Privacy Policy
Your privacy and security are important to Crystal Project, Inc. (“Crystal”). As a result, we have developed strict internal processes to maintain your data in a secure environment.
For purposes of this Privacy Policy, “Personal Data” means any information relating to an identified or identifiable natural person including name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, cultural or social identity of that natural person. Personal Data may include Sensitive Information; and “Subscription Service” means the particular edition and elements of Crystal Project's Crystal applications, tools and platform subscribed to by Customer under an Order Form, and developed, operated, and maintained by Crystal Project, accessible via www.crystalknows.com or another designated URL, and any ancillary online or offline products and services provided to Customer by Crystal Project, to which Customer is being granted access pursuant to this Agreement and an Order Form. The Subscription Service includes the Crystal Project Content, and does not include training services, consulting services, and Third-Party Products. All other terms used in this Privacy Policy that are not otherwise defined in this Privacy Policy have the meanings ascribed to them in the Terms of Service (available here: https://www.crystalknows.com/tos).
Crystal is a platform where people can fill out personality tests and share their personality profile. We also offer tools that analyze public data to provide personality predictions, based on the person's writing style, job experience, and other publicly available data.
The purpose of this Privacy Policy is to explain (1) what data we collect from you, (2) how we collect, use, process, store, and share your data, and (3) who we share your data with.
We collect and use the following information to provide, improve and protect our Services:
We may collect, and associate with your account, information like your name, email address, phone number, and billing and payment information.
When you use Crystal and the Subscription Services, you may grant us access to third-party applications like Gmail or LinkedIn (such applications, the “Connected Accounts”). We query, store, process, and transmit information related to your Connected Accounts in connection with providing the Subscription Services. If you decide to connect your Google Calendar or Outlook Calendar to receive meeting insights, you grant Crystal permission to read your calendar events for the purpose of generating one-time or recurring meeting reports, with personalized insights for communicating effectively with each attendee. We do not store past meetings on our servers.
We collect information from and about the devices you use to access the Subscription Services. This includes things like IP addresses, the type of browser and device you use, the languages used by your browser or device, the web page you visited before coming to our sites, and identifiers associated with your devices, such as location. Your devices (depending on their settings) may also transmit location information to the Subscription Services. Most mobile devices allow you to turn off location services.
We use cookies and similar technology to automatically collect data from you to provide, improve, protect and promote our Subscription Services. For example, cookies help us with things like remembering your username for your next visit, understanding how you are interacting with our Subscription Services, and improving them based on that information. You can set your browser to not accept cookies, but this may limit your ability to use the Subscription Services.
The Subscription Services may allow you to connect and share your actions, comments, contacts, and information publicly with friends, relatives, and members of your professional network. Please be mindful of your personal privacy needs and the privacy needs of others as you choose whom to connect with and what to share and make public. We cannot control the privacy or security of information you choose to make public or share with others. Please contact those sites and services directly if you want to learn about their privacy practices.
Additionally, certain Subscription Services utilize publicly available sources of information to provide assumptions and determinations about third parties. Because certain of our Subscription Services provide predictive insights to Customers or Users about third parties who may be unaware that our Subscription Service is analyzing publicly available information about them, it is of utmost importance that we take appropriate measures to protect such third parties’ rights and freedoms. To that end, we ensure that our Services only utilize information that such third party has made publicly available and for which such third party does not have a reasonable expectation of privacy, that only information is stored that is necessary to provide the Subscription Services to our Customers and Users, and that only our assumptions and determinations based on that data, as opposed to the specific data itself, are disclosed to our Customers and Users.
If you delete your Crystal account, we will delete all of your personal information and private data. Please note: (1) there might be some latency in deleting this information from our servers and back-up storage; and (2) we may retain this information if necessary to comply with our legal obligations, resolve disputes, or enforce our agreements. You have the right to request, at any time, Crystal to delete, update, change, or alter your Crystal account and any other information Crystal may have collected from or about you. To delete, update, change, or alter your account or any information that Crystal may have collected from or about you, contact us at [email protected].
We use your data collected through the Subscription Services for the purposes described in this Privacy Policy. For example, we may use your data to:
By providing your mobile phone number and/or email address, you expressly consent to receive direct dial calls, autodialed and prerecorded calls, text messages, and/or email messages from us regarding our products and services.
We employ appropriate technical and organizational measures to help protect your Personal Data and any other information that Crystal collects from or about you. We have team members dedicated to keeping your information secure and testing for vulnerabilities. We also continue to work on features to keep your information safe. However, while we attempt to protect all information you send to us and we maintain to provide Crystal and the Subscription Services to you, please note that no connection through the Internet and data storage facilities are entirely immune from unauthorized hacking and access, and so you should use Crystal and the Subscription Services with discretion. You can help us by protecting your username and password and using Crystal and the Subscription Services only through secure networks.
Your private data will be kept secure and private as detailed above. It may need to be processed by other people or for third party purposes. We will only share such information for the following purposes.
For quality and technical support purposes, select Crystal employees may review your data. These employees will access your information only to perform tasks on behalf of and in compliance with this Privacy Policy. Crystal employees with access to your data are bound to Crystal by obligations of confidentiality sufficient to ensure compliance with the requirements set forth in this Privacy Policy.
Crystal uses trusted third party cloud service providers to help us provide, improve, protect, and promote our Subscription Services (for example, Google Analytics uses cookies to help us understand how users interact with crystalknows.com). These third parties will access your information only to perform tasks on our behalf and in compliance with this Privacy Policy.
To use certain Subscription Services, we may require credit or debit card account information. By submitting your credit or debit card account information through the Subscription Services, you expressly consent to the sharing of such information with third-party payment processors for the sole purpose of billing you for the Subscription Services.
We may disclose your information to third parties if we determine that such disclosure is reasonably necessary to (a) comply with the law; (b) protect any person from death or serious bodily injury; (c) prevent fraud or abuse of Crystal or our users; or (d) protect Crystal’s property rights.
If we are involved in a reorganization, merger, acquisition or sale of our assets, your information may be transferred as part of that deal. We will notify you (for example, via a message to the email address associated with your account) of any such deal and outline your choices in that event. We may revise this Privacy Policy from time to time, and will post the most current version on our website. If a revision meaningfully reduces your rights, we will notify you. We will comply with applicable laws and regulations to the extent changes to this Privacy Policy require your consent.
This is the Privacy Policy of Crystal Project, Inc. incorporated in Oregon, United States of America and having its principal place of business at 9450 SW Gemini Dr PMB 72836, Beaverton 97008, Oregon and any entity which directly or indirectly controls, is controlled by, or is under common control with Crystal Project, Inc.
Purpose of this Privacy Policy
The Privacy Policy will inform you as to how we look after your Personal Data and tell you about your privacy rights and how the law protects you. Please also use the Glossary to understand the meaning of some of the terms used in this Privacy Policy.
It is important that you read this Privacy Policy together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing Personal Data about you so that you are fully aware of how and why we are using your Personal Data. This Privacy Policy supplements the other notices and is not intended to override them.
This Privacy Policy applies if you are a resident in the UK or Europe and we are acting as a controller of your Personal Data as determined by the EU & UK Data Protection Legislation.
Controllers determine how and why Personal Data is processed, whereas processors process Personal Data on behalf of, and under the instructions of, the controller. In most instances, our Customers are controllers of the Personal Data processed by our Crystal platform for assessments and predictions and we act as a processor on behalf of our Customers in providing the Subscription Services. When we collect and use your Personal Data in the ways set out in this Privacy Policy, we are the controller.
If you have any queries in relation to this Privacy Policy or how we use your Personal Data then please feel free to contact us at: [email protected].
The General Section (section 2) of the Privacy Policy applies to the use of all Personal Data processed by us in our capacity as a controller. There are then specific section(s) (sections 3 to 7) that will or will not apply to you depending on how you interact with us. Please read the relevant sections that apply to you:
• Section 3: Customer Section: When our Customers are individuals (rather than corporate bodies).
• Section 4: User Section: If you have a User account for Crystal.
• Section 5: Personality Profile Section: If Crystal Project has collected a personality profile for you via the Crystal platform for its own purposes.
• Section 6: Website Section: If you visit our website and/or contact us through our website.
• Section 7: Marketing Section: If you receive marketing communications or updates from us.
References to Personal Data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
controller, processor, data subject, supervisory authority and processing and appropriate technical and organisational measures have the meanings given to them in the EU & UK Data Protection Legislation.
EU & UK Data Protection Legislation means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("GDPR") and (ii) the United Kingdom’s Data Protection Act 2018 and the GDPR as it forms part of the law of the United Kingdom (“UK GDPR”), including by virtue of Section 3 of the European Union (Withdrawal) Act 2018, as any of the foregoing may be amended from time to time.
All other terms used in this Privacy Policy that are not otherwise defined in this Privacy Policy have the meanings ascribed to them in the Terms of Service (available here: https://www.crystalknows.com/tos).
Changes to this Privacy Policy
We may update this Privacy Policy from time to time. It was last updated in December 2022. We may revise this Privacy Policy at any time by amending this page. You are expected to visit this page from time to time to note any changes we make, as they affect you.
Under certain circumstances, you have rights in relation to your Personal Data under the EU & UK Data Protection Legislation.
You have the right to:
• Request access to your Personal Data (commonly known as a "data subject access request"). This enables you to receive a copy of Personal Data we hold about you and to check that we are lawfully processing it.
• Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
• Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your Personal Data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
• Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your Personal Data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
• Request restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of your Personal Data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
• Request the transfer of your Personal Data to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
• Withdraw consent at any time where we are relying on consent to process your Personal Data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
If you wish to exercise any of the rights set out above, please contact us at [email protected].
You will not usually have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive or if you ask for multiple copies of your Personal Data. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
You have the right to make a complaint at any time to your relevant supervisory authority. We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority so please contact us in the first instance.
We share your Personal Data with others in certain circumstances as detailed below.
We contract with third party service providers and suppliers to deliver certain services, for example third party payment processors, hosting providers, digital marketing providers, etc. We only permit them to process your Personal Data for specified purposes and in accordance with our instructions. Our service providers change from time to time. If you require any further information on our service providers, you may request this by contacting us, subject to our obligations of confidentiality.
We will also provide your Personal Data to third parties where there is a legal obligation to do so, for example to regulators, government departments, law enforcement authorities, tax authorities and any relevant dispute resolution body or the courts.
We may also provide your Personal Data to third parties to whom we may consider or choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them.
We will provide information about you to any other person who is authorised to act on your behalf.
We will only retain Personal Data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of the Personal Data, the purposes for which we process the Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise Personal Data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
Where applicable, we have discussed specific retention periods under the specific sections.
We may transfer data outside the UK or the EEA. Crystal Project is a US based entity and currently uses data centers that are based outside the UK and the EEA and are located in the US. We will take reasonable steps to ensure that the transfer is to a country covered by a decision of the European Commission or the UK Information Commissioner or is otherwise made in circumstances where we have put appropriate safeguards in place to protect your Personal Data in accordance with the EU & UK Data Protection Legislation.
We employ appropriate technical and organizational measures to help protect your Personal Data. We have team members dedicated to keeping your information secure and testing for vulnerabilities. We also continue to work on features to keep your information safe. However, while we attempt to protect all Personal Data, please note that no connection through the Internet and data storage facilities are entirely immune from unauthorized hacking and access, and so you should use Crystal and the Subscription Services with discretion. You can help us by protecting your username and password and using Crystal and the Subscription Services only through secure networks.
We will only use your Personal Data when the law allows us to. Most commonly, we will use your Personal Data in the following circumstances:
• Where we need to perform the Agreement we are about to enter into or have entered into with you.
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
• Where we need to comply with a legal or regulatory obligation.
• Where you have consented to us using your Personal Data for specific purposes.
In the specific sections we have provided more information about the types of lawful basis that we will rely on to process your Personal Data.
We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your Personal Data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
The Crystal platform and our website are not intended for children and we do not knowingly collect Personal Data relating to children.
It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during your relationship with us.
Where we need to collect Personal Data by law, or under the terms of the Agreement and you fail to provide that Personal Data when requested, we may not be able to perform the Agreement we have or are trying to enter into with you.
In common with many other website operators, we may use standard technology called 'cookies' on our website and the Crystal platform. Cookies are small text files that are placed on your devices. They are widely used to make websites and platforms work, or work more efficiently, as well as to provide information to the owner of the platform.
Generally our cookies do not collect any information which identifies you and therefore the information collected is not deemed Personal Data. Our cookies do collect Personal Data in the following specific scenarios:
| Name of cookie | Purpose | Duration | Third party provider |
| --- | --- | --- | --- |
| Hubspot Tracking Pixel | User analytics | [e.g. how long the cookie sits on the users device] | HubSpot – the provider of our marketing automation system |
| Rudderstack Tracking Pixel | User analytics | [e.g. how long the cookie sits on the users device] | Rudderstack – the provider of our user analytics platform |
If you are a Customer of Crystal Project in your capacity as an individual, rather than a corporate body, please read this section. Information related to corporate Customers is not Personal Data and so this Privacy Policy does not apply to that type of Customer.
We generally collect Personal Data directly from our Customer.
In general terms, we use your Personal Data to allow us to perform the Subscription Services and to comply with the Agreement that we have with you.
| Purpose/Activity | Types of Personal Data | Lawful basis for processing including basis of legitimate interest |
| --- | --- | --- |
| To register you as a new Customer | Email address | Necessary for the performance of the Agreement that we have with you |
| Respond to your comments and questions and to provide customer service | Email address | (a) Necessary for the performance of the Agreement that we have with you (b) Necessary for our legitimate interests (to respond to enquiries) |
| To improve our Subscription Services, our applications, and other products and services | Email address | Necessary for our legitimate interest of improving our business |
| Correspond with you regarding the Subscription Services, including technical notices, updates, security alerts, and support and administrative messages (this is necessary to perform the Agreement that we have with you, or is in our and your legitimate interests to ensure that we have good communication regarding the Subscription Services) | Email address | (a) Necessary for the performance of the Agreement that we have with you (b) Necessary for our legitimate interests (to ensure that we have good communication regarding the Subscription Services) |
| Authenticate credit card or debit card account information | Credit card information | (a) Necessary for the performance of the Agreement that we have with you (b) Necessary for our legitimate interests (to recover debts due to us) |
| Protect, investigate, and deter against fraudulent, unauthorized | Email address | (a) Necessary for the performance of the Agreement that we have with you (b) Necessary for our legitimate interests (to identify fraud and to recover debts due to us) |
| When you use Crystal and the Subscription Services, you may grant us access to third-party applications like Gmail, Outlook or LinkedIn (such applications, the “Connected Accounts”). The Crystal platform does not have access to email content with Connected Accounts, and the only information that is transmitted from such Connected Accounts to Crystal Project is the email address of Users for authentication purposes as required to provide the Subscription Services. | Email address | (a) Necessary for the performance of the Agreement that we have with you (b) Necessary for our legitimate interests (authentication) |
If you have a User account for Crystal please read this section.
We generally collect Personal Data of Users directly from the User or indirectly from our Customer.
| Purpose/Activity | Type of Personal Data | Lawful basis for processing including basis of legitimate interest |
| --- | --- | --- |
| To allow us to manage and maintain User accounts | Email address | Necessary for our legitimate interests (and the legitimate interests of Users and Customers to ensure that User accounts are appropriately managed). |
| When you use Crystal and the Subscription Services, you may grant us access to third-party applications like Gmail, Outlook or LinkedIn (such applications, the “Connected Accounts”). The Crystal platform does not have access to email content with Connected Accounts, and the only information that is transmitted from such Connected Accounts to Crystal Project is the email address of Users for authentication purposes as required to provide the Subscription Services. The Crystal platform's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements. | Email address | Necessary for our legitimate interests (authentication) |
If you delete your Crystal User account, we will delete all of your Personal Data as stored on the account. Please note: (1) there might be some latency in deleting this information from our servers and back-up storage; and (2) we may retain this information if necessary to comply with our legal obligations, resolve disputes, or enforce our agreements.
To request that we delete, update, change, or alter your account or any information that Crystal may have collected from or about you, contact us at [email protected].
Please read this section if: (a) you are a User who has chosen to publicly publish their own ‘verified’ personality profiles, or (b) you have completed a personality assessment sent to you by a Crystal Project employee, or (c) Crystal Project has generated a personality prediction for you.
The Crystal platform allows our users to run personality assessments by sending email invitations and unique links to any third party selected by the user. The assessments generally only process Personal Data provided by the assessment respondents themselves apart from the email address or other identifier to which the assessment results are linked.
The Crystal platform also provides functionality for our users to generate personality predictions for individuals based on text analysis. The predictions mainly use and analyse Personal Data that is of a corporate, business or professional nature (e.g. the types of information available on a LinkedIn profile) rather than Personal Data that is of a sensitive nature or related to the prediction respondent’s private life outside of their profession, and only process Personal Data that is publicly available or uploaded by the user:
• Publicly available text samples - on websites with available text samples (including job titles, experiences, bios, etc), Crystal uses a predictive model to immediately generate a predicted profile without sending any of the text samples to Crystal platform servers. Crystal Project does not directly scrape or copy profiles from any website or social network.
• Uploaded Text Samples - users may upload a text sample in the form of a raw text or PDF file in order to generate a predicted profile. In this case, the text sample is sent to Crystal platform servers for back-end analysis, but none of the original text sample is.
• Sometimes we may supplement samples with Back End Data. Back End Data is aggregated and returned via API by providers like People Data Labs (https://docs.peopledatalabs.com/docs/data-sources) and CoreSignal (https://coresignal.com/data-sources). Our current provider used for data collection is People Data Labs. You can read more about People Data Labs’ data sourcing here: https://docs.peopledatalabs.com/docs/data-sources. The link explains that People Data Labs uses public data sources (e.g. open-sourced datasets, publicly available data, governmental public records) and validates the source and accuracy of all data before adding it to its data-sets.
| Purpose/Activity | Type of Personal Data | Lawful basis for processing including basis of legitimate interest |
| --- | --- | --- |
| Enhancing the skills and effectiveness of personnel and teams e.g. team collaboration, leadership development and talent acquisition | Personality profile. The detail in the personality profiles is a broadly described cohort by reference to a generic personality type with reference to 16 generic personality types. | Necessary for our legitimate interests (to enhance personnel and teams). |
| Enhancing sales, business opportunities and business growth through more effective marketing and customer success | Personality profile. The detail in the personality profiles is a broadly described cohort by reference to a generic personality type with reference to 16 generic personality types. | Necessary for our legitimate interests (to develop our business). |
| Enhancing other key business functions that rely on communication skills | Personality profile. The detail in the personality profiles is a broadly described cohort by reference to a generic personality type with reference to 16 generic personality types. | Necessary for our legitimate interests (to develop our business and increase communication effectiveness). |
For as long as the User retains their User account which holds the personality profile.
If you visit our website and/or contact us through our website then please read this section.
We generally collect Personal Data directly from the website user.
| Purpose/Activity | Type of Personal Data | Lawful basis for processing including basis of legitimate interest |
| --- | --- | --- |
| To respond to an enquiry made by you or your company | Your identity, your contact information and your query | Necessary for our legitimate interests (to respond to your enquiry) |
Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
If you interact with us as a Customer, User or enquirer via our website then you may receive marketing or advertising materials from us, our affiliates or our selected partners. This is necessary for our legitimate interest of marketing and growing our business or we may have obtained your consent.
We may form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).
You can ask us to stop sending you marketing messages by contacting us or by following any opt-out links on any marketing message sent to you.
Where you opt out of receiving these marketing messages, this will not apply to Personal Data provided to us as a result of a service purchase, service experience or other transactions.