Legal

Privacy Policy

How Localhost Labs LLC handles your data. Last updated June 21, 2026.

1. Who we are & scope

This policy explains how Localhost Labs LLC ("Crumb", "we", "us") handles personal data for Crumb Cloud (the app at crumb-app.localhostlabs.net) and this marketing website (crumb.localhostlabs.net). It works alongside our Terms of Service.

Self-hosted Community edition: if you run the open-source edition on your own infrastructure, your data stays in your own Postgres and we never receive it; you are the data controller, and the "Crumb Cloud" sections below don't apply to you.

2. Information we collect

  • Account & workspace data: names, email addresses, workspace and account records, and the ARR values you attach to accounts.
  • Feedback content: the bugs, ideas, and questions your End Users submit, plus the page, app version, and session context attached at capture time.
  • Session Record (optional, Growth plan): a replay of an End User's recent session, with inputs masked and password and email fields blocked from capture.
  • Payment data: billing is handled by our payment processor (Stripe); we receive limited billing details and do not store full card numbers.
  • Usage & device data: logs, IP address, request metadata, and metering needed to run, secure, and meter the Service.
  • Cookies: see section 7.

3. How we use it

To operate and provide the Service: routing and triaging feedback, sending the notifications that close the loop, powering AI clustering and ticket drafting, processing billing, securing the platform and preventing abuse, providing support, and improving the product. We do not sell personal data. Our AI features run on infrastructure we operate ourselves — your data is not sent to any third-party AI provider.

4. Legal bases (GDPR/UK GDPR)

Where the GDPR applies, we process personal data on these bases: performance of a contract (to provide the Service you signed up for), legitimate interests (to secure, maintain, and improve the Service), consent (where we ask for it, e.g., certain optional features or communications, which you can withdraw), and legal obligation.

5. Controller vs. processor (your End Users' data)

For personal data your End Users submit through your workspace, you are the controller and we act as your processor, handling it on your instructions to provide the Service. Our Data Processing Addendum (DPA) governs that processing. You're responsible for the privacy notices and lawful basis for collecting that data.

6. How we share it

  • Subprocessors: vetted providers that process data on our behalf under contract: hosting/infrastructure, email delivery, payment processing (Stripe), and product analytics (PostHog). Our AI runs on our own infrastructure, so there is no third-party AI subprocessor. The current list is on our Subprocessors page.
  • Integrations you connect: when you link Linear, Jira, GitHub, or Slack, we exchange the data needed for that feature; those services handle it under their own policies.
  • Legal & safety: to comply with law or protect rights, safety, and the integrity of the Service.
  • Business transfers: in a merger, acquisition, or asset sale, subject to this policy.

We do not sell personal data, and we do not "share" it for cross-context behavioral advertising.

7. Cookies & tracking

Crumb Cloud uses essential cookies (e.g., to keep you signed in and secure your session). This marketing website uses PostHog for product analytics (page views, referrers, and clicks) and optional session replay; it sets cookies and is only enabled after you accept the consent banner. You can decline and analytics stays off, or change your mind later by clearing the site's stored choice, and we honor your browser's Do Not Track setting. Session replay masks text inputs and blocks password and email fields. We do not use advertising or cross-site tracking cookies. Blocking essential cookies may break parts of the app. For the full breakdown, see our Cookie Policy.

8. International transfers

We're based in the United States and may process data in the US and other countries. Where required, we use appropriate safeguards (such as the EU Standard Contractual Clauses) for cross-border transfers.

9. Data retention

We keep personal data while your workspace is active and as needed to provide the Service and meet legal obligations, then delete or anonymize it. You can export or request deletion of your data; on account closure you have a reasonable window to export before deletion. Self-hosted operators control their own retention entirely.

10. Your rights (GDPR/UK)

Subject to applicable law, you may request to access, correct, delete, restrict, or port your personal data, and to object to certain processing or withdraw consent. You also have the right to lodge a complaint with your local data-protection supervisory authority. If we're processing data on a customer's behalf (as processor), we'll route your request to that customer.

11. Your California rights (CCPA/CPRA)

California residents may request to know, delete, and correct personal information, and to limit the use of sensitive personal information. We do not sell or share personal information as those terms are defined under California law, and we won't discriminate against you for exercising your rights.

12. Security

We use reasonable technical and organizational measures (encryption in transit, access controls, and least-privilege practices) to protect personal data. No method of transmission or storage is 100% secure, but we work to protect your information and to notify affected parties as required if an incident occurs.

13. Children

The Service is for businesses and isn't directed to children under 16, and we don't knowingly collect their personal data. If you believe a child has provided us data, contact us and we'll delete it.

14. Changes to this policy

We may update this policy from time to time. We'll post the new version here and update the date above; for material changes we'll provide reasonable notice.

15. Contact

Questions, or want to exercise a privacy right? Reach us at [email protected].