Privacy Policy
Last updated: May 27, 2026.
Data controller: [smallCRM Legal Entity, address pending].
This Privacy Policy describes how smallCRM collects, uses, and shares personal information when you use the Service. We are committed to GDPR compliance and to handling your data with care.
1. Information We Collect
Account data
When you create an account we collect your name, email address, and a hashed password. If you enable two-factor authentication we additionally store an encrypted TOTP secret and recovery codes.
Customer Data
The information you store inside the Service — companies, contacts, deals, tickets, comments, activities, and any custom fields — is "Customer Data". You control what enters Customer Data; we host it on your behalf.
Usage data
We record pageviews (path, timestamp, IP address, user agent) and attribution metadata (UTM parameters, HTTP referrer, referral code if any) to understand how the Service is used and to operate marketing analytics. Usage data is automatically purged after 13 months.
Payment data
Payment information (card number, billing address, tax ID) is collected and processed by Paddle.com Market Limited as our Merchant of Record. We do not receive or store card numbers; we receive only the subscription identifier and an obfuscated summary (e.g. "Visa ending 1234") that we use to render your invoices.
2. How We Use Information
- Provide, maintain, and improve the Service.
- Process subscriptions, invoices, and refunds (via Paddle).
- Send transactional email (account verification, password reset, ticket notifications) via Resend.
- Detect, investigate, and prevent fraud, abuse, and security incidents.
- Aggregate and anonymise usage data to improve product decisions.
- Comply with legal obligations (tax reporting, court orders, lawful requests).
We do not sell personal data, and we do not use Customer Data to train external machine-learning models.
3. Cookies & Tracking
We use three cookies:
- Session cookie — keeps you logged in. Required for the Service to function.
- Theme cookie — remembers your light/dark/system preference. Optional.
- Attribution cookie (smallcrm_attribution) — records the UTM and referral parameters from the request that brought you to the site, so we know which marketing channels work. Expires after 30 days. Does not identify you.
We do not use third-party analytics pixels (no Google Analytics, no Facebook Pixel, no advertising trackers). Our self-hosted analytics is Umami, running on our own infrastructure with no cross-site identifiers.
4. Data Sharing & Sub-Processors
We share personal data only with the following sub-processors, each contractually bound to GDPR-compliant data handling:
- Hetzner Online GmbH (Falkenstein, Germany) — hosting infrastructure (compute, storage, network).
- Paddle.com Market Limited (United Kingdom) — Merchant of Record for billing and payments.
- Resend, Inc. (United States) — transactional email delivery.
We do not share Customer Data with any other parties except when required by law (subpoena, court order) or to protect against fraud, abuse, or security threats.
5. Data Storage & Security
All Customer Data is stored on servers in Falkenstein, Germany (EU). Daily encrypted backups are written to a Hetzner Storage Box in the same region. Passwords are hashed with bcrypt; TOTP secrets and recovery codes are encrypted at rest with application-level keys.
Database access is restricted to the application server. We use TLS for all client-server traffic. Tenant data isolation is enforced at the application layer via a fail-closed query scope that filters every database read and write by tenant identifier.
6. Data Retention
- Customer Data: retained while your account is active; deleted at the end of the 30-day export window after permanent termination.
- Account data: retained while your account is active; deleted within 30 days of termination.
- Usage data (pageviews, attribution): automatically purged after 13 months.
- Backups: rolling 30-day retention with daily, weekly, and monthly snapshots.
- Invoices and tax records: retained for the period required by applicable tax law (typically 7 years).
7. Your Rights (GDPR)
If you are in the EU/EEA you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your personal data ("right to be forgotten").
- Export your data in a portable format (ZIP of CSVs).
- Object to certain types of processing.
- Withdraw consent at any time where processing relies on consent.
- Lodge a complaint with your local data protection authority.
To exercise these rights, email privacy@smallcrm.app. We will respond within 30 days.
8. Children's Privacy
The Service is not directed to anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please email privacy@smallcrm.app and we will delete it.
9. International Data Transfers
Customer Data is stored in the EU. Some sub-processors (Resend) are based in the United States; transfers to them are governed by Standard Contractual Clauses (SCCs) as approved by the European Commission.
10. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email and via an in-app notice at least 30 days before they take effect.
11. Contact
Privacy questions, data-rights requests, or complaints: privacy@smallcrm.app.