Privacy Policy

1. What Data We Collect

1.1 Account Information

When you sign up for Kestrel Crew, we collect:

• Company name, address, and industry
• Contact name, email address, and phone number for account administrators
• Names and email addresses of team members you invite to the platform
• Account preferences and agent configuration choices

1.2 Payment Information

Subscription payments are processed by Stripe. We do not store your full credit card number, CVV, or bank account details on our systems. Stripe handles payment data under their own privacy policy and PCI DSS compliance. We retain only:

• Last four digits of your payment method (for your reference)
• Billing address
• Transaction history (dates, amounts, plan details)

1.3 Usage Data

We collect data about how you interact with the Service:

• Token credit consumption (per agent, per task)
• Agent task logs (what tasks ran, when, duration — not the content of your business data)
• Operator Console activity (logins, feature usage, configuration changes)
• Integration connection status (which tools are connected, uptime)
• Ember engagement metrics (streaks, badge completions, challenge participation)

1.4 Website Visitor Data

When you visit kestrelcrew.com, we may collect basic analytics data: pages visited, referral source, browser type, and approximate location (country/region level). We use this to understand how people find and use our website. See Section 8 (Cookies) for details.

2. Data Your Agents Access

This is the important part. Your Kestrel Crew agents connect to your business systems — CRM, email, analytics, payment processors, project management tools, etc. — and access the data within those systems to do their jobs.

2.1 What Agents Access

Depending on the integrations you configure, agents may access:

• CRM data (contacts, deals, pipeline stages, notes, activities)
• Email content and metadata (for email-integrated agents)
• Marketing platform data (campaigns, spend, performance metrics)
• Customer data (support tickets, satisfaction scores, usage data)
• Financial data (invoices, payments, outstanding balances)
• Any other data accessible through integrations you authorize

2.2 You Control Access

You decide which systems to connect and which data your agents can access. You can add, modify, or revoke integrations at any time through the Operator Console. We don’t access any system you haven’t explicitly authorized.

2.3 Your Business Data Is Yours

We process your business data solely to deliver the Service. We don’t own it, and we don’t use it for any purpose other than running your agents and generating the analyses, reports, and briefings you’ve configured. See Section 3 for the full rundown on how we use data.

3. How We Use Data

3.1 To Deliver the Service

• Running your AI agents and processing their tasks
• Generating analyses, briefings, and reports based on your business data
• Maintaining and monitoring your dedicated infrastructure
• Sending you notifications, alerts, and agent outputs
• Providing customer support and onboarding assistance

3.2 To Improve the Service

We use aggregated, anonymized usage metrics (not your business data) to improve the Service — things like average token consumption patterns, common integration configurations, and feature usage trends. This helps us build better agent capabilities and optimize performance.

3.3 To Communicate With You

We use your contact information to send service-related communications: billing notifications, usage alerts, maintenance notices, product updates, and occasional check-ins from our team. We don’t send marketing emails to people who aren’t clients.

3.4 What We Do NOT Use Data For

4. How We Share Data

We share data with a limited set of service providers, only as necessary to deliver the Service:

We may also share data if legally required (court order, subpoena, law enforcement request) or to protect the safety and security of our Service, our clients, or the public. We’ll notify you of legal requests for your data unless we’re legally prohibited from doing so.

We do not sell your personal information or business data. We have not sold data in the past 12 months and have no plans to.

5. Data Retention

5.1 During Your Subscription

While your subscription is active, we retain all data necessary to operate the Service: your account information, agent configurations, task logs, generated reports, and cached business data used by your agents. Business data accessed from your integrated systems is processed in real-time and cached only as needed for agent operations.

5.2 After Termination

When your subscription ends:

• 30-day export window: You have 30 days to export your agent-generated reports, analyses, and outputs.
• Data deletion: After the 30-day window, we delete your business data, agent configurations, and cached data from your dedicated hardware. The hardware is securely wiped before reuse.
• Account records: We retain basic account records (company name, contact info, billing history) for up to 24 months after termination for legal, tax, and accounting purposes.
• Aggregated data: Anonymized, aggregated usage statistics (which cannot identify you or your business) may be retained indefinitely.

5.3 Deletion Requests

You can request immediate deletion of your data at any time by contacting privacy@kestrelcrew.com. We’ll process deletion requests within 30 days, subject to any legal retention requirements.

6. Security Measures

We take the security of your data seriously. Our measures include:

• Dedicated hardware isolation: Each client’s aerie runs on its own Mac Mini. No shared infrastructure between clients.
• Encrypted credentials: Integration credentials (API keys, OAuth tokens) are stored in Google Cloud Secret Manager with encryption at rest.
• Encrypted transit: All data transmitted between your agents, the Operator Console, and third-party services is encrypted via TLS.
• Access controls: Role-based access within your team. Administrative actions are audit-logged.
• Audit logging: Every integration access, agent task, and administrative action is logged and available for your review.
• Instant revocation: You can revoke any integration credential instantly through the Operator Console.
• Secure hardware decommission: When hardware is retired or reassigned, all data is securely wiped.

No system is 100% secure. While we implement industry-standard security practices, we cannot guarantee absolute security. If we discover a breach that affects your data, we’ll notify you promptly and take immediate remedial action.

7. Your Privacy Rights

Depending on your location, you may have specific privacy rights under applicable law. We respect these rights regardless of where you’re located:

7.1 CCPA / California Privacy Rights

If you are a California resident or your business operates in California, you have the right to:

• Know what personal information we collect and how we use it
• Delete your personal information (subject to legal exceptions)
• Opt out of sale — though we don’t sell personal information, so there’s nothing to opt out of
• Non-discrimination — we won’t treat you differently for exercising your rights

7.2 Other State Privacy Laws

If you are located in Virginia, Colorado, Connecticut, Utah, or other states with comprehensive privacy legislation, you may have additional rights including access, correction, deletion, data portability, and the right to opt out of targeted advertising (which we don’t do) or profiling (which we don’t do).

7.3 Exercising Your Rights

To exercise any privacy right, contact us at privacy@kestrelcrew.com. We’ll verify your identity and respond within 30 days (or 45 days if we need an extension, with notice). There is no fee to exercise your rights.

8. Cookies & Tracking

We keep cookies minimal. Here’s what we use:

We do not use advertising cookies, retargeting pixels, or cross-site tracking of any kind. This is a B2B SaaS product, not an ad platform.

9. Third-Party Links & Integrations

The Service connects to third-party tools that you authorize (CRMs, marketing platforms, etc.). These tools have their own privacy policies. When you connect an integration, data flows between your systems and your agents. We encourage you to review the privacy practices of any tool you integrate. We are not responsible for the privacy practices of third-party services.

10. Children’s Privacy

Kestrel Crew is a B2B service designed for businesses. We do not knowingly collect personal information from anyone under the age of 18. If we learn that we have collected personal information from a minor, we will delete it promptly. If you believe a minor has provided us with personal information, please contact us at privacy@kestrelcrew.com.

11. International Data Transfers

Kestrel Crew operates primarily in the United States. Your data is processed and stored on dedicated hardware within the United States. If you are located outside the US, your data will be transferred to and processed in the US. By using the Service, you consent to this transfer. We apply the same security and privacy protections regardless of where data originates.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we’ll notify you via email or through the Operator Console at least 30 days before the changes take effect. We’ll always post the current version on this page with an updated “Last Updated” date. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

13. Contact Us

Questions, concerns, or requests about your privacy? We’re here to help: