PRIVACY POLICY

Last updated: April 6, 2026

1. Introduction

Crate ("we," "our," or "us") operates the digcrate.app website and AI music research platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

2. Information We Collect

We collect information in the following ways:

Account Information

When you create an account, we collect your name, email address, and profile information through our authentication provider (Clerk). We do not store your password directly.

API Keys

If you provide your own API keys (Anthropic, OpenRouter, Spotify, etc.), they are encrypted and stored securely. We use these keys only to make API calls on your behalf during your sessions.

Connected Services (OAuth)

When you connect services like Spotify, Tumblr, Slack, or Google through Auth0 Token Vault, we store OAuth tokens securely via Auth0. We access only the permissions you explicitly grant during the OAuth consent flow. We do not access your accounts beyond the scopes you authorize.

Usage Data

We collect anonymized usage analytics through PostHog to understand how features are used and improve the product. This includes page views, feature usage, and session duration. We do not sell this data to third parties.

3. How We Use Your Information

  • To provide and maintain the Crate service
  • To process your music research queries via AI models
  • To connect to third-party services you authorize (Spotify, Tumblr, Slack, Google Docs)
  • To save your research, playlists, and published content
  • To personalize your experience with cross-session memory (Pro plan, opt-in)
  • To improve our product through anonymized analytics
  • To communicate with you about your account or service updates

4. Third-Party Services

Crate integrates with the following third-party services:

  • Clerk — Authentication and user management
  • Convex — Database and real-time backend
  • Auth0 — OAuth token management (Token Vault) for connected services
  • Anthropic / OpenRouter — AI model providers for research queries
  • Spotify, Tumblr, Slack, Google — Connected services you optionally authorize
  • Stripe — Payment processing for subscriptions
  • PostHog — Product analytics
  • Vercel — Hosting and deployment

Each service has its own privacy policy. We encourage you to review them. We share only the minimum information necessary for each integration to function.

5. Data Storage and Security

Your data is stored using Convex (database), Auth0 (OAuth tokens), and Clerk (authentication). All data is transmitted over HTTPS. API keys are encrypted at rest.

We implement reasonable security measures to protect your information. However, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

6. Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your account and associated data
  • Disconnect any connected service at any time via Settings
  • Revoke API keys at any time
  • Opt out of analytics tracking

To exercise any of these rights, contact us at the email below.

7. Data Retention

We retain your data for as long as your account is active. If you delete your account, we will remove your personal data within 30 days. Anonymized analytics data may be retained indefinitely. Published content (Telegraph, Tumblr) remains on those platforms under their respective policies.

8. Children's Privacy

Crate is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected such information, please contact us immediately.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date.

10. Contact Us

If you have questions about this Privacy Policy, contact us at: tarikjmoody@gmail.com