Data Deletion Policy

1. Overview

This Data Deletion Policy describes what data DecoTech CRM stores, how you can request its deletion, and what happens during the deletion process. We are committed to giving you control over your information and honoring deletion requests in a timely manner.

2. What Data We Store

Within your tenant workspace, the following categories of data may be stored:

• Account data: your name, email address, hashed password, role assignment, and session information.
• Contact records: names, phone numbers, email addresses, company details, notes, tags, pipeline stages, tasks, and custom field values for your customers and leads.
• SMS messages: message content, sender/recipient numbers, delivery statuses, consent records, and mass text campaign data (powered by Twilio).
• Email data (Gmail): synced email messages, metadata (sender, recipients, subject lines, timestamps), OAuth access and refresh tokens (encrypted).
• Social media data: connected Facebook/Instagram account identifiers, scheduled and published post content, and engagement metrics.
• Accounting data: QuickBooks integration tokens and synchronization metadata.
• Integration credentials: OAuth tokens and API keys for connected services, all encrypted using AES-256-GCM.
• Automation data: workflow configurations, enrollment records, execution logs, and step definitions.
• Audit logs: records of data modifications for security and compliance purposes.

3. How to Request Deletion

You can request data deletion through any of these methods:

3.1 Individual Contact Deletion

Workspace administrators and authorized users can delete individual contact records directly within the CRM interface. This removes the contact and all associated notes, tasks, and communication history.

3.2 Account Deletion

To delete your entire user account or request deletion of all data within a tenant workspace, contact us at cmoraski@deco.technology with the subject line "Data Deletion Request." Include:

• Your full name and email address associated with the account.
• The tenant/workspace name (if requesting workspace-level deletion).
• Whether you are requesting deletion of your individual account or the entire workspace.

3.3 Facebook/Instagram Data Deletion

As required by Meta's platform policies, you may request deletion of all data obtained through your Facebook or Instagram connection. This can be done by disconnecting your social accounts in Settings or by contacting us directly.

4. Deletion Process & Timeline

Once a deletion request is received and verified:

1. Acknowledgment (within 48 hours): we will confirm receipt of your request and verify your identity.
2. Processing (within 14 days): your data will be queued for permanent deletion from our primary databases.
3. Backup purge (within 30 days): data will be removed from backup systems during the next scheduled purge cycle.
4. Confirmation: we will send a confirmation email once deletion is complete.

5. What Gets Deleted

5.1 Individual Account Deletion

When you delete your user account, we permanently remove:

• Your user profile (name, email, hashed password).
• Your session and authentication tokens.
• Activity attributable to your account within the workspace (your user record is disassociated from shared workspace data).

5.2 Workspace (Tenant) Deletion

When a workspace administrator requests full tenant deletion, we permanently remove:

• All user accounts within the workspace.
• All contact records, notes, tasks, and custom field data.
• All SMS messages, consent records, and mass text campaigns.
• All social media connections, posts, and engagement data.
• All synced email messages, metadata, and Gmail OAuth credentials.
• All QuickBooks integration data and synchronization records.
• All automation workflows, enrollments, and execution logs.
• All encrypted credentials (OAuth tokens, Twilio API keys) — these are cryptographically destroyed.

5.3 Contact Record Deletion

When you delete an individual contact record, we remove:

• The contact's profile data (name, email, phone, company, custom fields).
• All notes and tasks associated with that contact.
• SMS message history with that contact.
• Automation enrollment records for that contact.

6. What May Be Retained

Certain data may be retained after a deletion request in limited circumstances:

• Legal compliance records: TCPA consent records and opt-out logs may be retained as legally required to demonstrate compliance with telecommunications regulations.
• Audit logs: anonymized audit records may be retained for up to 12 months for security and fraud prevention purposes, with personally identifiable information removed.
• Aggregate analytics: de-identified, aggregate usage statistics that cannot be linked back to any individual.
• Legal holds: data subject to active legal proceedings or regulatory investigations may be preserved until the matter is resolved.

7. Encryption & Security During Deletion

All sensitive data stored in our system is encrypted using AES-256-GCM, an authenticated encryption standard. During the deletion process:

• Encrypted credentials (OAuth tokens, API keys) are cryptographically destroyed — the encryption keys are securely discarded, rendering the data permanently unrecoverable.
• Database records are hard-deleted (not soft-deleted or merely flagged).
• The deletion process runs within the same tenant-isolated environment, ensuring no cross-tenant data exposure.

8. Third-Party Data

When you delete data from our platform, please note that copies of certain data may still exist within third-party services:

• Google (Gmail): emails remain in your Gmail account and are not affected by deletion from our platform. We revoke our OAuth access upon disconnection. To manage data in Gmail itself, use Google's account settings.
• Twilio: SMS message logs may be retained by Twilio according to their data retention policies. We revoke API credentials but cannot control Twilio's retention.
• Meta: posts published to Facebook/Instagram remain on those platforms unless deleted separately through Meta's tools.
• QuickBooks: accounting data synchronized to QuickBooks remains in Intuit's systems and must be managed through QuickBooks directly.

We recommend reviewing the data deletion policies of any connected third-party services if you wish to remove data from those platforms as well.

9. Contact Us

For data deletion requests, questions about this policy, or to exercise your data rights: