Privacy policy

Your customers’ data is not our business model.

We sell software. We don’t sell data — not to OEMs, not to distributors, not to advertisers, not to anyone. Here’s the long version.

Last updated: April 1, 2026

The short version

If you run a shop on Crankshop, the data in your account belongs to you. We only use it to operate the product you pay us for. We do not sell it, rent it, or share it with OEMs, distributors, ad networks, or data brokers. Ever.

We store data on US-based infrastructure, encrypted at rest and in transit. We keep audit logs for 7 years. On request, you can export everything or have us delete it.

Who this applies to

  • Shops — the businesses and owners who sign up for a Crankshop account.
  • Shop staff — techs, counter writers, and anyone else invited to a shop account.
  • End customers — the people whose equipment is being serviced. We process their data on behalf of the shop under a standard data processing agreement.
  • Visitors — anyone browsing crankshop.app without an account.

What we collect

From shops and shop staff

  • Account info: name, email, phone, shop name, business address, EIN.
  • Authentication: hashed password, 2FA enrollment, session cookies.
  • Billing: last four digits of payment card (held by Stripe, not us), invoices.
  • Usage: which features you use, what errors you encounter, the rough size of your shop.

From end customers (entered by the shop)

  • Name, phone number, email, service address.
  • Equipment records: make, model, serial, photos, service history.
  • Ticket communications: SMS threads, voice memos, notes.
  • Payment method references via Stripe tokenization — we never see the card number.

Automatically

  • IP address, browser, and operating system, for security and abuse prevention.
  • Aggregate, anonymized product analytics to understand what’s working.

What we don’t do

  • We don’t sell any personal information.
  • We don’t share shop data with OEMs unless the shop explicitly submits a warranty claim.
  • We don’t share shop data with distributors unless the shop explicitly places a parts order.
  • We don’t use shop data to train generic AI models.
  • We don’t run ad targeting. There are no third-party ad trackers on crankshop.app.

How we use what we collect

  • To operate, maintain, and improve the product.
  • To notify you about changes, outages, billing events, and security advisories.
  • To investigate abuse, fraud, and security incidents.
  • To meet legal obligations (subpoenas, tax law, sanctions screening).
  • With your permission, to feature your shop as a customer.

Subprocessors

We use carefully selected third parties to operate the service. This is the complete list. We update it here before we add a new one — no silent changes.

  • Stripe — payment processing and tokenization (US).
  • Twilio — SMS and voice messaging (US).
  • Cloudflare — CDN, image resizing, DDoS protection, and R2 object storage (US).
  • Neon / Supabase — managed Postgres database (US regions only).
  • Intuit (QuickBooks) — bookkeeping integrations, only when you connect them.
  • Sentry — crash and error monitoring (US).
  • PostHog — product analytics (self-hosted in US).
  • BetterStack — uptime and log monitoring (US).
  • Groq — transcription of voice notes you record in-app (audio is deleted within 30 days of transcription).

Where data lives

All primary data is stored in US regions. Backups are encrypted with AES-256 and kept for 30 days. Point-in-time recovery covers the prior 7 days. We do not transfer your data to servers outside the United States.

Your rights

Regardless of where you live, Crankshop honors the data subject rights defined by the GDPR and the major US state privacy laws (California, Colorado, Connecticut, Virginia, Utah):

  • Access — we’ll tell you what we have about you.
  • Correction — we’ll fix anything wrong.
  • Deletion — we’ll delete your data on request (subject to legal holds, e.g. tax records).
  • Portability — CSV export of everything in your shop, on demand.
  • Objection — you can ask us to stop specific processing.
  • No retaliation — asking doesn’t change your pricing or service.

To exercise any of these rights, email privacy@crankshop.app from the account’s verified email. We respond within 30 days.

End-customer data requests

If you are an end customer of a shop that uses Crankshop and you want your data accessed, corrected, or deleted, please contact the shop first — they are the controller of your data, and we process it on their behalf. If the shop cannot or will not respond, email us and we will help resolve it.

Retention

  • Active shop data: retained while the shop’s subscription is active.
  • After cancellation: retained for 90 days as a grace period, then permanently deleted.
  • Audit logs: 7 years (for legal, tax, and dispute resolution reasons).
  • Voice memo audio: deleted within 30 days of transcription; transcript retained.
  • Backups: up to 30 days on a rolling basis.

Children

Crankshop is not intended for anyone under 16. We don’t knowingly collect information from children. If you believe we have, email us and we’ll delete it.

Security

See our security page for the full posture. Short version: AES-256 at rest, TLS 1.3 in transit, argon2id password hashing, row-level tenant isolation, two-factor authentication required for the Owner role, annual penetration testing, and a 72-hour incident notification commitment.

Cookies

We use a session cookie to keep you logged in and a CSRF cookie to protect form submissions. We do not use advertising cookies. We do not load third-party trackers on marketing pages, beyond self-hosted analytics that doesn’t set cross-site cookies.

Changes to this policy

If we make a material change — adding a subprocessor, changing what data we collect, changing retention — we’ll notify account owners by email at least 14 days before it takes effect. Non-material changes (typos, clarifications) are posted with a new date at the top.

Contact

Privacy questions, data requests, or concerns:
privacy@crankshop.app
Crankshop, Inc. · Rochester, NY · US