Privacy Policy

Last Updated: April 27, 2026

1. Introduction

This Privacy Policy describes how CREA (Contract Research & Evidence Assistant) collects, uses, and protects information when you use our grievance research service. We are committed to protecting your privacy and handling your data responsibly.

2. Information We Collect

2.1 Query Data

When you use CREA, we process the workplace situation descriptions you submit. This may include details about your employment situation, supervisors, workplace incidents, and other information you choose to provide.

2.2 Account Data

When you create an account, we collect your email address and your union affiliation (NALC, APWU, NPMHU, or NRLCA). Your union affiliation is used to tailor search results to your craft's governing documents and arbitration cases.

2.3 Technical Data

We automatically collect certain technical information, including:

  • IP address (for rate limiting and security purposes)
  • Browser type and version
  • Device information
  • Timestamp of requests
  • Pages visited and features used

2.4 Session Data

We use session cookies to maintain your browsing session and provide CSRF (Cross-Site Request Forgery) protection. These cookies are temporary and expire when you close your browser.

2.5 File Uploads

When you attach files (PDFs or images) to a query, the file content is processed in the same flow as your query text. See Section 4.1 below for how uploaded content is handled by third-party AI language model service providers.

3. How We Use Your Information

We use the information we collect to:

  • Process your queries and generate research results
  • Improve the accuracy and relevance of our search results
  • Maintain security and prevent abuse of the service
  • Enforce rate limits to ensure fair access for all users
  • Debug issues and improve service performance

4. Third-Party Data Sharing

4.1 AI Processing

A current list of subprocessors is available upon request.

Your queries are processed using third-party AI language model service providers. When you submit a query, the text of your workplace situation description is sent to these providers' servers for analysis. These providers do not use data submitted through their API to train their AI models. They may retain API inputs and outputs for up to 30 days for trust and safety purposes, after which they are deleted. They process data in accordance with their privacy policies and applicable data protection regulations.

File Uploads. When you attach files (PDFs or images) to a query, the file content is briefly stored in temporary memory cache (no longer than 5 minutes) during request handling and then sent to third-party AI language model service providers for analysis as part of your query. Files are not retained in our cache after that 5-minute window and are processed under the same data protection terms as your query text. We recommend redacting names, employee IDs, addresses, and other personal identifiers before uploading — the substantive facts of the situation are what CREA needs, not who's involved. Do not upload files containing personal information about third parties unless you have authorization to share that information.

4.2 No Sale of Data

We do not sell, rent, or trade your personal information to third parties. We do not use your query data for advertising purposes.

4.3 Legal Requirements

We may disclose information if required by law, court order, or government regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

5. Data Retention

Query Data: By default, we do not permanently store the content of your queries. Query data is processed in memory and discarded after generating results. Server logs containing technical data may be retained for up to 30 days for security and debugging purposes.

Rate Limiting Data: IP addresses used for rate limiting are stored temporarily in memory and cleared when the server restarts.

6. Cookies

CREA uses the following types of cookies:

  • Session Cookies: Essential for the service to function. These maintain your session and expire when you close your browser.
  • CSRF Tokens: Security cookies that protect against cross-site request forgery attacks.

Google Analytics

We use Google Analytics to understand how visitors interact with our website. Google Analytics collects information such as how often users visit the site, what pages they visit, and what other sites they used prior to coming to our site. We use this information to improve our service. Google Analytics collects the IP address assigned to you on the date you visit the site, but not your name or other identifying information. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

7. Data Security

We implement appropriate technical and organizational measures to protect your information, including:

  • HTTPS encryption for all data transmission
  • CSRF protection on all forms
  • Rate limiting to prevent abuse
  • Security headers to prevent common web attacks
  • Regular security updates and monitoring

However, no method of transmission over the Internet is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access information we hold about you
  • Request correction of inaccurate information
  • Request deletion of your information
  • Object to processing of your information
  • Request data portability

Since we do not permanently store query content, most data rights requests can be satisfied by simply not using the service. For technical data inquiries, please contact us at support@crearesearch.com.

9. California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights regarding your personal information:

  • Right to Know: You have the right to request that we disclose what personal information we collect, use, disclose, and sell about you.
  • Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
  • Right to Opt-Out of Sale: You have the right to opt-out of the sale of your personal information. We do not sell your personal information.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

How to Exercise Your Rights: To exercise any of these rights, please contact us at support@crearesearch.com. We will verify your identity before processing your request.

10. EU/EEA Residents (GDPR)

If you are located in the European Union or European Economic Area, the General Data Protection Regulation (GDPR) provides you with specific rights:

Legal Basis for Processing

We process your personal data on the following legal bases:

  • Contract Performance: Processing necessary to provide the CREA service you have subscribed to.
  • Legitimate Interest: Processing for security, fraud prevention, and service improvement.
  • Consent: Where you have given explicit consent (e.g., marketing communications).

Data Retention

We retain your account information for as long as your account is active. Technical logs are retained for up to 30 days. Query content is not permanently stored.

Your GDPR Rights

  • Right of Access: Request a copy of your personal data.
  • Right to Rectification: Request correction of inaccurate data.
  • Right to Erasure: Request deletion of your data ("right to be forgotten").
  • Right to Restrict Processing: Request limited processing of your data.
  • Right to Data Portability: Request your data in a portable format.
  • Right to Object: Object to processing based on legitimate interests.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.

Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence if you believe our processing of your personal data violates the GDPR.

How to Exercise Your Rights: To exercise any of these rights, please contact us at support@crearesearch.com.

11. Children's Privacy

CREA is not intended for use by individuals under 18 years of age. We do not knowingly collect information from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of significant changes by posting a notice on the service. Your continued use of CREA after changes are posted constitutes acceptance of the updated policy.

13. Contact Information

For questions about this Privacy Policy or our data practices, please contact us at support@crearesearch.com.

Summary: CREA processes your queries (and any files you attach) to provide research results. We send query text and uploaded file content to third-party AI language model service providers for analysis. Uploaded files are temporarily cached for up to 5 minutes during request handling and not retained thereafter. We don't permanently store your queries or sell your data. We use minimal cookies for security purposes only.

Back to Home