Legal

Privacy Policy

Effective May 26, 2026  ·  Last Updated May 26, 2026

This Privacy Policy describes how Gray Group International, operating as Crowd & Courage (“C&C,” “we,” “us,” or “our”), collects, uses, stores, and shares information when you use the Crowd & Courage platform. By using the Platform, you agree to the practices described here. Questions? Email privacy@crowdandcourage.com.

01 — What We Collect

Account and Identity Information

When you create an account: full name, email address, US state of residence, username or profile handle, and — where applicable — business name and type. We may collect identity verification information before activating an account or releasing a refund.

Goal and Contract Information

When you file a Courage Contract: your stated goal, contract parameters (goal amount or metric, deadline, stake amount, designated charity), category, and the resulting verdict (HIT or MISS).

Payment Information

We do not store full payment card numbers, CVV codes, or other sensitive payment card data. All payment processing — including the charge at filing and any refund — is handled by Stripe. When you add a payment method, it goes directly to Stripe's PCI-compliant infrastructure. We store only a tokenized reference from Stripe and a record of charge and refund amounts.

Consent Record

When you agree to our Terms and confirm the consent shown at filing, we record evidence of that consent: the version of the Terms and consent text you accepted, the date and time, your IP address, your browser or device user agent, and the associated contract ID. This record exists to prove that you knowingly agreed to the irrevocable, charge-now / refund-on-win / forfeit-on-miss terms, and it is retained as part of the financial record for the contract.

Verification Data

When you authorize outcome verification, we access only the data needed to evaluate your contract — for example, read-only access to a connected data source (Stripe revenue data, QuickBooks financials, or a similar integration), data from a wearable or service you connect, a public record, or information you submit for human review. This access occurs at or near your verification deadline — not continuously — and is limited to the specific metric(s) required. The raw response is used to produce the verdict and is retained only in summarized form afterward.

Usage and Technical Data

We automatically collect limited technical data: browser type, device type, IP address, approximate location (country/state level), pages visited, features used, and session duration. This is used for security, performance monitoring, and understanding how the Platform is used.

Communications

If you contact us by email or support channels, we retain those communications to resolve your inquiry and improve our support.

02 — How We Use Your Information

  • Create and manage your account, including identity verification and eligibility checks
  • Operate Courage Contracts — charging the stake at filing, tracking deadlines, issuing verdicts, refunding on a verified win, and disbursing forfeited stakes to your chosen charity
  • Verify outcomes by accessing your authorized verification source at verification time
  • Process payments and refunds through Stripe, and collect the origination fee
  • Maintain a consent record proving your agreement to the Terms for each contract
  • Send account communications — confirmations, contract status updates, verdict notifications, and security alerts. We do not send marketing emails without your separate consent.
  • Provide customer support and resolve disputes
  • Build de-identified, aggregate insights about goals and outcomes (such as the Courage Index) — never using data that identifies you without your separate consent
  • Improve the Platform by understanding usage patterns and diagnosing problems
  • Maintain legal compliance — retain records as required by law and enforce our Terms of Service

03 — What We Do Not Do

We do not sell your personal information. Your data is not sold to data brokers, advertisers, or third parties for their commercial use.

We do not share with advertisers. We run no advertising program and do not share your data with ad networks.

We do not store full payment card data. Stripe handles this — see Section 4.

We do not continuously monitor your accounts. We access your authorized verification source only at verification time, for the specific purpose of evaluating your contract.

We do not use personally identifiable data to train AI models without your explicit, separate consent. Aggregate, de-identified insights (such as the Courage Index) do not identify you.

04 — Third-Party Services

We use the following third-party services to operate the Platform:

Stripe, Inc.

Payment processing (charges and refunds)

Stripe charges your card when you file a contract and processes refunds on a verified win. We never handle raw payment credentials. Stripe is PCI DSS Level 1 compliant. Stripe also provides the read-only API integration used for revenue verification.

Stripe Privacy Policy

Vercel, Inc.

Platform hosting and infrastructure

Vercel hosts the Platform. All web traffic passes through Vercel's edge network, which may process IP addresses and request headers under Vercel's data processing agreement.

Vercel Privacy Policy

Vercel Analytics

Anonymous usage analytics

Aggregate page views, browser type, device type, and country-level location. No personally identifiable information is included in analytics data.

Intuit (QuickBooks)

Read-only financial data access at verification time

Where you connect QuickBooks for a business goal, we query your account for a specific financial metric to verify your contract outcome. The raw API response is used to produce the verdict and then stored in summarized form only.

Intuit Privacy Statement

Where your goal uses another verification source you connect (for example, a fitness wearable or service), that provider processes the limited data needed to verify your result, under its own privacy terms. We do not use third-party advertising networks, social media pixels, or tracking tools beyond those listed above.

05 — Data Retention

| Data Type | Retention | Reason |
| --- | --- | --- |
| Account information | Until deletion request | Account operation |
| Courage Contract records | 7 years from completion | Financial and audit obligations |
| Consent records (incl. IP / timestamp) | 7 years from completion | Proof of agreement / financial record |
| Verification data (outcome summary) | 7 years from completion | Audit trail |
| Payment and refund records | 7 years | Tax and accounting obligations |
| Usage/technical logs | 90 days | Security and debugging |
| Support communications | 3 years | Dispute resolution |

After the applicable retention period, data is deleted or de-identified. De-identified data may be retained indefinitely for aggregate analysis (for example, understanding hit/miss rates by category as part of the Courage Index).

06 — Your Rights

California Residents (CCPA / CPRA)

Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, the purposes, and any third parties we have shared it with.

Right to Delete: Request deletion of your personal information, subject to legal retention obligations (such as financial and consent records tied to a contract).

Right to Correct: Request correction of inaccurate personal information we hold about you.

Right to Opt Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising, so this right has no active application — but you may submit a request to confirm this in writing.

Right to Non-Discrimination: We will not discriminate against you for exercising these rights.

To exercise these rights: email privacy@crowdandcourage.com with subject line “CCPA Request.” We respond within 45 days.

EEA / UK Residents (GDPR / UK GDPR)

Right of Access · Right to Rectification · Right to Erasure · Right to Portability · Right to Restrict Processing · Right to Object

Note: The Platform is currently available to US residents only. If you are an EEA/UK resident who has accessed the Platform, contact privacy@crowdandcourage.com.

Our legal basis for processing: contract performance (operating your Courage Contract), legitimate interests (security and platform improvement), and legal obligation (financial and consent record retention).

All Users: Data Access and Deletion

Email privacy@crowdandcourage.com with “Data Request” in the subject line. We will verify your identity and respond within 30 days (45 days for CCPA). If you have an active Courage Contract, we cannot delete your account or contract records until the contract is completed, and we retain financial and consent records for the periods shown in Section 5 even after deletion.

07 — Cookies

| Type | Purpose | Opt Out? |
| --- | --- | --- |
| Session cookies | Keep you logged in during your session | No — required for Platform function |
| Security cookies | CSRF protection and fraud prevention | No — required for security |
| Analytics cookies (Vercel) | Aggregate, anonymous usage statistics | Yes — via browser settings |

We do not use advertising cookies, social media tracking pixels, or third-party remarketing cookies. Blocking analytics cookies does not affect your ability to use the Platform.

08 — Security

Encryption in transit: All data transmitted between your browser and the Platform uses TLS (HTTPS).

Encryption at rest: Sensitive data is encrypted at rest in our database.

PCI compliance: Payment card data is never transmitted to or stored on our servers — it goes directly to Stripe, which is PCI DSS Level 1 certified.

Access controls: Access to production data is limited to personnel who need it, and all access is logged.

Incident response: We have procedures to detect, contain, and notify affected users of data breaches in accordance with applicable law.

If you believe you have discovered a security vulnerability, contact privacy@crowdandcourage.com immediately. No system is completely secure — we aim to minimize risk, not promise perfection.

09 — Children's Privacy

The Platform is not directed at anyone under 18, and you must be at least 18 to use it. We do not knowingly collect personal information from anyone under 18. If you believe someone under 18 has provided information to us, contact privacy@crowdandcourage.com and we will delete it.

10 — Changes to This Policy

We will provide at least 30 days' advance notice of material changes to this Privacy Policy — by email to the address on your account and/or by prominent notice on the Platform. Material changes include changes to what data we collect, how we use it, or who we share it with. Continued use of the Platform after the effective date constitutes acceptance of the revised policy.

11 — Contact

Privacy inquiries: privacy@crowdandcourage.com

Legal matters: legal@crowdandcourage.com

We aim to respond to all privacy inquiries within 5 business days.