Craftly Privacy Policy

Effective Date: April 1, 2026

1. Introduction

This Privacy Policy describes how Craft Collective LLC ("Craftly," "we," "us," or "our") collects, uses, shares, retains, and protects information about you when you use the Craftly website located at getcraftly.io, any associated mobile applications, and all related services, features, content, and functionality (collectively, the "Platform").

By creating an account or using the Platform, you acknowledge that you have read and understood this Privacy Policy. This Privacy Policy is incorporated into and subject to our Terms of Service.

If you do not agree with the practices described in this Privacy Policy, please do not use the Platform.

2. Information We Collect

We collect information in the following categories:

2.1 Account Data

When you create an account, we collect:

(a) Your email address;

(b) Authentication credentials, including one-time passcode (OTP) verification records and biometric passkey enrollment data (stored on your device; Craftly receives a cryptographic key, not biometric data such as fingerprints or facial scans); and

2.2 Profile Data

If you create a Provider profile, we collect information you provide, which may include:

(a) First and last name, display name, and profile photograph;

(b) Biographical text and professional description;

(d) Credentials and certifications you claim to hold;

(e) Pricing information, including hourly rates and travel zone fees;

(f) Business hours and availability schedule;

(g) Physical location (address and geographic coordinates, used for proximity-based search);

(h) Travel radius and service area;

(i) Payment methods you accept from clients (e.g., cash, credit card, Venmo);

(j) Portfolio content, including photographs, videos, and documents (such as sample menus or certificates); and

(k) Years of experience.

If you act as a Consumer, we collect limited information including your name and any details you include in connection requests.

2.3 Search and Discovery Data

When you use the Platform's search and discovery features, we collect:

(a) Search queries, filters, and sort preferences;

(b) Search result interactions (which profiles you view, how far you scroll); and

(c) Location data used to power proximity-based search (derived from your IP address, browser geolocation if you grant permission, or a location you manually enter).

2.4 Messaging Data

When you participate in conversations through the Platform, we collect:

(a) The content of all messages sent and received within a conversation thread, regardless of the delivery channel used (in-app, SMS relay, or email relay);

(b) Message metadata, including timestamps, sender and recipient identifiers, and delivery channel; and

Important: All messages are stored in Craftly's database regardless of how they are delivered. If you receive messages via SMS (through our Twilio relay) or via email (through our Resend relay), the content of those messages is stored in Craftly in addition to being delivered to your phone or inbox. This is necessary for trust, safety, dispute resolution, and maintaining a complete conversation history accessible to both parties.

2.5 Connection and Interaction Data

We collect information about your interactions on the Platform, including:

(a) Connection requests sent and received, including request content, preferred dates, and status (pending, accepted, declined, ignored);

(b) Reviews submitted and received, including star ratings, review text, and responses to the "Did the person on the profile deliver the service?" question;

(d) Profile views, search impressions, and connection acceptance rates (used for Provider analytics features).

2.6 Verification Data

If you choose to verify your identity (as a Provider seeking the Verified Badge, or as a Consumer seeking Verified User status), the following applies:

(a) Identity verification is processed by our third-party partner, Stripe Identity. The verification process involves capturing a selfie and a photograph of a government-issued photo ID.

(b) Craftly does not receive or store your selfie images, ID photographs, or the data extracted from your ID. Craftly receives only the verification result (pass or fail) and a verification session identifier from Stripe.

2.7 Billing Data

If you purchase a paid feature (such as a Provider subscription plan, Verified Badge, or Verified User status), the following applies:

(a) All payment processing is handled by our third-party partner, Stripe. Craftly does not receive, process, or store your credit card number, debit card number, bank account number, or other payment instrument details.

(b) Craftly receives and stores: your subscription plan tier, subscription status (active, canceled, past due), billing cycle dates, transaction history references (Stripe charge IDs), and the last four digits of your payment method (for display purposes only).

2.8 Device and Usage Data

When you access the Platform, we automatically collect:

(a) IP address;

(b) Browser type and version;

(d) Pages visited, features used, and actions taken on the Platform;

(e) Referring URL (the page you came from);

(f) Date and time of access; and

(g) General geographic location inferred from your IP address (city/region level, not precise).

2.9 Cookies and Local Storage

The Platform uses cookies and similar technologies as follows:

(a) Essential cookies — Required for the Platform to function. These include authentication session tokens (managed by Supabase) and security tokens (managed by Cloudflare). These cannot be disabled without breaking core functionality.

(b) Analytics (cookieless) — We use Vercel Web Analytics to understand aggregate usage. It is cookieless and does not collect personally identifiable information, IP addresses, or cross-site tracking identifiers. It records anonymized events such as pageviews, referrer, country, and device type. Data is processed by Vercel Inc. on our behalf as a sub-processor. See Vercel's privacy notice at https://vercel.com/legal/privacy-policy.

(c) Advertising cookies — Not used. Craftly does not run advertisements and does not use advertising cookies or tracking pixels.

We do not use cookies to track you across other websites.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Providing and Operating the Platform

(a) Creating and maintaining your account;

(b) Displaying Provider profiles in search results and discovery features;

(d) Routing messages through the appropriate delivery channel (in-app, SMS relay, or email relay) based on recipient preferences;

(e) Delivering authentication codes (OTP) and transactional notifications (connection request alerts, review confirmation requests, acceptance notifications);

(f) Processing identity verification requests through Stripe Identity;

(g) Processing subscription billing and payments through Stripe; and

(h) Providing Provider analytics features (profile views, search impressions, connection rates) to users with eligible subscription tiers.

3.2 Trust, Safety, and Platform Integrity

(a) Enforcing our Terms of Service, Community Standards, and other policies;

(b) Investigating reported violations, including "Who You See Is Who You Get" violations, fraudulent profiles, fake reviews, and harassment;

(d) Detecting and preventing fraud, spam, scraping, and unauthorized access; and

(e) Protecting the rights, safety, and property of Craftly, our users, and the public.

3.3 Improving the Platform

(a) Analyzing usage patterns and trends to improve features, functionality, and user experience;

(b) Identifying and fixing bugs, errors, and performance issues; and

3.4 Communications

(a) Sending transactional communications necessary for Platform operation (authentication codes, connection request notifications, review confirmations, billing receipts);

(b) Sending Platform updates, including policy changes, new feature announcements, and service notifications; and

3.5 Legal, Compliance, and Business Operations

(a) Complying with applicable legal obligations, including tax and financial reporting requirements;

(b) Responding to legal process (subpoenas, court orders, government requests);

(d) Enforcing our Terms of Service and other agreements;

(e) Conducting internal audits, security assessments, and risk management; and

(f) In connection with a merger, acquisition, reorganization, or sale of assets, as described in our Terms of Service.

4. Lawful Basis for Processing

For users located in jurisdictions that require a lawful basis for processing personal data (including the European Economic Area, the United Kingdom, and certain U.S. states), we rely on the following bases:

4.1 Contract Performance

Processing necessary to perform our contract with you (the Terms of Service), including: creating and maintaining your account, displaying your Provider profile, processing connection requests, routing messages, and processing subscription billing.

4.2 Legitimate Interest

Processing necessary for our legitimate interests or the legitimate interests of third parties, where those interests are not overridden by your rights. This includes: trust and safety enforcement, fraud prevention, reviewing message history for dispute resolution, platform security, analytics and platform improvement, and protecting our legal rights. Where we rely on legitimate interest, we have conducted a balancing assessment to ensure our interests do not override your fundamental rights.

Processing based on your affirmative consent, including: identity verification (you choose to initiate the Stripe Identity flow), receiving non-essential platform update communications, and any future use of non-essential cookies or tracking technologies. You may withdraw consent at any time by contacting us at service@getcraftly.io or through the applicable settings in the Platform. Withdrawal of consent does not affect the lawfulness of processing conducted before withdrawal.

4.4 Legal Obligation

Processing necessary to comply with a legal obligation to which Craftly is subject, including: tax and financial record-keeping for paid subscriptions, and responding to lawful government or law enforcement requests.

5.1 With Other Users

Certain information is shared with other users as part of the Platform's core functionality:

(a) Provider profile data is displayed to Consumers in search results and on profile pages. The visibility of specific data fields depends on whether the viewing Consumer is authenticated. Unauthenticated visitors see limited information (service category, general location, aggregate rating, price range). Authenticated users see additional details (Provider name, photograph, full reviews, portfolio content, availability).

(b) Connection request details are shared with the Provider to whom the request is directed.

(d) Review content is displayed publicly on Provider profiles after dual-confirmation is complete.

(e) Verification status (whether you have a Verified Badge or Verified User badge) is displayed to other users.

5.2 With Service Providers (Sub-Processors)

We share information with third-party service providers who process data on our behalf to operate the Platform. These providers are contractually obligated to use your data only as directed by Craftly and in accordance with this Privacy Policy.

| Sub-Processor | Purpose | Data Shared | |---|---|---| | Supabase (Supabase, Inc.) | Database hosting, authentication, file storage | All Platform data including account information, profile data, messages, reviews, and uploaded files | | Stripe (Stripe, Inc.) | Subscription billing, payment processing, identity verification | Billing information (processed by Stripe directly), identity verification data (selfie and ID, processed by Stripe directly; Craftly receives only pass/fail result) | | Twilio (Twilio, Inc.) | SMS message relay between Providers and Consumers, and SMS notifications about account activity (consented to when the user provides a phone number; opt out by replying STOP) | Phone numbers of users who provide a phone number, message content routed via SMS, and notification alert content | | Resend (Resend, Inc.) | Email relay, transactional email notifications | Email addresses, message content routed via email, notification content | | Vercel (Vercel, Inc.) | Web hosting, edge network, serverless functions | HTTP request data including IP addresses, request headers, and page content served | | Cloudflare (Cloudflare, Inc.) | DNS resolution, DDoS protection, bot management, security | HTTP request data including IP addresses, request headers, and security challenge data |

When active, the following additional sub-processor may be used:

| Sub-Processor | Purpose | Data Shared | |---|---|---| | Checkr (Checkr, Inc.) | Background checks for trust-sensitive service categories | Personally identifiable information required for screening (name, date of birth, Social Security number, address history), submitted with your separate consent |

5.3 No Sale of Personal Data

Craftly does not sell your personal data. We do not sell, rent, lease, or trade personal information to advertisers, data brokers, or any third party for their own commercial purposes. Craftly does not run advertisements on the Platform.

5.4 Legal and Safety Disclosures

We may disclose your information if we believe in good faith that disclosure is necessary to:

(a) Comply with applicable law, regulation, legal process, or enforceable governmental request;

(b) Enforce our Terms of Service or other agreements, including investigation of potential violations;

(d) Protect the rights, property, or safety of Craftly, our users, or the public as required or permitted by law; or

(e) Respond to an emergency involving danger of death or serious physical injury.

5.5 Business Transfers

If Craftly is involved in a merger, acquisition, reorganization, bankruptcy, asset sale, or similar transaction, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Platform of any change in ownership or uses of your personal data, as well as any choices you may have regarding your personal data.

6. Data Retention

We retain your information for as long as reasonably necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Craftly determines, in its sole discretion, what retention periods are reasonably necessary for each category of data.

6.1 Active Accounts

While your account is active, we retain all data associated with your account as necessary to provide the Platform's services.

6.2 Account Deletion

When you delete your account:

(a) Profile data and personal information (name, photograph, biography, portfolio content, credentials, pricing, location, availability) will be deleted within thirty (30) days of your deletion request, unless Craftly is required or permitted to retain such data by applicable law or has a legitimate need to retain it for ongoing trust, safety, or legal purposes (such as an active investigation or pending legal claim).

(b) Messages you sent or received will be anonymized (your identity will be disassociated from the messages) but the message content will be retained in anonymized form for trust, safety, dispute resolution, and platform integrity purposes.

(c) Reviews you submitted (as a Consumer) will be anonymized but will remain on the Platform to preserve the integrity of Provider reputation data.

(d) Reviews you received (as a Provider) will be removed along with your profile.

(e) Verification data held by Stripe is subject to Stripe's own data retention policies. Craftly will delete the verification result and session identifier associated with your account, unless retention is required for an active investigation or legal proceeding.

(f) Billing records (transaction history, subscription records) will be retained for the period required by applicable tax and accounting laws, typically seven (7) years.

(g) Trust and safety records (reports filed, moderation actions, investigation records, account violations) may be retained for up to five (5) years after account deletion for ongoing safety, legal, and enforcement purposes.

(h) Anonymized and aggregated data derived from your account activity may be retained indefinitely as described in Section 6.3.

6.3 Anonymized Data

Craftly may retain and use anonymized, aggregated data that cannot reasonably be used to identify you for any purpose, including analytics, research, platform improvement, marketing, and statistical analysis, without restriction or time limit. This includes data derived from your profile, search activity, connection patterns, review content, and messaging activity.

7. Your Rights

Depending on your location and applicable law, you may have some or all of the following rights regarding your personal data. These rights apply to users in the European Economic Area, the United Kingdom, and U.S. states with comprehensive privacy laws (including California, Virginia, Colorado, Connecticut, and others), as well as any other jurisdiction that grants equivalent rights.

7.1 Right to Access

You have the right to request a copy of the personal data we hold about you. We will provide this information in a commonly used, machine-readable format.

7.2 Right to Rectification

You have the right to request that we correct inaccurate personal data about you. You can update most of your information directly through your account settings or profile editor.

7.3 Right to Erasure ("Right to Be Forgotten")

You have the right to request that we delete your personal data. This right is subject to exceptions, and Craftly may deny or defer an erasure request where:

(a) Data retention is required by applicable law (such as tax and billing records);

(b) Data is necessary for the establishment, exercise, or defense of legal claims;

(d) There is an active investigation, dispute, or legal proceeding involving your account;

(e) Retention is necessary to protect the rights, safety, or property of Craftly or other users; or

(f) The data constitutes anonymized or aggregated data that cannot reasonably be used to identify you.

You can initiate account deletion through the Platform's settings, subject to the retention provisions described in Section 6.

7.4 Right to Data Portability

You have the right to request a copy of your personal data in a structured, commonly used, machine-readable format. Where technically feasible and not unduly burdensome, you may request that we transmit that data to another service provider. This right applies only to data you have directly provided to Craftly and does not extend to data derived from our analysis or processing of your information (such as search ranking scores, internal trust metrics, or aggregated analytics).

7.5 Right to Restrict Processing

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of your data or when you have objected to processing pending verification of whether our legitimate interests override your rights.

7.6 Right to Object

You have the right to object to the processing of your personal data based on our legitimate interests. Upon receiving your objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.

Where we process your data based on consent (such as identity verification or non-essential communications), you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing conducted before withdrawal.

7.8 Right to Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights. You will not receive a different level of service or pricing for exercising your rights.

7.9 How to Exercise Your Rights

To exercise any of the rights described above, you may:

(a) Email us at service@getcraftly.io with your request;

(b) Use the account settings or data request features within the Platform (where available); or

We will respond to verified requests within thirty (30) days. If we need additional time (up to an additional sixty (60) days for complex requests), we will notify you of the extension and the reasons for the delay.

We may ask you to verify your identity before processing your request and may deny requests that we are unable to verify. We may also deny or limit requests that are manifestly unfounded, excessive, or repetitive, or where applicable law permits denial. If we deny a request, we will notify you of the denial and the reasons for it.

7.10 Right to Lodge a Complaint

If you are located in the European Economic Area or United Kingdom, you have the right to lodge a complaint with your local data protection supervisory authority if you believe our processing of your personal data violates applicable law.

8. International Data Transfers

Craftly is based in the United States, and our infrastructure (including our database, hosting, and service providers) is primarily located in the United States. If you are accessing the Platform from outside the United States, your information will be transferred to, stored in, and processed in the United States.

For users located in the European Economic Area, the United Kingdom, or other jurisdictions with data transfer restrictions, we rely on the following mechanisms to ensure adequate protection of your data:

(a) Standard Contractual Clauses (SCCs) — Our sub-processors (including Supabase, Stripe, Twilio, Resend, Vercel, and Cloudflare) maintain Standard Contractual Clauses or equivalent data transfer mechanisms in their data processing agreements.

(b) Data Processing Agreements (DPAs) — We maintain data processing agreements with each of our sub-processors that include appropriate safeguards for international data transfers.

By using the Platform, you acknowledge and consent to the transfer of your information to the United States and other countries as described in this section. We take reasonable steps to ensure that your data is treated securely and in accordance with this Privacy Policy.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

(a) Encryption in transit — All data transmitted between your device and the Platform is encrypted using TLS (Transport Layer Security).

(b) Encryption at rest — Data stored in our database is encrypted at rest.

(c) Row-Level Security (RLS) — Our database enforces row-level security policies to ensure that users can only access data they are authorized to view or modify.

(d) Authentication security — One-time passcode (OTP) authentication with rate limiting (three attempts per ten minutes) to prevent brute-force attacks. No passwords are stored.

(e) Infrastructure security — DDoS protection, bot management, and firewall rules provided by Cloudflare. Application hosting on Vercel with automatic security updates.

(f) Access controls — Internal access to user data is restricted to authorized personnel on a need-to-know basis.

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.

10. Children's Privacy

The Platform is not directed at children under the age of sixteen (16). We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe that your child has provided personal data to Craftly, please contact us at service@getcraftly.io. If we become aware that we have collected personal data from a child under 16 without verification of parental consent, we will take steps to delete that information.

11. Do Not Track

Some web browsers transmit "Do Not Track" (DNT) signals. Because there is no uniform standard for interpreting DNT signals, the Platform does not currently respond to DNT signals. However, as described in Section 2.9, we do not use advertising or tracking cookies, and we do not track you across third-party websites.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons.

For changes that we determine, in our sole discretion, to be material, we will provide at least fifteen (15) days' notice before the changes take effect by posting the updated Privacy Policy on the Platform with a revised "Effective Date" and by sending an email notification to the address associated with your account. Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree to the revised Privacy Policy, your sole remedy is to discontinue use of the Platform and delete your account.

For non-material changes (such as typographical corrections, clarifications that do not alter the substance of the policy, or changes required by law), changes may take effect immediately upon posting.

We encourage you to review this Privacy Policy periodically.

13. Contact Information

If you have questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how your information is handled, please contact us at:

Craft Collective LLC Email: service@getcraftly.io General legal inquiries: service@getcraftly.io

For data protection inquiries from the European Economic Area or United Kingdom, you may also contact us at the email above. Craftly has not appointed a Data Protection Officer at this time but will do so if required by applicable law.

This Privacy Policy was last updated on April 30, 2026.