Privacy Policy

Last updated: 5/18/2026. This policy describes how Crew Orbit (https://crew-orbit.com) processes personal data in connection with the service as implemented today. The legal entity named in our Legal Notice is the controller for this offering.

1. Scope and roles

This policy covers the Crew Orbit web application, API, and related background processing (including AI-assisted workflows). Where we integrate third-party processors (cloud hosting, authentication, payments, AI providers), their processing is described below.

For our own website, account, billing, and service operations, Forge Labs UG acts as the controller. For customer content processed on behalf of team organizations (for example task content, repository context, prompts, attachments, and generated outputs within a workspace), we generally act as a processor and the customer organization acts as the controller. Our Data Processing Agreement (DPA) is available for business customers.

2. Categories of personal data

  • Account and profile: identifiers and profile data from our identity provider and your profile (e.g. user id, email, display name, avatar).
  • Organization and collaboration: organization and project memberships, roles, invitations, and settings needed for multi-user workspaces.
  • Product usage content: tasks, descriptions, comments, feedback you submit, file attachments you upload, and metadata about runs and workflows.
  • Credentials you configure: secrets such as Git or AI provider tokens that you store for a project — stored encrypted server-side (see Security).
  • Technical data: logs, diagnostics, IP addresses, user-agent and request metadata, security and rate-limiting records, and similar data generated when you use the service.
  • Billing (team organizations): where applicable, billing-related data processed by Stripe (e.g. customer, subscription, payment method metadata) in accordance with Stripe's policies.

3. Purposes and legal bases (summary)

Key GDPR legal bases include:

  • Account creation, authentication, workspace access, and core service delivery: Art. 6(1)(b) GDPR (performance of a contract or pre-contractual steps).
  • AI-assisted workflows you trigger: Art. 6(1)(b) GDPR for direct service delivery; where we process customer content on behalf of a team organization, we do so under that customer's instructions as processor.
  • Security logging, abuse prevention, service integrity, and reliability improvements: Art. 6(1)(f) GDPR (legitimate interests in securing and operating the service).
  • Billing, invoicing, tax, and fraud-prevention compliance: Art. 6(1)(b) and, where applicable, Art. 6(1)(c) GDPR.

Our legitimate interests under Art. 6(1)(f) GDPR include securing the service, preventing abuse, investigating incidents, and ensuring reliable operation for all customers.

Where additional laws apply, we rely on the corresponding legal basis required for the relevant processing activity.

4. Hosting, storage, and locations

Deployed environments are hosted on Amazon Web Services (AWS). The primary region is EU (Frankfurt), AWS region eu-central-1, as defined in this product's deployment configuration.

Major storage components include:

  • Amazon DynamoDB — application data (users, organizations, projects, tasks, runs, workflow state, encrypted credential payloads, attachments metadata, feedback, notifications, integrations, etc.).
  • Amazon S3 — object storage for avatars, feedback images, task attachments (original files and optimized text extracts used for AI context), and worker-generated artifacts (e.g. logs and outputs from AI job execution).
  • Amazon Cognito — authentication for end users.
  • Amazon SQS — queues for asynchronous jobs (e.g. account deletion, attachment optimization pipeline).
  • AWS Batch (Fargate) — isolated compute for AI workers that clone your repositories and call external AI tools.

Third-party AI providers (for example providers supported by the product such as Anthropic, OpenAI, Cursor, or GitHub Copilot) may process prompts and code context outside our AWS account, under their own terms and locations. In the current product design, the AI provider used for a workspace is determined by credentials and settings configured by the customer in that workspace; we do not currently supply a separate proprietary default model on your behalf.

Where personal data is transferred outside the EEA/UK/Switzerland, we rely on an appropriate transfer mechanism such as an adequacy decision or the European Commission's Standard Contractual Clauses (SCCs), together with supplementary measures where required.

5. Security measures

  • Encryption in transit: HTTPS between clients and our API / frontend (e.g. TLS termination at the load balancer / CDN).
  • Encryption at rest: DynamoDB uses AWS-managed encryption; S3 buckets use server-side encryption (AWS-managed keys in our infrastructure code).
  • Project credentials: In production and QA, stored secrets are encrypted with AWS KMS before persistence; decryption is performed only server-side for authorized operations (e.g. dispatching a run). Plaintext secrets are not returned to the browser — the API exposes masked values only.
  • Development / test builds may use alternative encryption or test keys; do not use production secrets in non-production environments.
  • Access control: API requests use authenticated sessions (Cognito JWT); organization and project permission checks enforce access to resources. Dedicated worker endpoints use a separate service token.
  • Rate limiting and security headers are applied on the API to reduce abuse (see product security documentation).

6. Retention and deletion

Account deletion: You can request deletion from account settings. The account enters a deleting state; a background job cancels active work, transfers or deletes projects you own (per your choices), removes memberships, deletes feedback and related images, removes or winds down organizations as applicable, deletes your avatar object, and marks the account deleted. A scheduled job permanently removes accounts that have been in the deleted state for longer than the configured grace period (default 14 days), including deletion of the identity record in Cognito. During the grace period you may be able to restore the account where the product allows it.

Data export: The in-product export includes profile, project memberships (with project names and roles), and your feedback records. It does not include other users' data, full project/task content, credentials, or detailed AI run outputs — those may require separate procedures.

Project deletion: Deleting a project removes associated tasks, run / execution records, project settings, project memberships, and stored credentials for that project from our databases. Deleting an individual task triggers cleanup of attachments tied to that task in object storage.

Team organization deletion: Deleting a team organization (where the product allows it) removes its projects and related data, organization settings, org-level credentials, roles, memberships, and subscription records from our application database.

Attachments: Attachment records may include time-limited metadata for failed or transient states (automatic expiry in DynamoDB). Optimized extracts and originals persist until removed by user/project lifecycle actions or operational cleanup consistent with the above.

Operational logs: Routine application and infrastructure logs are typically retained for 30 days in non-production environments and up to 90 days in production, unless a longer period is required to investigate abuse, security incidents, or legal claims.

Queue metadata: Certain asynchronous processing records (for example queue retention windows) may persist for up to 14 days before expiry or cleanup.

Backups and recovery: Some production data stores use AWS point-in-time recovery or similar backup features while active. Backup copies and recovery points may persist for a limited period beyond primary deletion, subject to cloud-provider controls and operational necessity.

7. Subprocessors

Current categories of recipients and subprocessors include:

  • Amazon Web Services (hosting and related cloud services) — EU (Frankfurt) primary.
  • Stripe — payment processing for team subscriptions where enabled.
  • AI and developer-tool providers you enable — processing of prompts and repository content on their infrastructure.
  • Git hosts (e.g. GitHub, GitLab) when you connect repositories — per your configuration.

We maintain a public subprocessor list at /subprocessors and may update it as our infrastructure and integrations evolve.

8. Your rights

Depending on your jurisdiction (including GDPR where applicable), you may have rights to access, rectify, erase, restrict or object to certain processing, to data portability, and to lodge a complaint with a supervisory authority. If our establishment in Lower Saxony, Germany is relevant to your complaint, you may also contact the Landesbeauftragte für den Datenschutz Niedersachsen. Use the contact below first where possible; we may need to verify your identity.

9. Cookies and local storage

We use browser local storage for essential product functions — for example keeping your session tokens (via the app's auth store) and UI preferences such as theme (light/dark). These are not used for third-party advertising in the product implementation described here. Additionally, Stripe may set essential cookies necessary for payment processing and fraud prevention; these do not require consent.

10. AI Data Usage

We process your prompts, codebase context, and files to provide the AI engineering service. Our policy regarding AI data is as follows:

  • Storage: Prompts and AI outputs are stored in our databases (DynamoDB) and object storage (S3) to maintain your task history and enable the self-correcting workflow.
  • Training: We do not use your prompts, code, or data to train our own AI models. We use enterprise/paid APIs for third-party AI providers (e.g., Anthropic, OpenAI), which explicitly prohibit using customer data for training their foundation models.
  • Retention: AI inputs and outputs are retained as part of your project data until you delete the task, project, or your account.
  • Human Review: We do not routinely review your AI prompts or generated code. Human review by our staff only occurs if you explicitly request support or if required to investigate a security incident or terms violation.

11. Children

The service is intended for professional use and is not directed at children. We do not knowingly collect personal data from children under 16.

12. Contact

Privacy and data protection inquiries: info@crew-orbit.com.

We do not currently designate a formal Data Protection Officer unless and until legally required, but privacy requests sent to this address are routed to the responsible team.

This policy summarizes technical behavior reflected in the product codebase and infrastructure. It is not legal advice. Final wording should be reviewed by qualified counsel, especially for enterprise customers, DPAs, and jurisdiction-specific obligations.
