Privacy Policy
1. Introduction
Welcome to crosswind ("we," "us," or "our"). crosswind is a SaaS management platform that helps organizations orchestrate their software ecosystem, optimize costs, ensure compliance, and manage licenses — powered by an AI agent that turns prompts into actions.
This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website and use our services (collectively, the "Service"). It applies to all users worldwide and addresses obligations under the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), and the Israeli Privacy Protection Law, 5741-1981 and its regulations.
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of the Service.
2. Data Controller & Contact Information
crosswind acts as the data controller (under GDPR) and business (under CCPA/CPRA) for the personal information we process through the Service. For any questions, requests, or complaints regarding this Privacy Policy or our data practices, you may contact us at:
- Email: privacy@crosswind.app
If you use crosswind through an organization workspace, your organization's administrators may also determine which integrations are connected, which users can access the workspace, and which organization-scoped logs, approvals, and operational records are visible inside that workspace.
3. Information We Collect
We collect the following categories of personal information:
3.1 Account, Identity & Organization Data
When you create an account, sign in, or are invited to an organization, we collect:
- Full name
- Email address
- Avatar / profile picture URL
- Organization name and membership
- Role within the organization (for example, user, org admin, or system admin)
- Account-state and security flags such as suspension, password-change requirements, and organization-access revocation status
- Invitation and membership-management records associated with your workspace access
Authentication is provided through Supabase Auth. If you sign in with email and password, password handling occurs through that auth stack; we do not store your plaintext password in our application tables.
3.2 Integration & Connected-Service Data
When you connect supported third-party services through the Service, including Google Workspace, Slack, Microsoft 365, Postman, Atlassian, GitHub, Zoom, Figma, and DocuSign, we may collect and store:
- Credentials you authorize or submit, such as OAuth tokens, SCIM/API tokens, service-account or app-credential JSON, and related tenant, directory, organization, or enterprise identifiers
- Provider metadata required to validate and route the integration, such as GitHub mode or provider-specific configuration fields
- User and directory data from connected services, including names, email addresses, account statuses, provider IDs, and last-login or activity timestamps when returned by the provider
- Group, team, channel, workspace, and similar membership information
- Provider response data and metadata needed for normalization, troubleshooting, security review, and display
3.3 AI Agent, Workflow & Usage Data
When you use our AI-powered agent (Agent1), we collect and generate operational records such as:
- Prompts, queries, follow-up replies, and assistant responses
- Generated plans, action proposals, execution logs, step results, statuses, and error messages
- Session messages, commands, events, dialog-state records, compacted summaries, and workflow-memory entries
- Approval and rejection decisions, including reasons supplied by reviewers
- Operational usage metrics, such as timestamps and whether a request used a model-backed or no-model path
Depending on the request, some agent flows are processed by OpenAI and some are resolved through deterministic or no-model paths inside the Service.
3.4 Administrative, Audit & Organization Data
We store organization and administrative records needed to operate and secure the workspace, including:
- Invitations and invitation status
- Role changes, suspensions, organization-member removals, and password-reset or password-change flags
- Organization settings and selected user-interface preferences
- Administrative and organization activity logs
3.5 Billing, Pricing & Commercial Data
The current build includes pricing pages and internal billing/payment tracking tables. If billing-related records are stored for your organization, they may include amount, currency, status, service name, payment date, and related metadata. The current build does not include a self-serve in-app checkout or live invoice-sync integration.
3.6 Technical, Session & Client-Side Data
When you access the Service, we may process technical and session data such as:
- Session and authentication cookies used by Supabase Auth
- Browser, device, and request metadata made available during authentication and request handling, such as timestamps, IP address, and user-agent-like data
- Client-side preference storage used for interface settings such as theme
4. How We Use Your Information
We process your personal information for the following purposes and legal bases:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide, operate, and maintain the Service | Performance of contract |
| Authenticate users and manage sessions | Performance of contract |
| Connect, validate, and synchronize third-party integrations | Performance of contract |
| Process agent prompts, maintain agent sessions, and generate or execute workflow plans | Performance of contract |
| Manage invitations, roles, approvals, organization settings, and account security flags | Performance of contract / Legitimate interest |
| Maintain activity, approval, audit, and operational logs | Legitimate interest |
| Display pricing information and maintain internal billing or payment records, if applicable | Performance of contract / Legitimate interest |
| Investigate issues, secure the Service, and improve features | Legitimate interest |
| Send transactional and service-related communications | Performance of contract |
| Comply with legal obligations | Legal obligation |
5. How We Share Information
We share personal information only as needed to operate the Service, honor your organization's configuration, and comply with law.
5.1 Infrastructure & Authentication
- Supabase — database hosting, authentication, and session management for the Service.
5.2 Artificial Intelligence
- OpenAI — when a request uses a model-backed agent path, relevant prompts and context are sent to OpenAI to help interpret the request and generate responses or plans. Some requests are resolved without an external model call. OpenAI's use of data is governed by OpenAI's Privacy Policy.
5.3 Connected SaaS Integrations
When you connect a third-party service, we access that service's API on your behalf using the credentials you authorize or submit. Data exchanged with these services is governed by each provider's own privacy policy.
5.4 Organization & Administrative Access
Authorized administrators within your organization, and authorized internal administrators where applicable, may access workspace-scoped member records, invitations, integration status, approvals, organization activity logs, and certain agent or session records within the scope permitted by role-based access controls.
We do not sell, rent, or trade your personal information to third parties for their own marketing purposes, and we do not share personal information for cross-context behavioral advertising.
7. Data Security
We implement industry-standard security measures, including:
- Encryption at rest — newly stored integration credentials are encrypted using AES-256-GCM. The Service also supports decryption of certain older legacy records for backward compatibility.
- Encryption in transit — all data transmitted between your browser and our servers is protected by TLS/HTTPS.
- Authentication controls — account authentication and session management are handled through Supabase Auth.
- Row-Level Security (RLS) — database-level policies ensure users can only access data belonging to their organization.
- Approval workflows — destructive or high-impact actions performed by the AI agent require explicit administrator approval before execution.
- Audit logging — administrative and organization actions are logged for accountability and incident response, and sensitive log metadata is redacted where applicable.
While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we continuously review and improve our safeguards.
8. Data Retention
We retain personal information for as long as reasonably necessary to operate the Service, maintain security, support organization administration, and comply with legal obligations. In the current build:
- Account, profile, and organization data — retained while the account or workspace remains active, and may persist in backups or logs for a reasonable period.
- Integration credentials and records — retained while the integration is active; disconnecting an integration deletes the stored integration record and its encrypted credential.
- Agent sessions, job logs, approvals, and operational records — retained until deleted, superseded, or otherwise removed through administrative action or future retention controls. Some agent-memory entries may also carry expiration or superseded timestamps.
- Audit and organization activity logs — retained for security, troubleshooting, and compliance needs.
- Billing and payment records — if present, retained for accounting, audit, and legal purposes.
If you request deletion or account closure, we will process that request subject to legal, security, fraud-prevention, and backup or archival requirements.
9. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence, including the United States and Israel. When we transfer personal data outside the European Economic Area (EEA), the United Kingdom, or Israel, we rely on one or more of the following safeguards:
- EU Standard Contractual Clauses (SCCs) approved by the European Commission.
- Adequacy decisions issued by the European Commission or the Israeli Privacy Protection Authority.
- Other lawful transfer mechanisms recognized under applicable data protection laws.
10. Your Rights Under the GDPR (EEA & UK Residents)
If you are located in the European Economic Area or the United Kingdom, you have the following rights:
- Right of Access — request a copy of the personal data we hold about you.
- Right to Rectification — request correction of inaccurate or incomplete data.
- Right to Erasure ("Right to be Forgotten") — request deletion of your personal data, subject to legal exceptions.
- Right to Restrict Processing — request limitation of processing under certain circumstances.
- Right to Data Portability — receive your data in a structured, commonly used, machine-readable format.
- Right to Object — object to processing based on legitimate interests, including profiling.
- Right to Withdraw Consent — where processing is based on consent, withdraw at any time without affecting prior processing.
To exercise any of these rights, contact us at privacy@crosswind.app. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.
11. Your Rights Under the CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:
- Right to Know — request disclosure of the categories and specific pieces of personal information we have collected, the purposes of collection, and the categories of third parties with whom we share it.
- Right to Delete — request deletion of your personal information, subject to legal exceptions.
- Right to Correct — request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing — we do not sell or share personal information for cross-context behavioral advertising.
- Right to Non-Discrimination — we will not discriminate against you for exercising your privacy rights.
- Right to Limit Use of Sensitive Personal Information — you may request that we limit use of sensitive personal information to what is necessary to provide the Service.
To submit a verifiable consumer request, contact us at privacy@crosswind.app. We will verify your identity and respond within 45 days. You may also designate an authorized agent to make a request on your behalf.
CCPA Categories Disclosure
In the preceding 12 months, we have collected the following categories of personal information:
- Identifiers — name, email address, account credentials, IP address.
- Internet/Network Activity — session, request, and in-product interaction data.
- Commercial Information — pricing, billing, and payment-tracking records, if applicable.
- Professional/Employment Information — organization name, role, team memberships obtained from connected services.
- Inferences — AI agent plans, workflow summaries, and other outputs derived from your prompts.
We have not sold personal information to third parties. We have disclosed personal information to service providers such as Supabase and, when model-backed flows are used, OpenAI, solely for the business purposes described in this Privacy Policy.
12. Your Rights Under Israeli Privacy Law (Israeli Residents)
If you are located in Israel, you have rights under the Privacy Protection Law, 5741-1981 and the Privacy Protection Regulations (Data Security), 5777-2017, including:
- Right to Access — review the personal data we hold about you in our databases.
- Right to Correction — request correction of inaccurate data.
- Right to Deletion — request deletion of data that is no longer necessary for the purpose for which it was collected.
- Right to Object — object to the use of your data for direct marketing.
- Right to Data Portability — in accordance with applicable regulations.
To exercise these rights, contact us at privacy@crosswind.app. You may also file a complaint with the Israeli Privacy Protection Authority (PPA).
13. Children's Privacy
The Service is not directed to individuals under the age of 16 (or 13 in the United States, in accordance with COPPA). We do not knowingly collect personal information from children. If we learn that we have inadvertently collected personal information from a child, we will promptly delete it. If you believe a child has provided us with personal information, please contact us at privacy@crosswind.app.
14. "Do Not Track" Signals
Some browsers transmit "Do Not Track" (DNT) signals. As there is currently no industry consensus on how to interpret DNT signals, we do not alter our data practices based on DNT signals. If a standard is established, we will update this Privacy Policy accordingly.
15. Third-Party Links & Services
The Service may contain links to or integrations with third-party websites and services (e.g., Google Workspace, Slack, Microsoft 365). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing them with personal information.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting the updated Privacy Policy on this page with a revised "Last updated" date. For significant changes, we may also send an email notification or display a prominent notice within the Service. Your continued use of the Service after any changes constitutes acceptance of the updated Privacy Policy.
17. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: privacy@crosswind.app
For GDPR-related inquiries, you may also contact your local Data Protection Authority. For CCPA/CPRA inquiries, California residents may submit requests via the email above. For Israeli Privacy Protection Law inquiries, you may contact the Israeli Privacy Protection Authority.