Privacy Policy

Last updated: March 13, 2026

1. Who we are

Crispy ("Service") is operated by Closyn LLC, doing business as Crispy, a Delaware limited liability company located at 8 The Green, STE A, Dover, Delaware 19901, United States ("we", "us", "our"). This policy explains how we collect, use, and protect your information when you use our service at crispy.sh.

2. What we collect

  • Account information: Email address and password hash when you sign up. If you sign in via Google OAuth, we receive your email address and display name.
  • LinkedIn connection: When you connect your LinkedIn, we store a secure authentication token via our infrastructure provider. We never store your LinkedIn username or password.
  • API usage logs: We log which API tools are called, when, and by which account for rate limiting and analytics. We do not log the content of messages or posts you create.
  • Billing information: Payment is processed by Stripe. We store your Stripe customer ID and subscription status. We do not store credit card numbers.
  • Device and access data: We collect IP addresses, browser type, and access timestamps for security, rate limiting, and abuse prevention purposes.

3. Legal basis for processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases as defined by the General Data Protection Regulation (EU) 2016/679 ("GDPR"):

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service, manage your account, process payments, and execute API requests on your behalf.
  • Legitimate interest (Art. 6(1)(f)): Processing necessary for security, fraud prevention, rate limiting, abuse detection, and improving the Service. You may object to processing based on legitimate interest by contacting us.
  • Consent (Art. 6(1)(a)): Where you have given explicit consent, such as opting into marketing communications. You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): Processing necessary to comply with applicable laws, such as tax and accounting requirements.

4. How we use your data

  • To provide and maintain the Service
  • To authenticate API requests and enforce rate limits
  • To process payments and manage subscriptions
  • To send important service-related communications
  • To detect and prevent abuse or fraud
  • To generate aggregated, anonymized analytics about Service usage

We do not sell, rent, or trade your personal data to third parties. We do not use your data for advertising purposes.

5. LinkedIn data

Crispy acts as a pass-through to LinkedIn via our infrastructure provider. When you use our tools (search, messaging, posting), requests are executed in real-time against LinkedIn. We do not bulk-download, cache, or store your LinkedIn data, contacts, messages, or posts on our servers. API responses are returned directly to your MCP client. Cached content metrics (likes, comments, shares) are stored temporarily for analytics purposes and retained for up to 90 days.

6. Third-party services (sub-processors)

We use the following third-party services to operate Crispy. Each processes data only as necessary to provide their respective services:

  • Supabase (Supabase Inc.): Database hosting, authentication, and row-level security. Data stored in Supabase's cloud infrastructure.
  • Stripe (Stripe Inc.): Payment processing and subscription management. Subject to Stripe's Privacy Policy.
  • Vercel (Vercel Inc.): Application hosting and serverless functions. Subject to Vercel's Privacy Policy.
  • LinkedIn integration provider: A third-party infrastructure provider manages secure LinkedIn session tokens on our behalf.
  • Resend (Resend Inc.): Transactional email delivery for account notifications, onboarding emails, and support communications.
  • Sentry (Functional Software Inc.): Error monitoring and performance tracking. Personally identifiable information is scrubbed from error reports before transmission.
  • Upstash (Upstash Inc.): Redis-based rate limiting infrastructure. Stores only anonymized request counters.
  • PostHog (PostHog Inc.): Product analytics (when enabled). Used to understand aggregate usage patterns. No personal data is shared with PostHog beyond anonymized event data.

7. Data security

API keys are stored as HMAC-SHA256 hashes with a server-side pepper and cannot be retrieved after creation. Authentication tokens are verified using timing-safe comparison to prevent timing attacks. All connections use HTTPS/TLS encryption in transit. Database access is controlled by row-level security policies. Sensitive data in error reports is automatically scrubbed before transmission to monitoring services. We follow industry-standard practices to protect your data.

8. Data retention

  • Account data: Retained for as long as your account is active.
  • API usage logs: Retained for 90 days, then automatically deleted.
  • Content metrics cache: Retained for up to 90 days.
  • Billing records: Retained for the duration required by applicable tax and accounting laws (typically 7 years).
  • Support tickets: Retained for 12 months after resolution, then deleted.
  • Account deletion: When you delete your account or disconnect your LinkedIn, associated data is removed within 30 days. Backup copies may persist for up to an additional 30 days before being purged.

9. Your rights

You can:

  • Disconnect your LinkedIn account at any time from the dashboard
  • Delete your Crispy account and all associated data
  • Request a copy of the data we hold about you (data portability)
  • Request correction or deletion of your personal data
  • Object to or restrict processing of your personal data
  • Withdraw consent where processing is based on consent

To exercise these rights, contact us at support@crispy.sh. We will respond to your request within 30 days.

10. Rights for EEA, UK, and Swiss residents (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have additional rights under the GDPR, including:

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure (Art. 17)
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object (Art. 21)

You also have the right to lodge a complaint with your local data protection supervisory authority if you believe your data has been processed unlawfully.

11. Rights for California residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights:

  • Right to know: You may request details about the categories and specific pieces of personal information we have collected about you.
  • Right to delete: You may request deletion of your personal information, subject to certain exceptions.
  • Right to opt-out of sale: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
  • Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise these rights, contact us at support@crispy.sh. We will verify your identity before processing your request and respond within 45 days.

12. International data transfers

Closyn LLC is based in the United States. If you access the Service from outside the United States, your data may be transferred to and processed in the United States and other countries where our sub-processors operate. We ensure that appropriate safeguards are in place for international transfers, including Standard Contractual Clauses (SCCs) approved by the European Commission where required by GDPR.

13. Cookies and tracking

We use the following types of cookies:

  • Essential cookies: Required for authentication and session management. These include Supabase authentication cookies (HTTP-only, secure, SameSite=lax) with a maximum lifetime of 30 days. The Service cannot function without these cookies.
  • Analytics cookies (optional): When PostHog analytics is enabled, we use anonymized event tracking to understand aggregate usage patterns. No personal identifiers are included in analytics data. You can opt out of analytics tracking through your browser settings or by using a Do Not Track signal.

We do not use third-party advertising cookies. We do not use cross-site tracking.

14. Children's privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will delete it promptly.

15. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via email or through the Service at least 30 days before they take effect. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.

16. Contact

Questions about this Privacy Policy? Contact us at:

Closyn LLC (d/b/a Crispy)
8 The Green, STE A
Dover, Delaware 19901
United States

Email: support@crispy.sh