Privacy Policy

2.1 Information You Provide

When you use CRMlet, you provide:

• Account Information: Email address, password (hashed), business name
• Onboarding Data: Industry/niche, business description, target audience, service offerings, location
• Profile Information: Headshot, hero images, logo, business photos
• Funnel Content: Headlines, copy, testimonials, pricing, calendar links
• Payment Information: Processed by Stripe (we do not store credit card details)
• Custom Domain: Domain name for Pro plan users

2.2 Automatically Collected Information

• Usage Data: Pages viewed, features used, time spent, interactions
• Device Information: Browser type, operating system, IP address, device identifiers
• Cookies: Session cookies for authentication, preference cookies for settings
• Analytics: Page views, user flows, feature adoption (anonymized when possible)

2.3 Lead and Customer Data

If you use CRMlet's outreach features, you may upload or import:

• Lead Information: Names, email addresses, phone numbers, business details
• Email Enrichment Data: Email addresses obtained via Hunter.io API
• Engagement Metrics: Email opens, clicks, responses, booking events

Important: You are the data controller for lead/customer data you upload. You must have legal rights to use this data and comply with CAN-SPAM, GDPR, and other regulations.

4.1 Where We Store Data

• Firebase/Firestore: Account data, onboarding responses, funnel content (Google Cloud, US region)
• Firebase Storage: Uploaded images (headshots, hero images, logos)
• Vercel: Application hosting and deployment (US region)
• Stripe: Payment processing and subscription management (PCI-compliant)

4.2 Security Measures

• Passwords hashed with bcrypt (industry-standard, 10 salt rounds)
• HTTPS encryption for all data transmission
• JWT-based session authentication with secure, HttpOnly cookies
• Regular security audits and dependency updates
• Access controls and role-based permissions
• Automated backups and disaster recovery

Note: No method of internet transmission or electronic storage is 100% secure. While we implement industry best practices, we cannot guarantee absolute security.

4.3 Data Retention

• Active Accounts: Data retained as long as your account is active
• Deleted Accounts: Data deleted within 30 days of account deletion
• Legal Requirements: Some data may be retained longer to comply with legal obligations
• Backups: Backup copies deleted within 90 days

6.1 Cookies We Use

• Essential Cookies: Required for authentication and security (cannot be disabled)
• Preference Cookies: Remember your settings and choices
• Analytics Cookies: Help us understand how you use CRMlet (anonymized)

6.2 Managing Cookies

Most browsers allow you to control cookies through settings. Disabling essential cookies may affect functionality. Learn more: All About Cookies

8.1 GDPR (European Users)

If you are in the European Economic Area (EEA), UK, or Switzerland, you have additional rights under GDPR:

• Legal Basis: We process your data based on contract performance, consent, and legitimate interests
• Data Minimization: We collect only necessary data for the Service
• Right to Object: You can object to processing based on legitimate interests
• Right to Restrict: You can request temporary restriction of processing
• Right to Erasure: You can request deletion ("right to be forgotten")
• Supervisory Authority: You can lodge complaints with your local data protection authority

To exercise GDPR rights, email gdpr@crmlet.com.

8.2 CCPA (California Users)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

• Right to Know: Request disclosure of data collected and how it's used
• Right to Delete: Request deletion of personal information
• Right to Opt-Out: We do not sell personal information
• Non-Discrimination: We will not discriminate for exercising CCPA rights

To exercise CCPA rights, email privacy@crmlet.com or call 1-800-CRMLET (placeholder - update with actual number if available).