Privacy Policy

Effective date: March 12, 2026  ·  Last updated: March 12, 2026

1. Who We Are

CrateToCloud is operated by Breen Duo LLC, a limited liability company organized under the laws of the State of Arizona, United States.

Mailing address: PO Box 790, Vail, AZ 85641, United States
Privacy contact: privacy@cratetocloud.com

CrateToCloud is currently in early alpha. Access is invitation-only and the platform is intended for a small, US-based community of music collectors.

2. What Information We Collect

2a. Information you provide

  • Account data: email address, username, optional display name and avatar.
  • Collection data: records, formats, conditions, ratings, and notes you enter manually or import.
  • Integration credentials: OAuth tokens for Discogs (stored encrypted); Plex server URL and token (stored encrypted). We never store your Discogs or Plex password.
  • Trade messages and notes: free-text notes attached to trade offers.
  • Profile settings: privacy preferences (public/private collection, trade enable/disable).

2b. Information collected automatically

  • Log data: IP address, browser type, pages visited, timestamps — collected by our hosting provider (Vercel) in standard server logs.
  • Authentication tokens: session JWTs stored in HttpOnly cookies (managed by Supabase Auth).
  • We do not use advertising trackers, analytics SDKs (Google Analytics, Mixpanel, etc.), or fingerprinting of any kind.

2c. Third-party data

  • Discogs: release metadata, collection, and wantlist data pulled via the Discogs API on your behalf after you authorize the integration.
  • Plex: album/track metadata pulled from your personal Plex server via your Plex token.
  • We do not buy, sell, or receive personal data from data brokers.

3. How We Use Your Information

  • Provide, operate, and improve the CrateToCloud service.
  • Match and deduplicate your collection across sources (Discogs, Plex, manual entries).
  • Enable community features: following other collectors, trade proposals, wantlist matching.
  • Send transactional emails (account confirmation, password reset, trade notifications, follow notifications) via our email provider (Resend).
  • Detect abuse, enforce our Terms of Service, and protect platform integrity.
  • Comply with applicable law.

We do not sell, rent, or share your personal information with third parties for advertising or marketing purposes.

4. Legal Basis for Processing (GDPR)

CrateToCloud is a US-based service in early alpha with no active marketing directed at residents of the European Economic Area (EEA) or the United Kingdom. If you are an EEA or UK resident who has nonetheless signed up, we process your data on the following bases:

  • Contract performance — to provide the service you requested (Art. 6(1)(b) GDPR).
  • Legitimate interests — security, abuse prevention, service improvement (Art. 6(1)(f) GDPR).
  • Consent — optional features such as public profile visibility, where applicable.

We do not currently have a designated EU/EEA representative. If this changes, we will update this policy. EEA/UK residents may contact us at privacy@cratetocloud.com to exercise their rights.

5. Data Retention

We retain your personal data for as long as your account is active. If you delete your account, we delete or anonymize your personal data within 30 days, except where we are required to retain it by law (e.g., billing records) or where data has been anonymized as part of aggregate statistics.

Server-level access logs retained by our infrastructure providers (Vercel) are subject to their own retention schedules, typically 30–90 days.

Inactive accounts (no login for 12 months) may be flagged for deletion with prior email notice.

6. Service Providers (Sub-processors)

We share data with the following sub-processors to operate the service:

Provider          Purpose                                          Data Location
Vercel, Inc.      Web hosting and edge functions                   United States
Supabase, Inc.    Database, authentication, storage                United States
Resend, Inc.      Transactional email delivery                     United States
Discogs, LLC      Release metadata and collection sync (via API)   United States

All sub-processors are bound by data processing agreements and are required to protect your data in accordance with applicable privacy laws.

7. International Data Transfers

CrateToCloud is operated from the United States. All personal data is stored and processed in the United States. If you access the service from outside the US, your data will be transferred to and processed in the US.

For EEA/UK users, transfers to the US are covered by our sub-processors' Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms (e.g., Vercel, Supabase, and Resend each maintain GDPR-compliant DPAs). We incorporate those mechanisms by reference.

8. Cookies and Local Storage

We use strictly necessary session cookies only:

  • An HttpOnly authentication cookie (JWT) set by Supabase Auth to maintain your logged-in session.

We do not use third-party cookies, advertising cookies, or persistent tracking cookies. No cookie consent banner is required because we use only essential cookies.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Correction — ask us to correct inaccurate data.
  • Deletion — request deletion of your account and associated data.
  • Portability — receive your data in a machine-readable format.
  • Objection / Restriction — object to or restrict certain processing.
  • Withdrawal of consent — for any processing based on consent.

To exercise any of these rights, email privacy@cratetocloud.com. We will respond within 30 days. You may also delete your account directly from Settings → Account → Delete account within the app.

California residents (CCPA/CPRA): We do not sell or share personal information as defined by the CCPA. You have the right to know, delete, and opt out of sale/sharing (not applicable here). Contact us at the email above or submit a request via the in-app settings.

10. Children's Privacy

CrateToCloud is not directed at children under 13 (or under 16 in the EEA). We do not knowingly collect personal information from minors. If you believe a child has provided us with personal data, please contact us at privacy@cratetocloud.com and we will delete it promptly.

11. Security

We take reasonable technical and organizational measures to protect your data, including:

  • TLS encryption in transit for all connections.
  • Encryption at rest for database storage (Supabase).
  • Encrypted storage of OAuth tokens (Discogs, Plex).
  • Role-based access controls — only authorized platform administrators can access production data.

No system is 100% secure. If you believe your account has been compromised, contact us immediately at privacy@cratetocloud.com.

12. Links to Third-Party Sites

CrateToCloud may link to Discogs listings and other third-party URLs. We are not responsible for the privacy practices of those sites. We encourage you to review their privacy policies before sharing any information.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address on your account) and update the “Last updated” date above. Your continued use of CrateToCloud after the effective date of the revised policy constitutes your acceptance of the changes.

14. Contact Us

Questions, concerns, or requests regarding this Privacy Policy should be directed to:

Breen Duo LLC
Attn: Privacy
PO Box 790
Vail, AZ 85641
United States
privacy@cratetocloud.com