Privacy Policy
Last updated: 29 June 2026
Who we are
Craeft ("Craeft", "we", "us") provides online courses that help people learn to use AI confidently. This policy explains what personal data we collect, why, and what rights you have.
For the purposes of UK data protection law (the UK GDPR and the Data Protection Act 2018), the data controller is Will Larkin, operating as Craeft (craeft.ai), an individual based in the United Kingdom.
Contact for any privacy question or request: privacy@craeft.ai
The information we collect
1. Account information — your email address, given when you sign up. We use a "magic link" login, so we don't store a password.
2. Your course activity
- Your progress through units and exercises.
- The text you type into exercises and any reflections you write.
- The multiple-choice answers you give, including the "what would help you most next" choices.
3. Health-related information (special category data) One optional exercise path ("Take care of yourself") invites you to describe things like sleep, stress or energy. Providing this is entirely optional, and where you do, we rely on your explicit consent to process it solely to generate your AI feedback in that exercise. We do not use it to make decisions about you, and you can delete it at any time.
4. Technical information — standard information your browser sends (such as IP address, device and browser type) to keep the service secure and working. Any analytics we use is privacy-friendly and does not identify you personally or use tracking cookies.
We collect all of this directly from you. We do not buy personal data or collect it from other sources.
Why we use your data, and our legal basis
| What we do | Why | Legal basis (UK GDPR) |
|---|---|---|
| Create and run your account; deliver the course | To provide the service you signed up for | Performance of a contract |
| Generate AI feedback on what you write | Core part of the course | Performance of a contract |
| Process health-related text you choose to enter | To give you feedback in that exercise | Explicit consent (Article 9) |
| Improve the course using aggregated, non-identifying patterns | To make Craeft better | Legitimate interests |
| Send you marketing about new Craeft courses | Only if you opt in | Consent |
| Keep the service secure | To protect you and us | Legitimate interests |
You can withdraw any consent at any time without affecting processing already carried out.
Who we share it with (our processors)
We don't sell your data. We use a small number of trusted suppliers, each acting as our processor under a data processing agreement:
- Supabase — database and login, hosted in the EU (West).
- Anthropic — provides the AI that generates your feedback; the text you submit in an exercise is sent to Anthropic's API to produce a response.
- Vercel — website hosting.
- Resend — sends your login and (if you opt in) marketing emails.
- Cloudflare — domain and email routing.
We may also share data if required by law.
Where your data is processed (international transfers)
Your account and course data are stored in the EU. Some suppliers (for example Anthropic and Vercel) are based in the United States, so some data may be processed outside the UK/EU. Where that happens, we rely on appropriate safeguards — Standard Contractual Clauses and the UK Addendum — which each of these suppliers provides as part of their data processing terms, to protect your data to UK standards.
How long we keep it
- Account and progress data: for as long as your account is active, then deleted within 6 months of you closing it or asking us to delete it.
- Exercise text and reflections: kept while your account is active; you can delete them sooner on request.
- Marketing consent records: kept while you're subscribed and for a reasonable period afterwards to evidence your choices.
Your rights
Under UK GDPR you can ask us to: give you a copy of your data; correct it; delete it; restrict or object to how we use it; give you a portable copy; or withdraw consent at any time.
To use any of these, email privacy@craeft.ai. We'll respond within one month. If you're unhappy with how we handle your data, you can complain to the Information Commissioner's Office (ICO) at ico.org.uk — though we'd appreciate the chance to put things right first.
Security
We use reputable providers with encryption in transit and at rest, restricted access, and a passwordless login to reduce risk. No system is perfectly secure, but we take protecting your data seriously.
Children
Craeft is intended for adults and is not directed at anyone under 18. We do not knowingly collect data from children.
Changes to this policy
If we make significant changes, we'll update this page and, where appropriate, let you know by email. This version is dated at the top.
Contact
Any questions: privacy@craeft.ai