Privacy
Policy.

What this policy covers.

This policy covers personal information you provide to us through:

• The contact form on the website.
• White paper downloads.
• Applications for Crux Lab, Crux Field, and access to Crux AI®.
• The Crux Read diagnostic at diagnostic.cruxperformance.co.uk.
• Any direct email enquiry to an address listed on the site.

This policy also covers, at a high level, how Crux AI® handles subscriber data. A separate Crux AI® product privacy notice describes the detailed handling inside the product. Crux AI® subscribers receive that notice before activating their subscription, and can request a copy at any time at privacy@cruxperformance.co.uk.

If you contact us another way (for example through LinkedIn), the data handling will be governed by that platform's own privacy notice up to the point where your information reaches us.

What we collect and why.

The information we ask for depends on the form. Most forms ask for some combination of:

• Your name.
• Your email address.
• The name of your organisation.
• Your role or phone number (some forms).
• Free-text answers to a small number of questions about why you are getting in touch.

The Crux Read diagnostic collects your contact details and your diagnostic answers so that we can generate the diagnostic output and discuss it with you if appropriate.

We use this information only for the purpose you sent it: to read what you have shared, to reply, and, if it leads to a conversation about working together, to continue that conversation. We will not add you to a marketing list without your consent, sell your data, or share it outside the parties described below.

Please do not include sensitive personal information in your submissions, such as health information, political views, religious beliefs, trade union membership, criminal offence information, or information about children, unless we have specifically asked for it.

Who reads your submissions.

Each submission is read by the founder of Crux Performance and a small number of colleagues or contractors who help respond to applications, enquiries, diagnostics, and client conversations. They are required to handle the information confidentially.

How the website behaves.

We do not use analytics, advertising cookies, tracking pixels, behavioural profiling, marketing tags, or any third-party scripts on the website. We do not build profiles of visitors.

Our website hosting provider and our security infrastructure process basic technical information, such as IP address, browser type, and server logs, to deliver the site, maintain security, and diagnose faults. We do not use this information to identify visitors or build profiles, and we do not see or retain it in any usable form.

Service providers for the website and forms.

The forms, the Crux Read diagnostic, and the email notifications they trigger are supported by a small number of third-party service providers. These providers process your information only to provide their services to us. They do not use your information for their own marketing or other purposes.

• Replit, Inc. hosts the website and the application that receives form submissions. Based in the United States.
• Neon Inc. provides the database that stores form submissions and Crux Read responses. Data is stored on Amazon Web Services infrastructure in the United States (US-West-2, Oregon).
• Resend sends notification emails to our team inbox when you submit a form. Based in the United States.
• Google LLC (Google Workspace) provides the team email inbox at which Crux personnel read your submissions. Based in the United States.

Service providers for Crux AI®.

Crux AI® uses a different and smaller set of service providers, separate from those used by the website forms:

• Supabase provides the database that stores Crux AI® subscriber accounts and the content subscribers enter into the product.
• OpenAI, L.L.C. provides the language model (GPT) that powers the AI-assisted parts of the product. When a subscriber interacts with Crux AI®, the relevant content of that interaction is sent to OpenAI's API for processing. OpenAI is based in the United States.

Crux AI® subscriber database content is stored in Supabase's EU region, currently Stockholm, Sweden. Some account, support, security, logging, or administrative processing by Supabase or its subprocessors may involve access from outside the UK/EU. Where that happens, it is covered by Supabase's data processing terms and applicable transfer safeguards.

OpenAI does not use Crux AI® content to train its models. Crux AI® uses OpenAI's commercial API under contractual terms that prohibit use of submitted content for model training. OpenAI may retain API inputs and outputs for up to 30 days for abuse-monitoring purposes, after which they are deleted, unless a different retention setting applies to our account. The Crux AI® product privacy notice explains the applicable setting and any updates to it.

The detailed handling of Crux AI® subscriber data, including specifics on what is sent to OpenAI, what is retained in Supabase, how subscribers can export or delete their content, and how long the data is kept, is described in the Crux AI® product privacy notice, provided to every subscriber before activation.

International transfers.

Some of our service providers are based in the United States or may process personal information from outside the United Kingdom. Where we transfer personal information internationally, we use a lawful transfer mechanism under UK GDPR.

For US providers certified to the UK Extension to the EU-US Data Privacy Framework (DPF), we may rely on that certification where it is active and covers the type of data being transferred. For other providers, or where DPF certification does not apply, we rely on the UK Addendum to the EU Standard Contractual Clauses, the UK International Data Transfer Agreement, or another lawful safeguard.

The current position for each provider is summarised below:

We periodically check that the transfer mechanism remains appropriate for each provider. You can ask us for more information about the transfer mechanism used for a particular provider by emailing privacy@cruxperformance.co.uk.

How long we keep your data.

We keep submissions, and the personal information they contain, for 24 months from the date you submit them. After that, we delete the original submission, the database record, and any working notes derived from it.

There are two exceptions:

• If your enquiry leads to client work, we will keep the information needed to manage that relationship, deliver the work, keep business and accounting records, and meet any legal or regulatory obligations. Those records are kept under our client record-retention rules and are not treated as enquiry records.
• If you ask us to keep your application live for longer, we will.

Crux AI® subscriber data is retained for the duration of the subscription and as set out in the Crux AI® product privacy notice. Account closure triggers deletion under the terms described there.

If you would like us to delete your data sooner, write to us at the address below and we will do it.

How we make decisions.

We do not use artificial intelligence, profiling, or automated decision-making to assess applications or enquiries received through the website forms or the Crux Read. A person reads and replies to each submission.

Crux AI® itself uses AI as part of its product function, which is the point of the product, and the way it does so is described in the Crux AI® product privacy notice. The use of AI inside the product is not the same as using AI to make decisions about who can use the product or how their application is reviewed.

Lawful basis.

Under UK GDPR, our basis for processing personal information you provide to us through the website and the Crux Read is legitimate interest. You have voluntarily contacted us, and we have a legitimate interest in reading and responding to what you have sent. We have considered the privacy impact of this against your rights and interests and concluded that the impact is low, the processing is expected by you when you make contact, and the benefits to both sides outweigh any minor privacy intrusion.

Our basis for processing Crux AI® subscriber data is contract, because we cannot deliver the product without processing the data the subscriber chooses to enter.

You can object to our processing at any time using the contact details below.

Security.

We use reasonable technical and organisational measures to protect personal information, including access controls, secure accounts, and limiting access to people who need it for their work. The service providers listed above also operate their own security measures appropriate to the data they process for us.

Your rights.

You have rights under UK GDPR, although they do not apply in every situation. Subject to those limits, you can:

• Ask us what personal information we hold about you (a "subject access request").
• Ask us to correct anything that is wrong.
• Ask us to delete the data we hold.
• Ask us to restrict how we use it.
• Object to our use of it.
• Where it applies, receive a copy of personal information you have provided to us in a portable format.

To exercise any of these rights, email privacy@cruxperformance.co.uk. We will respond within one month. If the request is unusually complex we may need longer; if so, we will tell you within that month. There is no charge for a reasonable request.

If you believe we have handled your data wrongly, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk. We would rather you spoke to us first so we can fix whatever is wrong.

Children.

Our work is with leadership teams in operating businesses. Crux Performance is not directed at children and we do not knowingly collect personal information from anyone under 18.

Changes to this policy.

If we change how we handle data, we will update this policy and change the date at the bottom. If the change is significant and affects personal information we still hold about you, we will let you know where we have your email address.

Contact.

For any question, request, or complaint about your data: