Privacy Policy

Last updated: May 18, 2026 · Effective immediately

This Privacy Policy describes how Crunchly ("we", "us", or "our") collects, uses, and shares information about you when you use our website, mobile applications, and related services (collectively, the "Services").

Plain-English summary: we collect what we need to run Crunchly and nothing more. Your deal data lives on your device by default. We don't sell your information. You can delete your account at any time.

1. Information We Collect

Information you provide

• Account information: name, email address, and password (stored as a salted hash) when you create an account.
• Billing information: if you subscribe to a paid plan, payment details are processed and stored by our payment processor (Stripe). We never see or store your full card number.
• Deal data: property details, financial inputs, and calculations you enter into Crunchly. By default, this data is stored locally on your device. Optional cloud sync is available on Pro and Investor plans.
• Communications: if you email our support team or fill out a contact form, we keep that correspondence to help you.

Information we collect automatically

• Usage data: aggregate, non-identifying information about how the Services are used (page views, feature usage, error reports). We use privacy-first analytics that does not track individuals across sites.
• Device data: browser type, operating system, screen size, and IP address (used for security and abuse prevention). Contact-form IP addresses are retained for up to 90 days and then permanently deleted; other server-log IPs are retained per our hosting provider's standard retention window.
• Cookies: a small number of necessary cookies for login session management and your saved preferences. See our cookie disclosure below.

Ask Crunch AI conversations

When you use Ask Crunch, your typed questions and the deal context from the calculator you're viewing (the inputs and computed metrics) are sent to Anthropic's Claude API. We do not store the full conversation history on our servers. We do log a per-user usage counter so we can enforce monthly AI message limits on each plan tier.

2. How We Use Information

• To provide, maintain, and improve the Services.
• To authenticate users and prevent unauthorized account access.
• To process subscription payments and send receipts.
• To respond to your inquiries and provide customer support.
• To send transactional emails (account verification, password reset, billing receipts). You cannot opt out of these without closing your account.
• To send optional product updates if you opt in. You can unsubscribe at any time.
• To detect, investigate, and prevent fraudulent or harmful activity.
• To comply with legal obligations.

3. How We Share Information

We do not sell your personal information. We share information only in these limited circumstances:

We share specific information with the following service providers, each only to the extent needed to operate Crunchly. These vendors are contractually bound to use your information only as we direct.

• Stripe (payments): name, email, billing address, and payment method. Stripe is PCI-DSS Level 1 certified and we never store full card numbers ourselves.
• Supabase (database + auth + hosting): account information and session tokens.
• Resend (transactional email): email address and the contents of any email we send you.
• Vercel (hosting + serverless functions): standard server logs (IP address, user agent). Vercel's default log retention is 30 days for Pro accounts; we do not extend that retention.
• Anthropic (Ask Crunch AI): when you use the Ask Crunch chat assistant, your prompts and the deal context from the calculator you're viewing are sent to Anthropic's Claude API. Anthropic processes prompts under their own privacy policy. We do not store conversation transcripts on our servers; we only record a per-user usage count for billing purposes.
• Google Analytics 4 (analytics): standard pageview data, anonymized IP, and event metadata. Loaded only after you accept our cookie banner.
• Google Maps + Places (address autofill): when you type a property address in the calculator, the partial query is sent to Google Maps for autocomplete suggestions.
• OpenStreetMap Nominatim (fallback geocoding): property addresses are sent to OpenStreetMap servers to convert addresses to lat/long coordinates.
• FRED API / Federal Reserve Bank of St. Louis (mortgage rate data): used by our daily rate-change cron. No user data is sent — we only request public rate data.
• Twitter / X (news feed embeds): the Investor Voices feed loads content directly from Twitter; Twitter may see your IP and user agent.
• Unsplash (article images): the Market News feature pulls article hero images from Unsplash; Unsplash may see your IP and user agent.
• Amazon Associates (Book Club): when you click an Amazon book link, Amazon's standard tracking applies. We earn a small commission on qualifying purchases.

A complete list of subprocessors — what they process and where — is maintained at crunchly.io/subprocessors. We sign a Data Processing Addendum (DPA) with each subprocessor where required by GDPR Article 28 or CPRA. EU/UK transfers rely on Standard Contractual Clauses (SCCs) plus the supplementary measures expected post-Schrems II.

We also share information when we are legally required to (subpoena, court order, regulator), or in connection with a merger, acquisition, or asset sale of Crunchly. We do not sell your personal information to anyone.

4. Data Storage and Security

We use industry-standard encryption in transit (TLS 1.2+) and at rest. Passwords are hashed using bcrypt (via Supabase Auth). We restrict access to personal data to employees and contractors who need it to do their jobs.

By default, your deal data is stored locally on your device using browser storage. Your deal data is not synced to our servers; it lives in your browser only.

No security system is perfect. If we become aware of a breach affecting your information, we will notify you without unreasonable delay and in any event no later than 30 days after we determine the breach has occurred (10 MRSA § 1348), except where law enforcement requests a delay or where applicable law requires a faster timeline (in which case we will follow the stricter rule).

5. Your Rights and Choices

• Access and correction: you can view and update your account information at any time from your account settings.
• Deletion: you can delete your account and associated data at any time. Some information may be retained as required by law (e.g., tax records).
• Data export: you can export your deal data in CSV or PDF format at any time.
• Marketing communications: you can unsubscribe from marketing emails using the link in each email.
• Do Not Track: we do not currently respond to browser Do Not Track signals because there is no industry standard for compliance.

6. Regional Privacy Rights

California residents (CPRA)

Under the California Privacy Rights Act (CPRA, which amended and expanded the CCPA), you have the right to: know what personal information we collect; request deletion; correct inaccurate information; limit our use of sensitive personal information; opt out of any sale or sharing of your information (we do neither); and not be discriminated against for exercising these rights. Submit requests to privacy@crunchly.io; we will respond within 45 days.

Shine the Light (Cal. Civ. Code § 1798.83): California residents may request information about how we share personal information with third parties for those parties' direct marketing purposes. We do not currently share personal information with third parties for their direct marketing. To request the latest information, email privacy@crunchly.io.

European Economic Area, United Kingdom, Switzerland (GDPR)

You have the rights of access, rectification, erasure, restriction, portability, and objection (including the right to object to processing carried out under our legitimate interests, under Article 21 GDPR). The legal basis for our processing is performance of contract (to provide the Services), legitimate interest (to operate and improve the Services), and consent (where required, e.g., non-essential cookies). You also have the right to lodge a complaint with your local data protection authority. To exercise these rights, contact privacy@crunchly.io; we will respond within 30 days.

7. Children's Privacy

Crunchly is not directed to children under 18, and we do not knowingly collect information from children. If you believe a child has provided us information, contact us and we will delete it.

8. Cookies and Similar Technologies

Crunchly uses two categories of cookies and storage:

• Essential cookies and local storage — required to keep you logged in, remember your preferences, and store your saved deals locally. These are always on; you cannot disable them and still use the Services.
• Non-essential analytics (Google Analytics 4) — used to measure traffic and improve the site. We load these only if you click Accept on our cookie banner. You can change your choice at any time by clearing the cookieConsent entry in your browser storage and reloading the page.

Crunchly currently does not display ads.

For details on the specific data each cookie sets, see the corresponding entry in Section 3 (How We Share Information).

9. International Data Transfers

Crunchly is operated from the United States. If you access the Services from outside the U.S., your information will be transferred to and processed in the U.S. For transfers from the European Economic Area, United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses, supplemented by the technical and organizational measures we use throughout the Services (encryption in transit and at rest, access controls, and minimization). You may request a copy of the SCC text or details of the supplementary safeguards by emailing privacy@crunchly.io.

10. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated by email or by a notice on the website at least 14 days before they take effect. Continued use of the Services after changes constitutes acceptance.

11. Severability

If any provision of this Privacy Policy is found invalid or unenforceable by a court of competent jurisdiction, that provision will be modified to the minimum extent necessary to make it enforceable, or, if it cannot be modified, severed from this Policy. The remaining provisions will continue in full force and effect.

12. Contact

Questions about this policy or your privacy? Email privacy@crunchly.io or write to:

Crunchly LLC
126 Western Avenue Ste 2, PMB 1088
Augusta, ME 04330
United States

Crunchly™ and the Crunchly logo are trademarks of Crunchly LLC. All rights reserved.