Privacy Policy

1) Scope and Who We Are

This Privacy Policy explains how Crink Private Limited ("Crink", "we", "us", "our") collects, uses, discloses, and safeguards information through our websites (e.g., crink.app), mobile apps, and related online services, including our AI therapist/companion "Cri" and PsychOps tools (collectively, the "Services"). By using the Services, you agree to this Policy. If you do not agree, do not use the Services.

• Registered office: Integrated Startup Complex, North Kalamassery, Kochi, Kerala 683503, India
• Contact (privacy & grievances): sruthi@crink.app
• Roles: Crink acts as the data controller / data fiduciary for most processing. For enterprise deployments (e.g., hospitals, universities, employers), we may act as a data processor on the enterprise's instructions.

2) Definitions

• Personal Information (PI): Information that identifies or can reasonably identify you (directly or indirectly).
• Non-Personal Information: Aggregated, de-identified, or otherwise non-identifying information.
• Conversation Data: Text content from interactions with Cri and any files you choose to upload. Voice audio is processed ephemerally unless you explicitly enable features that store it.

3) Information We Collect

A. Personal Information you provide

• Account & Profile: Name, email, phone, password (hashed), profile photo (optional), time zone, language.
• Contact & Support: Messages you send us (email, in-app), issue reports, feedback.
• Conversation Data (Service Use): Content you enter in Cri; preferences/goals; tasks, schedules, wellbeing exercises you choose to track.
• Assessments & Wellbeing Metrics: If you use them (e.g., PHQ-9, GAD-7, PERMA, WHO-5). These may be considered sensitive under some laws.
• Human-in-the-Loop Notes: Notes by Crink-affiliated psychologists/consultants (if applicable) to support care or program management.
• Payment & Billing: Processed by payment providers (we receive limited details like transaction ID and status).
• Enterprise Programs: Organization, cohort, referral codes (if applicable). We do not share your private therapy content with your organization without your explicit consent.

B. Information we collect automatically

• Online Identifiers & Device Data: IP address, device type, OS, app version, unique identifiers, crash logs.
• Usage Data: Pages/screens viewed, clicks, features used, session time, referrers.
• Approximate Location: City/region derived from IP. We do not collect precise location unless you enable a feature requiring it.

C. Information from third parties

• SSO & App Stores: If you sign in via Apple/Google or install via an app store, we receive information those providers share per their settings.
• Program Partners: If you join via a hospital, university, insurer, or employer, we may receive limited enrollment data (e.g., eligibility, cohort, contact info). We do not receive your private therapy content from partners without your consent.

4) How We Use Information

• Provide and operate the Services: Account management, feature delivery, therapist/consultant collaboration (if chosen), support.
• Personalization: Tailor prompts, exercises, and reminders to your goals and context.
• Safety, security, integrity: Authenticate users; prevent/detect fraud, abuse, security incidents; maintain audit logs.
• Analytics & service quality: Understand usage, fix bugs, improve performance and reliability.
• Direct marketing (optional): Product updates or promotions. You can opt out anytime.
• Research & model improvement (optional): If you opt in, we de-identify Conversation Data and use it to improve models, prompts, and features. We never store voice for this purpose; you can opt out anytime.
• Legal compliance: Comply with law, respond to lawful requests, enforce terms, and protect rights and safety.
• De-identified data: Create aggregated insights (e.g., usage trends) for research, reporting, and product improvement.

5) How We Share Information

• Service Providers (Processors): Hosting, storage, analytics, error monitoring, communications, payments, fraud prevention, support tools — under confidentiality and security obligations, acting on our instructions.
• Human Psychologists/Consultants (if applicable): Limited access to relevant information to support care/programs. Access is role-based and audited.
• Enterprise/Institutional Programs: We may share aggregated or de-identified metrics (e.g., adoption, outcomes) with your organization. We do not share your private therapy content without your explicit, informed consent or your instructions.
• Affiliates & Corporate Transactions: In mergers, acquisitions, financings, or asset sales, information may transfer subject to this Policy.
• Legal & Safety: To comply with law, legal process, or governmental requests; to enforce terms; to protect rights, property, or safety of users or the public.
• With Your Direction: If you ask us to share (e.g., export to your therapist or another app), we will do so.

We do not sell Personal Information and we do not share it for cross-context behavioral advertising.

6) Sensitive Information Handling

Data such as mental-health assessments and therapy-related notes are protected with additional safeguards: strict role-based access, encryption at rest/in transit, and logical separation between therapy content and operational metadata. Access is logged and periodically reviewed.

7) Data Security

• Encryption in transit (TLS) and at rest.
• Role-based access; least-privilege; mandatory multi-factor authentication for staff.
• Network segregation; secrets management; regular patching and vulnerability scanning.
• Audit logging for sensitive stores; anomaly detection.
• Backups with limited retention and controlled restore.

No system is perfectly secure. If a security incident affects your data, we will notify you and/or regulators as required by law.

8) Cookies, SDKs & Tracking Tools

We use cookies and mobile SDKs to run and improve the Services.

• Essential: Authentication, security, load balancing, preferences.
• Functional/Analytics: Usage measurement, performance, crash reporting, A/B testing.
• Marketing (optional): Product updates and attribution. You can opt out of marketing cookies in settings and unsubscribe from emails.

Your browser/device settings may allow you to block or limit cookies/SDK tracking. Some features may not work without essential cookies.

9) Data Retention

• Account & Profile: Kept while your account is active; deleted within 30–90 days after account deletion, subject to legal holds and backup cycles.
• Conversation Data: Retained for history/continuity of care. You can delete specific conversations or delete your account to remove history from active systems. Backups age out per schedule.
• Assessment Data: Retained with Conversation Data unless you delete it or your account.
• Opt-in Training Data: Stored de-identified with separate keys; you can withdraw consent anytime (new data excluded; prior de-identified corpora may not be traceable to you).
• Legal/Compliance: Certain records may be retained as required by law (e.g., tax/transaction records).

10) International Data Transfers

We may process and store data in countries other than where you live. When transferring Personal Information internationally, we use appropriate safeguards (e.g., Standard Contractual Clauses where applicable) and require our processors to do the same.

11) Your Choices & Rights

• Access / Correction / Portability: Request a copy of your data or corrections.
• Deletion: Delete specific items in-app where available, or request full account deletion.
• Withdraw Consent: Turn off transcript-sharing for improvement at any time.
• Marketing Opt-Out: Use the unsubscribe link in emails or app settings. Processing may take up to 7 business days.
• Appeal/Complaint: Contact us if you disagree with a decision. You may also lodge a complaint with your local data protection authority.

Submit requests at sruthi@crink.app. We will verify your identity and respond within applicable timelines.

12) Regional Notices

India (Digital Personal Data Protection Act, 2023)

• Crink is a Data Fiduciary for your Personal Data processed for our Services, and may be a Data Processor for enterprise customers.
• We rely on consent and other permitted uses under the DPDP Act.
• Children's Data: For users under 18, parental/guardian consent is required. We do not serve targeted ads to children or undertake prohibited tracking.
• Grievance Redressal: sruthi@crink.app. We aim to resolve grievances within statutory timelines.

United States (including California)

• Children: We do not knowingly collect PI from children under 13. If you believe a child under 13 has provided PI, contact us to delete it.
• CCPA/CPRA: We do not sell PI and do not share it for cross-context behavioral advertising. California residents may request access, correction, or deletion, and may limit use of sensitive PI as applicable.

13) Automated Decision-Making & Safety

Cri generates supportive suggestions based on your inputs and preferences. We do not use solely automated decision-making that produces legal or similarly significant effects. Cri is not a substitute for professional medical care or emergency services.

14) Third-Party Links

Our Services may link to third-party sites/apps. Their privacy practices are their own. Review their policies before use.

15) Enterprise & B2B Customers

If your access is provided by an organization, we may process data on their behalf under our agreement with that organization. We do not disclose your private therapy content to the organization without your explicit consent or as required by the agreement and applicable law.

16) Changes to this Policy

The "Last Updated" date at the top of this page reflects the latest revision.

17) Contact Us (Privacy & Grievances)

Crink Private Limited
Integrated Startup Complex, North Kalamassery,
Kochi, Kerala 683503, India
Email: sruthi@crink.app