Privacy Policy

Last updated: 25 May 2026

Crept ("we", "us", "our") is operated by Joshua James Harte, based in Birmingham, United Kingdom. This policy explains how Crept handles your data when you use our Chrome extension and web services at crept.app.

What data we collect

Crept collects only the minimum data necessary to provide the service:

• Your Google account email address and name, used to identify your account
• Project information you enter manually — client name, client email, deliverables, exclusions, rate, timeline, and payment terms
• Scope agreements and change orders you create, stored securely in our database
• The body text of the specific Gmail email you are currently viewing — only when you click the Analyze button or use the right-click "Analyze for Scope Creep" menu. This text is never stored.

What we do not collect

• We do not read, scan, or monitor your inbox automatically
• We do not access any email unless you explicitly click Analyze on that specific email
• We do not store any email content — it is sent directly to OpenAI for analysis and immediately discarded
• We do not sell, share, or monetise your data in any way
• We do not track your browsing activity

How we use your data

• Your account information is used to authenticate you and associate your projects with your account
• Project data is stored in Supabase so you can access your scope agreements and change orders across sessions
• Email body text is sent to OpenAI's API solely to analyse whether the email contains out-of-scope requests. It is not stored, logged, or used for any other purpose.

Third party services

• Supabase — stores your account and project data. Data is held in EU servers (eu-west-1). See supabase.com/privacy.
• OpenAI — receives email body text for analysis only when you click Analyze. OpenAI does not retain this data for training under our API agreement. See openai.com/privacy.
• Resend — used to send transactional emails such as scope agreements and change orders. See resend.com/privacy.
• Vercel — hosts our backend API. See vercel.com/legal/privacy-policy.
• Google Fonts — loaded on client-facing signing pages (fonts.googleapis.com) to display the signature font. See policies.google.com/privacy.

Data retention

Your account and project data is retained for as long as you have an active account. You may request deletion of your data at any time by contacting us at hello@crept.app. Email content is never retained — it is discarded immediately after analysis.

Your rights under UK GDPR

As a UK resident or user, you have the right to access, correct, or delete your personal data. You also have the right to object to processing and to data portability. To exercise any of these rights, contact us at hello@crept.app.

Chrome extension permissions

• Read Gmail content — required to read the body of the email you are currently viewing when you click Analyze or use the right-click context menu. No emails are read automatically.
• Storage — used to store your authentication token and active project reference locally so you remain signed in between sessions. All project data is stored server-side in Supabase.
• Identity — used to authenticate you with your Google account via OAuth.

Contact

For any privacy questions or data requests, contact Joshua James Harte at hello@crept.app.