Last Updated: April 29, 2026
CrawlSpace CRM ("we," "our," or "us") is a customer relationship management platform offered through our web application, Chrome extension, and mobile applications (iOS and Android). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.
1. Information We Collect
Account Information: When you create an account, we collect your name, email address, phone number, company name, and billing information.
Customer Data: You may input contact information about your customers and leads into the CRM, including names, email addresses, phone numbers, addresses, company information, notes, custom fields, deal/pipeline data, account health scores, and renewal dates relevant to your business.
Communication Data: When you use our email, phone, or SMS features, we store records of those communications including:
- Email content, subjects, attachments, and timestamps
- Call logs, duration, dispositions, notes, and recordings (if enabled)
- SMS/text message content and timestamps
- Voicemail recordings and transcriptions
- Power Dialer session activity (lists used, contacts dialed, call outcomes)
Call Recording (Two-Party Consent): Our service includes optional call recording. Many jurisdictions (including states such as California, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington) require all parties to a call to consent to recording. You are solely responsible for obtaining all required consents from call participants before initiating a recording. We provide the technical means to record; legal compliance is your responsibility.
Video Content: If you use our video messaging feature, we store your recorded videos and thumbnails on our servers.
Meeting Recording Library: If you connect Google Meet (via Google Workspace) or Microsoft Teams, our service syncs metadata about your meeting recordings - including title, date, duration, host, participants, and the meeting transcript - into our database for searchable in-app access. The actual video files remain stored in your Google Drive or Microsoft SharePoint and are streamed through fresh signed URLs at playback time. We do not host meeting video content on our servers.
Data from Third-Party Integrations: If you connect third-party services to CrawlSpace CRM, we receive data from those services:
- Google Sheets / OneDrive Excel: When you connect a spreadsheet provider, we read and write contact data to the file you authorize. This serves as your primary data source if you select spreadsheet storage mode.
- Google Calendar / Outlook Calendar: We read and create calendar events for scheduling meetings with your contacts.
- Gmail / Outlook Mail: We send emails on your behalf and access your inbox to display correspondence with your contacts.
- Google Meet / Microsoft Teams: We list your meeting recordings, fetch participant lists, and retrieve transcripts for the in-app meeting library.
- Square / Stripe: When you connect a payment processor, we create invoices and process subscription payments. Customer payment details are submitted directly to your processor - we do not store full card numbers.
- Facebook Lead Ads: If connected, leads submitted through your Facebook ads are imported automatically into the CRM, including the form fields the lead completed.
- LinkedIn Lead Gen Forms: If connected (when available), leads from your LinkedIn campaigns are imported into the CRM, including LinkedIn-supplied professional data.
- Twilio: Calls and SMS messages flow through Twilio's network. Phone numbers, audio, message bodies, and call metadata pass through Twilio servers.
Usage Data and Analytics: We use Google Analytics to understand how visitors use our marketing site and product. This includes IP address (truncated where possible), browser type, device type, pages visited, features used, referring URLs, and timestamps. You can opt out of Google Analytics by installing Google's opt-out browser add-on or by enabling "Do Not Track" settings in your browser.
Cookies: We use cookies and similar technologies for authentication, session management, and analytics. Essential cookies (authentication, session) are required for the service to function. Analytics cookies (Google Analytics) can be disabled via your browser settings.
Chrome Extension Data: If you use our Chrome extension for lead capture, it may access data from web pages you visit to help import contact information into your CRM. This data is only processed when you explicitly initiate an import action; the extension does not passively monitor your browsing.
Mobile App Permissions: Our mobile applications request the following permissions on Android and iOS, used only for the purposes described:
- Microphone (RECORD_AUDIO): Required for in-call audio capture during click-to-call dialing, voicemail drop recording, and optional call recording.
- Phone (CALL_PHONE, READ_PHONE_STATE): Required to place outbound calls through the in-app dialer and to detect call state changes (ringing, answered, ended).
- SMS (SEND_SMS): Required only if you use direct device-SMS sending (most users send via Twilio, which does not require this permission).
- Bluetooth, Audio Settings (BLUETOOTH, MODIFY_AUDIO_SETTINGS): Required for routing call audio to Bluetooth headsets and managing speakerphone.
- Foreground Service (FOREGROUND_SERVICE, FOREGROUND_SERVICE_MICROPHONE): Required to keep an active call running when the app is in the background.
- Network State (ACCESS_NETWORK_STATE): Required to detect connectivity changes and resume sync when the device returns online.
- Camera and Photo Library (iOS/Android): Requested only when you use video messaging or attach a file to a contact record.
The mobile app does not collect location data, contacts from your device's address book, or any data unrelated to operating the CRM features you use.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our CRM service
- Sync your contact data with Google Sheets
- Send emails and SMS messages on your behalf to your contacts
- Place phone calls and manage voicemail on your behalf
- Execute automated email sequences you configure
- Schedule and manage calendar events
- Process subscription payments
- Send you technical notices, updates, and support messages
- Respond to your comments, questions, and customer service requests
- Monitor and analyze trends, usage, and activities to improve our service
- Detect, investigate, and prevent fraudulent transactions and abuse
3. How We Share Your Information
We do not sell your personal information. We may share information in the following circumstances:
- Subprocessors / Service Providers: We share data with third-party vendors who perform services on our behalf:
  - Supabase - database hosting, authentication, file storage
  - Netlify - application hosting and serverless functions
  - Twilio - phone calls, SMS, voicemail, and call recording infrastructure
  - Square - payment processing for subscriptions and customer invoices
  - Stripe - payment processing for subscriptions and customer invoices
  - Google - email (Gmail), calendar, spreadsheets, Drive, and Meet recording APIs
  - Microsoft - email (Outlook), calendar, OneDrive Excel, and Teams meeting recording APIs
  - Meta (Facebook) - Lead Ads integration for importing leads
  - LinkedIn (Microsoft) - Lead Gen Forms integration for importing leads
  - Google Analytics - usage analytics on our marketing website and product
- Legal Requirements: We may disclose information if required by law or in response to valid legal requests (e.g., subpoenas, court orders).
- Business Transfers: If we are involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before any such transfer.
- With Your Consent: We may share information with your consent or at your direction.
Important: Your customer data is stored only in your individual CRM account (and your connected spreadsheet, if applicable). We do not combine customer data across different CrawlSpace CRM users, sell it, or use it for any purpose other than providing the CRM service to you. We do not use your customer data to train artificial intelligence models.
4. Third-Party Integrations
Our service integrates with the third-party platforms listed in Section 3. Each has its own privacy policy. When you connect these services, you authorize us to access only the data described during the connection process via OAuth. You can disconnect any integration at any time from your account settings.
Google API Services: CrawlSpace CRM's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, data obtained through Google APIs (Gmail, Calendar, Sheets, Drive, Meet) is used only to provide the user-facing features you have explicitly enabled, is not transferred to third parties except as required for service operation, is not used for advertising, and is not read by humans except for security/abuse investigation, support with your consent, or as required by law.
Microsoft Graph: Similarly, our use of data from Microsoft Graph (Outlook, OneDrive, Teams) is limited to providing the user-facing features you have enabled. Some Microsoft scopes (such as OnlineMeetingRecording.Read.All) require approval from your Microsoft 365 tenant administrator before access is granted.
5. Data Storage and Location
Your data is stored in the following locations:
- Contact Data: Stored either natively in our Supabase database or in your connected Google Sheet / OneDrive Excel file (depending on the storage mode you select). In spreadsheet mode, the spreadsheet is the source of truth and Supabase holds a sync cache.
- Account Settings, Permissions, and Org Membership: Stored in our Supabase database
- Communication Logs (calls, SMS, email): Stored in our Supabase database
- Call Recordings: Stored on Twilio's infrastructure; we store the recording metadata (Twilio Recording SID + URL) in Supabase to surface playback in the CRM
- Voicemail Recordings and Drops: Stored on Twilio's infrastructure
- Video Messages: Stored in Supabase storage
- Meeting Recordings (Google Meet / Microsoft Teams): The video files remain in your Google Drive or Microsoft SharePoint - we never copy the files to our servers. Only metadata (title, time, participants, transcript text) is cached in our Supabase database for in-app browsing and search.
- Documents and Files: Stored in Supabase storage
Our primary database and application infrastructure is hosted in the United States. By using the service, you consent to your data being processed in the United States, which may have different data protection laws than your country of residence.
6. Data Retention
We retain your account information and customer data for as long as your account is active. Communication logs, call recordings, and voicemails are retained according to your account settings and applicable regulations. You may delete your data or close your account at any time by contacting us. Upon account deletion, we will remove your data from our systems within 30 days, except where retention is required by law (e.g., billing records typically retained 7 years for tax purposes). Backups are purged within 90 days. Subprocessors that hold your data (Twilio call recordings, Stripe/Square transaction records, Google Drive meeting recordings) are governed by their own retention policies and your direct relationship with those services.
7. Data Security
We implement appropriate technical and organizational measures to protect your information, including:
- Encryption of data in transit (TLS/SSL)
- Encryption of sensitive data at rest
- Secure authentication via Supabase Auth
- OAuth 2.0 for third-party service connections
- Access controls and authentication requirements
- Regular security assessments
We do not store your Google, Microsoft, or other third-party passwords. All integrations use secure OAuth tokens that you can revoke at any time. However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.
8. Your Rights and Choices
Depending on your location, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you
- Correction: Request that we correct inaccurate information
- Deletion: Request that we delete your personal information ("right to be forgotten")
- Portability: Request a copy of your data in a portable, machine-readable format. Your contact data is also always accessible in your connected spreadsheet (if you use spreadsheet mode), and you can export to CSV from within the app at any time.
- Restriction / Objection: Request that we restrict or stop processing your data in specific ways
- Withdraw Consent: Withdraw any consent you previously gave (e.g., for marketing communications, integrations)
- Opt-Out: Opt out of marketing communications at any time using the unsubscribe link in our emails
- Disconnect Integrations: Revoke access to connected services at any time through your account settings; we delete the cached OAuth tokens immediately upon disconnect
- Lodge a Complaint: If you are in the EEA, UK, or Switzerland, you have the right to lodge a complaint with your local data protection authority
To exercise these rights, please contact us using the information below. We will respond to verifiable requests within 30 days (or 45 days for complex requests, with notice). We may need to verify your identity before processing certain requests.
9. California Privacy Rights (CCPA / CPRA)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including:
- The right to know what categories of personal information we collect, use, disclose, and sell or share (we do not sell or share personal information for cross-context behavioral advertising)
- The right to delete your personal information, subject to certain exceptions
- The right to correct inaccurate personal information
- The right to limit the use and disclosure of "sensitive personal information"
- The right to non-discrimination for exercising any of these rights
- The right to opt out of automated decision-making (we do not currently use such systems)
We do not sell personal information and have not done so in the preceding 12 months. Categories of personal information we collect are described in Section 1 above.
10. International Users (GDPR / EEA, UK, Switzerland)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and similar laws apply. Under those laws:
- Legal basis: We process personal data on the basis of contract performance (to provide the service you signed up for), legitimate interest (to improve the service and prevent abuse), legal obligation (e.g., billing records), or consent (e.g., marketing communications, optional integrations).
- Data Controller vs. Processor: For your account information and usage data, we are the data controller. For your customer data (the contacts you input into the CRM), we act as a data processor on your behalf - you are the controller of that data and responsible for the legal basis for processing it.
- International Transfers: Your data is transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) and equivalent safeguards as required by applicable law.
- Data Processing Addendum: A GDPR-compliant DPA is available on request for B2B customers - contact us at the email below.
- Right to Lodge a Complaint: You have the right to lodge a complaint with the data protection authority in your country of residence.
11. Children's Privacy
Our service is intended for business users and is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. Under the U.S. Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under 13 without verifiable parental consent. If we learn that we have collected personal information from someone in these categories, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. For material changes (e.g., new categories of data collection, new subprocessors handling personal data, changes affecting your rights), we will provide additional notice through the CRM application or via email at least 30 days before the changes take effect, where reasonably practicable. You are advised to review this Privacy Policy periodically.
13. Contact Us
If you have any questions about this Privacy Policy, want to exercise your rights, or want to request a Data Processing Addendum, please contact us:
CrawlSpace CRM
Email: joshua@crawlspaces.tech
Privacy inquiries: joshua@crawlspaces.tech