Privacy Policy
Last updated: February 26, 2026
1. Introduction
This Privacy Policy explains how DecoTech CRM ("we," "us," or "our") collects, uses, discloses, and safeguards your information when you use our customer relationship management platform, including all associated services, integrations, and APIs (collectively, the "Service").
By using the Service, you consent to the data practices described in this policy. If you do not agree, please discontinue use of the Service.
2. Information We Collect
2.1 Account & Profile Data
When you register or are invited to a tenant workspace, we collect your name, email address, and a hashed password. Administrators may also provide role assignments (admin, manager, or member).
2.2 Contact & CRM Data
Information you enter about your customers and leads — including names, phone numbers, email addresses, company details, notes, tags, pipeline stages, and any custom fields — is stored within your tenant workspace.
2.3 Communications Data
When you use our SMS features (powered by Twilio), we store message content, sender/recipient phone numbers, delivery status, consent records for TCPA compliance, and timestamps. Inbound messages received via webhooks are also stored.
2.4 Social Media Data
If you connect Facebook or Instagram accounts through our social media integration (via the Meta Graph API v21.0), we store OAuth tokens (encrypted), page/account identifiers, scheduled and published post content, and engagement metrics.
2.5 Email Integration Data (Google Gmail)
If you connect a Google Gmail account through our email integration, we request access to read your emails and send emails on your behalf using the following Google API scopes:
- gmail.readonly — to sync and display your email messages within the CRM so you can view correspondence alongside contact records.
- gmail.send — to send emails on your behalf directly from the CRM interface.
When you connect your Gmail account, we store your OAuth access token and refresh token (encrypted using AES-256-GCM), your email address, and synced email metadata (sender, recipients, subject lines, message bodies, and timestamps). We use this data solely to display your email conversations within the CRM and to send emails you compose in the platform.
We do not use your Gmail data for advertising, market research, or any purpose unrelated to providing the CRM email functionality. We do not allow any third parties to access your Gmail data. You can disconnect your Gmail account at any time from the Settings page, which will revoke our access and delete your stored email data from our systems.
2.6 Accounting Integration Data
If you connect a QuickBooks account, we store OAuth tokens (encrypted) and synchronization metadata needed to link CRM contacts with accounting records.
2.7 Usage & Technical Data
We automatically collect standard server logs including IP addresses, browser type, referring pages, and timestamps. We may use cookies or similar technologies for session management and analytics.
3. How We Use Your Information
- Provide the Service: operate, maintain, and improve the CRM platform and its integrations.
- Communications: send and receive SMS messages and emails on your behalf, publish social media posts, and deliver system notifications.
- Scheduling & Automation: execute scheduled social posts (via cron jobs every 5 minutes) and process queued mass texts (every 2 minutes).
- Security: detect, prevent, and respond to fraud, unauthorized access, and other malicious activity.
- Compliance: fulfill legal obligations including TCPA consent tracking for SMS communications.
- Analytics: generate aggregate reports and insights to improve the Service.
4. Third-Party Services
We integrate with the following third-party services to provide functionality within the CRM:
- Twilio — for SMS messaging, phone number management, and delivery status tracking. Twilio's privacy practices are governed by their own Privacy Policy.
- Google (Gmail) — for email integration, including reading and sending emails on your behalf. Google's privacy practices are governed by their Privacy Policy. Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
- Meta (Facebook & Instagram) — for social media account connection, post publishing, and engagement tracking. Meta's data practices are governed by their Privacy Policy.
- Intuit QuickBooks — for accounting data synchronization. Intuit's privacy practices are governed by their Privacy Statement.
OAuth tokens and API credentials for these services are encrypted using AES-256-GCM before storage.
5. Data Sharing & Disclosure
We do not sell your personal data. We may share information:
- With third-party integrations you explicitly connect (Twilio, Meta, QuickBooks) to the extent necessary to provide the requested functionality.
- With service providers who help us operate the platform (hosting, infrastructure) under strict data processing agreements.
- When required by law, such as in response to a subpoena, court order, or government request.
- To protect rights and safety, when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
6. Data Security
We implement industry-standard security measures to protect your data:
- Sensitive fields (OAuth tokens, API credentials) are encrypted at rest using AES-256-GCM.
- All data is transmitted over HTTPS/TLS encrypted connections.
- Authentication uses JWT-based sessions with 30-day expiration.
- Multi-tenant architecture ensures complete data isolation between workspaces — each tenant's data is scoped and inaccessible to other tenants.
- Passwords are salted and hashed before storage.
7. Cookies
We use essential cookies for authentication and session management. We may also use analytics cookies to understand how the Service is used. You can control cookie preferences through your browser settings, though disabling essential cookies may affect functionality.
8. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. Specific retention periods:
- Account data: retained until account deletion is requested.
- CRM contact data: retained until deleted by a workspace administrator or upon account deletion.
- SMS messages: retained for the duration of the account plus any legally required retention period for TCPA compliance records.
- Email data (Gmail): synced email messages and metadata are retained until you disconnect your Gmail account or delete your workspace. Upon disconnection, all stored email data and OAuth tokens are permanently deleted.
- Audit logs: retained for up to 12 months for security and compliance purposes.
For information about requesting data deletion, see our Data Deletion Policy.
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate or incomplete data.
- Erasure: request deletion of your personal data (see our Data Deletion Policy).
- Portability: request your data in a structured, commonly used format.
- Objection: object to processing of your data in certain circumstances.
- Withdraw consent: where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at the address below.
10. GDPR & International Users
If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction with data protection laws, we process your personal data based on the following legal bases:
- Contract performance: processing necessary to provide the Service you requested.
- Legitimate interests: improving and securing the Service.
- Consent: where you have explicitly opted in (e.g., connecting third-party integrations).
- Legal obligation: compliance with applicable laws.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the revised policy.
12. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:
DecoTech CRM
Email: cmoraski@deco.technology