Privacy Policy

Last Updated: January 14, 2026

Introduction

Cremit ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services.

Contact Information:

Email: hi@cremit.io

Location: Seoul, South Korea

1. Information We Collect

1.1 Information You Provide

Account Information:

Email address, name, company name

Payment Information:

Processed through Polar.sh, Stripe, or wire transfer (we do not store credit card details)

Communications:

Support tickets, feedback, and correspondence

1.2 Automatically Collected Information

Usage Data:

Activity logs, feature usage, API calls

Analytics Data:

Through Google Analytics, Pixel, Apollo, and Pipedrive

Technical Data:

IP address, browser type, device information, session data

1.3 What We DO NOT Collect or Store

Your Source Code:

We never store your source code. Code is analyzed in-memory and immediately discarded after scanning.

Unmasked Secrets:

Detected secrets are masked and encrypted. Only masked data (prefix/suffix) is stored for identification.

Raw Data:

Original data from scanned sources is not retained after processing.

2. How We Use Your Information

We use collected information to:

Provide and maintain our services

Process payments and manage subscriptions

Send service-related notifications and updates

Improve our platform through analytics

Detect and prevent security threats

Comply with legal obligations

3. Data Security

3.1 Security Measures

ISO 27001 Certified:

Our information security management system meets international standards

SOC 2 Ready:

Prepared for SOC 2 Type II certification

Encryption:

All data encrypted at rest (AES-256) and in transit (TLS 1.2+)

KMS Integration:

Secrets encrypted using AWS KMS

BYOK Support:

Bring Your Own Key option for enterprise customers

Private Subnet Architecture:

All application servers in isolated private networks

3.2 Data Storage

Primary Region:

Seoul, South Korea (ap-northeast-2)

Secondary Region:

United States

Customer Choice:

Enterprise customers can select their preferred region

4. Data Ownership and Control

4.1 Your Data Rights

Ownership:

You retain full ownership of all data you upload or connect

Access:

View all your data through the platform dashboard

Export:

Download your data in standard formats

Deletion:

Request immediate deletion of your data at any time

Portability:

Transfer your data to another service

4.2 Account Deletion

When you delete your account:

All associated data is immediately and permanently deleted

Data is removed from all systems, including backups

Deletion cannot be reversed

Complies with GDPR's "Right to be Forgotten"

5. Data Sharing and Disclosure

5.1 We Do Not Sell Your Data

We never sell, rent, or trade your personal information.

5.2 Third-Party Service Providers

We share limited data with:

Payment Processors:

Polar.sh, Stripe (for billing)

Analytics Providers:

Google Analytics, Pixel, Apollo, Pipedrive

Cloud Infrastructure:

AWS (hosting and infrastructure)

All third parties are bound by confidentiality agreements and process data only as directed.

5.3 Legal Requirements

We may disclose information if required by:

Valid legal process (subpoena, court order)

Protection of our rights or safety

Compliance with applicable laws

6. International Data Transfers

We comply with:

GDPR (General Data Protection Regulation - EU)

CCPA (California Consumer Privacy Act - US)

Personal Information Protection Act (South Korea)

Data transferred internationally is protected by:

Standard Contractual Clauses (SCCs)

Adequate security measures

Compliance with local data protection laws

7. Cookies and Tracking Technologies

See our Cookie Policy for detailed information about cookies and tracking technologies we use.

8. Your Privacy Rights

Depending on your location, you may have the right to:

Access:

Request a copy of your data

Rectification:

Correct inaccurate data

Erasure:

Delete your data ("Right to be Forgotten")

Restriction:

Limit how we process your data

Portability:

Receive your data in a machine-readable format

Objection:

Object to certain data processing

Withdraw Consent:

Revoke previously given consent

To exercise these rights, contact us at hi@cremit.io

9. Data Retention

Active Accounts:

Data retained while account is active

Deleted Accounts:

Data immediately deleted upon account deletion

Legal Requirements:

Some data may be retained longer if required by law

Backup Systems:

Deleted data removed from backups within 30 days

10. Children's Privacy

Our services are not intended for users under 16. We do not knowingly collect information from children.

11. Changes to This Policy

We may update this Privacy Policy. Changes are effective when posted. Continued use constitutes acceptance of changes.

12. Contact Us

For privacy-related questions or concerns:

Email: hi@cremit.io

Subject: "Privacy Inquiry"