The detailed version. What Crux AI does with the content you put into it.
Read it alongside our Privacy Policy.
Lean Practice Ltd. Company No. 07380829. VAT No. 272 7323 03. Registered office: Blake House, 18 Blake Street, York, YO1 8QG.
Crux Performance® is a trading brand of Lean Practice Ltd, a company registered in England and Wales (Company No. 07380829) with its registered office at Blake House, 18 Blake Street, York, YO1 8QG. For Crux AI® subscriptions taken directly with us, we are the data controller for the personal information described here.
This is the Crux AI® product privacy notice referred to in our Privacy Policy and in our Master Services Agreement. It explains, at the product level, how Crux AI handles the content you put into it: what is collected, what is sent to OpenAI, where it is stored, how long it is kept, and how you export or delete it. Read it alongside our Privacy Policy, which covers the website, our forms, and the Crux Read diagnostic, and sets out your rights in full.
| Document | What It Covers | Where |
|---|---|---|
| Privacy Policy | High-level notice for the website, forms and Crux Read, plus an overview of Crux AI. | cruxperformance.co.uk/privacy-policy |
| Master Services Agreement | The contract for business clients, including Schedule 1 Data Processing Terms and Schedule 2 Crux AI and SaaS Terms. | cruxperformance.co.uk/master-services-agreement |
| This notice | Product-level detail on how Crux AI handles subscriber data. | cruxperformance.co.uk/crux-ai-privacy-notice |
Crux AI can be reached two ways, and the data protection roles differ:
If you subscribed to Crux AI directly, Lean Practice Ltd is the data controller and this notice applies in full. Our lawful basis is contract.
If an organisation gave you access under a Statement of Work, for example your employer, that organisation is the data controller. Crux acts as its data processor under the Data Processing Terms in Schedule 1 of our Master Services Agreement, and processes your data on that organisation's documented instructions. You should also read that organisation's own privacy notice. This notice then tells you, at a product level, how the data is handled inside Crux AI.
Depending on how you use the product, Crux AI processes:
We process this information to run your account and deliver the product, to generate outputs from your content, to keep the service secure, to support you and troubleshoot, to maintain and improve the product, and to comply with law and enforce our terms. We do not sell your data and we do not use it for advertising.
Crux AI uses OpenAI's commercial API, the GPT models, to power its AI-assisted features. When you use one of those features, the relevant content of that interaction is sent to OpenAI's API for processing and a response is returned. OpenAI is based in the United States.
OpenAI does not use Crux AI content to train its models. We use the commercial API under contractual terms that prohibit using submitted content for model training.
OpenAI may retain API inputs and outputs for up to 30 days for abuse-monitoring purposes, after which they are deleted. This is the retention position that applies to the Crux AI account. If we change it, we will update this notice.
Crux AI subscriber accounts and the content you enter are stored in a database provided by Supabase, in its EU region, currently Stockholm, Sweden. Some account, support, security, logging or administrative processing by Supabase or its subprocessors may involve access from outside the UK or EU. Where that happens, it is covered by Supabase's data processing terms and applicable transfer safeguards.
Crux AI uses a small, separate set of providers from those used by our website forms. They process your information only to provide their services to us, and not for their own purposes.
| Provider | Role | Location and Safeguard |
|---|---|---|
| Supabase | Database for subscriber accounts and the content you enter. | EU region (Stockholm); some support and administrative access may occur from outside the UK/EU. Supabase data processing terms and applicable safeguards. |
| OpenAI, L.L.C. | Language model (GPT) powering the AI-assisted features. | United States. Data processing agreement plus the applicable transfer mechanism. No use of content for model training. |
We do not use your content, your inputs or your outputs to train or improve public foundation models or third-party general-purpose AI models, unless you expressly opt in. We may use anonymised and aggregated usage, performance and diagnostic data to secure, maintain and improve Crux AI, in a form that does not identify you, your organisation or the content you entered.
Some of our providers are based in, or may process data from, outside the United Kingdom. Where we transfer personal information internationally, we use a lawful transfer mechanism under UK GDPR. OpenAI in the United States is covered by a data processing agreement together with the applicable transfer mechanism. Supabase stores subscriber content in the EU; any support or administrative access from outside the UK or EU is covered by its data processing terms and safeguards. You can ask us about the mechanism used for a particular provider by emailing privacy@cruxperformance.co.uk.
We keep your Crux AI account and the content you enter for the duration of your subscription. Closing your account triggers deletion of your account and content, subject to the points below. Content held in routine backups is retained until it is overwritten or deleted in the ordinary backup cycle, and is protected and not actively used in the meantime. Content sent to OpenAI is subject to the retention position in section 04.
You can ask us to export or delete your Crux AI content at any time by emailing privacy@cruxperformance.co.uk, and we will do it. Where the product offers self-serve export or deletion from within your account, you can also use that. Deletion removes your content from the live database; backup copies are then cleared in the ordinary backup cycle as described in section 09.
Crux AI uses AI as part of its product function; that is the point of the product. It is a decision-support tool, not a replacement for your own judgement. We do not use it to make automated decisions that produce legal or similarly significant effects about you. You should review outputs before relying on them, and Crux AI must not be used for high-risk or regulated decisions unless your Statement of Work expressly permits it and sets out the required controls.
For subscriptions taken directly with us, our lawful basis is contract: we cannot deliver Crux AI without processing the content you choose to enter. Where your access is provided by an organisation under a Statement of Work, that organisation is the controller and is responsible for the lawful basis for its people's use.
We use reasonable technical and organisational measures to protect your information, including access controls, secure accounts, encryption in transit and at rest where supported, and logical separation of subscriber data where supported. Our providers operate their own security measures appropriate to the data they process for us. The baseline security measures in Schedule 3 of our Master Services Agreement apply where relevant.
You have rights under UK GDPR, although they do not apply in every situation. Subject to those limits, you can ask us for a copy of the personal information we hold about you, ask us to correct or delete it, ask us to restrict or object to how we use it, and, where it applies, receive a copy in a portable format.
To exercise any of these, email privacy@cruxperformance.co.uk. We will respond within one month, and tell you within that month if a complex request needs longer. There is no charge for a reasonable request. If you believe we have handled your data wrongly, you can complain to the Information Commissioner's Office at ico.org.uk, though we would rather you spoke to us first.
Crux AI is built for leadership teams in operating businesses. It is not directed at children and we do not knowingly collect personal information from anyone under 18.
We give every subscriber this notice before they activate their subscription. If we change how Crux AI handles data, we will update this notice and change the date below, and where the change is significant and affects information we still hold, we will tell subscribers where we have their email address.
For any question, request or complaint about your data: