Privacy Policy
Effective from 13 May 2026. Updates will be published here with 30 days' notice by email to active customers.
1. Data controller
Crubby is a service operated by Filippo Finazzi (Milan, Italy). As the controller of personal data we can be reached at fil@crubby.com. For privacy-specific requests write to privacy@crubby.com.
2. Data we collect
- Account: email, restaurant name, password (hashed with bcrypt), notification preferences.
- Menu content:names, prices, descriptions, allergens and product images you upload to the CMS. This is your venue's business data, not personal data.
- Your end customers' data (only if you use Crubby Pay): optional email for the receipt, amount paid, payment method (Apple Pay / Google Pay / card). Card numbers never pass through our servers — they are handled by Stripe.
- Diagnostics: application error logs (Sentry), anonymous product usage statistics (PostHog, optional), web server logs (IP, user agent, path) kept for 90 days.
- Billing: company name, VAT number, address and payment method for the Crubby subscription (processed by Stripe on our behalf).
3. Legal basis for processing
Under art. 6 GDPR, the legal bases on which we process data are:
- Performance of a contract (art. 6.1.b): account, menu, payment processing.
- Legal obligation (art. 6.1.c): retention of invoices, recording of takings, anti-money-laundering.
- Legitimate interest (art. 6.1.f): error diagnostics, security, fraud prevention.
- Explicit consent (art. 6.1.a): behavioural analytics (PostHog), heatmaps (Clarity), marketing and advertising (Meta pixel), newsletter. Revocable at any time from the cookie banner.
4. Purposes of processing
- Provide and maintain the service (account, menu, payments).
- Operational communications: payment confirmations, error alerts, password resets, subscription expiry.
- Improve the product: understand which features you use, identify bugs, optimise performance.
- Measure and optimise our marketing campaigns, and show Crubby ads to people who have visited the site (only with consent).
- Comply with Italian tax and accounting obligations.
5. Retention periods
- Active account: for as long as you keep the account, +30 days after deletion for export and reconsideration.
- Full backups: 90 days rolling (Supabase point-in-time recovery).
- Web server and application logs: 90 days.
- Security logs (logins, sensitive access): 12 months.
- Invoices and tax documents: 10 years (legal obligation).
6. Your GDPR rights
You have the right to: access (art. 15), rectification (art. 16), erasure (art. 17), restriction (art. 18), portability (art. 20), objection (art. 21). To exercise them write to privacy@crubby.com attaching an identity document. We respond within 30 days.
You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante) if you believe the processing infringes the GDPR.
7. Sub-processors
The sub-processors that process data on our behalf. They are all bound by a DPA (Data Processing Agreement) consistent with the GDPR.
- Vercel (Next.js hosting, USA) — Standard Contractual Clauses 2021/914.
- Supabase (database + auth, region eu-central-1 Frankfurt, Germany) — DPA available.
- Cloudinary (image CDN, EU primary, US backup) — DPA + SCC.
- Stripe (payments, Ireland + USA) — Stripe DPA + PCI-DSS Level 1.
- Resend (transactional email, USA) — SCC + DPA.
- PostHog (analytics, EU instance) — only with explicit cookie consent.
- Sentry (error tracking, USA) — SCC; no personally identifiable data is logged (PII scrubbing active).
- Microsoft Clarity (heatmaps, USA) — only with explicit consent, can be disabled.
- Meta Platforms Ireland (Facebook/Instagram advertising pixel, Ireland + USA) — only with marketing consent; SCC + EU-US Data Privacy Framework.
To obtain the full DPA, write to privacy@crubby.com.
8. Transfers outside the EU
Some sub-processors (Vercel, Stripe, Resend, Sentry, Clarity, Meta) involve data transfers to the United States. Such transfers take place on the basis of Standard Contractual Clauses (EU 2021/914) and, where applicable, the EU-US Data Privacy Framework certification.
9. Security measures
- TLS 1.3 encryption for all data in transit.
- Database encrypted at rest (AES-256) managed by Supabase EU.
- Passwords hashed with bcrypt cost factor 12.
- Optional two-factor authentication for restaurant admins (coming soon).
- Audit log of all cross-tenant administrative actions.
- Daily backups with 7-day point-in-time recovery; weekly backups kept for 90 days.
10. Cookies and trackers
Crubby uses three categories of cookies:
- Strictly necessary (always on): session token, CSRF token, language preference. Without them you cannot use the service.
- Analytics and diagnostics (only with consent): PostHog product analytics, Microsoft Clarity heatmaps.
- Marketing (only with consent): the Meta pixel(Facebook/Instagram), which measures our advertising campaigns and lets us show Crubby ads to people who have visited the site. It activates only after «Accept all cookies» and is never loaded on our customers' public menu pages.
Consent to analytics and marketing cookies is optional and can be withdrawn at any time, just as easily as you granted it:
11. Children's data
Crubby is a B2B service intended for adult restaurateurs. We do not knowingly collect data on children under 16. If you become aware of an account opened by a minor, report it to privacy@crubby.com and we will proceed with removal.
12. Changes to this policy
We will update this page when sub-processors, purposes or security measures change. Active customers are notified by email at least 30 days in advance of material changes.
Last updated: 13 May 2026 · Terms of Service