Privacy Policy

Last Updated: January 26, 2026

1. Introduction

This Privacy Policy describes how CREA (Contract Research & Evidence Assistant) collects, uses, and protects information when you use our grievance research service. We are committed to protecting your privacy and handling your data responsibly.

2. Information We Collect

2.1 Query Data

When you use CREA, we process the workplace situation descriptions you submit. This may include details about your employment situation, supervisors, workplace incidents, and other information you choose to provide.

2.2 Technical Data

We automatically collect certain technical information, including:

  • IP address (for rate limiting and security purposes)
  • Browser type and version
  • Device information
  • Timestamp of requests
  • Pages visited and features used

2.3 Session Data

We use session cookies to maintain your browsing session and provide CSRF (Cross-Site Request Forgery) protection. These cookies are temporary and expire when you close your browser.

3. How We Use Your Information

We use the information we collect to:

  • Process your queries and generate research results
  • Improve the accuracy and relevance of our search results
  • Maintain security and prevent abuse of the service
  • Enforce rate limits to ensure fair access for all users
  • Debug issues and improve service performance

4. Third-Party Data Sharing

4.1 AI Processing

Your queries are processed using an AI-powered analysis service. When you submit a query, the text of your workplace situation description is sent to our AI provider's servers for analysis. Our AI provider processes data in accordance with their privacy policies and applicable data protection regulations.

4.2 No Sale of Data

We do not sell, rent, or trade your personal information to third parties. We do not use your query data for advertising purposes.

4.3 Legal Requirements

We may disclose information if required by law, court order, or government regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

5. Data Retention

Query Data: By default, we do not permanently store the content of your queries. Query data is processed in memory and discarded after generating results. Server logs containing technical data may be retained for up to 30 days for security and debugging purposes.

Rate Limiting Data: IP addresses used for rate limiting are stored temporarily in memory and cleared when the server restarts.

6. Cookies

CREA uses the following types of cookies:

  • Session Cookies: Essential for the service to function. These maintain your session and expire when you close your browser.
  • CSRF Tokens: Security cookies that protect against cross-site request forgery attacks.

Google Analytics

We use Google Analytics to understand how visitors interact with our website. Google Analytics collects information such as how often users visit the site, what pages they visit, and what other sites they used prior to coming to our site. We use this information to improve our service. Google Analytics collects the IP address assigned to you on the date you visit the site, but not your name or other identifying information. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

7. Data Security

We implement appropriate technical and organizational measures to protect your information, including:

  • HTTPS encryption for all data transmission
  • CSRF protection on all forms
  • Rate limiting to prevent abuse
  • Security headers to prevent common web attacks
  • Regular security updates and monitoring

However, no method of transmission over the Internet is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access information we hold about you
  • Request correction of inaccurate information
  • Request deletion of your information
  • Object to processing of your information
  • Request data portability

Since we do not permanently store query content, most data rights requests can be satisfied by simply not using the service. For technical data inquiries, please contact us at support@crearesearch.com.

9. California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights regarding your personal information:

  • Right to Know: You have the right to request that we disclose what personal information we collect, use, disclose, and sell about you.
  • Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
  • Right to Opt-Out of Sale: You have the right to opt-out of the sale of your personal information. We do not sell your personal information.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

How to Exercise Your Rights: To exercise any of these rights, please contact us at support@crearesearch.com. We will verify your identity before processing your request.

10. EU/EEA Residents (GDPR)

If you are located in the European Union or European Economic Area, the General Data Protection Regulation (GDPR) provides you with specific rights:

Legal Basis for Processing

We process your personal data on the following legal bases:

  • Contract Performance: Processing necessary to provide the CREA service you have subscribed to.
  • Legitimate Interest: Processing for security, fraud prevention, and service improvement.
  • Consent: Where you have given explicit consent (e.g., marketing communications).

Data Retention

We retain your account information for as long as your account is active. Technical logs are retained for up to 30 days. Query content is not permanently stored.

Your GDPR Rights

  • Right of Access: Request a copy of your personal data.
  • Right to Rectification: Request correction of inaccurate data.
  • Right to Erasure: Request deletion of your data ("right to be forgotten").
  • Right to Restrict Processing: Request limited processing of your data.
  • Right to Data Portability: Request your data in a portable format.
  • Right to Object: Object to processing based on legitimate interests.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.

Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence if you believe our processing of your personal data violates the GDPR.

How to Exercise Your Rights: To exercise any of these rights, please contact us at support@crearesearch.com.

11. Children's Privacy

CREA is not intended for use by individuals under 18 years of age. We do not knowingly collect information from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of significant changes by posting a notice on the service. Your continued use of CREA after changes are posted constitutes acceptance of the updated policy.

13. Contact Information

For questions about this Privacy Policy or our data practices, please contact us at support@crearesearch.com.

Summary: CREA processes your queries to provide research results. We send query text to our AI provider for analysis. We don't permanently store your queries or sell your data. We use minimal cookies for security purposes only.

Back to Home