Crux

Privacy Policy

Effective: June 10, 2026Last updated: June 10, 2026

Privacy Policy

Effective Date: June 10, 2026 Last Updated: June 10, 2026

This Privacy Policy explains how Arinian Studio ("Crux," "we," "our," or "us") collects, uses, shares, and protects your personal data when you use the Crux website and services (the "Service").

We take your privacy seriously. This policy is written to be clear and specific. If anything is unclear, please contact us at support@cruxpov.com.

1. Who We Are (Data Controller)

The data controller responsible for your personal data is:

Arinian Studio Representative: Jason Jiyoon Guk Business Registration Number: 318-01-61448 Address: 6F B611, 74 Okjeongdong-ro 7da-gil, Yangju-si, Gyeonggi-do 11473, Republic of Korea Phone: +82-70-4571-7486 Email: support@cruxpov.com Preferred contact: email

Privacy Contact: Jason Jiyoon Guk — support@cruxpov.com

For all privacy-related inquiries, including exercising your rights under applicable law, contact us at support@cruxpov.com.

If we become required to appoint an EU or UK representative under applicable data protection law, we will update this Policy with the representative's contact details.

2. What Personal Data We Collect

We collect the following categories of personal data:

Information You Provide to Us

  • Account information — your email address and basic Google profile information provided through Google OAuth, such as your name and profile image, if made available. We store only the information needed to create and maintain your account.
  • Birth information — your date of birth, time of birth (if known), and place of birth. This is the core input required to generate your report.
  • Payment information — handled directly by our payment provider, Paddle. We receive a transaction confirmation (order ID, amount, status), but we do not receive or store your full payment card details.
  • Communications — when you contact us at support@cruxpov.com or otherwise communicate with us.

Information We Generate

  • Report content and interpretive inferences — the personalized report generated from your birth information, including interpretive statements, summaries, and self-discovery insights presented to you in the Service.

Information Collected Automatically

  • Usage data — pages visited, features used, timestamps, referring URL, and similar technical information.
  • Device and connection data — IP address, browser type, operating system, approximate location derived from IP address, and similar technical metadata.
  • Analytics data — we use Vercel Web Analytics and Vercel Speed Insights to measure aggregate traffic and performance. These services are designed to be privacy-friendly: they do not use cookies and do not track individual users across sessions or sites. See Section 5 for details.
  • Error tracking data — we use Sentry to capture application errors and crash diagnostics. Sensitive personal data (such as birth details and report content) is masked or excluded from error logs where reasonably possible.
  • Uptime monitoring — we use Uptime Robot to monitor whether our Service is available. This service does not access personal data.
  • Essential cookies and similar technologies — used to operate the Service (e.g., maintaining your login session). See our Cookie Notice for details.

What We Do Not Collect

We do not:

  • Use advertising trackers, marketing pixels, or third-party behavioral profiling tools
  • Sell or rent your personal data to anyone
  • Collect data we do not need for the purposes described in this policy
  • Process biometric or health data
  • Knowingly collect data from anyone under the age of 18

3. How We Use Your Personal Data

We use your personal data for the following purposes:

Purpose Legal Basis (GDPR) Data Used
To create your account and authenticate you Contract performance Account information
To generate your personalized report Contract performance Birth information, account information
To process your payment Contract performance Payment confirmation (Paddle handles full payment data)
To deliver and store your report so you can access it Contract performance Account information, report content and interpretive inferences
To respond to your inquiries and provide support Contract performance / legitimate interest Communications, account information
To operate, secure, and maintain the Service Legitimate interest Usage data, device data, error logs
To monitor report quality and fix technical or content issues Legitimate interest Report content, generation logs, support communications
To comply with legal obligations (e.g., tax, accounting) Legal obligation Account information, payment confirmation
To detect and prevent fraud or abuse Legitimate interest Usage data, device data, account information

About report quality monitoring: We do not routinely review individual reports. We may review a report only when needed to provide support, investigate abuse, fix a technical issue, or improve Service quality using appropriate safeguards.

We do not use your personal data for advertising, profiling for marketing purposes, or automated decisions that produce legal or similarly significant effects on you.

4. AI Processing of Your Information

Your report is generated using artificial intelligence. Specifically:

  • We send your birth information (date, time, and place of birth) to our AI provider, Anthropic (Claude API), along with our interpretive system instructions.
  • The AI produces an interpretive narrative based on the three traditional systems — Four Pillars, astrology, and numerology.
  • The output is returned to us, stored in your account, and displayed to you.

About this AI processing:

  • Your data is sent to Anthropic only for the purpose of generating your report.
  • For Claude API processing, Anthropic states that API inputs and outputs are not used to train its models unless the customer expressly permits such use. We do not permit Anthropic to use Crux API inputs or outputs for model training.
  • Anthropic retains API inputs and outputs for abuse monitoring for a limited period, currently up to 7 days under the applicable API data retention terms, unless a different period applies under our agreement.
  • The processing is not used to make automated decisions that produce legal or similarly significant effects on you. Reports are interpretive content, not decisions about you.
  • You can request deletion of your report at any time (see Section 9).

This disclosure is provided for transparency about our use of AI. We do not use AI to make automated decisions that produce legal or similarly significant effects about you.

5. Who We Share Your Personal Data With

We share your personal data only with the following categories of recipients, and only as needed to operate the Service:

Recipient Purpose Location
Anthropic (Claude API) AI generation of your report United States
Supabase Database and authentication infrastructure Japan (Tokyo)
Vercel Website hosting and content delivery United States and global edge network
Vercel Web Analytics + Speed Insights Privacy-friendly traffic and performance analytics (no cookies, no cross-session tracking) United States and global edge network
Sentry Application error tracking and debugging United States
Uptime Robot Uptime and availability monitoring (no personal data) United States
Paddle Payment processing (Merchant of Record) United Kingdom, United States, and other regions
Google (OAuth) Account authentication (only if you sign in with Google) United States and other regions
LocationIQ (Unwired Labs India) Geocoding and city autocomplete for birth place entry; receives the city name text you type India, United States, and other regions (outside the EEA; covered by a Data Processing Agreement)

Paddle acts as an independent controller for payment processing, tax, compliance, fraud prevention, and related payment obligations. Google may act as an independent controller for Google OAuth. Our infrastructure, AI, error tracking, and monitoring providers generally process personal data on our behalf to provide the Service.

Where required by applicable law, we enter into data processing agreements or rely on equivalent contractual safeguards with service providers that process personal data on our behalf.

We do not sell, rent, or trade your personal data to third parties for their own marketing or other purposes.

We may also share personal data:

  • If required by law — to comply with a legal obligation, court order, or government request
  • To protect rights and safety — to investigate fraud, protect our rights, or protect the safety of others
  • In a business transfer — if Arinian Studio is involved in a merger, acquisition, or sale of assets, your data may be transferred. We will notify you of any such change.

6. International Data Transfers

Because some of our service providers are located outside the Republic of Korea (primarily in Japan, the United States, and the United Kingdom), your personal data may be transferred internationally when you use the Service.

We rely on the following legal mechanisms to safeguard these transfers:

  • Adequacy decisions where applicable. For example, the European Commission has recognized Japan as providing an adequate level of data protection for transfers from the EU/EEA.
  • Standard Contractual Clauses (SCCs) approved by the European Commission, where data is transferred from the EU/EEA to countries without an adequacy decision.
  • UK International Data Transfer Addendum or equivalent approved transfer mechanism, where data is transferred from the United Kingdom.
  • Equivalent contractual safeguards under the Republic of Korea's Personal Information Protection Act for transfers outside Korea.
  • Vendor certifications and security commitments (e.g., providers participating in recognized data protection frameworks).

You can request more information about these safeguards by contacting us at support@cruxpov.com.

Overseas Transfers — Information for Korean Users

For users in the Republic of Korea, the following overseas transfers may occur when you use the Service:

Recipient Country Data Transferred Purpose Time and Method of Transfer Retention Period
Anthropic United States Birth information and report prompt/output AI generation of your report Encrypted transfer via API when you request report generation Up to the period stated in Anthropic's API data retention terms (currently up to 7 days)
Supabase Japan (Tokyo) Account information, birth information, report content, logs Database, authentication, and storage Encrypted transfer during Service use Until account deletion or request deletion, unless legal retention applies
Vercel United States and global edge network IP address, device/connection data, request metadata Hosting, delivery, and security Automatic transfer when you access the website Server log retention period stated in this Policy or provider terms
Sentry United States Application error data; PII masked where possible Error tracking and debugging Encrypted transfer when an application error occurs As stated in Sentry's data retention terms
Paddle United Kingdom, United States, and other regions Payment and transaction information Payment processing, tax, compliance, refunds Encrypted transfer during checkout and transaction processing As required by Paddle and applicable law
Google United States and other regions OAuth account information Authentication, if you choose Google sign-in Encrypted transfer during sign-in As required for authentication or until account disconnection/deletion
LocationIQ (Unwired Labs) India / United States City name text entered for birth place Geocoding and city autocomplete Encrypted transfer when you type and search for a birth place city As stated in LocationIQ's data retention terms

You may refuse overseas transfer of personal data where applicable law gives you that right. However, because these transfers are necessary to provide Crux, refusing transfer may prevent us from creating your account, generating your report, processing payment, or providing the Service.

7. How Long We Keep Your Personal Data

We keep your personal data only as long as necessary for the purposes described in this policy, or as required by law:

Data Retention Period
Account information Until you delete your account
Reports you have purchased Until you delete your account or request deletion
AI generation request data Stored as part of your report record, unless needed temporarily for debugging or security
Payment and transaction records 5 years after the transaction, or longer if required by tax, accounting, e-commerce, or dispute-resolution laws
Communications with support 3 years after the last communication
Error and diagnostic logs Up to 30 days, unless needed to investigate fraud, abuse, security incidents, or technical failures
Server logs and security records 6 months

Diagnostic logs do not intentionally include full birth information or report content, unless needed to resolve a specific support or technical issue.

When you delete your account, we delete your personal data except where we are required to retain it by law (such as payment records). Where we retain data for legal reasons, we limit access to those who need it for the retention purpose.

8. How We Protect Your Personal Data

We use a combination of technical, administrative, and physical safeguards to protect your personal data, including:

  • Encryption in transit (HTTPS/TLS) for all data sent between your device and our Service
  • Database and infrastructure-level encryption at rest where supported by our infrastructure providers
  • Access controls — only authorized personnel can access personal data, and only for legitimate purposes
  • Secure authentication — Google OAuth and Supabase Auth, with no passwords stored on our side
  • Payment data isolation — payment card details are handled entirely by Paddle and never reach our systems
  • Regular updates — we keep our infrastructure and dependencies up to date with security patches

No system can guarantee absolute security. If we become aware of a data breach affecting your personal data, we will notify you and the relevant regulators within the time period required by applicable law, which may be within 72 hours for certain regulatory notifications.

9. Your Rights

Depending on where you live, you may have the following rights regarding your personal data. We honor these rights for all users, regardless of location, to the extent reasonably practicable.

General Rights

  • Access — request a copy of the personal data we hold about you
  • Correction — request that we correct inaccurate or incomplete data
  • Deletion — request that we delete your personal data (subject to legal retention requirements). You may request deletion of a specific report without deleting your entire account, or request deletion of your account entirely.
  • Restriction — request that we limit how we use your data in certain circumstances
  • Portability — request a copy of your personal data in a structured, commonly used, and machine-readable format. You can download your reports as PDF through your account. To receive a structured machine-readable copy of your account data (in JSON format), contact us at support@cruxpov.com.
  • Objection — object to certain processing based on our legitimate interest
  • Withdraw consent — where processing is based on consent, you can withdraw that consent at any time
  • Lodge a complaint — with your local data protection authority

Additional Rights for California Residents, where applicable

Where the CCPA/CPRA applies to us, California residents may have the right to:

  • Know what personal information we collect, use, and disclose
  • Delete personal information we have collected
  • Correct inaccurate personal information
  • Opt out of the "sale" or "sharing" of personal information — we do not sell or share personal information for cross-context behavioral advertising, so there is nothing to opt out of
  • Limit the use of sensitive personal information — we do not use sensitive personal information for purposes beyond providing the Service
  • Non-discrimination for exercising your rights

Additional Rights for EU, EEA, and UK Residents (GDPR / UK GDPR)

You have all the General Rights above, and the right to lodge a complaint with your local data protection authority. A list of EU authorities is available at edpb.europa.eu/about-edpb/about-edpb/members_en. UK residents can contact the Information Commissioner's Office (ico.org.uk).

How to Exercise Your Rights

To exercise any of these rights — including account deletion, report deletion, data correction, or data export in JSON format — contact us at support@cruxpov.com with a description of your request and the email address associated with your account.

We will respond to your request within:

  • 30 days for users covered by GDPR / UK GDPR (extendable by 60 days for complex requests, with notice)
  • 45 days for users covered by the CCPA / CPRA (extendable by 45 days, with notice)
  • A reasonable period for all other users

We may need to verify your identity before fulfilling certain requests, particularly deletion or access requests.

10. Cookies and Similar Technologies

We use only essential cookies and storage required to operate the Service (for example, maintaining your login session). We do not use advertising, marketing, or behavioral profiling cookies.

For traffic and performance measurement, we use Vercel Web Analytics and Speed Insights, which are designed to be privacy-friendly and do not use cookies.

For full details, see our Cookie Notice.

11. Children's Privacy

Crux is not intended for and is not directed to children under the age of 18. We do not knowingly collect personal data from anyone under 18.

If you believe a child under 18 has provided us with personal data, please contact us at support@cruxpov.com and we will take steps to delete that information.

The Service may contain links to third-party websites or services (for example, Paddle's checkout pages, or external resources we reference). This Privacy Policy does not apply to those third parties. We encourage you to review their privacy policies before providing any personal data to them.

13. Automated Decision-Making

We do not make automated decisions about you that produce legal effects or similarly significant effects within the meaning of GDPR Article 22. Your report is interpretive content generated for your personal reflection — not a decision about you, your access to services, or your legal rights.

14. Sensitive Personal Information

We do not request or process special categories of personal data (such as health data, biometric data, racial or ethnic origin, religious beliefs, or sexual orientation) within the meaning of GDPR Article 9 or analogous categories under California or other laws.

While birth date and birth time are personal data, they are not classified as special category data under GDPR or similar frameworks. We treat them with the same care and security as all personal data we hold.

The report may contain interpretive inferences about personality, tendencies, or self-reflection themes, but these are not medical, psychological, diagnostic, or health records.

15. Marketing Communications

We do not currently send marketing emails. If we begin to offer optional marketing communications in the future (for example, announcing new report types or features), we will only do so based on your explicit opt-in consent, and you will be able to unsubscribe at any time.

Transactional emails such as purchase confirmations and refund notifications are sent by our payment processor, Paddle, as part of completing your purchase. These are not marketing communications. We currently do not send marketing or promotional emails.

16. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by law
  • Notify affected users without undue delay, with information about what happened, what data was affected, and what steps you can take

17. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this page. For material changes that affect your rights or how we process your data, we will notify you by email or through a prominent notice in the Service before the changes take effect.

Your continued use of the Service after the effective date of an updated policy means that you have been provided with the updated notice. Where required by law, we will obtain your consent before applying material changes to how we process your personal data.

18. Jurisdiction-Specific Notices

Republic of Korea

Arinian Studio is a business registered in the Republic of Korea and processes personal data in accordance with the Personal Information Protection Act ("PIPA") and related regulations. Korean residents who use the Service have the rights described in Section 9, including the right to lodge a complaint with the Personal Information Protection Commission (privacy.go.kr).

United States

In addition to the California-specific rights in Section 9, residents of other U.S. states with comprehensive privacy laws (including, but not limited to, Virginia, Colorado, Connecticut, Utah, and Texas) have similar rights, which we honor through the same request process.

Other Jurisdictions

Where local data protection laws grant additional rights, we honor those rights to the extent applicable.

19. Contact Us

For any questions, requests, or complaints about this Privacy Policy or our handling of your personal data, contact us at:

Arinian Studio Email: support@cruxpov.com Phone: +82-70-4571-7486 Address: 6F B611, 74 Okjeongdong-ro 7da-gil, Yangju-si, Gyeonggi-do 11473, Republic of Korea Preferred contact: email

We aim to respond to all privacy-related inquiries within a reasonable time, and within the time frames required by applicable law.

Last updated: June 10, 2026