Privacy Policy

Your data is yours. We protect it with enterprise-grade security, process it only as needed to provide the service, and never sell it to anyone.

Effective: April 1, 2026 · Last updated: April 9, 2026

We never sell your data · Schema-per-tenant isolation · AES-256 encryption at rest · GDPR & CCPA compliant · Right to deletion · No training on customer data

Data We Collect — At a Glance

Summary of data categories, purposes, and how long we keep them

Category | Examples | Purpose | Retention
Account Information | Name, business email, company name, role, profile photo | Account creation, authentication, support | Duration of account + 90 days
Authentication Data | Passkey public keys, SSO tokens, session metadata, IP addresses | Secure sign-in, fraud prevention, audit trails | Duration of account + 12 months (audit logs)
Customer CRM Data | Contacts, accounts, deals, activities, notes, custom fields | CRM functionality as directed by you | Duration of subscription + 30-day export window
Communication Data | SMS/WhatsApp messages, call recordings, voicemails, email threads | Conversation history, AI analysis, compliance | Duration of subscription + 30-day export window
Integration Data | Salesforce, SAP, NetSuite sync data; ERP order/inventory records | Integration functionality, data synchronization | Duration of integration connection
Usage & Telemetry | Page views, feature usage, performance metrics, error logs | Service improvement, debugging, capacity planning | 13 months (aggregated), 90 days (raw logs)
Billing Data | Plan tier, invoice history, payment method (via Stripe) | Subscription management, payment processing | 7 years (tax/legal requirements)

1. Information We Collect

We collect information necessary to provide, secure, and improve the CRM Factory platform. The categories of data we collect, their purposes, and retention periods are summarized in the table above.

We collect information directly from you (account registration, CRM data entry, support requests), automatically through your use of the Service (usage telemetry, device information, IP addresses), and from third-party integrations you choose to connect (Salesforce, SAP, Twilio, etc.).

We do not collect sensitive personal information (racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation) unless you voluntarily store such data in custom CRM fields. If you do, you are responsible for ensuring a lawful basis for processing under applicable regulations.

2. How We Use Your Information

We process your data to: (a) provide and maintain the Service, including CRM features, integrations, automations, and AI-powered analysis; (b) authenticate users and protect account security; (c) send transactional communications (password resets, billing notices, service alerts); (d) provide customer support and respond to inquiries; (e) improve the Service through aggregated analytics and performance monitoring; (f) comply with legal obligations and enforce our Terms of Service.

For users in the European Economic Area, our legal bases for processing are: performance of a contract (providing the Service), legitimate interests (security, fraud prevention, service improvement), consent (marketing communications), and legal obligation (tax records, law enforcement requests).

We do not use Customer Data to train machine learning models outside your tenant context. AI features (lead scoring, conversation analysis, voice agents) process data within your organization's scope and outputs are not shared across tenants.

3. Data Sharing & Disclosure

We do not sell, rent, or trade personal information to third parties. We share data only in the following circumstances:

Subprocessors: We use carefully selected service providers to host, secure, and operate the platform. Key subprocessors include Vercel (hosting, CDN), Neon (database), Twilio (SMS/voice), Stripe (payments), and Resend (transactional email). Each subprocessor is contractually bound to use data solely for providing their service and to maintain appropriate security measures.

Legal compliance: We may disclose information when required by law, subpoena, court order, or government request. Where permitted, we will notify you before disclosure. We publish a transparency report annually summarizing government data requests received.

Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity under the same privacy commitments. We will notify you of any such transfer before your data is subject to a different privacy policy.

4. Data Security

We implement industry-standard security measures to protect your data, including: AES-256 encryption for data at rest, TLS 1.3 for data in transit, schema-per-tenant database isolation, encrypted credential storage for integrations, automatic session token rotation, and DDoS protection via edge CDN.

Our infrastructure is hosted on SOC 2 Type II certified platforms (Vercel and Neon). We conduct regular vulnerability assessments, dependency scanning on every deployment, and maintain a documented incident response plan with customer notification within 72 hours of a confirmed breach.

We implement role-based access control (RBAC) with four permission levels. Administrator actions are logged in an immutable audit trail. Production database access is restricted to authorized operations personnel and all access is logged and reviewed.

6. AI & Automated Decision-Making

CRM Factory uses AI features to enhance productivity, including: lead and deal scoring, conversation sentiment analysis, automated response suggestions, voice agent processing, workflow automation, and predictive analytics.

AI processing occurs within your tenant context. We do not use your Customer Data to train general-purpose AI models shared with other customers. You may disable specific AI features in your workspace settings.

Automated decisions that significantly affect individuals (e.g., automated lead disqualification, AI-drafted customer communications) include human review checkpoints. You are responsible for configuring these features appropriately and reviewing AI outputs before they result in consequential actions.

7. Cookies & Tracking

We use essential cookies for authentication, session management, and security. These are strictly necessary for the Service to function and cannot be disabled.

We use privacy-respecting analytics (no third-party advertising trackers) to understand feature usage patterns and improve the product. Analytics data is aggregated and not linked to individual user profiles. We do not participate in cross-site tracking or advertising networks.

You can manage cookie preferences through your browser settings. Blocking essential cookies may prevent you from accessing the Service.

8. International Data Transfers

CRM Factory is headquartered in the United States. Our primary infrastructure is hosted in the AWS us-east-1 region. If you access the Service from outside the United States, your data will be transferred to and processed in the United States.

For transfers from the European Economic Area, United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by technical measures including encryption and tenant isolation. Enterprise customers may request a Data Processing Agreement (DPA) that includes SCCs.

We do not currently offer data residency options, but plan to support EU-hosted tenants in a future release. Contact us for updates on regional availability.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information: the right to access (obtain a copy of your data), rectification (correct inaccurate data), erasure (request deletion), portability (receive data in a machine-readable format), restriction (limit processing), objection (opt out of certain processing), and the right to withdraw consent.

To exercise any of these rights, contact us at privacy@crmfactory.ai or use the data export and deletion tools available in Settings > Data Management. We will respond to verified requests within 30 days (or 45 days for complex requests with prior notice).

California residents: Under the CCPA/CPRA, you have the right to know what personal information we collect, request deletion, opt out of sale (we do not sell data), and not be discriminated against for exercising your rights. We do not sell personal information and have not done so in the preceding 12 months.

10. Children's Privacy

CRM Factory is a business-to-business platform and is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal data, please contact us immediately and we will take steps to delete such information.

11. Data Retention

We retain your data only as long as necessary to provide the Service and fulfill the purposes described in this policy. Specific retention periods vary by data category as outlined in the data table above.

When you close your account or your subscription ends, you have a 30-day window to export your Customer Data. After this period, Customer Data is deleted within 90 days. Certain data may be retained longer where required by law (e.g., billing records for 7 years) or for legitimate purposes (e.g., audit logs, security incident records).

You can request early deletion of specific data by contacting privacy@crmfactory.ai. We will process deletion requests within 30 days, subject to legal retention obligations.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated via email notification to account administrators and through an in-app banner at least 30 days before taking effect.

We encourage you to review this policy periodically. The "Last updated" date at the top of this page indicates when the most recent changes were made. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

13. Regulatory Framework & Compliance

CRM Factory is designed to help organizations meet their data protection obligations. Our platform supports compliance with: GDPR (EU General Data Protection Regulation), CCPA/CPRA (California Consumer Privacy Act), TCPA (Telephone Consumer Protection Act), CAN-SPAM Act, A2P 10DLC messaging regulations, and SOC 2 Type II controls through certified infrastructure providers.

Enterprise customers may request a Data Processing Agreement (DPA), Standard Contractual Clauses (SCCs), subprocessor list, or security questionnaire completion by contacting legal@crmfactory.ai.

Questions about your privacy?

Our privacy team is here to help with data requests, DPA requests, or any questions about how we handle your information.

Review our Terms of Service and Security & Trust page for additional details.