Privacy Policy

CRATrust (“CRATrust”, “we”, “our”, “us”) operates the website cratrust.com and the CRATrust compliance platform.

We are the data controller for personal data collected through our website and waitlist. Questions about this policy should be directed to: [email protected].

Waitlist and contact forms: When you join our beta waitlist or contact us, we collect your full name, work email address, and company name. This is the minimum required to manage your access request and communicate with you.

Usage data: We collect standard web server logs including IP address, browser type, pages visited, and timestamps. This data is used for security, debugging, and aggregate analytics only.

Cookies: We use essential cookies required for the website to function. We do not use advertising cookies or cross-site tracking.

We process your personal data under the following lawful bases (GDPR Article 6):

• Legitimate interest (Art. 6(1)(f)): Web server logs and security monitoring.
• Pre-contractual steps / contract performance (Art. 6(1)(b)): Processing waitlist and contact form submissions to respond to your access request.
• Consent (Art. 6(1)(a)): Any optional marketing communications. You can withdraw consent at any time.

• To process and respond to beta access requests
• To contact you about your account or platform updates
• To communicate the transition from beta to paid plans (with advance notice)
• To maintain the security and integrity of our systems
• To comply with legal obligations

We do not sell your data. We do not use your data for advertising.

We share personal data only with processors who assist us in operating the platform. All processors are contractually bound to process data only on our instructions and in compliance with GDPR. Current processors include cloud infrastructure and email delivery services. All data is processed within the European Economic Area (EEA).

We do not transfer your personal data outside the EEA. If this changes, we will update this policy and implement appropriate safeguards (e.g., Standard Contractual Clauses).

Waitlist data is retained until you withdraw from the waitlist or request deletion, or for a maximum of 24 months from your last interaction with us.

Server logs are retained for 90 days for security purposes, then deleted.

You have the following rights regarding your personal data:

• Access: request a copy of the data we hold about you
• Rectification: request correction of inaccurate data
• Erasure: request deletion of your personal data
• Restriction: request that we restrict processing
• Portability: receive your data in a machine-readable format
• Object: object to processing based on legitimate interest
• Withdraw consent: at any time, where consent is the basis

To exercise any of these rights, email [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the supervisory authority in your EU member state.

We implement appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, and disclosure. All data in transit is encrypted using TLS 1.2 or higher. Access to personal data is restricted to employees and contractors who need it to perform their roles.

We may update this policy from time to time. We will notify you of material changes via email (if you are on our waitlist) or by posting a prominent notice on our website. The effective date at the top of this page will reflect when changes take effect.

For any privacy-related questions or to exercise your rights, contact us at: [email protected]

CRATrust
[email protected]