Book a Demo

Privacy Policy

CRSTBL, Inc.

Privacy Policy

Effective Date: March 13, 2026

Last Updated: March 13, 2026

This Privacy Policy describes how CRSTBL, Inc. (“CRSTBL,” “we,” “us,” or “our”) collects, uses, stores, and discloses information when you visit our website at crstbl.com (the “Site”) or use our SaaS platform and related services (the “Platform”). It applies to brand, distributor, and retail business customers (“Business Customers”), their authorized users, and consumers who interact with AI-powered experiences powered by CRSTBL technology.

By accessing the Site or using the Platform, you agree to this Privacy Policy. If you do not agree, please discontinue use.

You may print a copy of this Privacy Policy at any time. If you have a disability and require this Privacy Policy in an alternative format, please contact us at support@crstbl.com.

1. Who We Are

CRSTBL, Inc. is a software company incorporated in the State of Delaware. Our Platform enables brands, distributors, and local retail businesses to upload product information that is processed and delivered to large language model (LLM) chatbots and AI-powered consumer experiences.
For purposes of applicable privacy law, CRSTBL acts as:

  • A data controller with respect to website visitor data and Business Customer account data.
  • A data processor (or “Service Provider” under CCPA) with respect to product data and consumer data submitted by or on behalf of Business Customers.

2. Information We Collect

2.1 Website Visitors

When you visit crstbl.com, we may collect:

  • Browser type, operating system, IP address, and referring URL
  • Pages visited, time on site, and clickstream data
  • Contact form submissions (name, email, company, message)
  • Cookie and tracking data (see Section 7)

 

2.2 Business Customer Account Data

When a brand, distributor, or retailer creates an account on the Platform, we collect:

  • Company name, business address, and industry
  • Account administrator name, email address, and phone number
  • Billing and payment information (processed by a PCI-compliant third-party payment processor)
  • Login credentials (passwords are hashed and never stored in plaintext)
  • User role assignments and access logs

 

2.3 Product and Business Data Uploads

Business Customers upload product information to the Platform for the purpose of feeding LLM-powered experiences. This may include:

  • Product names, descriptions, specifications, pricing, and imagery
  • Inventory and availability data
  • Promotional content, FAQs, and brand guidelines
  • Any other proprietary business data voluntarily uploaded by the Business Customer

 

Ownership: All uploaded product data remains the intellectual property of the Business Customer. CRSTBL does not claim ownership over uploaded content.

2.4 Consumer Data

When consumers interact with AI-powered experiences enabled by CRSTBL technology (e.g., chatbot interfaces on a retailer’s website), CRSTBL may receive:

  • Query text and conversational inputs submitted by the consumer
  • Session identifiers and interaction timestamps
  • Device type, browser, and general location (city/region level)

 

CRSTBL does not knowingly collect or store consumer names, email addresses, or other directly identifying information unless explicitly provided in a query. Business Customers are responsible for their own consumer-facing disclosures and consent mechanisms.

3. How We Use Your Information

3.1 Website Visitors

  • To operate and improve the Site
  • To respond to inquiries submitted via contact forms
  • To analyze traffic and user behavior for marketing purposes
  • To comply with legal obligations

 

3.2 Business Customers

  • To provision, operate, and maintain Platform accounts
  • To process billing and payments
  • To provide customer support and onboarding
  • To send service-related communications (e.g., system alerts, policy updates)
  • To enforce our Terms of Service and contractual agreements
  • To comply with legal obligations

 

3.3 Product and Business Data

  • To process and structure uploaded content for delivery to LLM APIs and AI-powered experiences
  • To generate AI-ready product data feeds and embeddings
  • To improve accuracy and relevance of AI responses in the context of Business Customer content

 

CRSTBL does not use Business Customer product data to train foundational AI models. Data is processed solely to fulfill the contracted service.

 

3.4 Consumer Data

  • To facilitate real-time AI query responses
  • To log and audit interactions for quality assurance and safety monitoring
  • To generate anonymized, aggregated analytics for Business Customers

4. AI and LLM Data Processing

CRSTBL’s Platform routes Business Customer product data and consumer query data to one or more third-party large language model (LLM) API providers (“LLM Partners”) for the purpose of generating AI responses. Current LLM Partners may include, but are not limited to, providers such as OpenAI, Anthropic, Google, and others.

The following disclosures apply:

  • Data sent to LLM Partners is governed by their respective data processing agreements and privacy policies.
  • CRSTBL selects LLM Partners that commit to not using submitted data for model training (“zero retention” or equivalent data handling commitments).
  • CRSTBL does not guarantee that LLM Partner policies will remain unchanged. Business Customers are encouraged to review applicable LLM Partner terms.
  • Queries and responses may be temporarily retained by LLM Partners in accordance with their standard data handling policies.

 

A current list of LLM Partners can be obtained by contacting privacy@crstbl.com.

5. Data Sharing and Disclosure

5.1 Service Providers and Sub-Processors

We share data with third-party vendors who assist in operating the Platform, including:

  • Cloud infrastructure: Amazon Web Services (AWS) — U.S.-based hosting, storage, and compute
  • LLM API providers (see Section 4)
  • Payment processors (PCI-DSS compliant)
  • Analytics providers
  • Customer support and communication tools

 

All sub-processors are contractually required to process data only as directed by CRSTBL and to maintain appropriate security standards.

5.2 Business Customers

Business Customers may receive aggregated and anonymized analytics derived from consumer interactions on their AI-powered experiences. We do not share one Business Customer’s data with another Business Customer.

5.3 Legal Obligations

We may disclose information if required by law, court order, regulatory requirement, or to protect the rights, safety, or property of CRSTBL or others.

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, user and customer data may be transferred as part of that transaction. We will provide notice before such transfer and indicate any change to this Privacy Policy.

6. Data Retention

  • Website visitor data: retained for up to 24 months, then deleted or anonymized.
  • Business Customer account data: retained for the duration of the contract plus 3 years, unless a shorter period is required by law.
  • Uploaded product data: retained while the account is active. Upon account termination, data is deleted within 90 days unless earlier deletion is requested.
  • Consumer query data: retained for up to 12 months for quality assurance purposes, then deleted or fully anonymized.

 

Business Customers may request deletion of their uploaded data at any time by submitting a written request to privacy@crstbl.com. We will confirm deletion within 30 days.

7. Cookies and Tracking Technologies

Our Site uses cookies and similar tracking technologies. Categories of cookies we use:

  • Essential cookies: Required for Site functionality (login sessions, security tokens).
  • Functional cookies: Remember your preferences, settings, and choices to personalize your experience (e.g., language, region).
  • Analytics cookies: Help us understand Site usage (e.g., Google Analytics). These may be opted out.
  • Marketing cookies: Used to measure campaign performance. These require consent where applicable.

 

You may manage cookie preferences through your browser settings or our cookie consent banner. Note that disabling essential cookies may impair Site functionality.

8. Data Security

We implement industry-standard security measures to protect data on the Platform and Site, including:

  • Encryption in transit via TLS 1.2 or higher
  • Encryption at rest for stored data on AWS
  • Role-based access controls limiting data access to authorized personnel
  • Regular security assessments and vulnerability monitoring
  • Multi-factor authentication for Platform accounts

 

No system is perfectly secure. In the event of a data breach affecting your information, we will notify affected parties as required by applicable law, including within 72 hours for GDPR-covered incidents where feasible.

9. Your Privacy Rights

9.1 California Residents (CCPA / CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, disclose, and sell
  • Delete personal information we hold about you (subject to exceptions)
  • Correct inaccurate personal information
  • Opt out of the sale or sharing of personal information
  • Limit use of sensitive personal information
  • Non-discrimination for exercising your rights

 

CRSTBL does not sell personal information as defined under California law. To submit a verifiable consumer request, contact us at privacy@crstbl.com or call us at the number listed on our Site.

9.2 EEA / UK Residents (GDPR / UK GDPR)

If you are located in the European Economic Area or United Kingdom, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erasure (“right to be forgotten”) under applicable conditions
  • Restrict or object to processing
  • Data portability
  • Lodge a complaint with your local supervisory authority

 

Our legal basis for processing is typically contractual necessity (B2B Customers), legitimate interest (analytics), or consent (marketing cookies). For data transfers outside the EEA, CRSTBL relies on Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms.

9.3 Nevada Residents

If you are a Nevada resident, you have the right to opt out of the sale of certain personal information to third parties who intend to license or sell that personal information. To submit such a request, contact us at support@crstbl.com with the subject line “Nevada Do Not Sell Request” and include your name.

9.4 Exercising Your Rights — All Residents

To exercise any of the rights described in this Section 9, you or your authorized agent must submit a verifiable request that: (1) provides sufficient information to allow us to verify your identity, and (2) describes your request in enough detail for us to understand and evaluate it. We will respond within 45 days of receipt. We will not charge a fee unless requests are excessive or repetitive.

Submit requests by emailing: privacy@crstbl.com

You may authorize an agent to exercise rights on your behalf by providing them written permission. We may request a copy of that written authorization when your agent submits a request.

9.5 Non-Discrimination

We will not discriminate against you for exercising your privacy rights. We will not deny services, charge different prices, or provide lower quality service based solely on your exercise of these rights.

9.6 Business Customer Data Processing Agreement

Business Customers who require a Data Processing Agreement (DPA) for GDPR compliance or a CCPA Service Provider addendum may request one by contacting privacy@crstbl.com. A DPA is available as a standard attachment to CRSTBL’s Enterprise Agreement.

10. Children’s Privacy

The Site and Platform are not directed to children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that a child under 16 has provided us with personal information, we will delete it promptly. If you believe a child has submitted information to us, please contact us at support@crstbl.com.

11. Third-Party Links

Our Site may contain links to third-party websites or services. This Privacy Policy does not apply to those sites. We encourage you to review the privacy policies of any third-party services you visit.

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically. When we do, we will revise the “Last Updated” date at the top of this page. For material changes, we will notify Business Customers via email or in-platform notification at least 30 days before the change takes effect. Continued use of the Site or Platform after the effective date constitutes acceptance of the updated policy.

Linkedin X-twitter Youtube

Los Angeles, CA

© 2025 All rights Reserved.