Privacy Policy

1. Information We Collect

1.1 Information You Provide

• Square account data. When you connect your Square account via OAuth, we receive your merchant ID, business name, location information, and catalog data (products, categories, variations, inventory counts). We do not receive your Square password.
• Contact information. If you contact our support team, we collect the information you provide such as your name and email address.

1.2 Information Collected Automatically

• Usage data. We collect information about how the service is accessed and used, including IP addresses, browser type, pages visited, and timestamps.
• Transaction data. When an AI agent facilitates an order through Crumb, we log the order reference, location, items, and payment link for service operation and fee calculation.
• MCP request data. When AI agents interact with our MCP endpoint, we log tool calls, parameters, and response metadata for debugging and service improvement.

2. How We Use Your Information

We use the information we collect to:

• Operate, maintain, and improve the Crumb platform.
• Sync your Square catalog and make your products discoverable by AI agents.
• Facilitate shopping cart creation, checkout, and payment link generation.
• Calculate and collect transaction fees owed to Crumb.
• Respond to support requests and communicate with you about the service.
• Monitor for abuse, enforce rate limits, and maintain security.

3. Information Sharing and Disclosure

We do not sell your personal information. We may share information in the following circumstances:

• With Square. We interact with the Square API using your authorized OAuth credentials to read your catalog, create orders, and generate payment links. Your data remains in your Square account.
• With AI agents. When an AI agent queries the Crumb MCP endpoint, we return your publicly listed catalog data (product names, descriptions, prices, availability) so the agent can assist customers. We do not share your merchant credentials or financial details with agents.
• Service providers. We use third-party services to operate Crumb, including Microsoft Azure (cloud hosting), Auth0 (authentication), and Plausible Analytics (privacy-focused web analytics). These providers process data on our behalf under contractual obligations.
• Legal requirements. We may disclose information if required by law, regulation, legal process, or governmental request.

4. Data Retention

We retain your merchant connection data and catalog cache for as long as your Square account is connected to Crumb. When you disconnect your account (via the merchant portal or by revoking access in Square), we delete your OAuth credentials and cached catalog data within 30 days. Transaction logs may be retained for up to 12 months for billing reconciliation and legal compliance.

5. Data Security

We implement appropriate technical and organizational measures to protect your information. Square OAuth tokens are encrypted at rest. All data in transit is encrypted via TLS. We use rate limiting, security headers, and request correlation to detect and prevent abuse. However, no method of transmission over the Internet or electronic storage is completely secure, and we cannot guarantee absolute security.

6. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access. Request a copy of the personal information we hold about you.
• Deletion. Request that we delete your personal information. You can initiate this by disconnecting your Square account from Crumb.
• Correction. Request that we correct inaccurate personal information. Since most data comes from your Square account, corrections are typically made in Square directly.
• Opt-out. You may disconnect your Square account at any time through the merchant portal to stop all data collection and processing.

To exercise any of these rights, contact us at support@crumb.llc.

7. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA). You have the right to know what personal information we collect, request its deletion, and opt out of its sale. As stated above, we do not sell personal information. To submit a verifiable consumer request, contact us at support@crumb.llc.

8. Cookies and Tracking

Crumb uses essential cookies for session management (e.g., the merchant session cookie for authenticated portal access). We use Plausible Analytics, a privacy-focused analytics service that does not use cookies and does not collect personal data. We do not use third-party advertising cookies or cross-site tracking.

9. Children's Privacy

Crumb is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will take steps to delete that information promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the effective date above. Your continued use of Crumb after changes are posted constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at: