Message Crystal — Privacy Policy

Effective: April 21, 2026

This Privacy Policy describes how Message Crystal LLC ("Message Crystal," "we," "us") collects, uses, shares, and protects personal information in connection with the Message Crystal web application at message-crystal.com and the Message Crystal mobile application for iOS and Android (together, the "Service").

This Privacy Policy applies to both the Web Service and the Mobile App. Cookies and similar browser technologies used only on the Web Service are described in our separate Cookie Policy.

1. Who We Are

Message Crystal LLC
107 Hickory Hollow Circle
Warrington, PA 18976, United States
Privacy contact: legal@message-crystal.com

We do not have a designated Data Protection Officer.

2. Scope and Audience

The Service is offered to Users located in the United States. It is not directed to children under 13. If you are under 13, do not use the Service and do not submit any personal information to us.

3. Information We Collect

3.1 Information you provide

• Account information. Email address, password (hashed), account display name, and (for Publishers) account slug.
• Billing information. When you purchase a paid publishing plan, our payment processor (Stripe) collects your payment method details. We do not store full card numbers; we store the billing email address and a Stripe customer identifier.
• Publisher Content. Beacons, notification messages (Events), metadata, categories, and search terms that Publishers submit to the Service.
• Support and contact submissions. Messages you send through contact forms or by email.

3.2 Information generated by your use of the Service

• Subscription data. The Crystals you subscribe to and the facet preferences you apply to each Crystal.
• Notification interaction data. Timing information such as the interval between when a Notification is sent and when it is viewed.
• Aggregated reporting data. Derived statistics that are never associated with individual Subscribers — see Section 4 (Aggregate Rule of Fifty).

3.3 Information collected automatically

• Device and connection information. IP address, user agent, operating system, device identifiers, approximate location derived from IP, and timestamps.
• Push notification tokens. On the Mobile App, we receive an Apple Push Notification service (APNs) device token on iOS or a Firebase Cloud Messaging (FCM) registration token on Android. These tokens are required to deliver push notifications to your device.
• Logs and telemetry. Application and server logs generated while you use the Service.
• Cookies and similar technologies. Only on the Web Service — see the Cookie Policy.

3.4 Sensitive or special-category content

Publishers may publish content touching on health, political, religious, or biometric topics. Publishers represent to us that they have all necessary consents and legal bases to do so. Message Crystal does not itself solicit or classify such content, and we do not use it for any purpose other than delivering the Service.

4. The Aggregate Rule of Fifty

Subscriber preferences and behavioral data are never exposed to Publishers in identifiable form. Publishers receive only aggregated reports in which no segment, percentile, or range represents fewer than fifty Subscribers.

• Publishers with 5,000+ Subscribers receive data in ranges no finer than 1%.
• Publishers with 500 Subscribers receive data in ranges no finer than 10%.
• Publishers with 100 Subscribers see only above-half / below-half indications per characteristic.
• Publishers with fewer than 100 Subscribers receive no Subscriber data at all.

Attempts to circumvent the Aggregate Rule of Fifty result in warnings and, on repeated attempts, termination.

5. How We Use Information

We use personal information to:

1. provide, maintain, and deliver the Service, including routing Notifications from Publishers to Subscribers;
2. authenticate accounts and prevent fraud, abuse, and security incidents;
3. process payments and manage subscriptions;
4. send essential operational communications (password resets, security alerts, payment failure notices, policy changes, service availability notices);
5. produce aggregated reports for Publishers that satisfy the Aggregate Rule of Fifty;
6. comply with legal obligations and respond to valid legal process; and
7. debug, improve, and operate the Service.

We do not sell personal information, and we do not send marketing emails.

6. How We Share Information

6.1 Subprocessors. We share personal information with the following subprocessors strictly as necessary to operate the Service:

6.2 Publishers. Publishers receive only aggregated data subject to the Aggregate Rule of Fifty. Publishers never receive individual Subscriber identities, preferences, or behavior.

6.3 Legal. We may disclose personal information when required by law, valid legal process, or to protect the rights, property, or safety of Message Crystal, our Users, or the public.

6.4 Corporate transactions. If Message Crystal is involved in a merger, acquisition, reorganization, or sale of assets, personal information may be transferred as part of that transaction, subject to this Privacy Policy or a successor policy of equivalent protection.

7. Data Location and Transfers

All primary data is stored in Amazon Web Services facilities in the US West (Oregon) region. Subprocessors may process data in other regions incidental to their own operations.

8. Data Retention

8.1 Active accounts

• Account, subscription, publishing, and log data are retained indefinitely while the account is active.
• Inactivity. An account is "inactive" if it shows no account activity and receives no new Crystal subscribers for a contiguous 18 months. Beginning at 18 months of inactivity, we will attempt to contact the account holder to confirm whether to preserve the account or to authorize deletion. If we receive no response within 6 months of first outreach, and after a final warning, we may delete the account at our sole discretion.
• Contact form submissions are anonymized 90 days after receipt, unless the submitted email is associated with an active account, in which case they are retained for the life of that account.

8.2 Deleted accounts

When an account is deleted — whether by the account holder or by Message Crystal for inactivity:

1. Financial records are retained only long enough to be anonymized into a form that satisfies our financial reporting, compliance, and tax obligations. This period will not exceed 30 days.
2. All other subscription data is irreversibly and irretrievably deleted within 14 days.
3. Published Crystals become unavailable to new subscribers within one hour.
4. Existing Crystal subscribers see a notice that the Crystal has become inactive and will no longer receive further Notifications.
5. Previously received Notifications belong to the recipient and are not automatically deleted; they auto-delete upon expiration or when the recipient deletes them.
6. Logs containing individualized system information are anonymized within 30 days. Fully anonymized or aggregated data may be retained indefinitely.

9. Security

We use industry-standard administrative, technical, and physical safeguards, including encryption in transit, encryption at rest for stored data, hashed passwords, and role-based access controls.

Breach notification. In the event of a personal data breach that is likely to result in harm to affected Users, we will notify affected Users and, where applicable, relevant authorities within 72 hours of becoming aware of the breach.

10. Your Rights and Choices

Depending on your state of residence, you may have the right to:

• Access the personal information we hold about you;
• Correct inaccurate personal information;
• Delete your personal information (see Section 8.2);
• Port your data in a machine-readable format;
• Opt out of the sale or sharing of personal information (we do not sell or share personal information for targeted advertising, but the "Do Not Sell or Share My Personal Information" link on our website allows you to confirm your preference).

How to exercise these rights.

• Account deletion can be performed at any time through the in-app settings of either the Web Service or the Mobile App.
• Publisher data export. Publishers may submit a request to admin@message-crystal.com for an export of their published Events, specifying the beginning and ending date (UTC+0). Within 3 business days we will prepare the export, encrypt it, and make it available in a secured folder within the Web Service. The export remains available for download for 30 days.
• All other requests should be sent to legal@message-crystal.com. We will respond within the timeframe required by applicable law (generally 45 days under California law).

We will not discriminate against you for exercising any of these rights.

11. California Residents (CCPA/CPRA)

California residents have the rights described in Section 10. The categories of personal information we collected in the preceding 12 months include identifiers (email, account ID, IP address), commercial information (subscription history), internet activity (usage logs, interaction timing), and inferences drawn from the foregoing solely for aggregated Publisher reporting. We do not sell or share personal information for cross-context behavioral advertising. The "Do Not Sell or Share My Personal Information" link is available in the Web Service footer.

12. Children

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us personal information, contact legal@message-crystal.com and we will delete it.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be announced in-app and by updating the "Last updated" and "Effective" dates above. Changes take effect thirty days after the Last updated date.

14. Contact

Message Crystal LLC
107 Hickory Hollow Circle
Warrington, PA 18976
Email: legal@message-crystal.com