Skip to main content
Privacy

Privacy Policy

Last updated: March 6, 2026

1. Data Controller

The data controller responsible for your personal data is:

2. Information We Collect

Cronic collects information you provide when you create an account and use our service. We are committed to collecting only what is necessary to deliver our AI-powered newsletter curation platform.

Account Information

  • Email address
  • Password (stored as a secure hash — we never store your plaintext password)

Content Data

  • Newsletter emails you forward to or receive through our service
  • Reading preferences and bookmarks

Payment Information

Payment processing is handled entirely by Stripe. We never store your credit card number, CVC, or full billing details on our servers. Stripe may share limited information (e.g., last four digits, card brand) for display in your account.

Automatically Collected Data

  • Page view analytics (via PostHog)
  • Error and performance data (via Sentry, including masked session replays for debugging)
  • Theme preference (stored in your browser's localStorage)

3. Legal Basis for Processing

Under Article 6 of the GDPR, we process your personal data on the following legal bases:

Processing Activity Legal Basis GDPR Article
Account creation & authentication Contract performance Art. 6(1)(b)
Email content processing & AI curation Contract performance Art. 6(1)(b)
Payment processing (Stripe) Contract performance Art. 6(1)(b)
Analytics (PostHog) Consent Art. 6(1)(a)
Error monitoring (Sentry) Legitimate interest Art. 6(1)(f)

Where we rely on consent, you may withdraw it at any time (see Section 9). Where we rely on legitimate interest, we have assessed that our interest in maintaining service reliability does not override your rights and freedoms.

4. How We Use Your Information

  • Provide, operate, and maintain the Cronic service
  • Process and curate your newsletter content using AI
  • Process payments and manage subscriptions via Stripe
  • Monitor and fix errors to improve service reliability
  • Understand page-level usage to improve the product (with your consent)
  • Communicate with you about your account
  • Comply with legal obligations

5. Sub-Processors and Third-Party Services

We share data with the following sub-processors, each for a specific purpose:

Sub-Processor Purpose Location Safeguard
Stripe Payment processing United States EU-US Data Privacy Framework
PostHog Page view analytics United States Standard Contractual Clauses (SCCs)
Sentry Error monitoring & session replay United States Standard Contractual Clauses (SCCs)

We do not sell, rent, or trade your personal information to any third party.

6. International Data Transfers

Some of our sub-processors are located in the United States. When personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

  • EU-US Data Privacy Framework — for sub-processors certified under the framework (e.g., Stripe)
  • Standard Contractual Clauses (SCCs) — approved by the European Commission, used with sub-processors not covered by an adequacy decision

You may request a copy of the applicable safeguards by contacting dpo@cronic.team.

7. Data Retention

We retain your data for the periods described below:

Data Category Retention Period
Account information (email, profile) Until account deletion
Newsletter content & reading data Until account deletion
Payment records 7 years after transaction (legal obligation)
Analytics data (PostHog) 24 months
Error logs (Sentry) 90 days
Authentication logs 12 months

When you delete your account, we delete your personal data within 30 days, except where retention is required by law (e.g., financial records).

8. Cookies and Local Storage

We use a small number of cookies and browser storage, detailed in our Cookie Policy:

  • Authentication cookies (httpOnly, secure) — access token (7-day expiry) and refresh token (30-day expiry)
  • Analytics cookies (PostHog) — require your consent before being set
  • Theme preference — stored in localStorage (not a cookie)

9. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Access — obtain a copy of your personal data (Art. 15)
  • Rectification — correct inaccurate or incomplete data (Art. 16)
  • Erasure — request deletion of your data ("right to be forgotten") (Art. 17)
  • Restriction — restrict processing in certain circumstances (Art. 18)
  • Data portability — receive your data in a structured, machine-readable format (Art. 20)
  • Object — object to processing based on legitimate interest (Art. 21)
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing (Art. 7(3))

To exercise any of these rights, contact us at privacy@cronic.team. We will respond within 30 days.

10. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement (GDPR Art. 77).

A list of EU data protection authorities can be found on the European Data Protection Board website.

11. Data Security

  • Passwords are hashed using industry-standard algorithms
  • Authentication uses httpOnly, secure cookies to prevent XSS attacks
  • All connections use HTTPS/TLS encryption in transit
  • Access to production systems is restricted on a need-to-know basis

12. Children's Privacy

Cronic is not intended for children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

13. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or a notice on our website. We encourage you to review this page periodically.

14. Contact Us

If you have questions about this privacy policy or your personal data, contact us at: