Privacy Policy

Last updated: June 10, 2026  ·  Applies to users in every country worldwide.

🇦🇺 Australia — Privacy Act 1988 🇪🇺 EU/UK — GDPR 🇺🇸 USA — CCPA / CAN-SPAM 🇨🇦 Canada — PIPEDA 🌍 Worldwide — Applicable 🔒 We Never Sell Your Data

1. Overview

CRM Stack ("we", "us", "our") is a SaaS CRM platform for service businesses, available at crmstack.co. We serve customers worldwide — including Australia, the United States, the United Kingdom, Europe, Canada, the Middle East, Asia, and beyond.

This Privacy Policy explains what personal data we collect, why we collect it, how we protect it, and the rights available to you under the privacy laws of your country. Where specific laws apply based on your location, dedicated sections below explain your additional rights.

We do not sell, rent, trade, or share your personal data with any third party for their own marketing or commercial purposes — ever. This applies to all users worldwide.

2. Data We Collect

2.1 Account & Registration Data

  • Full name and business name
  • Email address and phone number
  • Industry / business type
  • Password (hashed with bcrypt — never stored in plain text)
  • Subscription plan, billing cycle, and registration date

2.2 CRM / Business Data

Data you enter while using the platform — this is your business data, processed solely to provide the Service:

  • Lead and client records (names, emails, phones, addresses, notes)
  • Pipeline stages and deal values
  • Follow-up tasks, reminders, and scheduled appointments
  • Invoice details and payment records
  • Staff profiles, roles, and activity logs
  • WhatsApp and SMS message templates
  • Custom fields you create

2.3 Payment & Billing Data

Payments are processed exclusively by Paddle (our PCI-DSS Level 1 compliant payment processor and global Merchant of Record). We only receive non-sensitive billing metadata: billing email, subscription status, plan name, and last 4 card digits where applicable. We never see, store, or process full card numbers.

2.4 Usage & Technical Data

  • IP address and approximate location (country/city)
  • Browser type, operating system, and device type
  • Pages visited, features used, and session duration
  • Referring website or traffic source
  • Error logs and performance diagnostics
  • Google reCAPTCHA v3 score (bot detection)

2.5 Communications Data

When you contact us via the contact form or support email, we collect your name, email, and message content to respond to your enquiry.

3. How We Use Your Data

Purpose | Data Used | Legal Basis
Providing and operating the CRM platform | Account data, CRM data | Contract performance
Processing subscription payments | Email, billing details | Contract performance
Sending receipts, invoices, and billing alerts | Email, payment data | Contract performance
Sending system emails (password reset, OTP, verification) | Email address | Contract performance
Customer support and responding to enquiries | Email, contact form data | Legitimate interest
Security, fraud prevention, bot detection | IP address, reCAPTCHA score | Legitimate interest
Platform improvement (anonymised analytics) | Usage data (aggregated) | Legitimate interest
Legal compliance | As required by applicable law | Legal obligation

We do not use your data for advertising, profiling, or selling to any third party.

4. Data Sharing

We share data only with the following trusted service providers to operate the platform. All are bound by data processing agreements:

Provider | Purpose | Data Shared
Paddle | Payment processing, subscription billing & global tax compliance (Merchant of Record) | Email, billing details, subscription plan
Twilio | SMS & WhatsApp messaging (only when you actively use these features) | Phone numbers you message, message content
Google reCAPTCHA v3 | Bot and spam protection on public forms | IP address, browser fingerprint
Hosting / Infrastructure | Servers and database hosting | All platform data (encrypted at rest)
SMTP Email Provider | Delivering transactional emails (resets, OTPs, alerts) | Email address and message content

We may also disclose data when required by law, court order, or to protect the safety of CRM Stack or its users.

We never sell, rent, or trade your data to third parties for marketing or any commercial purpose — in any country.

5. Data Retention

  • Active accounts: All data retained while your subscription is active.
  • After cancellation: Retained for 30 days for possible reactivation, then permanently deleted.
  • Contact & support messages: Deleted within 12 months of resolution.
  • Payment records: Retained for 7 years (financial and tax regulations).
  • Server & access logs: Purged after 90 days.
  • Failed login attempts: Purged after 30 days.

6. Security

  • Passwords: Hashed with bcrypt — never stored in plain text, never visible to staff
  • CSRF protection: Every form uses a cryptographic one-time token
  • Multi-tenant isolation: Data is logically separated by account — no cross-tenant access is possible
  • HTTPS / TLS 1.2+: All data in transit is encrypted
  • Payment security: Handled exclusively by Paddle (PCI-DSS Level 1)
  • Role-based access control: Super Admin, Admin, and Staff roles
  • Two-factor authentication: Super admin login requires email OTP
  • Bot protection: Google reCAPTCHA v3 on all public forms

In the event of a data breach affecting your rights, we will notify affected users and relevant authorities within 72 hours of becoming aware.

7. Your Rights — All Users Worldwide

Regardless of which country you are in, you have the following rights:

  • Access: Request a copy of all personal data we hold about you
  • Correction: Ask us to correct inaccurate or incomplete data
  • Deletion: Request complete deletion of your account and all associated data
  • Portability: Receive your CRM data in a machine-readable format (CSV export)
  • Objection: Object to how we process your data
  • Withdraw consent: Where processing is consent-based, withdraw it at any time

To exercise any right: email support@crmstack.co. We respond within 30 days. Identity verification may be required.

8. 🇦🇺 Australian Residents — Privacy Act 1988

CRM Stack complies with the Privacy Act 1988 (Cth) and all 13 Australian Privacy Principles (APPs). This section describes your specific rights under Australian law.

8.1 Key APPs We Follow

  • APP 1 — Open & transparent: This policy is publicly available and describes all data handling.
  • APP 3 — We only collect what is reasonably necessary for our functions.
  • APP 5 — We notify you of the purpose of collection at the point of collection.
  • APP 6 — We use/disclose data only for the primary purpose it was collected.
  • APP 8 — Before disclosing data overseas, we take reasonable steps to ensure equivalent protection.
  • APP 11 — We protect personal information from misuse, loss, and unauthorised access.
  • APP 12 — You have the right to access personal information we hold about you.
  • APP 13 — You can request correction of inaccurate, incomplete, or misleading information.

8.2 Complaints

First contact us at support@crmstack.co. If unresolved, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC): oaic.gov.au

9. 🇪🇺 EU & UK Residents — GDPR / UK GDPR

If you are in the European Economic Area (EEA) or United Kingdom, the General Data Protection Regulation (GDPR / UK GDPR) applies to your data.

9.1 Lawful Bases for Processing

  • Contract performance — providing and billing for the CRM platform
  • Legitimate interest — security, fraud prevention, service improvement
  • Legal obligation — financial record-keeping and regulatory compliance

9.2 Additional GDPR Rights

  • Restriction: Request we limit processing in specific circumstances
  • Object: Object to processing based on legitimate interest
  • No automated decisions: You will not be subject to solely automated decisions with significant legal effects

9.3 Supervisory Authority

You may lodge a complaint with your local Data Protection Authority — e.g., the ICO (UK), CNIL (France), BfDI (Germany), or your national authority at edpb.europa.eu.

10. 🇺🇸 United States Residents — CCPA & CAN-SPAM

If you are a resident of California, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give you specific rights over your personal information.

10.1 California Rights (CCPA/CPRA)

  • Right to Know: Request disclosure of what personal information we collect, use, share, or sell (we don't sell it)
  • Right to Delete: Request deletion of your personal information
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out of Sale: We do not sell personal information — no opt-out required
  • Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA right
  • Right to Limit Sensitive Data Use: We do not process sensitive personal information beyond what is necessary to provide the Service

To exercise your California rights, email support@crmstack.co. We will respond within 45 days (extendable once by an additional 45 days where reasonably necessary).

10.2 Do Not Sell or Share

CRM Stack does not sell, share, or disclose personal information to third parties for cross-context behavioural advertising. There is nothing to opt out of.

10.3 CAN-SPAM Compliance

All marketing emails we send comply with the CAN-SPAM Act: we include a physical address, a clear unsubscribe mechanism, and honour opt-out requests within 10 business days.

10.4 Other US States

We extend similar privacy rights and protections to residents of Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and other US states with active privacy laws. Contact us to exercise your rights.

11. 🇨🇦 Canadian Residents — PIPEDA

CRM Stack respects the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.

11.1 PIPEDA Principles

  • Accountability: We are responsible for all personal information under our control.
  • Identifying purposes: We identify why we collect personal information before or at the time of collection.
  • Consent: We obtain meaningful consent for the collection, use, and disclosure of personal information.
  • Limiting collection: We collect only what is necessary for the identified purposes.
  • Accuracy: We keep personal information as accurate, complete, and up-to-date as necessary.
  • Safeguards: We use appropriate security measures to protect personal information.
  • Openness: Our privacy practices are publicly available.
  • Individual access: You have the right to access your personal information and challenge its accuracy.

11.2 CASL Compliance

All commercial electronic messages we send to Canadian recipients comply with Canada's Anti-Spam Legislation (CASL): we obtain express or implied consent, identify ourselves clearly, and include a functional unsubscribe mechanism honoured within 10 business days.

11.3 Complaints

You may lodge a complaint with the Office of the Privacy Commissioner of Canada: priv.gc.ca

12. 🌍 Other Countries & Regions

CRM Stack serves customers in every country. Below is a summary of applicable laws and how we handle them:

Region / Country | Applicable Law | How We Comply
🇬🇧 United Kingdom | UK GDPR + Data Protection Act 2018 | Same as EU GDPR — see Section 9. ICO is the supervisory authority.
🇮🇳 India | Digital Personal Data Protection Act 2023 (DPDP) | We collect only necessary data, allow correction and erasure, and respond to requests within 30 days.
🇦🇪 UAE / GCC | UAE PDPL (Federal Decree-Law No. 45 of 2021) | We process data only for stated purposes, implement appropriate security, and honour access/deletion requests.
🇸🇬 Singapore | Personal Data Protection Act 2012 (PDPA) | We obtain consent, limit collection to stated purposes, protect data with reasonable security, and allow access and correction.
🇿🇦 South Africa | Protection of Personal Information Act (POPIA) | We process data lawfully, collect only what is necessary, ensure data quality, and implement security safeguards.
🇳🇿 New Zealand | Privacy Act 2020 | We collect data from users directly, use it only for stated purposes, and allow access and correction upon request.
🇵🇰 Pakistan | Personal Data Protection Bill (PDPB) | We handle personal data responsibly, maintain security standards, and honour user requests for access and deletion.
All other countries | Local applicable law | We apply the universal rights in Section 7 to all users worldwide regardless of local law requirements.

No matter where you are in the world, you can always email support@crmstack.co to access, correct, or delete your data. We honour all reasonable requests from any country.

13. Cookies

CRM Stack uses only essential, functional cookies. We do not use advertising, tracking, or analytics cookies:

Cookie | Purpose | Duration
crm_session | Session authentication — keeps you logged in | Session or 30 days ("Keep me signed in")
crm_rm | Secure remember-me token (hashed, stored in DB) | 30 days
Google reCAPTCHA | Bot detection on public forms (set by Google) | Up to 6 months

We do not use Google Analytics, Facebook Pixel, advertising cookies, or any third-party tracking cookies.

14. Third-Party Services

  • Paddle — global payment processing and Merchant of Record.
  • Twilio — SMS and WhatsApp messaging (only when you use these features).
  • Google reCAPTCHA v3 — bot and spam prevention.
  • Google Fonts & Font Awesome CDN — font and icon delivery on marketing pages (may log IP addresses).
  • Transactional SMTP — delivery of system emails (password resets, OTP codes, alerts).

15. International Data Transfers

CRM Stack operates globally. Your personal data may be transferred to and processed in countries other than your own — including the United States, Ireland, Australia, and other countries where our service providers operate.

Where we transfer data internationally, we ensure appropriate safeguards:

  • EU/UK users: Standard Contractual Clauses (SCCs) or adequacy decisions
  • Australian users: Contractual obligations on overseas recipients (APP 8 compliance)
  • All other users: We require all service providers to maintain security standards at least equivalent to those described in this Policy

16. Children's Privacy

CRM Stack is a professional business tool intended exclusively for persons aged 18 and over. We do not knowingly collect personal data from minors. If you believe a minor has registered an account, contact us at support@crmstack.co and we will permanently delete the account within 48 hours.

17. Policy Changes

We may update this Policy to reflect changes in our practices or applicable law. For material changes, we will:

  • Notify all active users by email at least 14 days before changes take effect
  • Update the "Last updated" date at the top of this page
  • Display an in-app notice in the platform dashboard

Continued use after the effective date constitutes acceptance. If you disagree, you may cancel your account before the effective date.

18. Contact Us

For privacy questions, data access requests, correction requests, deletion requests, or complaints — from any country:

Regulatory bodies by region:
🇦🇺 Australia: OAIC — oaic.gov.au  |  🇪🇺 EU: EDPB — edpb.europa.eu  |  🇬🇧 UK: ICO — ico.org.uk  |  🇨🇦 Canada: OPC — priv.gc.ca