CrewRise ("CrewRise," "we," "our," or "us") is a trade name of Joseph Torrance, a sole proprietor based in North Carolina, United States. This Privacy Policy explains what information we collect when you use CrewRise (the web application available at https://crewrise.io and related subdomains, collectively the "Service"), how we use it, who we share it with, and the choices you have.
This policy is written in plain English on purpose. If something is unclear, email privacy@crewrise.app and we will answer.
1. Who this policy applies to
This policy covers:
- Visitors to
https://crewrise.io(the marketing site) - Users with a CrewRise account, including electricians, foremen, owners, and administrators at electrical contracting businesses ("shops")
- People whose information a shop enters into CrewRise (for example, crew members added by an owner, or customers named on a work order)
It does not cover third-party services you connect to CrewRise. Those services have their own privacy policies — links are in Section 6.
2. Service scope and jurisdiction
CrewRise is built for U.S.-based electrical contracting businesses. Our servers, support, and billing operate in the United States.
CrewRise is not directed to residents of the European Economic Area, the United Kingdom, or Canada. If you are outside the United States, please do not submit personal information through the Service. By using the Service, you confirm you understand that your information will be processed in the United States.
Our California privacy disclosures for consumers covered by the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) are in Section 11.
3. Information we collect
3.1 Information you give us directly
- Account data: name, email address, password (stored hashed with bcrypt), phone number (optional, for SMS reminders), role (owner, foreman, crew, admin), and the shop you belong to.
- Shop data: company name, business address, licensed trades, and other shop-profile fields you enter.
- Operational data: jobs, forms (including safety forms such as JSAs, job-hazard analyses, panel schedules, disconnect labels), time entries, tickets, photos, signatures, and other records you create in the Service.
- Billing data: handled by our payment processor (Stripe). We receive the last four digits of the card, card brand, billing ZIP, and subscription state — never the full card number.
- Support communications: if you email
support@crewrise.appor use in-app support, we keep the message thread so we can help you and improve the Service.
3.2 Information we collect automatically
- Device and usage data: browser type, operating system, device type, IP address, referring URL, pages visited, timestamps, and error logs. We use this to keep the Service secure and working.
- Cookies and similar technologies: see Section 10.
3.3 Information from third parties
- OAuth providers (Google, Dropbox, and future cloud providers): when you connect a cloud provider in Profile → Cloud (see Section 5), we receive a refresh token and an access token for the scope you approved, the email address on the connected account, and the account display name. We never receive your cloud-provider password.
- Google, if you sign in with Google: name, email, and Google account ID.
3.4 What we do not collect
- We do not buy information about you from data brokers.
- We do not track your location outside the Service.
- We do not collect biometric data, health data, or children's data. The Service is not intended for anyone under 18.
4. How we use your information
We use the information above to:
- Provide and operate the Service (authenticate you, render your forms, store your records, send you PDFs, and similar core functions).
- Sync PDFs to the cloud-storage folders you connect and map (see Section 5).
- Send transactional messages — receipts, password resets, schedule reminders, sync-failure alerts. These come from
support@crewrise.app,noreply@crewrise.app, oradmin@crewrise.app. - Bill your subscription through Stripe and keep tax records.
- Keep the Service secure — detect abuse, fraud, brute-force login attempts, and API misuse.
- Improve the Service — understand which features are used, find bugs, and prioritize what to build next.
- Comply with the law — respond to valid legal process and enforce our Terms.
We do not sell your personal information. We do not show you targeted advertising. We do not share your form data with insurers, inspectors, or any third party except as described in Section 6.
5. Cloud-storage sync (the "connected cloud providers" feature)
Starting with Phase 1.75, CrewRise can sync a copy of each form PDF you submit to a folder you choose in your own cloud-storage account. This section explains exactly what happens.
5.1 Per-user consent
Cloud sync is off by default. You enable it per-user, per-provider, in Profile → Cloud. Each person at your shop authorizes their own account; authorizing as an owner does not authorize your foreman or crew.
5.2 Scopes we request
We intentionally request the narrowest scope each provider offers:
| Provider | Scope | What this grants | What this does not grant |
|---|---|---|---|
| Google Drive | https://www.googleapis.com/auth/drive.file |
Access only to files CrewRise creates in your Drive and files you explicitly open through the Google Picker. Google calls this a "non-sensitive" scope. | Access to any other file, folder, shared drive, or metadata anywhere else in your Google account. |
| Dropbox (Phase 1.85) | files.content.write + files.metadata.write at the folder you pick via the Dropbox Chooser |
Read and write access inside the single folder you select. | Access outside that folder, access to other folders, or access to your account settings. |
Google Drive's drive.file scope is classified by Google as non-sensitive and does not require a Google CASA security audit or third-party review. We consciously chose drive.file over the broader drive scope for this reason.
5.3 What gets synced
- What is synced: the rendered PDF of every form you submit after cloud sync is enabled for that job. Filenames follow the pattern
{template-slug}_{label-slug}_{YYYY-MM-DD}.pdf. - What is not synced: draft forms, unsaved edits, raw form-field JSON, attachments stored outside CrewRise, your time-entry records, your job-cost data, chat or support threads, billing records, or anything from before cloud sync was enabled.
- One-way only: we push PDFs to your cloud folder. We do not read files back out. If you edit, rename, move, or delete the PDF in your Drive or Dropbox, CrewRise does not know and does not react.
5.4 How tokens are stored
OAuth refresh and access tokens are encrypted at rest using AES-256-GCM with a server-side key that is never exposed to the client. The encryption key is stored in our hosting provider's secret manager. Tokens are transmitted over TLS 1.3.
5.5 Disconnect, revoke, and delete
- In CrewRise: Profile → Cloud → Disconnect. We immediately call the provider's revoke endpoint and delete the local token record.
- At the provider: you can revoke access at any time from your Google Account → Security → Third-party apps or Dropbox → Connected apps. If you revoke there, the next sync from CrewRise will fail and we will stop trying after one automatic retry.
- PDFs already synced: stay in your cloud folder. They belong to you. We never delete files out of your Drive or Dropbox as part of disconnect.
5.6 Source of truth
CrewRise's own database (hosted on Supabase, see Section 8) is the authoritative copy of every form. Your connected cloud folder is a mirror for your convenience. If you delete a PDF from your cloud folder, the CrewRise copy is still there.
5.7 Future cloud providers
We may add support for additional cloud-storage providers in the future (for example, Microsoft OneDrive, Box, Apple iCloud Drive, or Microsoft SharePoint). When we do, we will follow the same principles: the narrowest scope available, per-user consent, one-way sync, encrypted tokens, and an updated version of this Privacy Policy before the provider goes live.
6. Sub-processors and third parties
We keep the list of companies that process your data short and name them plainly.
| Vendor | What they do for us | What data they see | Where they are |
|---|---|---|---|
| Supabase, Inc. | Primary database and file storage for your CrewRise account and form PDFs | All CrewRise account and operational data | United States |
| Railway | Hosts the CrewRise web application | Traffic to and from the Service; no direct database access | United States |
| Netlify | Hosts the crewrise.io marketing site (including this page) |
Visitor logs on the marketing site only | United States |
| Google Workspace | Our business email (admin@crewrise.app, support@crewrise.app) |
Support threads you email us | United States |
| Stripe | Processes your subscription payment | Billing contact, card details, subscription state | United States |
| Google LLC | Google Sign-In and Google Drive sync, if you enable them | OAuth tokens and the scopes in Section 5.2 | United States |
| Dropbox, Inc. | Dropbox sync (Phase 1.85), if you enable it | OAuth tokens and the scopes in Section 5.2 | United States |
| Brady Corporation | Label printing via the Brady Web SDK (Phase 1.5), if you enable it | Label-data you print; the SDK runs in your browser and communicates directly with the Brady printer on your network | United States |
We do not use third-party analytics or advertising networks in the application. We may use basic, privacy-respecting analytics on the marketing site (crewrise.io) — see Section 10.
We will update this table whenever we add or remove a sub-processor that has access to customer data.
7. How we share information
We share personal information only in these specific cases:
- Within your shop. Information you enter in CrewRise (jobs, forms, time entries, photos) is visible to other authorized users of your shop per their role. That is how the Service works.
- With sub-processors listed in Section 6, strictly to operate the Service.
- With cloud-storage providers you connect, strictly to sync the PDFs you submit, as described in Section 5.
- With Brady Corporation, only if you use the label-printing feature, and only for the label data sent to your own Brady printer.
- To comply with the law. We will respond to valid subpoenas, court orders, and government requests, and we will push back on requests that are overbroad or legally defective. If legally permitted, we will tell you before producing your data.
- In a business transfer. If CrewRise is acquired or merged, your information may be transferred to the acquirer. The acquirer must honor this policy or give you notice and a choice.
We do not sell your personal information and we do not share it for targeted advertising.
8. How long we keep data
- Active accounts: we keep your data for as long as your account is active.
- Canceled accounts: we keep your data for 90 days after cancellation so you can reactivate, then we delete it or anonymize it. You can ask us to delete it sooner (see Section 9).
- Billing records: we retain invoices and Stripe records for seven years to meet U.S. tax and accounting requirements.
- Backups: routine database backups may contain copies for up to 30 days after deletion, after which they roll off.
- Support threads: we keep support emails for two years to improve the Service and handle recurring issues.
9. Your choices and rights
Regardless of where you live, you can:
- Access or download your data — email
privacy@crewrise.appor use in-app export where available. - Correct inaccurate information — edit in the app or email us.
- Delete your account — email
privacy@crewrise.app; we will delete within 30 days, subject to the retention rules in Section 8. - Object to or limit how we use your data — email us and tell us what you'd like to change.
- Disconnect any cloud-storage provider at any time — Profile → Cloud → Disconnect.
- Revoke our Google or Dropbox access directly at the provider — see Section 5.5.
We will not discriminate against you for exercising any of these rights.
10. Cookies and similar technologies
In the application (app.crewrise.io and successor subdomains) we use:
- Strictly necessary cookies to keep you signed in and secure (session cookie, CSRF token).
- Preference cookies to remember things like your language choice and whether you've dismissed onboarding dialogs.
We do not use third-party advertising cookies in the application.
On the marketing site (crewrise.io) we may use a privacy-respecting analytics tool that does not use third-party cookies and does not track you across other sites. If and when we enable it, it will be listed in Section 6. Most browsers let you block or delete cookies — doing so may sign you out of the Service.
11. California notice (CCPA / CPRA)
If you are a California resident, you have the additional rights described below. We process California personal information for the business purposes in Section 4 and share it only with the sub-processors in Section 6.
- Categories collected in the last 12 months: identifiers (name, email), customer records (account, shop, operational data), commercial information (subscription, invoices), internet activity (logs, error events), geolocation inferred from IP only, and professional information (role, trade).
- Sources: directly from you; automatically from your use of the Service; from the OAuth providers you connect.
- Sale or sharing: we do not sell personal information, and we do not share it for cross-context behavioral advertising.
- Sensitive personal information: we do not collect or use sensitive personal information for purposes that require an opt-out under CPRA.
- California rights: you can request to know, delete, correct, or limit — email
privacy@crewrise.app. We will verify your request using your account email, respond within 45 days (with a possible 45-day extension), and not retaliate. - Authorized agent: you can designate an agent to make a request on your behalf. We will require proof of the agent's authority.
12. Security
We protect your data with:
- TLS 1.3 in transit
- AES-256-GCM encryption for OAuth refresh and access tokens at rest
- Supabase Row-Level Security on every table that contains customer data
- Role-based access inside the Service (owners, foremen, crew)
- Short-lived server-side tokens for cloud APIs (we do not store long-lived provider tokens in the browser)
- Least-privilege access for CrewRise operators
- Continuous typecheck, linting, and a safety audit in CI
No system is perfectly secure. If we learn of a breach that affects your personal information, we will notify you in accordance with applicable U.S. state laws and without unreasonable delay.
13. Children
The Service is not for anyone under 18, and we do not knowingly collect personal information from children. If you believe a child has given us information, email privacy@crewrise.app and we will delete it.
14. Changes to this policy
We will post changes here and update the "Last updated" date. If a change is material — for example, we add a new sub-processor with access to your data, or we change how cloud sync works — we will notify account holders by email at least seven days before the change takes effect.
15. Contact
- Privacy questions:
privacy@crewrise.app - General support:
support@crewrise.app - Mail: CrewRise (c/o Joseph Torrance), North Carolina, USA — email first for the mailing address.