Privacy Policy

Last updated: June 12, 2026

This policy explains what ConversionCRM ("we", "us") collects, why, and what your rights are. It covers two audiences: workspace owners (you, our customer) and end users (people whose product activity you track using our widget).

1. Data we collect from workspace owners

• Account data: email address, company name, product name, sender name, and reply-to email collected at signup and onboarding.
• Configuration data: website URL, aha-moment settings, API keys, and — if you choose SMTP delivery — your SMTP host, port, username, and password, stored for the sole purpose of sending your emails.
• Billing data: handled by our payment processor (Lemon Squeezy); we store subscription state, not card numbers.

2. Data we process about end users (on your behalf)

When you install our widget, we process the following as a data processor on your instructions:

• Behavioral events: page views, clicks, time on page, and custom events you choose to send.
• Identity data you provide via identify(): a user ID and, optionally, an email address.
• Derived data: engagement scores, lifecycle stages, and email send logs.

You are responsible for ensuring you have a lawful basis (and any required notices or consents) to track your end users and to send them email. Do not send us sensitive data (health, financial account contents, government IDs) in event properties — our ingestion API enforces size limits and validation, but content choice is yours.

3. How we use data

• To provide the service: scoring, staging, dashboards, and email delivery.
• To send you operational email (e.g., the daily summary to workspace owners).
• To secure the service: rate limiting, abuse prevention, and API-key enforcement.

We do not sell personal data, and we do not use your end users' data to market to them on our own behalf.

4. Subprocessors

We rely on a small set of infrastructure providers: Supabase (database), Vercel (hosting), Resend (default email delivery), and Lemon Squeezy (billing). If you configure your own SMTP, email delivery flows through your chosen provider instead of Resend.

5. Retention & deletion

Workspace data is retained while your account is active. You can request deletion of your workspace — including end-user events, scores, stages, and email logs — by emailing support@conversioncrm.co. We honor deletion requests within 30 days.

6. Security

Data is encrypted in transit (TLS) and at rest by our infrastructure providers. The event ingestion API enforces per-key rate limits (~240 events/min), body-size caps, email validation, and timestamp checks; unknown API keys are rejected in production.

7. Your rights

Depending on your jurisdiction (e.g., GDPR, CCPA), you may have rights to access, correct, export, or delete personal data. Workspace owners can exercise these directly via support; end users should contact the product that tracks them (our customer), and we will assist that customer in fulfilling the request.

8. Changes

We'll update this page when the policy changes and adjust the date above. Material changes will be announced by email to workspace owners.

Questions: support@conversioncrm.co