Legal · MAY 2026

Privacy Policy

How Crene collects, uses, and protects personal data. Written for institutional users in the United States, European Union, United Kingdom, and California.

Section 1

Controller and contact

Crene, Inc. is a Delaware corporation with its principal place of business in California. For the personal data described in this policy, Crene is the data controller (GDPR, UK GDPR) and the business (CCPA / CPRA).

Privacy contact: stephen@crene.com

An EU representative and a UK representative will be designated upon onboarding of the first controller customer for which one is required. Until then, EU and UK data subjects may reach Crene directly at the email above.

Section 2

What we collect

Crene serves institutional users. We do not collect personal data from consumers in a personal entertainment context. The categories below describe what is collected from business users and visitors to the platform.

  • Inquiry and lead form data. Name, business email, company, role or title, and a free-text description of the intended use case, submitted by users requesting dataset access or API access.
  • Account data. For users who create an account: business email, hashed credentials, display name, and account preferences (saved views, notification settings).
  • API access data. For authenticated API consumers: API key identifier, request metadata (endpoint, timestamp, response code, payload size) for rate limiting, abuse prevention, and operational metrics.
  • Technical and session data. IP address, user agent, device and browser characteristics, referring URL, and timestamps. Used for security, abuse detection, and to operate the service.
  • Analytics data. Aggregate and pseudonymous behavioral data collected via Google Analytics (property G-0EP6PCDW8P) and Microsoft Clarity (project us1ljuhm3j). This includes page views, session duration, click and scroll patterns, and session replay (Clarity). Both products may set cookies or similar identifiers in your browser.
  • Cookies and similar technologies. Strictly necessary cookies (session, security, locale preference), analytics cookies (Google Analytics, Microsoft Clarity), and preference cookies. See the Cookies section below.
  • Communications. Records of emails, support requests, and other correspondence you send to Crene.

Crene does not knowingly collect special category data under GDPR Article 9 (race, political opinion, religion, health, biometrics, etc.), and we ask users not to submit such data through forms or support channels.

Section 3

How we use personal data

We use the categories above for the following purposes:

  • Operating the platform, API, and dataset access, including authentication, rate limiting, and abuse prevention.
  • Responding to inquiries and dataset access requests, and processing institutional procurement and design partner relationships.
  • Maintaining the security and integrity of the platform, including detecting and preventing fraud, unauthorized access, and misuse.
  • Understanding aggregate usage of the platform and improving the product, using analytics and session replay data.
  • Sending necessary service communications (security alerts, material changes to these documents) and, to addresses that have opted in, periodic product updates.
  • Complying with legal obligations and enforcing our Terms of Service.

Crene does not sell personal data. Crene does not use personal data submitted through inquiry forms, account data, or API request payloads to train AI models. The underlying frontier AI models that generate probability forecasts (Claude, GPT, Gemini, Grok) are queried with depersonalized event and factor questions; they do not receive customer personal data as part of normal operation.

Section 4

Legal bases (GDPR and UK GDPR)

For data subjects in the European Economic Area, the United Kingdom, or Switzerland, the lawful bases under Article 6 GDPR (and the equivalent UK GDPR provisions) are:

  • Performance of a contract (Art. 6(1)(b)). Account data, API access data, and direct license customer data are processed to provide the service you have requested or contracted for.
  • Legitimate interests (Art. 6(1)(f)). Security, abuse prevention, operational logging, and aggregate product analytics are processed on the basis of Crene's legitimate interest in operating a reliable, secure service and the legitimate interest of customers in receiving one. We have assessed that these processing activities do not override the rights and freedoms of data subjects, given that they involve standard business operational data.
  • Consent (Art. 6(1)(a)). Non-essential analytics cookies (Google Analytics, Microsoft Clarity) and marketing communications, where consent is required by applicable law, are processed on the basis of consent that you may withdraw at any time.
  • Legal obligation (Art. 6(1)(c)). Where required by tax, accounting, anti-money laundering, or other applicable law.

Section 5

Recipients and processors

We share personal data only with the following categories of recipients:

  • Infrastructure and hosting providers. Amazon Web Services (US regions) hosts the platform, API, and dataset.
  • Analytics processors. Google LLC (Google Analytics) and Microsoft Corporation (Microsoft Clarity), each as a separate processor under their own terms.
  • Email and communications providers. Standard transactional email providers for service messages.
  • Frontier model providers. Anthropic, OpenAI, Google, and xAI receive event and factor questions for probability generation. They do not receive customer personal data in normal operation.
  • Professional advisors. Accountants, auditors, and legal counsel under confidentiality.
  • Authorities and successors. Government authorities where required by enforceable legal process; an acquirer, successor, or restructuring counterparty in connection with a corporate transaction (in which case continued processing remains subject to a policy at least as protective as this one).

Crene does not sell personal data and does not share personal data with advertising networks for cross-context behavioral advertising.

Section 6

International transfers

Crene operates from the United States. Personal data of EU, UK, and Swiss data subjects may be transferred to and processed in the United States and other jurisdictions outside the EEA / UK.

For such transfers, Crene relies on the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914) and the UK International Data Transfer Addendum, supplemented by appropriate technical and organizational measures. Where a recipient is certified under an adequacy framework recognized by the European Commission or the UK government (for example, the EU-US Data Privacy Framework), Crene may also rely on that framework as a transfer mechanism.

A copy of the SCCs / IDTA used for a specific processing activity is available on request to stephen@crene.com.

Section 7

Retention

We retain personal data only for as long as necessary for the purposes described in this policy.

  • Inquiry and lead form data: up to 24 months after last contact, unless converted to an active customer relationship.
  • Account data: for the duration of the account and 12 months after closure for legal and security purposes, except where longer retention is required by law.
  • API request logs: 90 days for operational metrics; abuse and security logs may be retained longer where necessary to address an investigation.
  • Analytics data: in accordance with the retention settings of Google Analytics and Microsoft Clarity, which Crene sets to the minimum supported by each platform.
  • Communications and support records: up to 36 months after the last interaction.

Section 8

Your rights (GDPR and UK GDPR)

If you are a data subject in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights, subject to applicable conditions and exceptions:

  • Right of access to your personal data and information about how it is processed.
  • Right to rectification of inaccurate or incomplete data.
  • Right to erasure (right to be forgotten) where applicable.
  • Right to restriction of processing under specified conditions.
  • Right to data portability for data processed on the basis of contract or consent and by automated means.
  • Right to object to processing based on legitimate interests, including profiling.
  • Right to withdraw consent at any time for processing based on consent, without affecting the lawfulness of prior processing.
  • Right to lodge a complaint with your local supervisory authority (for example, the Information Commissioner's Office in the United Kingdom or your national Data Protection Authority in the EEA).

To exercise these rights, email stephen@crene.com. We respond within one month, extendable by two months for complex requests as permitted by GDPR Article 12(3).

Section 9

California rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act gives you the following rights:

  • Right to know what personal information has been collected, the sources, the purposes, and the categories of recipients.
  • Right to delete personal information held by Crene, subject to applicable exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of the sale or sharing of personal information. Crene does not sell or share personal information for cross-context behavioral advertising, so there is no sale or sharing to opt out of at this time.
  • Right to limit use and disclosure of sensitive personal information. Crene does not collect sensitive personal information for purposes beyond what is reasonably necessary to operate the service.
  • Right not to receive discriminatory treatment for exercising any of these rights.

To exercise these rights, email stephen@crene.com with "California Privacy Request" in the subject line. We will verify your identity before fulfilling the request. You may designate an authorized agent in writing.

Categories of personal information collected and disclosed for business purposes in the preceding 12 months are described in Sections 2 and 5 above.

Section 10

Cookies and similar technologies

The platform uses three categories of cookies and similar identifiers:

  • Strictly necessary. Required for the service to function. These cover session state, security tokens, locale preference, and CSRF protection. Cannot be disabled through Crene's controls.
  • Analytics. Google Analytics (G-0EP6PCDW8P) and Microsoft Clarity (us1ljuhm3j) for aggregate usage measurement and session replay. Where required by law, set on the basis of consent.
  • Preference. Remember non-essential settings you have chosen.

You may control cookies through your browser settings. Where applicable consent law requires it, Crene will surface a consent control before non-essential cookies are set.

Section 11

Security

Crene applies industry-standard technical and organizational measures, including encryption in transit (TLS), encryption at rest where supported by the underlying storage, role-based access controls, principle-of-least-privilege for staff access, structured logging, and incident response procedures.

No system is perfectly secure. Crene will notify affected data subjects and the relevant supervisory authorities of personal data breaches in accordance with applicable law, including GDPR Article 33 and Article 34, UK GDPR equivalents, and applicable US state breach notification laws.

Section 12

Automated decision-making

Crene does not use personal data to make decisions that produce legal effects on individuals or similarly significantly affect them within the meaning of GDPR Article 22. The probability forecasts Crene produces concern macroeconomic, market, and policy events; they are not individual scoring decisions.

Section 13

Children

The service is intended for use by businesses and adults in a professional capacity. The service is not directed to children, and Crene does not knowingly collect personal data from individuals under 16. If you believe a child has provided personal data, contact stephen@crene.com and we will delete it.

Section 14

Changes to this policy

Crene may revise this policy. Material changes will be posted on this page with an updated date, and where required by law we will provide additional notice. Continued use of the service after a revision constitutes acknowledgement of the changes.

Section 15

Contact

Crene, Inc.
Delaware corporation, principal place of business in California.

Privacy email: stephen@crene.com

See also the Terms of Service.
