Legal

Privacy Policy

How Crucible handles, secures, and retains your data.

Last updated December 30, 2025Previous version December 11, 2025

Overview

Crucible ("we," "our," or "us") is an AI-powered decision support platform operated by Roundtable Labs Pty Ltd (ABN 31 694 006 749). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our service. By using Crucible, you agree to the practices described in this policy. We are committed to protecting your privacy and handling your data with transparency and care.

We adhere to the Australian Privacy Principles contained in the Privacy Act 1988 (Cth) and, to the extent applicable to our users in the European Union, the EU General Data Protection Regulation (GDPR). We have designed this policy to meet the requirements of the strictest applicable privacy laws, which means compliance with GDPR standards covers users in Australia, the United States, and most other jurisdictions.

You may contact us in writing at: Roundtable Labs Pty Ltd, 81-83 Campbell Street, Surry Hills, New South Wales 2010, Australia, or via email at privacy@roundtablelabs.ai for further information about this Privacy Policy.

Information We Collect

We collect information necessary to provide and improve Crucible. This includes:

Account information: name, email address, organization name, and authentication credentials.
Session content: decision questions you submit, uploaded reference documents, and AI-generated outputs (Decision Briefs and Minutes).
Usage data: product analytics, feature usage, and interaction patterns to improve the service (can be disabled for enterprise accounts).
Payment information: processed securely through third-party payment processors (e.g., Stripe); we do not store full payment card details.
Support communications: messages, feedback, and support requests.
Technical data: IP addresses, browser type, device information, and log data.

How We Use Your Information

We use your information based on the following legal bases: (1) Contractual Necessity: to provide the services you requested. (2) Legitimate Interests: to improve our security, analytics, and product performance. (3) Consent: for marketing communications or optional cookies. (4) Legal Obligation: to comply with tax and accounting laws. Specifically, we use data to:

Deliver and operate Crucible, including processing your sessions and generating outputs.
Authenticate your account and manage your workspace.
Process payments and manage subscriptions.
Provide customer support and respond to inquiries.
Improve our service through aggregated, anonymized analytics.
Comply with legal obligations and enforce our terms.

We do not sell, rent, or trade your personal information to third parties for marketing or any other purposes.

AI & Model Providers - No Training Policy

Crucible uses third-party AI/LLM providers (e.g., OpenAI, Anthropic, Google) as data processors to generate session outputs. These providers have publicly committed in their own terms of service and privacy policies that they do not use API data to train their models. Specifically:

OpenAI: Commits in its API terms that data submitted via API is not used to train models.
Anthropic: States in its terms that API data is not used for training purposes.
Google (Gemini): Commits that API data is not used to train models.
Most providers we use have similar commitments in their terms and conditions.

We do not use your session content, inputs, or outputs to train our own models or any third-party models. Your data is used exclusively for inference (generating responses) during active sessions. However, please note that these no-training commitments are based on the providers' own terms and conditions, not separate contractual agreements between Roundtable Labs and the providers. Private Office customers can request dedicated, segregated inference endpoints for additional isolation.

Special Notice: DeepSeek Subprocessor - Data Residency

IMPORTANT: Crucible offers DeepSeek as an optional AI model provider for specialized reasoning tasks. DeepSeek operates infrastructure in China, which may involve data processing in jurisdictions with different data protection laws than your own.

Data Location: DeepSeek processes data through APIs that may route through China-based infrastructure, even when accessed from the United States. This means your session data may be subject to Chinese data protection laws (including PIPL).
Consent Required: By using DeepSeek-enabled features, you acknowledge and consent to your data being processed in China. If you do not consent to data processing in China, please avoid using DeepSeek or contact us to disable it for your account.
Enterprise Options: Enterprise customers with strict data residency requirements can request that DeepSeek be disabled for their workspace. Contact security@roundtablelabs.ai to configure model restrictions.
Alternative Models: You may select alternative AI providers (OpenAI, Anthropic, Google) that process data exclusively in the United States or other jurisdictions with adequacy decisions under GDPR.

DeepSeek is clearly marked in our interface with data residency warnings. For questions about data residency or to disable DeepSeek, contact privacy@roundtablelabs.ai.

Cookies & Analytics

We use cookies and similar technologies to:

Maintain your session and authentication state.
Analyze product usage through analytics tools (e.g., Google Analytics) to improve functionality and user experience.
Support essential service features.

You can control cookies through your browser settings. Enterprise accounts can request that product analytics be disabled. We do not use cookies for advertising or cross-site tracking.

International Data Transfers

Your data may be processed and stored in Australia, the United States, and other countries where our service providers operate. When we transfer personal data outside the European Economic Area (EEA), United Kingdom, or Australia, we ensure appropriate safeguards are in place as required by the GDPR and Australian Privacy Principles, including:

Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses to provide legal protection for data transfers from the EU/EEA to countries without an adequacy decision.
Processor agreements: All data processors are contractually bound to comply with applicable data protection laws and maintain appropriate security measures.
Adequacy decisions: Where the European Commission or relevant authority has determined a country provides adequate data protection, transfers may occur under that adequacy framework.
Binding Corporate Rules: Where applicable, binding corporate rules may be used for intra-group transfers.

By using Crucible, you consent to such international data transfers. A copy of the relevant Standard Contractual Clauses is available upon request by contacting privacy@roundtablelabs.ai.

Data Security

We implement industry-standard security measures to protect your data:

Encryption in transit using TLS 1.2+ for all data transmission.
Encryption at rest using AES-256 for stored data.
Access controls: user authentication is handled through OAuth, and all access to user resources requires verification. Production system access is restricted using role-based permissions and access controls.
Audit logging: all access to production systems is logged and monitored.
Security assessments: security documentation is available for enterprise review.

While no system is 100% secure, we continuously work to maintain and improve our security posture.

Data Retention & Deletion

We retain your data only as long as necessary to provide the service and comply with legal obligations:

Session history: Professional accounts retain session history for 24 months by default.
Account data: retained while your account is active and for a reasonable period after closure for legal and business purposes.
Backups: deleted data may remain in backups for up to 30 days before permanent erasure.

You may request deletion of individual sessions or your full account at any time by contacting support or privacy@roundtablelabs.ai. We will honor deletion requests within 30 days, subject to legal retention requirements.

Your Rights & Choices

Depending on your location, you may have the following rights regarding your personal data:

Access: request a copy of the personal data we hold about you.
Correction: update or correct inaccurate information.
Deletion: request deletion of your data (subject to legal requirements).
Portability: receive your data in a structured, machine-readable format.
Objection: object to certain processing activities.
Restriction: request restriction of processing in certain circumstances.
Withdraw consent: where processing is based on consent.
Opt-out: disable analytics for enterprise accounts.

To exercise these rights, contact privacy@roundtablelabs.ai. We respond to requests within 30 days (or as required by applicable law).

California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know: You have the right to request information about the categories and specific pieces of personal information we collect, use, disclose, and sell (if applicable).
Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
Right to Correct: You have the right to request correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
Right to Limit Use of Sensitive Personal Information: You have the right to limit our use of sensitive personal information (such as precise geolocation, racial/ethnic origin, etc.) to that which is necessary to provide the service.
Authorized Agent: You may designate an authorized agent to make requests on your behalf. We will require proof of authorization and may verify your identity directly.

To exercise your California privacy rights, contact privacy@roundtablelabs.ai or use our data request form. We will verify your identity before processing your request.

Children's Privacy

Crucible is not intended for individuals under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately at privacy@roundtablelabs.ai, and we will take steps to delete such information.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

Posting the updated policy on this page with a revised 'Last updated' date.
Sending an email notification to registered users for significant changes.
Displaying a notice within the service when appropriate.

Your continued use of Crucible after changes become effective constitutes acceptance of the updated policy. We encourage you to review this policy periodically.

Contact & Data Requests

For privacy questions, data requests, or concerns about how we handle your information, contact us at:

Email: privacy@roundtablelabs.ai. We respond to privacy inquiries and data subject requests within 7-30 business days, depending on the nature of the request and applicable legal requirements. For general inquiries, contact hello@roundtablelabs.ai. If you are located in the European Economic Area (EEA) or United Kingdom and have concerns about our data practices, you also have the right to lodge a complaint with your local data protection authority.