Legal
Effective May 11, 2026 · Last Updated May 11, 2026
This Privacy Policy describes how Gray Group International, operating as Crowd & Courage (“C&C,” “we,” “us,” or “our”), collects, uses, stores, and shares information when you use the Crowd & Courage platform. By using the Platform, you agree to the practices described here. Questions? Email privacy@crowdandcourage.com.
01 — What We Collect
Account and Identity Information
When you create an account: full name, email address, business name and type, US state of residence/operation, and username or profile handle.
Business Information
When you create a Courage Contract: your stated goal, contract parameters (goal amount or metric, deadline, stake amount, charity designation), and business category.
Payment Information
We do not store full payment card numbers, CVV codes, or other sensitive payment card data. All payment processing is handled by Stripe. When you add a payment method, it goes directly to Stripe's PCI-compliant infrastructure. We store only a tokenized reference from Stripe.
Business Data (Verification Only)
When you authorize outcome verification, we access your connected business data source (Stripe revenue data, QuickBooks financials, or other supported integrations) on a read-only basis. This access occurs only at or near your contract's verification deadline — not continuously. It is limited to the specific metric(s) required to evaluate your contract and is not stored in raw form beyond producing and recording the verdict.
Usage and Technical Data
We automatically collect limited technical data: browser type, device type, IP address, approximate location (country/state level), pages visited, features used, and session duration. This is used for security, performance monitoring, and understanding how the Platform is used.
Communications
If you contact us by email or support channels, we retain those communications to resolve your inquiry and improve our support.
02 — How We Use Your Information
03 — What We Do Not Do
We do not sell your personal information. Your data is not sold to data brokers, advertisers, or third parties for their commercial use.
We do not share with advertisers. We run no advertising program and do not share your data with ad networks.
We do not store full payment card data. Stripe handles this — see Section 4.
We do not continuously monitor your business accounts. We access your connected data source only at verification time, for the specific purpose of evaluating your contract.
We do not use your business data to train AI models without your explicit, separate consent.
04 — Third-Party Services
We use the following third-party services to operate the Platform:
Stripe, Inc.
Payment processing and escrow management
All staked funds are held by Stripe. We never handle raw payment credentials. Stripe is PCI DSS Level 1 compliant. Stripe also provides the read-only API integration used for revenue verification.
Stripe Privacy Policy ↗Vercel, Inc.
Platform hosting and infrastructure
Vercel hosts the Platform. All web traffic passes through Vercel's edge network, which may process IP addresses and request headers under Vercel's data processing agreement.
Vercel Privacy Policy ↗Vercel Analytics
Anonymous usage analytics
Aggregate page views, browser type, device type, and country-level location. No personally identifiable information is included in analytics data.
Intuit (QuickBooks)
Read-only financial data access at verification time
We query your QuickBooks account for a specific financial metric to verify your contract outcome. The raw API response is used to produce the verdict and then stored in summarized form only.
Intuit Privacy Statement ↗We do not use third-party advertising networks, social media pixels, or tracking tools beyond those listed above.
05 — Data Retention
| Data Type | Retention | Reason |
|---|---|---|
| Account information | Until deletion request | Account operation |
| Courage Contract records | 7 years from completion | Financial and audit obligations |
| Verification data (outcome summary) | 7 years from completion | Audit trail |
| Payment records | 7 years | Tax and accounting obligations |
| Usage/technical logs | 90 days | Security and debugging |
| Support communications | 3 years | Dispute resolution |
After the applicable retention period, data is deleted or anonymized. Anonymized data may be retained indefinitely for aggregate analysis (for example, understanding hit/miss rates by vertical).
06 — Your Rights
California Residents (CCPA)
Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, the purposes, and any third parties we have shared it with.
Right to Delete: Request deletion of your personal information, subject to legal retention obligations.
Right to Opt Out of Sale: We do not sell your personal information, so this right has no active application — but you may submit a request to confirm this in writing.
Right to Non-Discrimination: We will not discriminate against you for exercising these rights.
To exercise CCPA rights: email privacy@crowdandcourage.com with subject line “CCPA Request.” We respond within 45 days.
EEA / UK Residents (GDPR / UK GDPR)
Right of Access · Right to Rectification · Right to Erasure · Right to Portability · Right to Restrict Processing · Right to Object
Note: The Platform is currently available to US residents only (alpha period). If you are an EEA/UK resident who has accessed the Platform, contact privacy@crowdandcourage.com.
Our legal basis for processing: contract performance (for operating your Courage Contract), legitimate interests (security and platform improvement), and legal obligation (financial record retention).
All Users: Data Access and Deletion
Email privacy@crowdandcourage.com with “Data Request” in the subject line. We will verify your identity and respond within 30 days (45 days for CCPA). If you have an active Courage Contract, we cannot delete your account or contract records until the contract is completed.
07 — Cookies
| Type | Purpose | Opt Out? |
|---|---|---|
| Session cookies | Keep you logged in during your session | No — required for Platform function |
| Security cookies | CSRF protection and fraud prevention | No — required for security |
| Analytics cookies (Vercel) | Aggregate, anonymous usage statistics | Yes — via browser settings |
We do not use advertising cookies, social media tracking pixels, or third-party remarketing cookies. Blocking analytics cookies does not affect your ability to use the Platform.
08 — Security
Encryption in transit: All data transmitted between your browser and the Platform uses TLS (HTTPS).
Encryption at rest: Sensitive data is encrypted at rest in our database.
PCI compliance: Payment card data is never transmitted to or stored on our servers — it goes directly to Stripe, which is PCI DSS Level 1 certified.
Access controls: Access to production data is limited to personnel who need it, and all access is logged.
Incident response: We have procedures to detect, contain, and notify affected users of data breaches in accordance with applicable law.
If you believe you have discovered a security vulnerability, contact privacy@crowdandcourage.com immediately. No system is completely secure — we aim to minimize risk, not promise perfection.
09 — Children's Privacy
The Platform is not directed at anyone under 18. We do not knowingly collect personal information from minors. If you believe a minor has provided information to us, contact privacy@crowdandcourage.com and we will delete it.
10 — Changes to This Policy
We will provide at least 30 days' advance notice of material changes to this Privacy Policy — by email to the address on your account and/or by prominent notice on the Platform. Material changes include changes to what data we collect, how we use it, or who we share it with. Continued use of the Platform after the effective date constitutes acceptance of the revised policy.
11 — Contact
Privacy inquiries: privacy@crowdandcourage.com
Legal matters: legal@crowdandcourage.com
We aim to respond to all privacy inquiries within 5 business days.