What This Policy Does
Founders learn from other founders. The platform should let that happen at scale: what worked for Customer A, and what mistake Customer A made, should help Customer B navigate the same decision faster. This Policy describes the architecture that lets the platform deliver that benefit without exposing Customer A's private data to Customer B.
The short version: your private data stays in your tenant, forever. Only the SHAPE of decisions and outcomes (no names, no values, no specifics) flows into an aggregated pattern layer. That layer is what the platform reads to recommend something to the next founder. The trust chain is structural: not "we promise not to look," but architecturally incapable of letting private data reach another tenant.
The Five-Class Data Taxonomy
Every event captured on the platform is classified, at the moment of capture, into exactly one of five privacy classes. Class determines what is retained, for how long, and whether it is eligible to flow into the cross-tenant synthesis pipeline.
C1: Private Content
Your actual data. Raw text from documents, financial values from invoices, the body of a contract, your customer list, your operating-account balance, the contents of your vault (SSN, EIN, banking credentials).
Cohort eligibility: NEVER. Never leaves your tenant. Enforced by row-level security in the database and AES-256-GCM column-level encryption for vault entries.
C2: Identifying Metadata
Anything that could re-identify you, your company, your customers, or your counter-parties: your name, your email, your address, your EIN, distinctive customer counts ("you have exactly 47 customers"), distinctive product names, distinctive case-by-case detail.
Cohort eligibility: NEVER. Used only for your own dashboard, your own audit trail, and your own filings. Never aggregated across tenants in raw form.
C3: Decision-Shape Metadata
The SHAPE of an interaction, without its specifics. Examples:
- "Founder asked a question in the formation domain at step 3 of the entity-type wizard."
- "CR3SCENDO recommended Option A out of {A, B, C} in the entity-type decision."
- "Founder accepted the recommendation within 4 minutes."
- "Founder requested deeper explanation at step 5 of the licensing-check wizard."
Cohort eligibility: Eligible for anonymized aggregation across consenting founders. Default consent at signup is on (so the platform can deliver cohort benefit to you from day one). You can turn it off at any time.
C4: Outcome-Shape Metadata
What HAPPENED after a decision, at the shape level. Examples:
- "Founder filed entity within 14 days of starting the wizard."
- "Founder reversed a prior decision and chose differently at the same step 3 months later."
- "Outcome category for this decision class was positive / mixed / negative."
Cohort eligibility: Eligible for anonymized aggregation across consenting founders. Default consent at signup is on. You can turn it off at any time.
C5: Pattern-Level Signal
Derived inside the platform from Class C3 and Class C4 across the cohort, by the synthesis pipeline. Example:
"Founders in the craft-distillery cohort, facing the entity-type decision at step 3, who chose LLC, experienced outcome shape positive at frequency 78% across 22 contributing founders."
Cohort eligibility: THIS is what the platform reads to recommend something to the next founder. Generated automatically from C3 and C4 across the cohort. The founder whose data contributed never sees their individual contribution. The founder receiving the recommendation never sees who contributed. C5 patterns are platform-internal and never exposed to third parties outside the platform.
The Synthesis Pipeline (Three Stages)
Stage 1, Capture (per-tenant)
Every event is captured into your tenant first. Personally identifying values are stripped by our ComplianceMux layer before any synthesis pipeline can read the event. A deterministic classifier (governed by Pydantic schema validation, no LLM in the loop, fully auditable) tags the event with its privacy class. Class C1 and Class C2 events stay in your tenant forever. Class C3 and Class C4 events enter the cross-tenant synthesis pipeline only if your per-category consent toggle is on.
Stage 2, Aggregate (cross-tenant, de-identified)
A scheduled synthesis job reads C3 and C4 events across all consenting tenants. Your tenant identifier is hashed before aggregation, so nothing identifying enters the aggregation layer. Events are grouped by cohort, decision class, step, and outcome shape. The result is a Class C5 pattern: "in cohort X, decision class D at step S, option O leads to outcome shape Y at frequency F over N contributing founders."
The K-anonymity threshold gates publication. If N (the count of contributing founders) is below K, the pattern is suppressed. Default K is 5. For smaller cohorts where re-identification risk is higher (for example, the Researcher cohort), K is set higher. K is never below 3 for any pattern that names a specific decision. K is configurable per cohort, but never below the floor.
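The Stage 2 grouping and K-anonymity gate, as an added example (not CR3SCENDO's code). The HMAC keying of the tenant hash, the per-cohort K values, the event field names and the sample events are assumptions constructed for illustration; the policy itself only states that the identifier is hashed and that K defaults to 5 with a floor of 3.

```python
import hashlib
import hmac
from collections import defaultdict

K_FLOOR, DEFAULT_K = 3, 5  # from the policy: floor 3, default 5
COHORT_K = {"researcher": 8, "misconfigured": 1}  # assumed per-cohort values
PIPELINE_KEY = b"constructed-demo-key"  # assumption: key is held outside the C5 layer

def pseudonymize(tenant_id):
    # Keyed hash (HMAC-SHA256 is an assumption; the policy only says "hashed").
    return hmac.new(PIPELINE_KEY, tenant_id.encode(), hashlib.sha256).hexdigest()

def effective_k(cohort):
    # Per-cohort K, clamped so configuration can never drop below the floor.
    return max(COHORT_K.get(cohort, DEFAULT_K), K_FLOOR)

def synthesize(events):
    """Build C5 patterns from C3/C4 shapes; N counts founders, not events."""
    groups = defaultdict(dict)  # (cohort, decision, step, option) -> {hashed tenant: outcome}
    for e in events:
        if not e["consent"]:
            continue  # consent off: the event never enters aggregation
        key = (e["cohort"], e["decision"], e["step"], e["option"])
        groups[key][pseudonymize(e["tenant"])] = e["outcome"]  # one entry per founder
    patterns = []
    for (cohort, decision, step, option), by_tenant in groups.items():
        n = len(by_tenant)
        if n < effective_k(cohort):
            continue  # below threshold: nothing about this group is published
        outcomes = list(by_tenant.values())
        for shape in sorted(set(outcomes)):
            patterns.append({"cohort": cohort, "decision": decision, "step": step,
                             "option": option, "outcome": shape,
                             "frequency": outcomes.count(shape) / n, "n": n})
    return patterns

def event(tenant, cohort, option, outcome, consent=True):
    return {"tenant": tenant, "cohort": cohort, "decision": "entity-type",
            "step": 3, "option": option, "outcome": outcome, "consent": consent}

# Constructed sample events (not real platform data).
SAMPLE = [event(f"t{i}", "craft-distillery", "LLC", "positive") for i in range(4)] + [
    event("t0", "craft-distillery", "LLC", "positive"),  # repeat event, same founder
    event("t4", "craft-distillery", "LLC", "mixed"),
    event("t5", "craft-distillery", "LLC", "negative", consent=False),
    event("t6", "craft-distillery", "S-Corp", "positive"),
    event("t7", "craft-distillery", "S-Corp", "positive"),
] + [event(f"r{i}", "researcher", "LLC", "positive") for i in range(5)]
```

Calling `synthesize(SAMPLE)` publishes only the craft-distillery LLC group (N = 5); the two-founder S-Corp group and the five-founder Researcher group are suppressed, and the opted-out founder's event never reaches the grouping step.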
Stage 3, Recommend (per-tenant, on demand)
When you face decision D at step S in cohort X, the recommendation layer reads the C5 layer for the matching pattern and surfaces a recommendation: "founders in your cohort who faced this decision and chose option O experienced outcome Y at frequency F." The recommendation tells you WHY (the frequency math, the sample size, the K-anonymity threshold met) but never reveals contributors. You can drill into how the C5 pattern was computed at any time.
The Five Day-One Design Tenets
These five tenets are binding from the first day the synthesis pipeline runs. They are architecturally enforced, not policy-promised.
Tenet 1: Structural Privacy, Not Policy Privacy
Class C1 and Class C2 data are technically incapable of reaching another founder's dashboard. The data-flow architecture, row-level security in PostgreSQL, and tenant isolation make a cross-tenant leak architecturally impossible. Reviewers test this by attempting to trace a C1 event to a foreign tenant; if a path exists, the design is wrong and is fixed before the synthesis pipeline runs against real founder data.
Tenet 2: K-Anonymity Threshold on Every Cohort-Benefit Signal
No pattern leaves the synthesis layer if fewer than K consenting founders contributed. The default K is 5. For smaller cohorts (where re-identification risk is higher because cohort size is smaller), K is set higher. K is never below 3 for any pattern that names a specific decision. Where the contributing-founder count is below threshold, the pattern is suppressed. The platform does not generate cohort-benefit signal from samples small enough to back-trace to an individual.
Tenet 3: Per-Category, Per-Cohort, Per-Founder Reversible Consent
You toggle off Class C3, Class C4, both, or all at any time from your account settings. Past contributions stay aggregated (a published pattern is, by construction, aggregated across multiple founders and your individual contribution cannot be isolated to remove it), but no future contribution flows once you withdraw consent. Your consent UI shows you what you have contributed in aggregate count and what recommendations you have received back.
Tenet 4: Founder-Visible Audit Log
You can see, at any time, every cohort-benefit extraction performed on your data: the date, the event class (C3 or C4), the cohort pattern it contributed to, and the aggregate count your contribution joined. This is the trust receipt. Without it, the consent would be theatrical. The audit log is part of your data export under our portability commitments.
Tenet 5: Customer Zero on Cohort Benefit
CR3SCENDO AI is itself a customer of the platform. Our own operational decisions emit Class C3 and Class C4 events, get the same classification, and, with our own consent, contribute to the same Class C5 patterns visible to other founders. We receive the same cohort-benefit recommendations any other founder receives. We are subject to the same K-anonymity threshold, the same reversibility, the same audit log. This is durable proof of the discipline.
Consent Mechanics (Plain Walkthrough)
At signup, you acknowledge this Policy and choose your initial consent settings:
- Class C3 (decision-shape) contribution: default on. You can turn it off with one click and never have it flow to the synthesis pipeline.
- Class C4 (outcome-shape) contribution: default on. Same toggle behavior.
- Class C5 (pattern-level recommendations you receive): always on, because the recommendation flow uses already-de-identified patterns derived from other consenting founders. There is no individual contribution to opt out of at this layer.
Default-on for C3 and C4 with plain-language framing is the price-of-entry consent that makes the cohort-benefit moat possible. You can opt out at any time from your account settings. Opt-out is one click. We never make you justify a consent change.
Audit-Log Walkthrough
Your account dashboard exposes a "Cohort Benefit Activity" view that lists every cohort-benefit extraction performed on your data: timestamp, event class, cohort, the pattern the contribution rolled into, the aggregate count of contributors at the moment of aggregation, and the K-anonymity threshold applied. The same view shows recommendations you received: the cohort pattern, the recommendation copy, the frequency math behind it, and the depth-on-demand drill-in for how the pattern was computed. This view is also included in your data export under our portability commitments.
Sub-Processors That Touch the Pipeline
If the synthesis pipeline uses an external AI provider for any step of C5 generation, that provider is logged as a sub-processor in our Sub-Processor List and operates only on already-de-identified Class C3 and Class C4 data, never on Class C1 or Class C2. The same ComplianceMux redaction that gates outbound traffic to external AI providers gates the synthesis pipeline.
What This Policy Rules Out
- We do NOT train external AI models on your data, of any class, under any consent setting, for any purpose. The synthesis pipeline produces platform recommendations, not training corpus. See our AI Posture Statement.
- We do NOT generate cohort-benefit signal from samples smaller than the K-anonymity threshold. Re-identification risk dominates the value of small-sample signal.
- We do NOT share Class C5 patterns outside the platform. No public API exposes them to third parties. No "industry benchmarks" page is published from them. C5 is platform-internal; it flows only to founders who are themselves in the platform.
- We do NOT process Class C1 or Class C2 across tenants under any condition, including our own internal analytics. Per-tenant analysis happens within the tenant; cross-tenant analysis happens only on Class C3 and Class C4.
Changes to This Policy
We will update this Policy when the synthesis pipeline materially changes. Material changes (a new event class, a lower K-anonymity threshold, a new sub-processor on the pipeline) are communicated to registered users with 30 days' advance notice. Continued use after a change takes effect constitutes acceptance. The History section at the bottom of this page tracks every material change.
Contact
For questions about this Policy, contact us at privacy@cr3scendo.ai. For legal questions about the grant of rights that accompanies this Policy, see the Terms of Service.