Privacy Policy

Introduction

This Privacy Policy describes how mycrux. Private Limited ("Cruxy", "we", "us", "our") collects, uses, shares, and protects information about you when you visit cruxy.in or use any service provided under the Cruxy brand (the "Service"). It also explains the rights you have over your information and how to exercise them.

We are committed to protecting your privacy and to handling your personal data lawfully and transparently. We comply with India's Digital Personal Data Protection Act, 2023 (the "DPDP Act") and apply privacy-by-design principles in how we build the Service. Where users access the Service from outside India, we apply the same standards consistently rather than diluting them by jurisdiction.

This policy applies to the marketing site at cruxy.in and the waitlist signup process available there. It will be updated to cover the full Cruxy product, including AI services, account management, and billing, before those features launch publicly. The disclaimer banner at the top of this page reflects the pre-launch state.

Please read this policy carefully. If you do not agree with how we handle your information, you should not use the Service. By using the Service, you confirm that you have read, understood, and accepted this policy.

Who we are

Cruxy is a product being built by mycrux. Private Limited, an Indian private limited company incorporated in Andhra Pradesh. Our Corporate Identification Number (CIN) is U47912AP2025PTC121345.

For all matters related to your personal data - including questions about this policy, requests to exercise your rights, and complaints - you may contact us at cruxy@mycrux.in. We aim to respond within 30 days of receiving any data-related request, and sooner where required by law.

mycrux. Private Limited is the "data fiduciary" under the DPDP Act for the personal data we process about you. This means we determine the purposes and means of processing and are responsible for compliance.

Information we collect

We collect information in three ways: information you provide directly to us, information we collect automatically when you use the Service, and information we receive from third parties. The categories below describe what we collect today on the marketing site. Categories will expand when the full product launches, and this policy will be updated to reflect that.

Information you provide directly

When you interact with the Service, you may provide us with:

• Email address. Required when signing up for the Cruxy waitlist or submitting a contact form. We use this to confirm your signup, send the access invitation when Cruxy launches, and respond to any inquiry.
• Full name. Optional on the waitlist form, required on the contact-sales form. Helps us address you correctly and route inquiries.
• Company name and website. Required on the contact-sales form, used to understand who is reaching out and prepare relevant responses.
• Country. Required on the contact-sales form, used to route to the appropriate sales region and apply correct currency assumptions.
• Use case description. Free-text field on the contact-sales form describing what you intend to build with Cruxy. Helps us prepare a relevant response.
• Expected volume and timeline. Selection fields on the contact-sales form, used to prioritize follow-up.
• Any additional information you choose to share in free-text fields, support emails, or social-media outreach.

You are not legally required to provide any of this information, but without it we cannot add you to the waitlist or respond to your sales inquiry. Providing false information may cause us to suspend or remove your records.

Information collected automatically

When you visit cruxy.in, we automatically collect a limited set of technical information necessary to operate the site, prevent abuse, and understand aggregate usage patterns:

• User agent string. The identifier sent by your browser describing the browser version, operating system, and device type. We use this for compatibility, security, and aggregate analytics.
• Approximate country. Derived from your IP address by our infrastructure provider Cloudflare and exposed to us as a country code only. We do not store the full IP address in our database.
• Server logs. Standard request logs containing timestamps, requested URLs, response status codes, and user-agent strings. Logs are retained for a maximum of 30 days, then aggregated or deleted.
• Referrer information. The URL that referred you to our site, where your browser sends it. Helps us understand how visitors find Cruxy.

Information we explicitly do not collect

To set clear expectations, we want to be specific about what we do not do:

• We do not use third-party advertising trackers, advertising pixels, or marketing cookies on our marketing site.
• We do not currently use Google Analytics, Facebook Pixel, or similar profiling services.
• We do not collect biometric data, health data, financial account information, or government-issued ID numbers through the marketing site.
• We do not buy lists of email addresses or other personal data from data brokers.
• We do not track you across other websites you visit.

When the full Cruxy product launches, additional categories of information will become relevant - usage telemetry, billing details, API call logs, and content you submit to the AI service. This policy will be updated before those features go live, and you will be notified.

How we use your information

We use the information we collect for clearly defined purposes. We do not use your information for purposes incompatible with what we describe here.

To provide the Service

We use your email address to add you to the waitlist, send the confirmation email, and notify you when Cruxy access opens. If you submit a contact-sales form, we use the information to research your inquiry and respond to it. These are the core operational uses without which the Service cannot function.

To communicate with you

We may send you transactional emails directly related to your interaction with us - for example, confirming a waitlist signup, replying to a contact-sales submission, or notifying you of material changes to this policy. We do not send marketing emails to people who have not specifically signed up for marketing communications. The waitlist itself is not a marketing list; it is a launch-notification list.

To improve the Service

We analyze aggregate, non-identifying usage patterns to understand how visitors use the marketing site and where we can make it better. This includes things like which pages get the most traffic, how long visitors stay, and what device types they use. We do not analyze individual user behavior unless we are responding to a specific inquiry from that user.

To prevent abuse and fraud

We use limited technical information (user-agent strings, request patterns, country signals) to detect and block automated signups, denial-of-service attacks, and other abuse. This is essential to keep the Service running for legitimate users and to protect our infrastructure.

To comply with law

Where Indian law requires us to retain, disclose, or share information - including in response to lawful requests from courts, regulators, or law enforcement - we will do so. We will not share your information with government authorities outside such lawful processes.

What we will not do with your information

• We will not sell your personal data to anyone.
• We will not share your data with third parties for their own marketing purposes.
• We will not use your data to train AI models without your specific, separate consent - and never as part of the marketing site or waitlist.
• We will not surveil, profile, or score you in ways that materially affect your access to our Service or to third-party services.

Legal basis for processing

The DPDP Act requires us to process personal data only with a clear legal basis. We rely on the following bases:

• Your consent. When you submit a form on our site (waitlist, contact sales), you are providing consent for us to use your information for the purposes described at the point of collection. Consent is freely given, specific, informed, and you may withdraw it at any time.
• Performance of a service. Once you have signed up, processing your information to deliver the service you requested (sending the confirmation email, notifying you when access opens) is necessary to perform what you asked us to do.
• Legitimate purposes. Limited processing for security, fraud prevention, system administration, and aggregate analytics is permitted as a "legitimate use" under the DPDP Act because it is necessary for operating the Service safely and these uses do not override your reasonable privacy expectations.
• Compliance with law. Where Indian law obligates us to process or retain specific information, we do so to comply with that obligation.

Where we rely on your consent, you may withdraw it at any time by emailing cruxy@mycrux.in. Withdrawal of consent does not affect the lawfulness of processing before withdrawal but will stop further processing of your data for the purpose you withdrew consent for.

Who we share with

We share your personal data only with carefully selected service providers that help us operate the Service, and only to the extent necessary. Our current sub-processors are:

Resend (transactional email)

When you sign up for the waitlist or submit a contact form, we use Resend to deliver the confirmation email or routing email. Resend processes your email address, full name (if provided), and the message content. Resend is a Delaware-registered company; their privacy policy is at resend.com/legal/privacy-policy.

Cloudflare (CDN, security, DNS)

Our site is delivered through Cloudflare, which routes requests, caches static assets, blocks attacks, and provides DNS. Cloudflare may temporarily process IP addresses, request headers, and country signals to perform these functions. Cloudflare's privacy policy is at cloudflare.com/privacypolicy.

Hostinger (server and database hosting)

Our application servers and database run on Hostinger's infrastructure. Hostinger has access to the underlying systems hosting your data but does not access the data itself in normal operations. Hostinger's privacy policy is at hostinger.com/privacy-policy.

Future sub-processors

When the full product launches, we will engage additional sub-processors for services such as payment processing, AI inference infrastructure, and customer support. We will update this policy and the sub-processor list before we begin sharing data with any new sub-processor.

Other disclosure

We may also disclose your information in the following situations:

• Legal compliance. Where required by law, court order, or government request that meets the standards of the DPDP Act and applicable Indian law.
• Protection of rights. To enforce our terms, protect Cruxy's or others' rights and safety, or prevent fraud and security incidents.
• Business transfers. In the event of a merger, acquisition, or sale of all or substantially all of mycrux. Private Limited's assets, your information may be transferred to the acquiring entity, subject to confidentiality obligations and your continued rights under this policy.

We do not sell, rent, or trade your personal data. There is no Cruxy revenue model that depends on monetizing your data.

International transfers

Cruxy's primary infrastructure is in India. Some of our sub-processors operate globally and may process data outside India. Where this happens, we rely on the contractual obligations these providers have under their own terms of service to maintain security and confidentiality standards. We assess each provider's privacy practices before engaging them.

When the DPDP Act's cross-border transfer restrictions are formally activated (the Government of India has the power to designate countries to which transfers are restricted), we will reassess our sub-processor relationships and update them as needed.

Data retention

We retain personal data only as long as necessary for the purposes described in this policy. Specific retention periods:

• Waitlist entries. Retained until product launch and for an additional 12 months after the access invitation is sent. After that, entries are deleted unless you choose to remain in contact through other means.
• Contact sales submissions. Retained for 24 months from the date of submission, after which they are deleted unless they have become part of an active business relationship.
• Email correspondence. Retained for 24 months in our email service, after which it is archived or deleted in line with reasonable business practice.
• Server logs. Retained for a maximum of 30 days at full fidelity, then either deleted or aggregated into non-identifying statistics.
• Backups. Database backups are retained for 30 days as a security measure. Data deleted from active systems is also removed from backups within this period.

You may request earlier deletion of your information at any time by contacting us. We will comply unless a legal obligation requires us to retain it for longer.

Your rights

The DPDP Act gives you specific rights over your personal data. We honor these rights regardless of where you are located, applying the highest standard.

Right to access

You may request a copy of the personal data we hold about you, the purposes of processing, the categories of recipients with whom it has been shared, and the retention period.

Right to correction

You may ask us to correct any personal data that is inaccurate, incomplete, or misleading.

Right to erasure

You may request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw consent, or when the processing is unlawful. We will comply unless we have a legal obligation to retain it.

Right to grievance redressal

If you believe we have not adequately addressed a request or complaint, you may escalate to the Data Protection Board of India, which is being established under the DPDP Act.

Right to nominate

You may nominate another individual to exercise your rights in the event of your death or incapacity.

How to exercise your rights

To exercise any of these rights, send an email to cruxy@mycrux.in with the subject line "Data subject request" and include enough information for us to identify you (typically the email address you used). We will respond within 30 days. There is no cost to exercise these rights, except in cases of clearly excessive or repeated requests, where we may charge a reasonable administrative fee.

We will not retaliate against you for exercising your rights. Exercising your rights does not affect any other dealings you have with us.

Security

We use industry-standard security measures to protect your information:

• TLS encryption for all data in transit between your browser and our servers.
• Encrypted storage at rest in our database.
• Strict access controls - only authorized personnel can access production systems, and access is logged.
• Secrets and credentials are kept out of source control and rotated when team members change.
• Regular security updates to operating systems, runtimes, and dependencies.
• Backup procedures with encrypted storage.
• Incident response procedures for handling security events.

No system is perfectly secure, and we cannot guarantee that information will never be accessed by unauthorized parties. We will notify affected users of a security incident that materially affects their personal data, in line with timing and content requirements of the DPDP Act, generally within 72 hours of becoming aware.

You play a part in security too. Use a strong, unique email password, do not share confirmation links from us, and let us know immediately if you receive a suspicious email claiming to be from Cruxy or mycrux..

Children's privacy

Cruxy is not directed at children under the age of 18. We do not knowingly collect personal data from children. The DPDP Act requires verifiable parental consent for processing the personal data of children, and our marketing site does not implement such consent flows because we do not invite children to use the Service.

If you believe we have inadvertently collected information from a child, contact us at cruxy@mycrux.in and we will delete it.

Cookies

We use only strictly necessary cookies on the marketing site. These cookies are essential for the site to function and cannot be disabled without breaking the site. They include:

• A session identifier required for form submissions to be associated with the same browser tab.
• A theme preference (dark mode by default) that remembers your choice across visits.

We do not use analytics cookies, marketing cookies, or tracking cookies. We do not embed third-party widgets that set cookies (no Facebook Like buttons, no Twitter share embeds that set cookies, no chatbot widgets that profile you).

If we add analytics in the future, we will choose privacy-respecting providers like Plausible or Fathom that do not use cookies, or we will add a clear cookie consent banner.

AI services and your data

When the full Cruxy product launches, the AI services will process the input you send (prompts, files) to generate responses. Some specific commitments we are making in advance about how that data will be handled:

• Your prompts and outputs will not be used to train Cruxy's models without your explicit, separate consent.
• You will own the outputs you generate, subject to our Usage Policy.
• We will store your conversation history only as long as required to provide the service to you. You will be able to delete it.
• Enterprise customers will have separate data processing agreements (DPAs) with stronger guarantees about data residency, retention, and deletion.

The detailed terms governing AI services will be published as a separate addendum to this policy before AI features become available. The current policy covers the marketing site and waitlist only.

Changes to this policy

We may update this Privacy Policy as Cruxy evolves and as our practices change. When we make material changes, we will:

• Update the "Last updated" date at the top of this page.
• Email subscribers to the waitlist or active users (where the change materially affects them).
• Post a clear notice on cruxy.in for at least 30 days for major changes.

For non-material changes (clarifying language, fixing typos, updating sub-processor links), we will simply update the page without separate notification. The version history of this policy is maintained internally.

Continued use of the Service after a policy change becomes effective constitutes acceptance of the change. If you disagree with the change, you may stop using the Service and request deletion of your data.

Contact us

For privacy questions, data subject requests, or to report a concern:

Email: cruxy@mycrux.in
Subject line: "Data subject request" or "Privacy question" - helps us route quickly.

mycrux. Private Limited
CIN: U47912AP2025PTC121345
Andhra Pradesh, India

If you do not receive a satisfactory response from us, you have the right to lodge a complaint with the Data Protection Board of India once it is operational.