CRESTLINE
Trust

Privacy Policy

Effective as of 2026-07-15

Crestline Intelligence Private Limited (“Crestline”, “we”, “our”, or “us”) builds an AI-native operating layer for organisations. This policy explains what information we collect, why we collect it, how we protect it, and the control you have over it. It applies to crestlineintelligence.com, the Crestline application at app.crestlineintelligence.com, and every related service we operate.

1Who We Are

Crestline Intelligence Private Limited is the data controller for the information described in this policy. We are incorporated in India and operate the Crestline platform globally. For any privacy question, request, or complaint, contact us at info@crestlineintelligence.com and we will respond within 30 days.

2Information We Collect

We collect only what is needed to run the product you have asked us to run.

  • Account informationYour name, email address, and profile image — provided directly by you at signup or supplied by Google when you choose Sign in with Google.
  • Organisation dataYour organisation, departments, reporting lines, roles, and employee identifiers, as entered by you or your administrator.
  • Content you createProjects, tasks, messages, documents, policies, meeting notes, and memory items you or your colleagues create inside Crestline.
  • Connected service dataWhen you connect a third-party account (for example Gmail, Salesforce, or HubSpot), we access the data covered by the permissions you grant. See Section 3.
  • Technical and usage dataIP address, browser and device type, pages visited, and diagnostic logs — used to keep the service secure, available, and debuggable.

3Google User Data

If you sign in with Google or connect your Gmail account, Crestline requests the following Google API scopes. We request the narrowest set of permissions that will deliver the feature, and we access your Google data only while your connection is active.

  • openid · userinfo.email · userinfo.profileUsed solely to authenticate you and create or match your Crestline account. We read your email address, name, and profile picture — nothing else.
  • gmail.sendUsed only when you send a message from Crestline’s composer, so the email is delivered from your own Gmail address and the recipient sees you as the genuine sender. We never send email without an action you initiate.
  • gmail.readonlyUsed to read your email messages and their metadata so Crestline can display your threads in its unified inbox and attribute conversations to the right project and contact. This access is read-only — we cannot modify, delete, or archive anything in your mailbox.

Connecting Gmail is entirely optional and is never required to use Crestline. You can disconnect at any time from within the application, or revoke Crestline’s access directly at myaccount.google.com/permissions. On disconnection we delete the stored OAuth tokens immediately and any cached message content within 30 days.

4Limited Use of Google User Data

Crestline Intelligence’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

See the Google API Services User Data Policy.

Concretely, and without exception:

  • We do not use Google user data for advertising, and we never sell it.
  • We do not use Google user data to train, retrain, or improve generalised artificial-intelligence or machine-learning models — our own or anyone else’s.
  • We do not allow humans to read your Google user data, unless you give explicit consent for a specific message, it is necessary for security purposes such as investigating abuse, it is required to comply with applicable law, or the data has been aggregated and de-identified.
  • We transfer Google user data only where necessary to provide or improve the user-facing features you have enabled, to comply with applicable law, or as part of a merger or acquisition — in which case we will give notice before your data becomes subject to a different policy.

5How We Use Your Information

We use the information we collect to authenticate you, deliver the features you enable, keep the service secure and reliable, provide support, comply with legal obligations, and communicate service and product notices. We do not sell your personal data, and we do not use your content for advertising or profiling.

6AI Processing

Crestline is an AI product. To deliver features such as search, summarisation, briefs, and process explanations, your content may be processed by our AI sub-processors — principally OpenAI, and Anthropic where configured — and embedded into vector representations stored in our Qdrant database.

Three commitments govern this processing. Your content is sent only to deliver a feature you have invoked. Our AI providers are contractually bound not to train their models on data submitted through their APIs. And, as stated in Section 4, Google user data is never used for model training under any circumstances.

7Sharing and Sub-Processors

We share data only with vendors who help us run the service, each bound by contract to confidentiality and to using the data solely to provide their service to us.

  • VercelApplication hosting and content delivery.
  • NeonManaged PostgreSQL database hosting.
  • QdrantVector database powering semantic search and memory.
  • OpenAI · AnthropicLarge-language-model and embedding processing.
  • ResendTransactional email delivery, such as invitations and magic links.
  • PusherRealtime message and notification delivery.

We may also disclose information where legally compelled — a valid court order, subpoena, or equivalent legal process — or to protect the rights, safety, and property of Crestline, our users, or the public. We do not sell or rent personal data to anyone, for any purpose.

8Storage and Security

All data in transit is encrypted with TLS 1.3, and all data at rest is encrypted with AES-256. Third-party credentials and OAuth tokens receive an additional layer of AES-256-GCM application-level encryption before they are written to the database, so they remain unreadable even to someone holding raw database access. Access to production systems is role-based, multi-factor-authenticated, least-privilege, and logged. Our full security posture is documented in our Security Policy.

9Data Retention and Deletion

We retain your data for as long as your account is active. When you delete content inside Crestline, it is removed from our primary systems immediately and purged from encrypted backups within 90 days. When you close your account, we delete your personal data within 90 days, except where retention is required by law — for example, tax and accounting records. Disconnecting a third-party integration deletes its stored tokens immediately. You may request deletion at any time by writing to info@crestlineintelligence.com.

10Your Rights

Depending on where you live, you may have the right to access the personal data we hold about you, correct it if it is inaccurate, request its deletion, obtain a portable copy, object to or restrict certain processing, and withdraw consent at any time. These rights are available to users under India’s Digital Personal Data Protection Act 2023 and, for users in the European Economic Area and the United Kingdom, under the GDPR. To exercise any of them, contact info@crestlineintelligence.com. We will not discriminate against you for making a request.

11International Transfers

Crestline is operated from India and uses sub-processors that may store or process data in other jurisdictions, including the United States and the European Union. Where we transfer personal data across borders, we rely on appropriate safeguards such as Standard Contractual Clauses and equivalent contractual protections.

12Children

Crestline is a workplace product intended for business use. It is not directed at children, and we do not knowingly collect personal data from anyone under 18. If we learn that we have collected such data, we will delete it promptly.

13Changes to This Policy

We may update this policy as the product evolves. When we make material changes, we will update the effective date above and notify you by email or through an in-app notice before the change takes effect. Continued use of Crestline after a change takes effect constitutes acceptance of the revised policy.

Questions about this policy, or want to exercise a data right? Contact info@crestlineintelligence.com. See also our Security Policy and Terms of Service.