Crosswise Privacy Policy

Last updated: August 13, 2025

Layered Summary - At a Glance

Who is Crosswise?
US-based B2B fintech SaaS provider.
What data do we collect?
Customer Content (anything your organization chooses to upload or connect, e.g., business documents, internal policies, financial records, transaction evidence, complaints, images, and supporting materials) - plus Account Identifiers, Website Interaction Data (intentional form or scheduling submissions), Session and Device Data (strictly necessary cookies), Support Records, and Employment or Applicant Data.
Why do we collect it?
To deliver and secure the Platform, support customers, improve our product, market responsibly, and comply with law.
Do we sell or share your data for ads?
No.
Your rights
Access, delete, correct, opt out in states with dedicated privacy statutes. Submit requests by email.
How long do we keep data?
Life of contract plus the retention periods noted below.
How is it protected?
TLS 1.2+ in transit, AES-256 at rest, quarterly access reviews, external penetration testing.

1. Scope

This Policy applies to personal data processed by Crosswise, Inc. ("Crosswise," "we," "us," or "our") when you (i) visit crosswise.io and subsites (the "Sites"); (ii) register for or use the Crosswise platform and related APIs (the "Platform"); (iii) interact with our sales, marketing, or events team; or (iv) apply for employment. Platform content that we process solely on behalf of an enterprise customer is governed by the terms of the relevant customer agreement under which Crosswise acts as a "service provider" or "processor," as those terms are defined by applicable privacy laws.

2. Definitions

Personal Data - information linked or reasonably linkable to an identified or identifiable natural person.

Sensitive Personal Data - categories designated as sensitive under U.S. privacy laws (e.g., login credentials, full bank-account numbers).

Customer Content - any information, files, or records your organization chooses to upload or connect to the Platform (including, without limitation, business documents, internal policies, financial records, transaction evidence, complaints, images, and related supporting materials). Customers control the nature of Customer Content and are responsible for ensuring a lawful basis to provide it. Crosswise processes Customer Content solely to provide and secure the services under the customer's instructions and does not use Customer Content for advertising or other unrelated purposes.

Other capitalized terms have the meanings set by applicable state privacy statutes.

3. Categories of Personal Data Collected

Personal Data Categories
Category | Examples | Source
Customer Content (uploaded or connected records) | Any business records your organization chooses to upload or connect (including, without limitation, internal policies, financial statements, bank account numbers, transaction evidence, complaints, images of checks, and supporting documents) | Provided by customer
Account Identifiers | Name, business email, MFA phone, role | Provided by user via AWS Cognito
Session Data | AWS Cognito session cookie - strictly necessary | Automated via Platform
Marketing and Prospect Data | Name, work email, title, company, LinkedIn profile, campaign source, deal notes | Provided by user
Support Records | Help-desk tickets, attachments | Provided by customer
Employment and Applicant Data | Resume, compensation, diversity info; background screening results | Provided by applicant
Device Data | Cloudflare performance cookie | Automated when visiting Sites
Website Interaction Data | Information intentionally submitted through web forms or scheduling (name, email, message content). | Provided by visitor

We do not intentionally collect biometric, health, precise geolocation, or social-security numbers.

4. Sources of Personal Data

Crosswise obtains Personal Data directly from the individual or customer that provides it, or via strictly necessary technical means (session cookies, logs). We do not purchase, enrich, or otherwise obtain Personal Data from data-broker or ad-tech sources.

5. Purposes for Processing and Legal Bases

Purposes and Legal Bases
Purpose | Illustrative Uses | Legal Basis
Service delivery and security | Authenticate sessions; encrypt and store financial content; prevent fraud. Create and administer user accounts. | Contract performance
Customer support | Troubleshoot issues | Contract performance
Sales and marketing | Respond to demo requests; send product updates (opt out anytime). | Legitimate interests or consent
Legal and compliance | Maintain audit logs; fulfill tax, AML, and dispute obligations. | Legal requirement
Product improvement | Analyze de-identified usage trends to improve features and reliability. | Legitimate interests

6. Disclosure of Personal Data

We disclose Personal Data only to:

  • Service Providers - AWS (hosting), cloud-based productivity and collaboration tools (email and collaboration), Clarify.ai (CRM), Datadog (observability), Rippling (HR).
  • Professional Advisors - auditors, accountants, legal counsel under NDA.
  • Authorities - when required by law or to protect rights.

Crosswise does not sell or share Personal Data for cross-context behavioral advertising.

7. Cross-Border Data Transfers

Crosswise currently stores data in the United States. If we later transfer Personal Data from the European Economic Area, United Kingdom, or Switzerland, we will rely on an approved transfer mechanism, such as the EU-US Data Privacy Framework and/or Standard Contractual Clauses.

8. Cookies and Similar Technologies

The Sites set only strictly necessary cookies:

  • Cloudflare (__cf_bm) - security and load balancing; 30-minute expiry.
  • AWS Cognito session cookie - maintains login; expires on logout or timeout.

No analytics or advertising cookies are used.

We plan to recognize the Global Privacy Control (GPC) signal once our consent-management platform goes live (target: Q1 2026). A detailed Cookie Notice and banner will accompany that rollout.

9. Data Retention and Minimization

Retention Schedule
Data Category | Retention Schedule | Rationale
Website logs | None collected | Minimal data philosophy
Marketing leads | 24 months from last activity | Sales analytics lifecycle
Customer account data | Duration of contract | Contract fulfilment
Uploaded financial content | Duration of contract | Service delivery
Contract and billing records | 24 months from last activity | Audit and dispute window
Support tickets | 24 months from last activity | QA and knowledge-base reuse
HR and applicant records | 12 months | Talent-pool review
Backup archives | 12-month rolling | Disaster-recovery constraints

Sensitive Personal Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). After account closure, encrypted archives are retained for seven (7) years solely for audit and regulatory defense, then purged.

10. Security Measures

  • TLS 1.2+ encryption in transit and AES-256 at rest.
  • Quarterly privileged-access reviews.
  • Annual third-party penetration testing.
  • Continuous monitoring via Datadog.
  • SOC 2 Type 2 report in progress - available under NDA upon completion.

11. Privacy Rights and How to Exercise Them

Under California, Colorado, Connecticut, Utah, Virginia, and Florida law you may: Access, delete, or correct Personal Data; obtain a portable copy (CA); opt out of processing of Sensitive Personal Data for any secondary purpose (we do not conduct such processing); opt out of sale or share (we do not sell or share data).

Submission methods: Email: privacy@crosswise.io

We acknowledge requests within ten (10) business days and respond within forty-five (45) calendar days (one 45-day extension permitted). Identity is verified by matching the request to the email linked to the account; unverified requests will be denied with explanation. We retain a secure log of all requests for twenty-four (24) months as required by CPRA regs §7141.

CPRA Category Table
CPRA Category | Collected | Purpose(s) | Disclosed to | Retention
Identifiers (name, email, IP) | Yes | Service, security, marketing | Service Providers | See §9
Commercial info (subscription tier) | Yes | Billing, support | None | See §9
Internet activity (session cookie) | Yes | Security | None | Session only
Financial data (bank details) | Yes | Service delivery | None | Contract plus 7 yrs archive
Sensitive login credentials | Yes | Authentication | None | Contract plus 7 yrs archive

12. Children's Privacy

The Sites and Platform are not directed to children under 16 and Crosswise does not knowingly collect Personal Data from anyone under 13. If you believe we have received data from a minor, contact privacy@crosswise.io for prompt deletion.

13. Data Breach Notification

In the event of a security incident involving Personal Data, Crosswise will notify affected individuals and relevant regulators without undue delay and, where applicable, within the timeframes mandated by state breach-notification statutes.

14. Changes to This Policy

Material changes will be announced at least thirty (30) days in advance via email and/or in-product banner. The "Last updated" date will always reflect the current version.

15. Contact Us

Email: privacy@crosswise.io

Mail: 8893 Meadow View Road, Park City, UT 84098

We prefer email for privacy correspondence.