Legal
Privacy Policy
Last updated: May 2026 · Version 1.0
Introduction
This Privacy Policy explains how Crispy Development Ltd collects, uses, stores, and shares your personal data when you use the Crispy Leaders platform, including the WayPoint AI coaching feature. It also explains your rights under UK GDPR.
1. Who We Are and How to Contact Us
Crispy Development Ltd is the data controller for personal data collected through the Crispy Leaders platform.
- Company number: [Company Number]
- Registered address: [Registered Address]
- Contact: hello@crispyleaders.com
The supervisory authority in the UK is the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. ico.org.uk · 0303 123 1113
ICO registration note: ICO registration is pending. We are in the process of registering with the ICO as required for organisations that process personal data in the UK. This will be completed before onboarding paid subscribers.
2. What Data We Collect
2.1 Account data
When you create an account, we collect: your email address, display name, password (stored as a cryptographic hash — we never see your actual password), and your language preference (English or Indonesian).
2.2 Membership application data
Our membership application form collects additional context to understand your background. This includes: your role, your organisation, how you heard about us, and your faith or religious background.
Religious belief is a special category of personal data under UK GDPR Article 9. We collect this only with your explicit consent, indicated by a clearly labelled opt-in checkbox at the time of application. You may decline this field without affecting your application.
2.3 Team data
If you join or create a team within the platform, we collect: your team name, which assessments your team has completed, and the names and email addresses of team members.
2.4 WayPoint AI coaching profile
If you use the WayPoint AI coaching feature, you will complete a coaching profile. This includes: your name, role, organisation, location, home culture and host culture, how long you have been in your current context, and any personal notes you choose to share with the AI coach to personalise your sessions.
This data is used solely to personalise your coaching sessions. It is not visible to your team leader.
2.5 WayPoint session data
After each coaching session, a session whiteboard is stored in your account. This includes: the focus you set for the session, key insights generated, any actions you committed to, and content you chose to carry forward. This whiteboard is private to you. Your team leader cannot see it.
We do not store your voice audio. Voice input is processed in real time by Google Gemini and is not retained by Crispy Development Ltd.
2.6 Push notification tokens
If you opt in to push notifications, we store a device push subscription endpoint in our database. This is used only to deliver notifications you have consented to. We do not use it for profiling or advertising.
2.7 Analytics data
We use two analytics tools:
- Google Analytics 4 (GA4) — We use GA4 to collect basic usage data, including pages visited, time of visit, approximate location (country level), device type, and referring website. GA4 uses cookies. We activate GA4 only after you give explicit consent via the cookie banner shown on your first visit. You may decline or withdraw consent at any time. See our Cookie Policy for full details.
- Vercel Analytics — A privacy-preserving tool that collects aggregated, anonymous traffic data (page views, device type, country-level location) without using cookies, without fingerprinting your device, and without tracking you across other websites. No consent is required for Vercel Analytics under UK GDPR.
3. Why We Process Your Data (Legal Basis)
| Data type | Legal basis |
|---|---|
| Account data | Art. 6(1)(b) — performance of contract (providing you access to the platform) |
| Membership application data (general) | Art. 6(1)(b) — performance of contract |
| Religious belief (Art. 9 data) | Art. 9(2)(a) — explicit consent (opt-in checkbox) |
| WayPoint coaching profile | Art. 6(1)(b) — performance of contract; Art. 6(1)(a) — consent for AI processing |
| WayPoint session whiteboards | Art. 6(1)(b) — performance of contract |
| Push notification tokens | Art. 6(1)(a) — consent |
| GA4 analytics | Art. 6(1)(a) — consent (cookie banner) |
| Vercel Analytics | Art. 6(1)(f) — legitimate interests (privacy-preserving, no personal data) |
4. Who We Share Your Data With
We do not sell your data. We share it only with service providers (data processors) who help us operate the platform.
| Processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, and secure storage of all platform data | Singapore (ap-southeast-1) |
| Google LLC (Gemini API) | Real-time voice processing for WayPoint AI coaching sessions | Global (may include US) |
| Vercel Inc. | Website hosting and deployment | Global CDN |
| Resend Inc. | Transactional email delivery (account notifications) | United States |
| Google LLC (GA4) | Website usage analytics (consent-based) | United States |
| Vercel Analytics | Privacy-preserving anonymous traffic analytics | Global CDN |
5. Google Gemini — Cross-Border Transfer Disclosure
The WayPoint AI coaching feature uses Google's Gemini API to process your voice input in real time. This means your spoken words are transmitted to Google's servers during a session.
- Google's paid API does not use your inputs to train its AI models
- Crispy Development Ltd does not receive or store raw audio from your sessions
- The Gemini API currently routes data through Google's global infrastructure, which may include servers in the United States
- Google provides Standard Contractual Clauses (SCCs) for international data transfers
- Google's data processing terms (including UK GDPR compliance) apply to all API usage
If you have concerns about cross-border data processing, you may choose not to use the WayPoint feature. Your core platform membership is not affected by this choice.
6. Data Retention
| Data type | Retention period |
|---|---|
| Account and membership data | 12 months after account closure, then deleted |
| WayPoint coaching profile and whiteboards | 12 months after account closure, then deleted |
| Push notification tokens | Deleted when consent is withdrawn or account is closed |
| Financial transaction records | 7 years (statutory requirement) |
| GA4 analytics data | Per Google Analytics retention settings (configured at 14 months) |
| Vercel Analytics data | Aggregated and anonymous — no personal data retained |
7. Your Rights
Under UK GDPR, you have the following rights:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — ask us to correct inaccurate data
- Right to erasure — ask us to delete your data (subject to legal obligations)
- Right to restriction — ask us to limit how we process your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to withdraw consent — where processing is based on consent, you may withdraw at any time without affecting the lawfulness of prior processing
- Right to object — object to processing based on legitimate interests
- Right to lodge a complaint — you may complain to the ICO at ico.org.uk if you believe we have mishandled your data
To exercise any of these rights, contact us at hello@crispyleaders.com. We will respond within one calendar month.
8. Cookies and Tracking
We use Google Analytics 4 (consent-based) and Vercel Analytics (no consent required). A cookie consent banner is shown on your first visit. You may accept or decline analytics cookies at any time.
The following strictly necessary items may also be present:
- Authentication session token — keeps you logged in (essential, no consent required)
- Language preference — stored in local storage (essential, no consent required)
- Cookie consent choice — stores your accept/decline decision in local storage
We do not use Facebook Pixel, LinkedIn Insight Tag, or any advertising network tracker. For a full explanation of our analytics approach, see our Cookie Policy.
9. Security
We take reasonable technical and organisational measures to protect your data, including encrypted connections (HTTPS), hashed passwords, and access controls on our database (Supabase, Singapore). No system is completely secure; if you believe your account has been compromised, contact us immediately at hello@crispyleaders.com.
10. Governing Law
This Privacy Policy is governed by the laws of England and Wales. The supervisory authority is the Information Commissioner's Office (ICO) at ico.org.uk.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a notice within the platform. The effective date at the top of this document will be updated. Continued use of the platform after the effective date constitutes your acceptance of the updated policy.
12. Contact
Data protection queries: hello@crispyleaders.com
Crispy Development Ltd
[Registered Address]
Company number: [Company Number]
Supervisory authority: Information Commissioner's Office (ICO) · ico.org.uk