Privacy

Privacy Policy

Last updated: 11 May 2026

This policy explains what information microcrew collects when you use the service, how we use it, who we share it with, and the choices you have. Plain English. No dark patterns.

1. Who we are

microcrew (operated by Gustforward Pte. Ltd., a Singapore-registered company) provides an AI assistant platform for service-business agents, accessible at microcrew.ai. Throughout this policy, "we," "us," and "microcrew" refer to the operator; "you" refers to the agent using the service.

2. What we collect

Account information

When you sign up, we collect your email address and a hashed password (we use Supabase for authentication; we never see your raw password). You can add your name, business profile, and timezone in Settings — these are optional but improve the AI's behaviour.

Integration data

To run your AI crew, you can connect Google Drive, Google Calendar, WhatsApp Business, Telegram, and Twilio. We store OAuth refresh tokens and access tokens for these services, encrypted at rest with AES-256-GCM. We only access the scopes you grant.

Conversation data

We store messages exchanged between your AI and your customers/leads, including the message text, timestamps, channel, and AI-generated reply transcripts. This data is used to build conversation context so the AI can respond intelligently.

Voice data

If you opt to use voice cloning, we collect voice samples you record and submit to our voice provider (ElevenLabs) to clone your voice. The original samples are stored temporarily; only the resulting voice ID is retained long-term.

Usage data

We log API request metadata (endpoint, status code, latency, IP address) for security monitoring and rate-limiting. We do not use third-party analytics or tracking pixels on the dashboard.

3. How we use your data

• To provide the service — generate AI replies, place calls, book meetings on your behalf
• To maintain conversation context across sessions and channels
• To send transactional emails (account confirmation, password reset, important notices)
• To enforce rate limits and detect abuse
• To comply with legal obligations (e.g. responding to lawful requests)

We do not sell your data. We do not use your data or your customers' conversations to train third-party AI models. We do not share your data with advertisers.

4. Who we share data with

To run the service, we share specific data with the following processors (each operating under their own privacy terms):

• DeepSeek — sends conversation context to generate AI replies
• Google (Gemini) — sends image / PDF content for OCR and vision
• ElevenLabs — sends voice samples for cloning, text for synthesis
• Twilio — places voice calls and sends SMS
• Meta (WhatsApp Cloud API) — sends and receives WhatsApp messages
• Telegram — sends and receives Telegram messages
• Supabase — handles authentication and email verification
• Cloudflare — DNS, TLS, and CDN for microcrew.ai
• Railway — application hosting (Singapore, Asia-Southeast region where available)

5. Where data is stored

Application data lives on Railway-managed infrastructure (MongoDB, Redis, Qdrant). Voice IDs and email addresses are stored in Supabase (PostgreSQL).

6. How long we keep data

Default retention policies:

• Messages and conversations — 540 days, then automatically deleted
• Incoming chats from non-clients — 180 days
• Call results and transcripts — 540 days
• Audit log — 730 days (required for security investigations)
• Agent account data — retained while your account is active; 30 days after deletion request, then permanent removal

You can request earlier erasure of any specific client's data, lead's data, or your entire tenant data at any time via the dashboard or by emailing [email protected].

7. Your rights

Subject to Singapore's Personal Data Protection Act and applicable foreign laws (GDPR for EU residents, CCPA for California residents), you have the right to:

• Access the personal data we hold about you
• Correct inaccurate personal data
• Request erasure of your personal data (right to be forgotten)
• Request a copy of your data in a portable format
• Object to or restrict certain processing
• Withdraw consent at any time

To exercise any of these rights, contact us at [email protected].

8. Security

We take security seriously. Measures include: TLS for all traffic in transit; AES-256 encryption for sensitive fields at rest; multi-tenant data isolation enforced at the query layer; per-tenant rate limiting; webhook signature verification on all third-party inbound traffic; audit logging of all data-changing operations; daily off-site database backups with point-in-time recovery.

No system is perfectly secure. If we discover a breach affecting your data, we will notify you within 72 hours of discovery, as required by Singapore PDPA.

9. Cookies and similar tech

We use strictly-necessary cookies for authentication (a session cookie issued by Supabase). We do not use advertising cookies, analytics cookies, or cross-site tracking pixels on the microcrew dashboard or landing pages.

10. International transfers

Some of our processors (e.g. OpenAI, DeepSeek, ElevenLabs) are based outside Singapore. Where data is transferred internationally, we rely on standard contractual clauses or equivalent safeguards offered by those processors.

11. Children's data

microcrew is for business use by professionals. We do not knowingly collect data from anyone under 18. If you believe a minor has provided us data, contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time. When we do, we'll update the date at the top and notify you by email if changes are material. Continued use of the service after a change constitutes acceptance.

13. Contact us

Privacy questions: [email protected]
General: [email protected]