Back to Network
Protocol Documentation

Privacy Policy

How We Collect, Use, and Protect Your Data

Last Updated: March 2026

At CR3W, we believe data sovereignty is a right, not a privilege. This Privacy Policy explains how CR3W ("we," "us," or "our") collects, uses, stores, and protects your personal data when you use joincr3w.com (the "Platform"). This policy is compliant with the UK General Data Protection Regulation (UK GDPR), the EU GDPR, and applicable data protection laws.

Data Controller: CR3W is the data controller for personal data collected through the Platform. For data-related enquiries, contact us at hello@joincr3w.com.

1. Data We Collect

We collect only what is necessary to operate the Platform. This includes:

  • Account Information: Your full name, email address, profile photo, bio, location, social media links, LinkedIn URL, and professional background — provided when you register.
  • User-Generated Content: Projects you submit, messages you send, connections you form, and any other content you post to the Platform.
  • Usage & Technical Data: IP address, browser type, device information, pages visited, and session timestamps — collected automatically for security, anti-fraud, and performance purposes.
  • Payment Data: Payment is processed by Stripe. We do not store your card details. We may retain transaction IDs and amounts for accounting purposes.
  • Communications: Emails you send to us and support requests.

2. Lawful Basis for Processing (UK/EU GDPR)

We process your personal data under the following lawful bases under Article 6 of the UK/EU GDPR:

  • Contract Performance (Art. 6(1)(b)): Processing necessary to provide you with your membership and operate your account (e.g., profile creation, project hosting, messaging).
  • Legitimate Interests (Art. 6(1)(f)): Processing for network security, spam prevention, fraud detection, and improving Platform quality — where these interests are not overridden by your rights.
  • Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable laws (e.g., financial record-keeping, responding to lawful authority requests).
  • Consent (Art. 6(1)(a)): For optional communications (e.g., marketing emails, non-essential cookies). You may withdraw consent at any time without affecting prior processing.

3. How We Use Your Data

  • To create and manage your account and profile;
  • To enable communication between members (messaging, connection requests);
  • To display your projects and profile to other members;
  • To process payments for mentorship sessions or premium features;
  • To send transactional emails (account verification, booking confirmations, security alerts);
  • To enforce our Terms of Service and Community Guidelines;
  • To improve the Platform through aggregated, anonymised analytics;
  • To comply with legal obligations.

We do not use your data for advertising. We do not sell your data to third parties. Ever.

4. Data Sharing & Third-Party Processors

We do not sell or share your personal data with third parties for their own marketing purposes. We engage the following GDPR-compliant processors strictly to operate the Platform:

  • Supabase (Infrastructure & Database): EU-hosted database and authentication infrastructure. Data processed under Supabase's DPA.
  • Stripe (Payments): Secure payment processing. Governed by Stripe's Privacy Policy.
  • Vercel (Hosting): Platform hosting and CDN delivery.
  • Resend / Email Provider: Transactional email delivery.

We require all processors to maintain appropriate technical and organisational security measures and only process data in accordance with our documented instructions.

5. International Data Transfers

Some of our processors (including Stripe and Vercel) may process data outside the UK/EEA. Where this occurs, we ensure transfers are protected by appropriate safeguards, such as Standard Contractual Clauses (SCCs) approved by the relevant data protection authority, or other legally recognised transfer mechanisms.

6. Data Retention

We retain your personal data only for as long as your account is active or as required to fulfil the purposes described in this Policy. Specifically:

  • Account & Profile Data: Retained while your account is active. Deleted within 30 days of account deletion request, except where retention is required by law.
  • Messages & Content: Deleted upon account deletion, unless required for an ongoing dispute or legal obligation.
  • Payment Records: Retained for 7 years to comply with financial regulations.
  • Usage Logs: Aggregated or anonymised within 90 days.

7. Your Rights

Under the UK GDPR and EU GDPR, you have the following rights — all of which you can exercise directly in your account settings, or by contacting us at hello@joincr3w.com:

  • Right of Access (Art. 15): Request a copy of all personal data we hold about you.
  • Right to Rectification (Art. 16): Correct inaccurate or incomplete data via your profile settings at any time.
  • Right to Erasure / Right to be Forgotten (Art. 17): Delete your account and all associated personal data using the "Delete My Account" tool. We will process this within 30 days.
  • Right to Data Portability (Art. 20): Export all your data in a machine-readable format using the "Export My Data" tool in your profile settings.
  • Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes.
  • Right to Restrict Processing (Art. 18): Request that we limit the processing of your data in certain circumstances.
  • Right to Withdraw Consent: Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

You also have the right to lodge a complaint with a supervisory authority, such as the UK Information Commissioner's Office (ICO) at ico.org.uk, or your local EU data protection authority.

We will respond to all verified data subject requests within 30 days (extendable by a further two months for complex requests, with prior notice).

8. Security

We implement industry-standard technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256);
  • Access controls restricting data access to authorised personnel only;
  • Regular security reviews of our infrastructure and third-party processors;
  • Supabase's Row-Level Security (RLS) policies governing database access.

In the event of a data breach that is likely to affect your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with our legal obligations (within 72 hours of becoming aware).

9. Cookies

We use essential cookies to operate the Platform (e.g., session authentication). For full details on how we use cookies and how to manage your preferences, please see our Cookie Policy.

10. Children's Privacy

CR3W is not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected such data, please contact us immediately and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by posting the updated Policy with an updated "Last Updated" date and, where appropriate, by email. Your continued use of the Platform after such changes constitutes your acceptance of the updated Policy.

12. Contact Us

For any privacy-related questions, data subject requests, or to contact our Data Protection team:

Your Data, Your Control

Exercise your rights instantly — no forms, no waiting. Use the Export My Data and Delete My Account tools in your profile settings. You are always in control.

CR3W.

Membership is a privilege. Preserve the signal.