This Privacy Policy describes how krewbot ("we", "us", "our") collects, uses, and protects information when you use the krewbot service available at app.krewbot.com and its subdomains (the "Service").

1. Information we collect

Account information

When you sign up, we collect your email address. If you sign in with Google, we also receive your name and profile photo from Google's identity service.

Workspace content

krewbot stores the content you create or upload inside your workspace, including chat messages, files, knowledge documents, automations, and integration settings. This content is stored encrypted at rest and is only accessible to members of your workspace.

Third-party integration credentials

When you connect a third-party service such as Slack, Telegram, WhatsApp, Microsoft Teams, Notion, or Google Workspace, krewbot stores the access tokens or API keys you provide (or that we receive via OAuth) so the agent can act on your behalf. These credentials are stored encrypted in AWS Secrets Manager, scoped per workspace, and are never shared between workspaces or with other users.

Operational data

We collect logs and metrics necessary to operate and secure the Service: timestamps, IP addresses, error traces, and request metadata. These are retained for a limited period for debugging and abuse prevention.

2. How we use information

  • To provide, maintain, and improve the Service.
  • To execute the actions you ask the agent to perform — including reading, writing, and modifying content in your connected third-party services.
  • To authenticate you and protect your account.
  • To detect, investigate, and prevent fraud or abuse.
  • To respond to your support requests.

We do not sell your personal information. We do not use your workspace content or integration data to train machine-learning models.

3. Third-party services

krewbot relies on the following sub-processors:

  • Amazon Web Services (AWS) — hosting, storage, logging, and authentication.
  • Anthropic — AI model inference. Prompts and tool calls necessary to complete your agent turns are sent to Anthropic under their data processing terms.
  • SendGrid — transactional email delivery (e.g. magic-link sign-in).
  • Third-party integrations you choose to connect — such as Notion, Google Workspace, Slack, Telegram, WhatsApp, and Microsoft Teams. When connected, the agent reads and writes data in those services as you direct it.

Notion data

When you connect Notion via OAuth, krewbot stores the OAuth access token Notion issues. The agent uses that token to read and write pages, databases, and blocks in the Notion pages you have explicitly shared with the integration. We do not access content outside the pages you share, and we do not use your Notion content for any purpose other than fulfilling your requests.

Google Workspace data

When you connect Google via OAuth, krewbot stores a refresh token issued by Google and uses it only to access the scopes you authorize. Depending on which features you enable, this may include:

  • Google Calendar — to view and manage the events you ask the agent to schedule or update.
  • Google Drive, Docs, Sheets, and Slides — to read, create, and edit the documents, spreadsheets, and presentations you direct the agent to work with.
  • Google Forms — to create and edit forms and to read their responses when you ask the agent to.
  • Gmail (gmail.modify) — to read, compose, send, and organize email on your behalf when you ask the agent to. The agent acts only on the messages and actions you request.

krewbot's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Limited Use of Google data

krewbot uses data received from Google Workspace APIs only to provide and improve the user-facing features described above. Specifically, we do not:

  • transfer or sell this data to third parties;
  • use it for advertising or for any purpose unrelated to the features you use; or
  • allow humans to read it, except (a) with your explicit consent, (b) where necessary for security purposes or to comply with applicable law, or (c) where the data has been aggregated and anonymized for internal operations.

4. Data security

We follow industry-standard practices to protect your data: network-isolated containers per workspace, encryption in transit (TLS) and at rest, scoped IAM permissions, and regular security reviews. No system is perfectly secure, however; you use the Service at your own risk.

5. Data retention and deletion

Workspace content is retained for as long as your workspace exists. When you delete a workspace, all associated data — chat history, files, integration credentials, and automations — is permanently deleted within a reasonable period. You may request deletion of your account by contacting us at the address below.

6. Your rights

Depending on where you live, you may have the right to access, correct, port, or delete your personal information, and to object to or restrict certain processing. Contact us to exercise any of these rights.

7. International data transfers

krewbot is hosted in the United States. By using the Service, you consent to your information being transferred to and processed in the United States.

8. Children

krewbot is not directed at children under 16, and we do not knowingly collect personal information from children.

9. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date above and, where appropriate, by email.

10. Contact us

Questions about this Privacy Policy? Email info@krewbot.com.