CraftOS ("we," "us," "our") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, store, and share your information when you access or use the CraftOS platform and website at craftos.net, CraftBot (our open-source personal AI assistant), and any APIs, integrations, or related services provided by CraftOS.
We believe that privacy is a fundamental right, and we have designed our services with privacy as a core principle. Our approach prioritizes transparency about what data we collect and how we use it, while implementing robust security measures to protect your information at every step.
By using our services, you agree to the practices described in this policy. If you do not agree with any aspect of this Privacy Policy, please discontinue use of our services immediately. We encourage you to read this document carefully and contact us if you have any questions or concerns.
When you create a CraftOS account, we collect basic registration information including your name, email address, and password. This information is essential for creating and managing your account, authenticating your identity when you log in, and providing you with access to our services. Your password is securely hashed using industry-standard cryptographic algorithms and is never stored in plain text. We implement additional security measures such as rate limiting and account lockout policies to protect against unauthorized access attempts.
If you subscribe to a paid plan, we collect billing and payment data necessary to process your transactions. This includes your billing address and payment method details. However, CraftOS does not directly store or have access to your complete credit card numbers or sensitive financial information. All payment processing is handled by our trusted third-party payment processor, which maintains PCI-DSS compliance and employs bank-level encryption to protect your financial data during transmission and storage.
We also collect communications that you send to us through our platform. This includes messages, feedback, support requests, and any other inquiries submitted directly within the CraftOS platform. These communications are encrypted both in transit and at rest, ensuring that your conversations with our support team remain confidential. Please note that communications made through third-party applications or services are not collected by CraftOS and are governed by the respective privacy policies of those services.
When you choose to connect third-party services to enhance your CraftOS experience, we receive OAuth credentials in the form of authentication tokens. These tokens are stored using strong encryption, and CraftOS does not have access to the underlying content of your connected accounts. The tokens serve solely to establish and maintain the connection between CraftOS and the third-party service, allowing our AI agents to perform authorized actions on your behalf. You maintain full control over these connections and can revoke access at any time through your account settings or directly through the third-party service's permissions page.
When you access our website and services, we automatically collect certain technical information to ensure optimal performance and security. This includes your device's operating system, browser type and version, IP address, device identifiers, and general geographic location at the city or region level. We use this information to optimize our services for different devices and browsers, detect and prevent security threats, and understand the geographic distribution of our user base to improve service availability.
We also collect usage and analytics data to understand how users interact with our platform. This includes information about pages visited, features used, session duration, and navigation patterns on craftos.net and the CraftOS dashboard. This data helps us identify areas for improvement, prioritize feature development, and ensure that our platform meets the needs of our users. All analytics data is processed in aggregate form where possible, and we implement data minimization practices to collect only what is necessary.
For users of our cloud platform, we may log certain agent activity information including task types, execution timestamps, and error events. This logging is essential for ensuring the reliability and performance of our cloud services, troubleshooting issues, and providing you with execution history and debugging capabilities. These logs are retained for a limited period and are automatically purged according to our data retention schedule.
We use cookies and similar tracking technologies to maintain your session, remember your preferences, and analyze web traffic patterns. Strictly necessary cookies are required for basic website functionality such as authentication and security, and cannot be disabled. Functional cookies help us remember your preferences and dashboard settings to provide a more personalized experience. Analytics cookies help us understand how users navigate our site, and this data is aggregated and anonymized. Marketing cookies, which require your explicit consent, may be used for interest-based advertising on third-party platforms. You can manage your cookie preferences through your browser settings or our Cookie Consent Banner.
CraftOS supports integrations with various third-party platforms (including Google, Microsoft, Slack, and others) to extend the capabilities of our AI agents. When you authorize these integrations, we request the minimum permissions required to deliver the feature you enable. We follow the principle of least privilege, meaning we only ask for access to the specific data and functionality necessary to perform the tasks you request. You always have visibility into what permissions are being requested before granting access, and you can review and modify these permissions at any time.
Depending on the integrations you enable and the permissions you grant, we may access various types of data from your connected third-party accounts. This includes calendar data such as event titles, descriptions, dates, times, attendees, and meeting links for scheduling and calendar management features. For email-related automation tasks, we may access email headers (sender, recipient, subject, date), email body content, attachments, and folder or label information. Contact data including names, email addresses, phone numbers, and other contact details may be accessed for communication features. Document data such as file names, content, metadata, and sharing permissions may be accessed for document management and collaboration features. We also access basic profile information such as your name, email address, and profile picture to identify your account. For productivity integrations, we may access task lists, project information, assignments, and status updates. Messaging platform integrations may involve access to messages, channels, and workspace information.
The specific data accessed depends entirely on which integrations you enable and the permissions you authorize. You can view and manage connected services and their permissions at any time through your account settings.
Data accessed from your connected third-party services is used exclusively to provide the features you have enabled. Our AI agents access and process your data solely to perform the specific tasks you initiate, such as scheduling meetings, drafting emails, organizing files, or managing tasks. We use the data to display relevant information in the CraftOS interface, enable cross-platform workflows, and deliver the features you have enabled. With your explicit consent, we may use aggregated and anonymized patterns to improve our AI agent capabilities and user interface.
We do NOT use your third-party service data for advertising or marketing purposes, training AI models (without explicit opt-in consent), selling or renting to third parties, profiling or targeting unrelated to the services you requested, or any purpose unrelated to providing and improving the CraftOS features you have enabled.
Your data from connected third-party services is shared only in limited circumstances. When you use AI features, relevant data may be sent to your chosen LLM provider (such as OpenAI, Anthropic, or others) to process your requests; this is essential for the AI functionality and is governed by the LLM provider's privacy policy. Our cloud infrastructure providers (for hosting and storage) may process encrypted data as part of delivering our services, and these providers are contractually bound to maintain confidentiality and security. We may also disclose data if required by valid legal process, as described in Section 4.4.
We do NOT sell, rent, or share your third-party service data with advertisers, data brokers, or any third parties for their independent commercial purposes.
We implement robust security measures to protect your third-party service data. All third-party service data is encrypted in transit using TLS 1.2 or higher and encrypted at rest using AES-256 encryption. Strict role-based access controls limit which personnel can access your data, and all access is logged and audited. Your authentication tokens are stored using strong encryption and are never logged or exposed in plain text. We only store the minimum data necessary to provide the requested features and complete your tasks. We conduct regular security reviews and vulnerability assessments of our integration infrastructure.
We retain third-party service data only as long as necessary to provide our services. Data accessed to complete a specific task is processed in memory and not persistently stored beyond what is needed to complete the task, unless you enable features that require persistent storage (such as long-term memory). Some data may be temporarily cached for performance purposes and is automatically purged within 24 hours. Authentication tokens are retained until you revoke access or 30 days after account deletion, whichever occurs first. Logs of integration activity (without sensitive content) are retained for 90 days for debugging and support purposes.
You can request deletion of your third-party service data at any time by disconnecting the integration through your CraftOS account settings (which revokes access and deletes associated tokens), emailing info@craftos.net with a deletion request, or revoking CraftOS access directly through the third-party service's security settings (such as Google Account permissions or Microsoft account apps). We will process deletion requests within 30 days and confirm completion. Some data may be retained in encrypted backups for up to 180 days as described in Section 5.
CraftBot is our open-source personal AI assistant designed with a strict local-first architecture. When you run CraftBot on your own machine, absolutely no data is stored on or transmitted to CraftOS servers. This means your conversations, tasks, memories, and all associated data remain entirely under your control on your local device.
All persistent memory, including the ChromaDB vector database that stores your agent's long-term memory, resides exclusively on your local device. Your user profile files, agent configurations, and any customizations you make are stored locally and never leave your machine. Task instructions, agent actions, conversation history, and all LLM prompts and responses are processed either locally or sent directly to your chosen LLM provider. CraftOS has no visibility into or access to any of this data.
We have designed CraftBot this way because we believe you should have complete ownership and control over your personal AI assistant and all the data it processes. There are no hidden data collection mechanisms, no telemetry that captures your usage patterns, and no analytics that monitor your behavior. When you use CraftBot in self-hosted mode, your privacy is absolute — we simply cannot access data that never leaves your device.
The primary purpose of collecting your information is to provide, operate, maintain, and continuously improve the CraftOS platform and related services. This includes authenticating your identity when you access your account, managing your subscription and processing payments, executing AI agent tasks on your behalf when using our cloud features, and enabling seamless integrations with the third-party services you authorize. We are committed to using your data solely in ways that benefit your experience and the functionality of our services.
We use your contact information to respond to your support requests and inquiries in a timely manner. We also send service-related notices that are essential for your use of our platform, including security alerts, account updates, and important policy changes. With your explicit consent, we may send newsletters and product announcements to keep you informed about new features and improvements. You can opt out of marketing communications at any time through the unsubscribe link in any email or by adjusting your preferences in your account settings.
We analyze aggregated and de-identified usage data to understand how our platform is being used and to identify opportunities for improvement. This analysis helps us prioritize feature development, optimize performance, and enhance the overall user experience. Importantly, we do not use your personal data, task instructions, prompts, or agent outputs to train our own AI models without your explicit opt-in consent. Your data is your own, and we respect the boundary between providing you with a service and using your data for our own purposes.
We may use your information to comply with applicable laws and lawful government requests, to detect, prevent, and investigate fraud, abuse, and security incidents, and to enforce our Terms of Service. We take the safety and security of our platform seriously, and we will take appropriate action to protect our users and the integrity of our services. In all cases, we strive to be transparent about our legal obligations and to protect your privacy to the maximum extent permitted by law.
Third-Party Service Data — Special Commitments: CraftOS's use of data from connected third-party services (including Google, Microsoft, Slack, and others) is strictly limited to providing the features you explicitly enable. We never use third-party service data for advertising or interest-based targeting. We never use third-party service data for AI model training without your explicit opt-in consent. We never sell, rent, or share third-party service data with data brokers or for any third party's independent commercial use. We only share data with LLM providers and essential service providers as required to deliver the features you request. You can revoke access and request deletion of your data at any time. These commitments apply to all third-party integrations and reflect our core philosophy of respecting user privacy and data ownership.
We work with trusted third-party vendors who help us operate and improve our services. These include cloud hosting providers, payment processors, analytics services, and email delivery platforms. All service providers are carefully vetted and contractually bound to use your data only on our behalf, to maintain appropriate security measures, and to comply with applicable privacy laws. We do not sell or rent your personal information to any third party.
When using CraftOS cloud features, your task prompts and instructions may be sent to your configured LLM provider to generate AI responses. Each LLM provider has its own privacy policy and data handling practices that apply independently to data submitted to their models. CraftOS does not control how these providers process or store data sent to them. For users who prioritize privacy, we recommend using CraftBot in self-hosted mode with a local LLM solution, which keeps all processing on your own infrastructure.
In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy, giving you the opportunity to make informed decisions about your continued use of our services. We will ensure that any successor entity is bound by the commitments made in this Privacy Policy or provides you with notice and choice regarding any material changes.
We may disclose your information to law enforcement agencies, government authorities, or other third parties when we believe in good faith that such disclosure is required by applicable law, to respond to valid legal process, to protect our rights or the safety of any person, or to investigate potential violations of our Terms of Service. In such cases, we will attempt to notify affected users unless prohibited by law or court order, and we will disclose only the minimum information necessary to comply with the request.
CraftOS does not sell, rent, lease, or broker your personal information to third parties for their independent commercial use. This commitment is absolute and applies to all user data we collect. We believe that your data belongs to you, and we will never monetize it by selling it to advertisers, data brokers, or other third parties. Our business model is built on providing valuable services to our users, not on exploiting user data.
We retain your data only for as long as necessary to provide our services and fulfill the purposes described in this Privacy Policy. Account data is retained for the duration of your account plus 90 days after deletion to allow for account recovery and to comply with our backup procedures. Billing records are retained for 7 years to meet legal and tax obligations in the jurisdictions where we operate.
Support communications and other correspondence are retained for 3 years to maintain continuity in our customer relationships and to address any ongoing issues. Agent task logs on our cloud platform are retained for 90 days to provide you with execution history and debugging capabilities, after which they are automatically purged. OAuth tokens are retained until you revoke access or 30 days after account deletion, whichever occurs first.
Encrypted backups are maintained for disaster recovery purposes and are retained for up to 180 days from the date of data deletion, after which they are securely destroyed. We employ automated processes to enforce these retention periods and regularly audit our data storage practices to ensure compliance.
You may request deletion of your data at any time by emailing info@craftos.net. Upon receiving a valid deletion request, we will verify your identity and complete the deletion process within 30 days. Please note that some data may be retained for longer periods if required by law or to protect our legitimate interests, but we will inform you of any such exceptions.
We believe that you should have meaningful control over your personal information. All users have the right to access their data by requesting a copy of the personal information we hold about them. You can request correction of any inaccurate or incomplete data, and we will promptly update our records. You have the right to request deletion of your personal data, subject to certain exceptions required by law or our legitimate business interests.
You can request your data in a portable, machine-readable format for transfer to another service. You have the right to opt out of marketing communications at any time, and we will honor such requests promptly. You can revoke OAuth access and disconnect third-party integrations at any time through your account settings. For CraftBot users, you can disable any optional telemetry through the configuration settings.
To exercise any of these rights, please email info@craftos.net with your request. We will verify your identity to protect against unauthorized access to your data and respond to your request within 30 days. If we need additional time to process your request, we will notify you of the delay and the reasons for it.
We use cookies and similar technologies on craftos.net to provide essential functionality and improve your experience. Strictly necessary cookies are required for the website to function properly, enabling features like authentication and security. These cookies cannot be disabled as they are essential for the basic operation of our services.
Functional cookies help us remember your preferences and dashboard settings, providing a more personalized experience when you return to our site. Analytics cookies help us understand how users navigate and interact with our platform, allowing us to identify areas for improvement. This analytics data is aggregated and anonymized to protect your privacy.
Marketing cookies may be used for interest-based advertising on third-party platforms, but these require your explicit consent before being activated. You can manage your cookie preferences through your browser settings or our Cookie Consent Banner on the website. Disabling certain cookies may affect the functionality of some features, but will not prevent you from using our core services.
We implement comprehensive security measures to protect your personal information from unauthorized access, alteration, disclosure, or destruction. All data transmitted to our servers is encrypted in transit using TLS 1.2 or higher, ensuring that your information cannot be intercepted during transmission. Data at rest is encrypted using strong encryption algorithms, with encryption keys managed through secure key management practices.
We employ role-based access controls to limit employee access to personal data, ensuring that only authorized personnel can access sensitive information on a need-to-know basis. Our systems undergo regular security reviews, penetration testing, and vulnerability assessments to identify and address potential security weaknesses. We maintain incident response procedures for detecting, investigating, and responding to data breaches, and we are committed to notifying affected users promptly in the event of a security incident.
For self-hosted CraftBot deployments, you are responsible for securing your own infrastructure, including your local database, API keys, and network configuration. We provide documentation and best practices to help you implement appropriate security measures, but the security of your local deployment ultimately depends on your own practices and infrastructure.
Our platform may contain links to third-party websites, services, or applications that are not operated or controlled by CraftOS. This Privacy Policy does not apply to those third parties, and we are not responsible for their privacy practices or the content they provide. We encourage you to review the privacy policies of any third-party services you use alongside CraftOS, including your chosen LLM provider, OAuth-connected applications, and any other external services. Your interactions with these third parties are governed by their own terms and policies.
This Privacy Policy is governed by and construed in accordance with the laws of Japan. Any disputes arising in connection with this policy shall be subject to the exclusive jurisdiction of the courts of Japan. We comply with Japan's Act on the Protection of Personal Information (APPI) and will handle your personal data in accordance with its requirements. If you are accessing our services from outside Japan, please be aware that your information may be transferred to, stored, and processed in Japan, where our servers are located and our central database is operated.
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by updating the "Effective Date" at the top of this policy, posting a prominent notice on craftos.net, and sending an email notification to registered users for significant changes. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of our services after any changes to this policy constitutes your acceptance of the updated terms.
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, we encourage you to reach out to us. You can contact us by email at info@craftos.net for all privacy-related inquiries, data requests, and general questions. You can also join our Discord community at discord.gg/ZN9YHc37HG for additional support. We are committed to responding to all inquiries within 30 days of receipt and will work with you to address any concerns you may have.