1. Who we are
CrisisLoop ("we", "us", "our") is an operational resilience platform operated by CrisisLoop Ltd, registered in the United Kingdom. This policy explains how we collect, use, store, and protect personal data when you use our website and platform.
2. Data we collect
We collect the following categories of personal data:
- Account data: Name, email address, job title, and company name when you register or are invited to the platform.
- Usage data: How you interact with the platform, including pages visited, features used, exercise participation, and session duration.
- Contact data: Information you provide when contacting us through forms, email, or the pilot application / waitlist.
- Voice and audio data: When you participate in voice-based exercise injects (e.g. simulated phone calls), your microphone audio is streamed to our voice-AI sub-processor for real-time conversation. The audio is not retained by us beyond the exercise session unless you're in a scored exercise where a transcript is generated for debrief.
- Technical data: IP address, browser type, operating system, and device information collected automatically through server logs.
3. How we use your data
We use personal data for the following purposes:
- Providing and maintaining the CrisisLoop platform and services
- Authenticating users and managing account security (including multi-factor authentication)
- Sending service-related communications (welcome emails, password resets, assignment notifications, pilot application follow-ups)
- Responding to enquiries submitted through our contact forms
- Improving the platform based on usage patterns
- Complying with legal and regulatory obligations
We do not sell personal data to third parties. We do not use personal data for advertising purposes.
4. Legal basis for processing
We process personal data on the following legal bases under UK GDPR:
- Contract: Processing necessary to provide the platform services you or your organisation have engaged.
- Legitimate interests: Improving our services, ensuring platform security, and communicating with prospects who have expressed interest (e.g. pilot applicants).
- Consent: Where you have opted in to receive communications (e.g. pilot-cohort application, waitlist signups).
- Legal obligation: Where we are required to retain data for compliance, audit, or regulatory purposes.
5. Data retention
We retain personal data for as long as necessary to fulfil the purposes described above. Account data is retained for the duration of the customer relationship and for a reasonable period thereafter for audit and legal purposes. Contact form submissions and pilot-application enquiries are retained for 12 months. Voice-exercise audio is not retained after the exercise session ends; transcripts of scored exercises are retained for the duration of the customer relationship. You may request deletion at any time.
6. Data security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption of data in transit (TLS) and at rest (AES-256-GCM for backups)
- Multi-factor authentication for all platform access
- Role-based access controls with audit logging
- Regular security reviews and vulnerability management
- Secure password hashing (bcrypt); password-change events invalidate all existing sessions
- Server-side request forgery protection on all tenant-supplied URLs
7. Multi-tenancy and data isolation
The CrisisLoop platform is multi-tenant. Each customer's data is logically isolated by company identifier at the database query level. Users can only access data belonging to their own organisation. Platform staff access is logged and auditable; when staff impersonate a tenant user, the impersonation session is read-only and cannot perform any mutating action.
8. Sub-processors
We use the following third-party services to operate the platform:
- Anthropic (Claude API): AI-powered exercise generation, scoring, and analysis. Data is processed in accordance with Anthropic's data processing terms.
- ElevenLabs (Conversational AI + voice synthesis): Real-time voice conversation during exercises, and text-to-speech generation for pre-recorded media. Audio is streamed via WebRTC; see Section 2 for retention details.
- OpenAI (DALL-E): Optional image generation for exercise media.
- Plausible Analytics: Cookieless, privacy-friendly website analytics. No personal data is collected; no tracking cookies are set. See plausible.io/data-policy.
- Infrastructure providers: Hosting, database, and backup-storage services within the UK/EU. Production data is hosted in the United Kingdom for data-residency compliance.
9. Your rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate personal data
- Request erasure of your personal data
- Restrict or object to processing
- Data portability
- Withdraw consent at any time
To exercise any of these rights, contact us at privacy@crisisloop.io.
10. Cookies and tracking
The CrisisLoop platform uses essential cookies for authentication (JWT session tokens stored as httpOnly cookies). The marketing website uses Plausible Analytics, which does not set cookies and does not track users across sites. We do not use advertising cookies, third-party trackers, or fingerprinting.
11. International transfers
Where data is transferred outside the UK/EEA (for example, to our AI sub-processors), we rely on the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or other lawful transfer mechanisms as applicable. We do not transfer personal data to countries without adequate protection.
12. Changes to this policy
We may update this privacy policy from time to time. Material changes will be communicated to registered users via email. The "last updated" date at the top of this page reflects the most recent revision.
13. Contact
For any questions about this privacy policy or our data practices:
Email: privacy@crisisloop.io
CrisisLoop Ltd
United Kingdom