Privacy Policy
Last updated: May 25, 2026 · Effective: May 25, 2026
CrossLayer, Inc. ("CrossLayer", "we", "us") operates the CrossLayer service at crosslayer.ai ("Service"). This policy explains what data we collect, how we use it, and the rights you have over it.
1. Information we collect
1.1 Account & identity
When you sign in we receive your email address, name, and (if you sign in with Google or Microsoft) a profile picture URL. Authentication is handled by WorkOS on our behalf; passwords (if any) are never stored by us.
1.2 Workspace content you connect
When you connect a tool such as Slack or GitHub via OAuth, we receive an access token scoped to the permissions you approved. Using that token we ingest:
- Slack: messages in channels where you have invited the CrossLayer bot, plus the metadata Slack returns (channel name, sender ID, timestamp, thread parent).
- GitHub: repository metadata, pull-request titles, file paths, and contents of files we are explicitly directed to read.
We do not ingest channels where the bot has not been invited, direct messages between humans, or repositories you have not granted access to.
1.3 Knowledge content you generate
The skill nodes ("BCL nodes"), governance settings, signal events, and audit log entries created while using the Service are stored against your workspace.
1.4 Operational telemetry
We log request paths, response codes, timings, IP address, browser user-agent, and error stack traces for the purpose of operating the Service. We do not run third-party advertising trackers, analytics pixels, or session replay tools.
2. How we use information
- To provide the Service — extract skills from your team's conversations, generate signals, render the web app, deliver Slack notifications.
- To secure the Service — detect abuse, debug failures, enforce rate limits, respond to incidents.
- To communicate with you — transactional emails (sign-in, alerts you've subscribed to). We do not send marketing email without your opt-in.
We do not use your workspace content for marketing, ad targeting, or product analytics across customers.
3. AI processing & model training
CrossLayer uses third-party large language models (currently Anthropic Claude) to extract structured skills from your unstructured conversations.
- Per Anthropic's Commercial Terms, content sent via their API is not used to train Anthropic's models.
- Anthropic retains API inputs and outputs for up to 30 days for trust & safety review, after which they are deleted.
- We do not train our own models on customer content. We do not pool customer content across workspaces.
Full list of subprocessors: crosslayer.ai/subprocessors.
4. Data sharing
We do not sell, rent, or trade personal information. We disclose data only to:
- Subprocessors listed at /subprocessors who provide hosting, authentication, and AI inference under written data-protection agreements.
- Law enforcement when compelled by a valid legal order; we will challenge overbroad requests and notify you unless legally prohibited.
- A successor entity in a merger, acquisition, or asset sale, with notice to you.
5. International transfers
Our infrastructure currently runs in the United States. If you are accessing the Service from the EU/UK we rely on Standard Contractual Clauses (SCCs) for cross-border transfers. EU/UK users may request a copy of our SCC addendum by emailing privacy@crosslayer.ai.
6. Retention
| Data category | Retention |
|---|---|
| Account profile | Lifetime of account + 30 days after deletion request |
| Workspace content (BCL nodes, audit log) | Until you delete it; bulk deleted within 30 days of account closure |
| OAuth refresh tokens | Encrypted at rest; revoked immediately on disconnect |
| Operational logs | 30 days, then auto-purged |
| Backups | Encrypted, rotated every 7 days, fully overwritten within 35 days |
7. Your rights
Depending on your jurisdiction (including GDPR for EU/UK residents and CCPA/CPRA for California residents) you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your data ("right to be forgotten")
- Export your data in a machine-readable format
- Object to or restrict certain processing
- Withdraw consent at any time
- Lodge a complaint with a supervisory authority
To exercise any right, email privacy@crosslayer.ai. We respond within 30 days.
8. Security
OAuth tokens are encrypted at rest with NaCl sealed boxes (Curve25519). All traffic uses TLS 1.2+. Each customer's data is scoped by a tenant_id enforced at the database layer and re-validated in application middleware. See /security for full controls.
9. Cookies
We use one HttpOnly, Secure, SameSite=Lax session cookie to keep you signed in. We do not use analytics, advertising, or tracking cookies, so there is no cookie banner to dismiss.
10. Children
The Service is not directed to children under 16. We do not knowingly collect data from children.
11. Changes to this policy
If we make material changes we will notify you in-app and by email at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent revision.
12. Contact
Questions, complaints, or data requests: privacy@crosslayer.ai.
CrossLayer, Inc.
Delaware, United States