This Privacy Policy describes how Kaldr Business Group LLC ("CraneOp," "we," "us," or "our") collects, uses, stores, and protects information when you visit craneop.net (the "Site"), interact with the Leah chat widget, or use the CraneOp software service (the "Service"). We wrote this in plain English. If anything here is unclear, email privacy@craneop.net and we will explain.
Who We Are
CraneOp is a software product owned and operated by Kaldr Business Group LLC, a Texas limited liability company. Our office address and registered agent information are available on request through privacy@craneop.net.
We are the data controller for information you provide to us through the Site, the Leah chat, our forms, and the Service.
What We Collect
We collect three categories of information: information you give us, information we collect automatically, and information from third parties.
Information you give us
When you fill out a form, sign up for a trial, contact us, or talk to Leah, you may give us information like your name, your company name, your email address, your phone number, your job title, your fleet size, your geographic service area, the software you currently use, and the problems you want to solve. You give this information voluntarily. We use it to qualify you as a prospect, respond to your inquiry, set up your account if you sign up, and follow up on your behalf when appropriate.
When you sign up for the Service, you provide additional information like a billing address, a payment method (processed and stored by our payment processor Stripe; we do not store full card numbers), and any company details required for account setup (state of operation, NCCCO certifications, OSHA history if you choose to upload it). We use this information to deliver the Service, charge you, fulfill compliance and lien obligations on your behalf, and respond to inquiries.
Information we collect automatically
When you visit the Site, we collect technical information automatically. This includes your IP address (which we hash with SHA-256 before storage so the raw address is not retained), your approximate geographic location derived from your IP (country, region, city, postal code), the browser and operating system you use, the screen resolution and language settings of your device, the referring URL that brought you to the Site, any UTM parameters in the link you followed, the pages you visit on the Site, the time you spend on each page (active time versus idle time), how far you scroll on each page, which sections of each page you read longest, which buttons and links you click, and which calls to action you engage with. We attach this information to two browser-stored identifiers: a long-lived visitor token (kept for up to 365 days) that helps us recognize returning visitors, and a session token that rotates after thirty minutes of inactivity.
This is first-party analytics. We do not use Google Analytics. We do not use Hotjar. We do not use Segment. We do not use Facebook Pixel. No third-party advertising tracker runs on craneop.net. All of this information lives in our own Supabase database. We own it. We do not sell it. We do not share it with advertisers. We do not share it with data brokers.
We also collect the full text of any conversation you have with the Leah chat widget on the Site. We use this to follow up on your inquiry, improve Leah's responses, and review whether Leah is meeting our quality standards. We disclose this collection in the chat widget interface before you send your first message. If you choose not to chat with Leah, no chat data is collected.
Information from third parties
When you sign up for the Service, our payment processor Stripe verifies your card information and shares with us metadata about the transaction (the card brand, the last four digits, the issuing country, a risk score). We use this for fraud prevention and chargeback defense. Stripe's own privacy policy governs how they handle your card data.
When you connect your business phone number for the 24/7 Receptionist feature, our telephony provider Twilio handles the call routing and provides us call metadata (caller phone number, call duration, recording if you have opted in to recording). Twilio's privacy policy governs how they handle telephony data.
When you authorize ACH payments through the Service, our banking provider Modern Treasury handles the bank account verification and transaction processing. Modern Treasury's privacy policy governs how they handle banking data.
How We Use Your Information
We use information for the following purposes only.
To respond to your inquiries, qualify you as a prospect, schedule walkthroughs, send you the materials you request, and follow up when you indicate interest. To deliver the Service to you, including dispatching, invoicing, compliance management, lien filing, voice receptionist, and every other feature you use. To charge you for the Service, send you receipts, respond to billing questions, process refunds where applicable, and defend against payment disputes. To monitor and improve the Service, including by reviewing chat conversations with Leah to ensure response quality, by analyzing visitor behavior to improve the Site, and by aggregating usage data to make product decisions. To send you product updates, security notices, feature announcements, and other transactional emails related to your account. We will send you marketing emails only if you opt in. To detect, investigate, and prevent fraud, abuse, and violations of our Terms of Service. To comply with our legal obligations, including responding to lawful subpoenas, court orders, and regulatory requests.
We do not use your information for any purpose beyond these. We do not train AI models on your private data. We do not share your information with competitors. We do not allow third parties to advertise to you on our Site.
How We Share Your Information
We share information only in the limited circumstances described below.
With service providers who help us run the Service: Supabase (database hosting), Vercel (web hosting), Stripe (payment processing), Twilio (telephony and SMS), Modern Treasury (banking and ACH), Resend (transactional email), Cloudflare (DDoS protection and bot detection), Anthropic (the Claude API that powers Leah's natural language responses), Hookdeck (webhook routing). Each of these providers receives only the information necessary to perform its function. Each is bound by a data processing agreement requiring them to protect your information.
With law enforcement, regulators, or courts when we are required by law to do so, when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of CraneOp, our users, or others, or when we are responding to a valid subpoena or court order.
In connection with a business transfer, such as a merger, acquisition, financing, or sale of assets. We will give you advance notice if your information is transferred and you have rights regarding its future use.
We do not sell your information. We do not rent your information. We do not share it with marketing partners.
Data Retention
We keep information for as long as we need it for the purposes described in this policy, then we delete it.
For prospective customers who chat with Leah but never give us an email address or sign up, we retain chat and analytics data for ninety days, then delete it automatically.
For prospective customers who give us an email address through Leah or a contact form, we retain the lead record indefinitely until you ask us to delete it. Chat conversations attached to identified leads are retained as part of the lead record.
For active customers, we retain account data for as long as you have an account, plus seven years after account closure for tax, legal, and audit purposes.
For payment records and financial transactions, we retain records for seven years per US tax requirements.
For audit logs and security events, we retain records for at least two years.
You can request earlier deletion at any time by emailing privacy@craneop.net. We will honor the request unless we are legally required to retain the information longer (for example, an open dispute or an active legal hold).
Your Rights
Depending on where you live, you may have specific rights about your information. We honor the following rights for all users, regardless of jurisdiction.
You can request a copy of the information we hold about you. Email privacy@craneop.net with the subject line "Data Access Request." We will respond within thirty days.
You can request correction of inaccurate information. Email privacy@craneop.net or update your account directly through the Service.
You can request deletion of your information. Email privacy@craneop.net with the subject line "Data Deletion Request." We will delete your information within thirty days unless we are legally required to retain it.
You can request an export of your information in a portable format (JSON or CSV). Email privacy@craneop.net with the subject line "Data Export Request."
You can opt out of marketing emails at any time using the unsubscribe link in any email we send you, or by emailing privacy@craneop.net. This does not affect transactional emails related to your account (receipts, security notices, etc.).
You can opt out of cookies and analytics tracking through the cookie banner shown on your first visit to the Site, or by clearing your browser's local storage at any time. Note that some Site features require cookies to function (the chat widget, for example, uses local storage to remember your session).
California residents have additional rights under the California Consumer Privacy Act. EU residents have additional rights under the General Data Protection Regulation. We honor these rights as described in this policy. To exercise jurisdiction-specific rights, email privacy@craneop.net.
Cookies and Similar Technologies
We use the browser's local storage and cookies for two purposes.
Strictly necessary storage: We store a session token in local storage to keep you logged in and to maintain your chat conversation with Leah across page loads. This is required for the Site and Service to function. We do not ask consent for strictly necessary storage.
Analytics storage: We store a visitor token and session token in local storage to track your behavior across the Site as described in the "Information we collect automatically" section above. This is governed by your cookie consent choice. You can decline this storage through the cookie banner. Declining will not break the Site. It will prevent us from tracking your visit, which means we cannot follow up with you based on what you read.
We do not use third-party tracking cookies. No advertising cookies are set by craneop.net.
Security
We protect your information with industry-standard security practices. Our security program is documented internally as the "Fort Knox" specification and covers infrastructure security, audit logging, fraud prevention, and incident response.
Every data table in our Supabase database has Row-Level Security enabled, restricting access to authorized accounts only. Service-level credentials (database keys, API keys, encryption keys) are stored in environment variables and rotated regularly. Every administrative action is logged to an immutable audit log with hash chaining. We require two-factor authentication for any account with administrative access. Webhooks from our partners are signed with HMAC and verified before processing. Our public forms use Cloudflare Turnstile to prevent automated abuse. We monitor for unusual login patterns, suspicious IP activity, and fraud signals from Stripe Radar.
No security system is perfect. If we discover a breach affecting your personal information, we will notify you within seventy-two hours by email and post a notice on the Site.
International Transfers
CraneOp operates from the United States. Our service providers may store and process data in the United States and other countries. If you are located outside the United States, your information will be transferred to the United States. We rely on standard contractual clauses and adequacy decisions where required for international transfers.
Children
The Service is intended for businesses. We do not knowingly collect information from anyone under the age of eighteen. If we discover that we have collected information from someone under eighteen, we will delete it. If you believe we have collected information from a minor, email privacy@craneop.net.
Third-Party Links
The Site and the Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. Read their privacy policies separately.
Changes to This Policy
We may update this policy from time to time. When we do, we will bump the version number at the top of this page, change the "Last updated" date, and notify registered customers by email. For substantial changes (changes to what we collect, how we use it, or who we share it with), we will give thirty days advance notice and require renewed consent.
Every version of this policy is archived. Email privacy@craneop.net to request a prior version.
Contact
For any privacy question, exercise of rights, or concern, contact us.
Email: privacy@craneop.net
Subject lines: "Data Access Request," "Data Deletion Request," "Data Export Request," or "Privacy Question."
Response time: within thirty days for rights requests, within five business days for general questions.
If you are not satisfied with our response, you may contact the regulator in your jurisdiction. EU residents may contact their national Data Protection Authority. California residents may contact the California Privacy Protection Agency. US residents in any state may contact their state Attorney General.
Governing Law
This policy is governed by the laws of the State of Texas, United States, without regard to its conflict-of-laws principles. Any disputes related to this policy are governed by the Terms of Service.
By using craneop.net or the CraneOp Service, you acknowledge that you have read and understood this Privacy Policy.