Privacy Policy

Last updated March 2026

This Privacy Notice for Crystallized Intelligence ('we', 'us', or 'our'), describes how and why we might access, collect, store, use, and/or share ('process') your personal information when you use our services ('Services'), including when you:

• Visit our website at www.crystallized.lu or any website of ours that links to this Privacy Notice
• Subscribe to our newsletter or other email communications
• Engage with us in other related ways, including any sales, marketing, or events

Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at privacy@crystallized.lu.

Summary of Key Points

This summary provides key points from our Privacy Notice, but you can find out more details about any of these topics by using the table of contents below.

What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us and the Services, the choices you make, and the products and features you use.

Do we process any sensitive personal information? We do not process sensitive personal information.

Do we collect any information from third parties? We do not collect any information from third parties.

How do we process your information? We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent.

Where is your data stored? Newsletter subscriber data is stored on our own self-hosted infrastructure within the European Union. CRM data is processed using EU-based cloud services. We do not transfer personal data outside of Europe for marketing purposes.

In what situations and with which types of parties do we share personal information? We may share information in specific situations and with specific categories of third parties.

How do we keep your information safe? We have adequate organisational and technical processes and procedures in place to protect your personal information. However, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure.

What are your rights? Depending on where you are located geographically, the applicable privacy law may mean you have certain rights regarding your personal information.

How do you exercise your rights? The easiest way to exercise your rights is by contacting us at privacy@crystallized.lu.

Table of Contents

1. What Information Do We Collect?
2. How Do We Process Your Information?
3. What Legal Bases Do We Rely On?
4. When and With Whom Do We Share Your Information?
5. Do We Use Cookies?
6. Do We Offer AI-Based Products?
7. Newsletter and Email Communications
8. How Long Do We Keep Your Information?
9. How Do We Keep Your Information Safe?
10. Do We Collect Information from Minors?
11. What Are Your Privacy Rights?
12. Controls for Do-Not-Track Features
13. Do We Make Updates to This Notice?
14. How Can You Contact Us?
15. How Can You Review, Update, or Delete Your Data?

1. What Information Do We Collect?

Personal information you disclose to us

In Short: We collect personal information that you provide to us.

We collect personal information that you voluntarily provide to us when you express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.

Personal Information Provided by You. The personal information we collect may include: names, phone numbers, email addresses, job titles, contact preferences, and contact or authentication data.

Newsletter Subscription Data. When you subscribe to our newsletter, we collect your email address and your preferred delivery frequency (daily or weekly). This data is stored on our self-hosted email marketing platform within the European Union (see Section 7).

Sensitive Information. We do not process sensitive information.

Information automatically collected

In Short: Some aggregated, non-personal information is collected automatically when you visit our Services through our privacy-friendly analytics.

We use Plausible Analytics, which collects aggregated, anonymised data about website usage. This includes page views, referral sources, browser type, and country-level location. This data cannot be used to identify individual visitors. No personal information, IP addresses, or device identifiers are collected or stored.

We do not use cookies, local storage, or any similar tracking technologies. For more details, see our Cookie Policy.

Google API

Our use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

2. How Do We Process Your Information?

In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law.

We process your personal information for a variety of reasons, including: to deliver and facilitate delivery of services, to respond to user inquiries, to send administrative information, to fulfil and manage orders, to request feedback, to send marketing and promotional communications (with your consent), to deliver targeted advertising, to protect our Services, to identify usage trends, to determine marketing effectiveness, and to save or protect an individual's vital interest.

3. What Legal Bases Do We Rely On?

In Short: We only process your personal information when we believe it is necessary and we have a valid legal reason to do so under applicable law.

The GDPR and UK GDPR require us to explain the valid legal bases we rely on. These include: Consent (you can withdraw at any time), Performance of a Contract, Legitimate Interests (where they do not outweigh your rights), Legal Obligations, and Vital Interests.

For newsletter communications specifically, we rely on Consent — you actively subscribe and can unsubscribe at any time via the link in every email or through our subscription management page.

4. When and With Whom Do We Share Your Information?

In Short: We may share information in specific situations described in this section and/or with specific categories of third parties.

We may share your data with third-party vendors, service providers, contractors, or agents who perform services for us or on our behalf. Categories include: AI platforms, cloud computing services, communication tools, data storage providers, payment processors, and website hosting providers.

Specific service providers

The following service providers may process personal data on our behalf:

• Email marketing: We use Brevo, an EU-headquartered email marketing platform, to manage newsletter subscriptions and deliver email communications. Brevo processes subscriber email addresses and engagement data (opens, clicks) on our behalf.
• Email delivery: Outbound emails are sent via an EU-based SMTP provider. Email metadata (recipient address, delivery status) is processed by this provider in the course of delivery.
• CRM: Contact form submissions are processed through our self-hosted API server (Scaleway, EU) and forwarded to Odoo CRM via email notification. No third-party form processing services are used.
• Workflow automation: We use Pipedream to orchestrate data flows between API-connected AI models and our email marketing tool. We do not process personal data through Pipedream nor through API-connected AI models.
• Website hosting: Our website is hosted on Scaleway.
• Analytics: We use Plausible Analytics (EU-hosted, no personal data collected).

We may also share your information in connection with business transfers, with affiliates, or with business partners.

5. Do We Use Cookies and Tracking Technologies?

In Short: No. We do not use cookies or similar tracking technologies. Our analytics are fully privacy-friendly.

This website does not use cookies — neither first-party nor third-party. We do not use local storage, web beacons, tracking pixels, or fingerprinting techniques.

Website Analytics

We use Plausible Analytics, a privacy-friendly, open-source analytics tool that is fully compliant with GDPR, CCPA, and PECR. Plausible does not use cookies, does not collect personal data, and does not track visitors across websites or devices. All analytics data is aggregated and cannot be used to identify individual visitors. Data is processed within the EU.

We previously used Google Analytics, which relied on cookies and cross-site tracking. We have since removed it entirely from our website.

For more details, see our Cookie Policy.

Newsletter tracking

Our newsletter emails may include a tracking pixel to measure aggregate open rates and link click tracking to measure engagement. This data is used to improve the relevance and quality of our newsletter content. You can prevent open tracking by disabling remote image loading in your email client. You can opt out of all email communications at any time via our subscription management page.

6. Do We Offer AI-Based Products?

In Short: We offer products, features, or tools powered by artificial intelligence, machine learning, or similar technologies.

Client AI services

We provide AI automation services to clients using third-party AI providers including Mistral AI, Anthropic, and Google Cloud AI. When delivering these services, client data may be shared with and processed by these providers as necessary to perform the agreed work. All such processing is governed by individual client agreements and handled in line with this Privacy Notice.

Newsletter AI curation

Our newsletter content is curated with the assistance of AI (via Mistral AI through OpenRouter). The AI processes publicly available news articles to generate summaries — it does not process or have access to subscriber personal data.

To opt out of AI-processed services, you can contact us using the contact information provided.

7. Newsletter and Email Communications

In Short: Your newsletter data is stored on our own self-hosted infrastructure within the EU. You have full control over your subscription at all times.

What we collect

When you subscribe to our newsletter, we collect: your email address, your preferred frequency (daily or weekly), and a timestamp recording when you gave consent. We may also collect aggregate engagement data (opens, clicks) to improve content quality.

Where your data is stored

Newsletter subscriber data is managed through Brevo, an EU-headquartered email marketing platform. Brevo processes subscriber email addresses, frequency preferences, and engagement data (opens, clicks) on our behalf. Brevo stores data within the European Union and is fully GDPR-compliant. Our subscriber API server, which handles subscription sign-ups and preference management, is self-hosted on Scaleway infrastructure within the European Union. Your data does not leave Europe for marketing purposes.

How to manage your subscription

You can update your preferences or unsubscribe at any time by:

• Clicking the "Unsubscribe" or "Manage preferences" link in any newsletter email
• Visiting our subscription management page
• Contacting us at privacy@crystallized.lu

When you unsubscribe, your email address is flagged as "Do Not Contact" in our system. You may also request full deletion of your subscriber record by contacting us.

8. How Long Do We Keep Your Information?

In Short: We keep your information for as long as necessary to fulfil the purposes outlined in this Privacy Notice unless otherwise required by law.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise it, or securely store and isolate it until deletion is possible.

For newsletter subscribers: active subscriber records are retained for the duration of the subscription. Unsubscribed records (flagged as "Do Not Contact") are retained for up to 12 months to prevent accidental re-subscription, after which they are permanently deleted unless you request earlier deletion.

9. How Do We Keep Your Information Safe?

In Short: We aim to protect your personal information through a system of organisational and technical security measures.

We have implemented appropriate security measures, including:

• Self-hosted infrastructure within the EU with encrypted database storage
• HTTPS/TLS encryption for all data in transit
• Access controls limiting who can view subscriber data
• Regular software updates and security patches
• Automated encrypted backups

However, no electronic transmission over the Internet can be guaranteed to be 100% secure. Transmission of personal information is at your own risk and you should only access the Services within a secure environment.

10. Do We Collect Information from Minors?

In Short: We do not knowingly collect data from or market to children under 18 years of age.

If we learn that personal information from users under 18 has been collected, we will deactivate the account and take reasonable measures to delete such data. If you become aware of any data we may have collected from children under 18, please contact us at privacy@crystallized.lu.

11. What Are Your Privacy Rights?

In Short: In some regions, such as the EEA, UK, and Switzerland, you have rights that allow you greater access to and control over your personal information.

These may include the right to request access, rectification, erasure, restriction of processing, data portability, and the right to object. You can make such a request by contacting us. If you are in the EEA or UK and believe we are unlawfully processing your information, you have the right to complain to your data protection authority (in Luxembourg, this is the CNPD).

Withdrawing your consent: You have the right to withdraw your consent at any time by contacting us.

Opting out of marketing: You can unsubscribe from our marketing emails at any time by clicking the unsubscribe link, visiting our subscription management page, or contacting us.

Data portability: You may request a copy of your subscriber data in a machine-readable format by contacting us at privacy@crystallized.lu.

Analytics: Since we use Plausible Analytics (which does not use cookies or collect personal data), there is nothing to opt out of. No tracking consent is required. See our Cookie Policy for more information.

12. Controls for Do-Not-Track Features

Since we do not use cookies or track individual visitors, Do-Not-Track signals are not applicable to our website. Our analytics tool (Plausible) does not identify or track individual users regardless of browser settings.

13. Do We Make Updates to This Notice?

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.

We encourage you to review this Privacy Notice frequently. The updated version will be indicated by an updated date at the top.

14. How Can You Contact Us?

If you have questions or comments about this notice, you may email us at privacy@crystallized.lu or contact us by post at:

Crystallized Intelligence
38 Route d'Echternach
Dommeldange
Luxembourg 1453
Luxembourg

15. How Can You Review, Update, or Delete Your Data?

You have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. To request to review, update, or delete your personal information, please contact: privacy@crystallized.lu.