Privacy Policy

Last updated: 10 March 2026

1. Who we are

crann.ai ("we", "us", "our") is a personal community media platform that lets individuals create and share content spaces ("leaves") under their own subdomain. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use crann.ai.

2. What data we collect

We collect only the data necessary to provide and improve the service:

  • Account data: Name, email address, date of birth (for age verification), and password (hashed, never stored in plain text).
  • Profile data: Bio, location, country, education, work, birthday, phone, and website — all optional, with per-field privacy controls you set.
  • Content: Leaves, posts, and pages you create, including text and uploaded media.
  • Social data: Connections and leaf follows.
  • Messaging data: Direct messages you send and receive, including text content, timestamps, read receipts, and message reactions. Media files (images, audio, video) shared in conversations are stored securely.
  • Call metadata: When you make voice or video calls, we store call session metadata (participants, start time, duration, call type). We do not record or store the audio or video content of calls. Screen sharing is real-time only and is not recorded.
  • Device tokens: If you use our mobile app, we store device tokens (APNs for iOS) to deliver push notifications. These tokens are removed when you sign out or unregister your device.
  • Activity logs: Internal records of actions like creating a post or leaf, used to power your network feed. We do not use external analytics or tracking services.
  • OAuth data: If you sign in with Google or GitHub, we receive your name, email, and profile picture from those providers. We do not access any other data from your Google or GitHub accounts.

3. How we use your data

  • To create and maintain your account
  • To display your content to visitors based on your privacy settings
  • To power the social features (network feed, connections, leaf follows)
  • To deliver direct messages and enable real-time communication (messaging, voice and video calls)
  • To send push notifications to your mobile device when you receive messages or calls
  • To provide AI-powered features (leaf generation, theme design, content suggestions) via the Anthropic API
  • To verify you meet the minimum age requirement (13 years)
  • To communicate with you about your account (e.g. security alerts)
  • To provide accessibility features such as Read Aloud (text-to-speech processing occurs locally in your browser)

4. AI data processing

When you use AI features (such as the leaf grow wizard or quick update), your content prompts are sent to Anthropic's API for processing. Anthropic does not use your data to train their models. For more information, see Anthropic's Privacy Policy.

5. Cookies

We use only essential cookies required for the service to function. We do not use analytics, advertising, or tracking cookies. See our Cookie Policy for details.

6. Data sharing

We do not sell your personal data. We share data only with:

  • Anthropic: Content prompts for AI features (see Section 4).
  • OAuth providers: Google and GitHub receive authentication requests when you use social sign-in.
  • LiveKit: Voice and video call streams are routed through LiveKit's infrastructure for real-time communication. LiveKit processes the media streams but does not store call content.
  • Apple Push Notification service (APNs): Device tokens and notification payloads are sent to Apple to deliver push notifications to iOS devices.
  • Law enforcement: When required by law or to protect the safety of our users.

7. Your rights

Under the General Data Protection Regulation (GDPR) and similar laws, you have the right to:

  • Access: Download a copy of all your data from your profile settings.
  • Rectification: Update or correct your data through your profile at any time.
  • Erasure: Delete your account from your profile settings. We apply a 30-day grace period, after which all personal data is permanently removed.
  • Portability: Export your data in JSON format from your profile settings.
  • Restriction and objection: Contact us to restrict or object to specific processing activities.

8. Data retention

  • Active accounts: Data retained for the duration of your account.
  • Deleted accounts: Personal data permanently removed 30 days after deletion.
  • Activity logs: Retained for 90 days, then automatically purged.

9. Data security

We protect your data with industry-standard measures: passwords are hashed with bcrypt, all connections are encrypted with HTTPS/TLS, and we apply strict Content Security Policy headers. We do not store payment or financial data.

10. Children's privacy

crann.ai is not intended for children under 13 years of age. We require date of birth verification at signup and do not knowingly collect personal data from children under 13. If you believe a child under 13 has created an account, please contact us immediately.

11. Mobile application

If you use the crann.ai iOS app, the same data practices apply. Additionally, the app collects device tokens for push notifications and uses secure token-based authentication (JWT). The app does not access your device contacts, camera roll, or other device data beyond what you explicitly share (e.g. uploading a photo).

12. Data export

You can export a complete copy of your data in JSON format at any time from your profile settings. This export includes your profile information, leaves, posts, pages, events, connections, and messages, fulfilling your right to data portability under GDPR.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice on the platform. Continued use after changes take effect constitutes acceptance of the revised policy.

14. Contact us

For privacy inquiries, data requests, or concerns, contact us at: privacy@crann.ai