01 Who we are
Crown QMS is a quality management and compliance platform for small food and beverage manufacturers, operated by Crown Cocktail Co. Inc. (“Crown,” “we,” “us,” or “our”), incorporated in Ontario, Canada.
This Privacy Policy explains how we collect, use, store, and protect information when you use the Crown platform (the “Service”). It applies to all users of the Service, including account owners, administrators, and any individuals whose data is entered into the platform by a tenant organization.
02 What data we collect
Account and organizational data
When you register for Crown, we collect your name, email address, company name, and billing information. We also collect information about your facility, including address and any regulatory identifiers you choose to enter (e.g. CFIA licence number, FDA registration number).
Operational and manufacturing data
The core function of Crown is to store your manufacturing records. This includes batch records, lot codes, recipes and formulations, ingredient and supplier records, receiving logs, quality control results, deviation and corrective action records, sanitation and pest control program documents, training records, complaint logs, and recall plans. This data is entered by you and belongs to you.
Employee and personnel data
Training logs and other records within Crown may contain names and information about your employees or contractors. You are responsible for ensuring you have appropriate authority to enter this information into the platform on their behalf.
Usage data
We collect standard technical data about how you use the Service, including log data, IP addresses, browser type, pages visited, and feature usage. This is used to maintain and improve the platform.
Communications
If you contact us for support, we retain records of that correspondence.
03 How we use your data
We use the data we collect to:
- Provide, operate, and maintain the Crown platform
- Generate documents, reports, and records you request within the Service
- Compute lot codes, best-before dates, and other derived values based on your configured settings
- Send transactional communications (account confirmations, billing receipts, material service notices)
- Diagnose technical issues and improve platform performance
- Comply with legal obligations
We do not use your manufacturing or operational data to train machine learning models, build advertising profiles, or sell to third parties.
04 AI features and third-party processing
Crown's Pro tier includes AI-assisted document authoring features, including preventive control plan (PCP) generation. When you use these features, relevant portions of your operational data — which may include product names, process descriptions, hazard analysis inputs, and facility information — are transmitted to Anthropic, PBC for processing via their API.
Anthropic processes this data solely to generate the requested output and, under Anthropic's Commercial Terms, does not use API inputs to train their models. You can review Anthropic's privacy practices at anthropic.com/privacy.
By using AI features in Crown, you consent to this data being transmitted to Anthropic for processing. If your organization has restrictions on sharing operational data with third-party AI providers, you should not use AI features or should consult your compliance team before doing so.
05 Data sharing
We do not sell your data. We share data only in the following circumstances:
Service providers
We use the following third-party providers to operate Crown. Each processes data on our behalf under data processing agreements and is not permitted to use your data for their own purposes:
Legal requirements
We may disclose data if required by law, court order, or regulatory authority.
Business transfers
If Crown is acquired or merges with another entity, your data may transfer as part of that transaction. We will provide notice before this occurs.
06 Data retention
We retain your data for as long as your account is active. If you cancel your subscription, your data remains accessible for 30 days following cancellation, during which you may export it. After this period, your data is permanently deleted from our systems.
Some aggregated, anonymized usage data may be retained after deletion for platform improvement purposes. This data cannot be used to identify you or your organization.
07 Cookies and similar technologies
Crown uses cookies only where they are necessary to operate the Service.
Application
When you sign in, our authentication provider (Supabase) sets session cookies on your browser to keep you signed in across pages. These cookies are scoped to your Crown session and are not used to track you on other websites.
Marketing site
Our marketing pages (crownqms.com) use Google Analytics 4 to understand how visitors find and move through the site so we can improve it. This sets Google's analytics cookies and shares usage data (such as pages viewed, approximate location, and device type) with Google. IP addresses are anonymized, and we do not enable advertising features or use the data to build cross-site advertising profiles. You can review Google's practices at policies.google.com/privacy.
Analytics run on the marketing site only. The Crown application itself embeds no analytics, advertising, or social-media tracking cookies; signed-in sessions use only the necessary session cookie described above. You can block analytics cookies with your browser settings or an extension without affecting your ability to use the Service.
08 Your rights
Depending on your jurisdiction, you may have the right to access, correct, export, or request deletion of your personal data. To exercise these rights, contact us at privacy@crownqms.com.
Canada
Canadian users have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.
European Economic Area and United Kingdom
Users in the EEA or UK have rights under the General Data Protection Regulation (GDPR), including the right to access, rectify, erase, restrict, or port your personal data, and the right to lodge a complaint with a supervisory authority in your jurisdiction.
California
California residents have rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect and to request deletion.
We will respond to rights requests within 30 days.
09 Security
We implement industry-standard security measures including encryption in transit (TLS) and at rest, access controls, and multi-tenant data isolation. Each tenant's data is logically separated and inaccessible to other tenants.
No method of transmission over the internet is completely secure. We cannot guarantee absolute security, but we take our obligations seriously and will notify affected users in the event of a data breach as required by applicable law.
10 Changes to this policy
We may update this Privacy Policy from time to time as the Service evolves or as legal requirements change. If we make a material change — for example, expanding the categories of data we collect, adding a new subprocessor that handles your records, or changing how we use AI features — we will notify you by email at the address on your account and post a notice on this page at least 30 days before the change takes effect.
The “Last updated” date at the bottom of this page always reflects the current version. Continued use of the Service after the effective date of a revised policy constitutes acceptance of the changes. If you do not agree with a material change, you may cancel your account and export your data before the new policy takes effect (see Section 6 — Data Retention).
11 Contact
For privacy questions or rights requests:
Crown Cocktail Co. Inc.
4400 Montrose Rd, Unit 14
Niagara Falls, ON
privacy@crownqms.com