, sub-processors, your rights, and ICO contact info.

Last updated: 17 May 2026

At a glance

What this policy covers

CrowAgent Ltd is the data controller for personal data processed through the platform. These are the foundations; the full detail follows below.

ICO Registered Controller

CrowAgent Ltd is registered with the Information Commissioner's Office under the Data Protection (Charges and Information) Regulations 2018.

UK GDPR lawful bases

We process on contract performance, legitimate interests, consent, and legal obligation, each mapped to a specific purpose.

Your rights, supported

Access, rectification, erasure, restriction, portability, and objection, exercised through our DSAR procedure.

Transparent AI handling

We use Google Gemini and Anthropic Claude as AI sub-processors. No personal data is used to train their foundation models.

Full policy

The detail, in full

Every clause below is written for clarity. Jump to any section, or contact our Data Protection Officer with a question.

Data controller

CrowAgent Ltd, a private company limited by shares incorporated in England and Wales, is the data controller for personal data processed through the CrowAgent platform.

CrowAgent Ltd (the "Company", "we", "us", or "our") is committed to protecting and respecting your privacy. This policy (together with our terms of use and any other documents referred to on it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us.

For data-protection enquiries: [email protected]

ICO data-controller registration

CrowAgent Ltd is registered as a data controller with the UK Information Commissioner’s Office (ICO) in accordance with the Data Protection (Charges and Information) Regulations 2018. The registration can be verified on the ICO public register by searching for “CrowAgent Ltd”. Companies House No. 17076461.

Data we collect

We may collect and process the following data about you:

  • Account data: Information that you provide by filling in forms on our site or via our application (app.crowagent.ai). This includes email address, full name, and password hash (via Supabase Auth).
  • Property data: Postcodes and address filters you submit for EPC lookups, MEES compliance checks, and SECR reporting. This is essential for the CrowAgent Core platform foundation.
  • Social Value data: Procurement descriptions, National TOMs selections, and submissions you enter for PPN 002 scoring and CrowMark narrative generation.
  • Usage data: Details of your visits to our site including, but not limited to, traffic data, location data, weblogs and other communication data, API call counts, feature usage events, timestamps, and subscription plan.
  • Billing data: Stripe customer ID and subscription status. We do not store raw card numbers; these are handled directly by Stripe.
  • Technical data: IP address, browser type, and error telemetry (collected by Sentry).
  • Analytics data: Page views and feature interaction events (collected by PostHog with your consent).

How we use your data

We use information held about you in the following ways:

  • To provide the CrowAgent service, including CrowAgent Core, CrowMark, and CrowESG features such as authentication, EPC lookups, MEES checks, and Social Value scoring based on National TOMs.
  • To process billing and maintain financial records through Stripe.
  • To improve the product through aggregate analytics and user feedback (consent-gated via PostHog).
  • To monitor and fix errors, ensuring service stability (via Sentry).
  • To provide you with information, products or services that you request from us or which we feel may interest you, where you have consented to be contacted for such purposes.

Data retention

We retain personal data only for as long as necessary for the purposes set out in this policy, in line with UK GDPR Article 5(1)(e) (storage limitation). When we no longer need your personal data, we will securely delete or anonymise it.

Data category | Retention period | Basis
Account data | Purged within 30 days of account deletion | UK GDPR Art 17
Financial / invoice records | Up to 7 years (anonymised audit trail) | UK HMRC requirement
Usage events | 13 months | Product analytics
EPC lookup cache | 30 days | Performance & cost
Error logs (Sentry) | 90 days | Diagnostics
Session replay (Sentry) | 30 days | Diagnostics
Analytics (PostHog) | 12 months | Aggregate insights

Your rights under UK GDPR

You have the following rights in respect of personal data we hold about you. To exercise any right, see the DSAR procedure below.

  • Right to access (Art 15): You have the right to ask us for copies of your personal information.
  • Right to rectification (Art 16): You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • Right to erasure (Art 17): You have the right to ask us to erase your personal information in certain circumstances.
  • Right to restriction (Art 18): You have the right to ask us to restrict the processing of your personal information in certain circumstances.
  • Right to portability (Art 20): You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
  • Right to object (Art 21): You have the right to object to the processing of your personal information in certain circumstances.
  • Withdraw consent (Art 7(3)): For consent-based processing, you can withdraw your consent at any time.
  • Lodge ICO complaint (Art 77): You have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO).

Data Protection Officer

Our Data Protection Officer is the canonical contact for all data-protection enquiries, subject access requests, erasure requests, and incident notifications. You can contact our DPO for any matter related to CrowAgent Core, CrowMark, or CrowESG data handling.

Contact the DPO

Email: [email protected] | [email protected]

Cookies

CrowAgent sets a minimal set of cookies. Analytics and non-essential cookies are gated behind explicit consent (PECR & UK GDPR). Essential cookies are required for the platform to function correctly.

  • Supabase Auth: Session cookies for sign-in. (No consent required - essential for service)
  • PostHog: Product analytics and feature flags. (Consent required)
  • Stripe: Billing session and fraud prevention. (No consent required - essential for service)

Sub-processors

We engage the following third-party sub-processors to operate the service. A Data Processing Agreement (DPA) is available on request. We ensure that all sub-processors provide sufficient guarantees to implement appropriate technical and organisational measures.

  • Supabase (EU): Database, authentication, object storage. Essential for CrowAgent Core data residency.
  • Railway (EU): Application hosting for the CrowAgent backend and AI engines.
  • Vercel (Edge): Frontend hosting for app.crowagent.ai.
  • Cloudflare (Edge): DNS, CDN, DDoS protection, and Turnstile bot challenges.
  • Stripe (US/EU): Payment processing and subscription management.
  • PostHog (EU): Product analytics and session recording.
  • Sentry (US): Error monitoring and performance tracking.
  • Brevo (EU): Transactional and marketing email delivery.
  • Google Gemini (US): AI narrative generation for CrowMark social value drafts based on National TOMs.
  • Anthropic, Claude (US): AI narrative generation for drafting compliance content, including CrowMark social value bid narratives and CrowESG report drafting, from the inputs you provide.

International data transfers

Where personal data is transferred outside the UK, we rely on UK IDTA or EU SCCs + UK Addendum, adequacy decisions, or documented Transfer Risk Assessments (TRAs). This ensures that your data receives an equivalent level of protection to that provided under UK law.

Automated decisions & AI

In accordance with Article 22 UK GDPR, we confirm that CrowAgent does not make any decision about you that is based solely on automated processing and that produces legal effects. CrowAgent uses AI models from Google (Gemini) and Anthropic (Claude) to draft compliance content, such as social value narratives based on TOMs data and ESG report drafts. All such outputs are advisory and must be reviewed and signed off by a human before use.

Subject Access Request (DSAR) procedure

You can exercise your data-subject rights (Articles 15-21 UK GDPR) by emailing [email protected] with the subject line “DSAR, [type of request]”. Please include the email address associated with your CrowAgent account and a brief description of the request. We will verify your identity where necessary and respond within one calendar month of receipt.

Google Gemini DPA

CrowMark uses Google Gemini 1.5 Flash to assist with drafting Social Value narratives. We have signed Google’s Cloud Data Processing Addendum (DPA) to ensure data protection. Prompts and completions submitted via our API are not used to train Google's foundation models, and PII is stripped at the prompt boundary to maintain anonymity.

Anthropic (Claude) AI processing

CrowAgent uses Anthropic's Claude models as an AI sub-processor to generate and draft compliance content from the data you provide, including CrowMark social value bid narratives and CrowESG report drafting.

What data is sent

The compliance inputs you enter for the task, such as procurement descriptions, National TOMs selections, and ESG figures. This data is sent to Anthropic only to produce your draft output. We do not send account credentials or billing details to Anthropic.

How it is used

The inputs are processed only to generate your draft output, which is returned to you. You review and edit every output before use; AI drafts are advisory and are not a final compliance decision.

Anthropic acts as a data processor on our behalf under our agreement with them. Where data is transferred outside the UK, we rely on the transfer safeguards set out in the "International data transfers" section above.

Sentry retention & error scrubbing

We use Sentry for error monitoring to ensure the stability of CrowAgent Core and other platform modules. Error events are retained for 90 days, and session replays are retained for 30 days. The Sentry SDK is configured to scrub sensitive keys such as passwords and tokens before they are transmitted from your browser.

Contact & ICO complaint

Company: CrowAgent Ltd
Companies House: No. 17076461
Registered office: Reading, Berkshire, RG1 6SP, GB
Data Protection: [email protected]

CrowAgent Ltd. Companies House No. 17076461. Registered office: Reading, Berkshire, RG1 6SP, GB.

If you are not satisfied with our response to a data protection request, you have the right to complain to the UK Information Commissioner’s Office (ICO).

ICO Website: ico.org.uk/make-a-complaint | Helpline: 0303 123 1113 | Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.