1. Introduction
This Privacy Policy describes how we collect, use, store, and protect your information when you use our CRM platform ("Service"). By using the Service, you consent to the practices described in this policy.
We are committed to protecting your privacy and handling your data responsibly. This policy may be updated from time to time, and continued use of the Service constitutes acceptance of any changes.
2. Information We Collect
2.1 Account Information
When you register or create an account, we collect:
- Name, email address, and phone number
- Company/organization name
- Billing information and payment details (processed by third-party payment providers)
- Account credentials (passwords are stored as one-way hashes)
2.2 Customer Data
Data you input into the Service as part of your CRM operations:
- Leads, contacts, and company records
- Deals, pipeline, and sales data
- Communication history (emails, SMS, WhatsApp, RCS messages)
- Activities, tasks, and notes
- Files and attachments
- Custom field data
2.3 Usage Data
We automatically collect certain information about your use of the Service:
- Login activity and access logs
- Feature usage and interaction patterns
- IP addresses and device information
- API request logs (for rate limiting and security)
- Message delivery and engagement metrics
3. How We Use Your Information
We use the collected information for the following purposes:
- Service Delivery: To provide, maintain, and improve the CRM platform
- Authentication: To verify your identity and secure your account
- Communication: To send transactional emails, system notifications, and service updates
- Billing: To process payments and manage subscriptions
- Analytics: To understand usage patterns and improve the Service
- Security: To detect and prevent fraud, abuse, and unauthorized access
- Legal Compliance: To comply with applicable laws and regulations
4. Multi-Tenant Data Isolation
Our Service operates on a multi-tenant architecture. Your data is logically isolated from other tenants through strict access controls:
- Each tenant's data is separated using unique tenant identifiers
- All database queries are scoped to your tenant, preventing cross-tenant data access
- API authentication ensures that users can only access data within their own tenant
- Administrative operations are restricted to authorized roles within your organization
5. Data Retention
- Active Accounts: Your data is retained for as long as your account is active
- Cancelled Accounts: Data is retained for 30 days after account cancellation to allow for reactivation, after which it is permanently deleted
- Audit Logs: Access and activity logs are retained for 12 months for security purposes
- Backups: Automated backups may retain data for up to 90 days as part of disaster recovery procedures
6. Third-Party Services
We integrate with third-party services to provide certain features. These services may process your data in accordance with their own privacy policies:
- Payment Processing: Subscription payments are processed by third-party payment gateways. We do not store your full credit card details.
- Email Delivery: Outbound emails are sent through third-party email service providers (e.g., SMTP relay services)
- SMS & Messaging: SMS, WhatsApp, and RCS messages are delivered through third-party communication providers
We carefully select third-party partners and require them to maintain appropriate security standards.
7. Cookies & Tracking
The Service uses the following client-side storage:
- Local Storage: Authentication tokens and user session data are stored in your browser's local storage for authentication purposes
- UTM Parameters: Landing pages capture UTM parameters for lead attribution and marketing analytics
We do not use third-party tracking cookies or advertising trackers within the application.
8. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Passwords are hashed using bcrypt with strong cost factors
- API authentication uses short-lived JWTs with refresh token rotation
- API keys are stored as SHA-256 hashes (plaintext is never stored)
- All communication between your browser and our servers uses HTTPS encryption
- Rate limiting is applied to prevent brute-force attacks
- Account lockout is enforced after multiple failed login attempts
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: You can view and access your data through the Service at any time
- Export: You can export your data in CSV format through the built-in export feature or API
- Correction: You can update or correct your data through the Service interface
- Deletion: You can request deletion of your account and associated data by contacting support
- Portability: You can download your data in a machine-readable format via the API
10. Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a minor, we will take steps to delete it promptly.
11. International Data Transfers
Your data may be processed and stored in jurisdictions outside your country of residence. By using the Service, you consent to the transfer of your data to these jurisdictions, which may have different data protection laws than your own.
12. Changes to This Policy
We reserve the right to update this Privacy Policy at any time. Changes will be posted on this page with an updated "Last updated" date. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.
13. Contact
For privacy-related questions, data access requests, or concerns, please contact us through the support channels available within the Service.
By using the Service, you acknowledge that you have read and understood this Privacy Policy.