Privacy Policy

1) Scope & Who We Are

Pixel Framers LLC operates Crosstab. This Policy applies to your use of our Services, including our Chrome/Edge extension(s) and website(s). If a term is undefined here, it has the meaning given in our Terms of Service.

2) What We Collect

2.1 Account Information (Stored)

• Email address (required to create and manage your account).
• Name (optional/limited; e.g., if you choose to provide it for display or billing communications).

2.2 Usage Statistics (Stored, Minimal)

We record high-level, non-content usage data to operate the service and enforce plan limits, e.g.:

• Timestamps, request counts, and success/error codes.
• Extension/app version, basic device or browser info (non-identifying), and feature flags.
• Aggregated counters (e.g., operations per day) tied to your account.

2.3 Web Page Content (Not Stored)

When you invoke extraction or transformation, page content visible in your session may be transiently processed to produce the result you asked for. We do not store this content in our databases.

3) How We Use Information

• Provide the Services: Authenticate you, run requested operations, enforce plan limits, and deliver results.
• Maintain & Improve: Diagnose errors, keep the extension reliable, fight abuse, and plan capacity (using usage statistics, not page content).
• Communicate: Send essential service messages (e.g., security, billing, product notices). We do not sell or broker your data for ads.
• Legal & Safety: Comply with laws, enforce Terms, and protect the rights, safety, and property of users and third parties.

4) No Sale/Share of Personal Information

We do not sell your personal information. We also do not “share” personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act (CCPA/CPRA).

5) Processing of Web Page Content

5.1 How Processing Works

• When you trigger an action (e.g., “export”), the extension reads page content you can already see in your browser session.
• That content may be transmitted through our infrastructure and to service providers (currently Google and OpenAI) to transform or structure the data you requested.
• We design these operations to be ephemeral: page content is handled only as needed to perform the operation and is not written to our persistent storage.

5.2 Provider Use Restrictions

• We select and configure providers to process data only to deliver the Services to you. Where available, we disable provider training/retention features for this data.
• We require providers to protect data under appropriate confidentiality, security, and data processing terms.

6) Legal Bases (GDPR/UK GDPR)

• Performance of a contract: To create your account and provide the features you request.
• Legitimate interests: To prevent abuse, enforce rate limits, secure our systems, and improve reliability using minimal, non-content telemetry.
• Consent (where required): For optional communications or settings you choose to enable.
• Legal obligations: To comply with applicable laws and lawful requests.

7) Data Retention

• Account Email/Name: Stored while your account is active and for up to 90 days after closure for fraud prevention and recordkeeping, unless law requires longer.
• Usage Statistics: Rolling retention, typically ≤ 90 days, unless needed longer for security, abuse investigation, or legal obligations.
• Web Page Content: Not stored; processed only transiently to fulfill your request.

8) Security

We implement technical and organizational measures to protect stored account data and usage statistics, including encryption in transit, access controls, and least-privilege practices. No system is perfectly secure; we encourage strong passwords, up-to-date browsers, and care with device access.

9) How We Share Information

• Service Providers: We use reputable providers to help us operate the Services. Today, that includes Google and OpenAI for compute/AI processing and related infrastructure. Providers act under contract and may only process data to deliver our Services.
• Corporate Events: In a merger, acquisition, financing, or sale of assets, account data and usage statistics may be transferred under this Policy’s protections.
• Legal: We may disclose information to comply with the law, enforce our Terms, or protect users and third parties from harm.

10) Your Privacy Rights

10.1 GDPR/UK GDPR (EEA/UK Users)

• Access, rectification, erasure, restriction, and portability.
• Object to processing based on legitimate interests.
• Withdraw consent where processing relies on consent.
• Lodge a complaint with your supervisory authority.

10.2 California (CCPA/CPRA)

• Right to know categories/specific pieces of personal information we collected.
• Right to delete personal information (subject to lawful exceptions).
• Right to correct inaccurate information.
• Right to opt out of sale/share (we do not sell/share).
• Right to non-discrimination for exercising rights.

10.3 Exercising Your Rights

Contact us at privacy@crosstab.app or via the address below. We will verify your request and respond as required by law. If you act through an authorized agent, we may require proof of authorization.

11) International Transfers

We are based in the United States and may process information in the U.S. and other countries. Where required, we rely on appropriate safeguards (e.g., standard contractual clauses) for transfers and maintain contractual protections with service providers.

12) Children’s Privacy

Our Services are not directed to children under 16, and we do not knowingly collect personal information from them. If you believe a child has provided us personal information, contact us to request deletion.

13) Changes to this Policy

We may update this Policy to reflect changes to our practices. If changes are material, we will provide notice via the Services or email. The “Effective date” above shows when this Policy last changed.

14) Contact Us