Legal
Privacy Policy
How CRM Connector collects, uses, and protects your data -- explained in plain English.
Last updated: February 27, 2026
Table of Contents
- 1. Overview
- 2. Definitions
- 3. Our Role Under the GDPR
- 4. What Personal Data We Collect
- 5. How We Use Your Data
- 6. Cookies and Tracking Technologies
- 7. How We Share Your Data
- 8. International Data Transfers
- 9. Data Retention
- 10. Data Security
- 11. Your Rights Under the GDPR
- 12. Data Processing Agreement
- 13. Children's Privacy
- 14. Third-Party Links and Services
- 15. Changes to This Privacy Policy
- 16. Contact
1. Overview
CRM Connector ("we," "our," or "us") is committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains how we collect, use, store, share, and protect personal data when you use our platform and services.
Company Details:
- Trade Name: CRM Connector
- VAT Number: NL867523372B01
- Chamber of Commerce (KvK): 96231866
- Registered Address: Opalstraat 17, 4421LK Kapelle, The Netherlands
- Contact: support@crm-connector.com
This Privacy Policy applies to all users of our Platform, including agency owners, sub-account users, and visitors to our website at https://crm-connector.com.
2. Definitions
For the purposes of this Privacy Policy:
- "Platform" refers to the CRM Connector website, application (https://app.crm-connector.com), and all related services.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined by Article 4(1) of the GDPR.
- "Processing" means any operation performed on Personal Data, as defined by Article 4(2) of the GDPR.
- "Data Controller" means the entity that determines the purposes and means of the processing of Personal Data.
- "Data Processor" means the entity that processes Personal Data on behalf of the Data Controller.
- "User" refers to any person who accesses or uses the Platform, including agency owners, sub-account users, and website visitors.
- "Synced Data" refers to the data that is transferred between third-party platforms and GoHighLevel through our Service.
3. Our Role Under the GDPR
2.1 As Data Controller
CRM Connector acts as a Data Controller for the Personal Data we collect directly from you in connection with your use of our Platform. This includes your account information, payment details, communication data, and website usage data.
2.2 As Data Processor
CRM Connector acts as a Data Processor when we process Synced Data on your behalf — that is, when we transfer and synchronize data between your third-party platforms and GoHighLevel. In this capacity:
(a) You (the User) are the Data Controller for the Synced Data;
(b) You are responsible for ensuring that you have appropriate legal bases (such as consent, legitimate interest, or contractual necessity) for the collection, processing, and transfer of Synced Data through our Platform;
(c) You are responsible for informing data subjects (e.g., your clients, customers, patients) about the processing of their data through integration services, where required by applicable law;
(d) We process Synced Data only in accordance with your instructions as configured through your integration settings and as necessary to provide the Service.
4. What Personal Data We Collect
3.1 Data You Provide Directly

| Data Category | Examples | Purpose |
|---|---|---|
| Account Information | Name, email address, company name | Account creation, communication, and service delivery |
| Payment Information | Payment method details, billing address, VAT number | Subscription billing and tax compliance (processed through Stripe) |
| API Keys & Authentication Credentials | API keys, OAuth tokens | Establishing and maintaining integrations (stored encrypted) |
| Communication Data | Support emails, chat messages, feedback | Providing support and improving the Service |
| GoHighLevel Identifiers | Location ID, sub-account API key, session key | Connecting and configuring integrations |

3.2 Synced Data (Processed on Your Behalf)
When you connect a third-party platform through CRM Connector, we process Synced Data that may include:
- Contact information (names, email addresses, phone numbers, addresses)
- Appointment and calendar data
- Invoice and transaction data
- Service history and custom fields
- Tags and status information
- Any other data made available through the third-party platform's API
The specific data synced depends on the third-party platform, its API capabilities, and your integration configuration. We do not determine what Synced Data is collected — this is determined by your configuration and the third-party platform's API.
3.3 Data Collected Automatically

| Data Category | Collection Method | Purpose |
|---|---|---|
| Website Usage Data | PostHog analytics | Understanding website traffic, improving user experience |
| Functional Cookies | Essential cookies | Maintaining sessions, remembering preferences |
| Log Data | Server logs | Security monitoring, debugging, and platform performance |
| IP Address | Automatic collection | Security, fraud prevention, approximate geolocation for analytics |
| Device and Browser Information | Automatic collection | Optimizing the Platform for different devices and browsers |
5. How We Use Your Data
4.1 Legal Bases for Processing (GDPR Article 6)
We process your Personal Data based on the following legal bases:

| Purpose | Legal Basis (Art. 6 GDPR) |
|---|---|
| Providing and maintaining the Service | Performance of contract (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Performance of contract (Art. 6(1)(b)) |
| Processing Synced Data on your behalf | Performance of contract (Art. 6(1)(b)) |
| Responding to support requests | Performance of contract (Art. 6(1)(b)) |
| Sending important service notifications | Legitimate interest (Art. 6(1)(f)) |
| Website analytics and session replay (PostHog) | Consent (Art. 6(1)(a)) |
| Fraud prevention and security monitoring | Legitimate interest (Art. 6(1)(f)) |
| Compliance with legal obligations (e.g., tax records) | Legal obligation (Art. 6(1)(c)) |

4.2 Specific Processing Activities
(a) Service Delivery: We use your account information, GoHighLevel identifiers, and API credentials to establish and maintain your integrations, perform data synchronization, and provide the Service as described in our Terms of Use.
(b) Payment Processing: Payment information is processed by Stripe, our third-party payment processor. We do not store full credit card numbers on our servers. Please refer to Stripe's privacy policy at https://stripe.com/privacy for information on how Stripe handles your payment data.
(c) API Key Storage: Your API keys and OAuth tokens are stored in encrypted form in our systems solely for the purpose of maintaining your active integrations. We do not use these credentials for any purpose other than providing the Service.
(d) Communication: We use your email address to send service-related communications, including subscription confirmations, integration alerts, and support responses. We do not send unsolicited marketing emails without your consent.
(e) Analytics: We use PostHog to understand how visitors interact with our website, which pages help users reach checkout, and where users encounter friction. This may include analytics events, page views, click interactions, referrer information, browser/device data, and limited session replay on selected high-intent pages.
8. International Data Transfers
7.1 Transfer Mechanisms
As our Platform uses service providers located in both the EU and the United States, your Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA). For transfers to countries that do not benefit from an EU adequacy decision, we ensure appropriate safeguards are in place, such as:
(a) EU-US Data Privacy Framework (DPF): For transfers to US-based service providers certified under the DPF;
(b) Standard Contractual Clauses (SCCs): As approved by the European Commission, where applicable;
(c) Other legally recognized transfer mechanisms under Chapter V of the GDPR.
7.2 Your Acknowledgment
By using the Platform, you acknowledge that your data may be processed in jurisdictions outside the EEA and that we will take reasonable steps to ensure adequate protection for your data in accordance with this Privacy Policy and applicable law.
9. Data Retention
8.1 Active Accounts
We retain your Personal Data for as long as your account is active and as necessary to provide the Service.
8.2 After Cancellation or Termination
(a) Upon cancellation or termination of your account, we will retain your data for a period of 90 days to allow for account reactivation or data retrieval upon request;
(b) After the 90-day retention period, your Personal Data, including stored API keys and authentication credentials, will be permanently deleted from our systems;
(c) Synced Data that has been transferred to GoHighLevel or your third-party platforms remains in those systems and is governed by their respective privacy policies. CRM Connector is not responsible for data stored on third-party platforms after synchronization.
8.3 Extended Retention
We may retain certain data for longer periods where required by law (e.g., financial records for tax compliance under Dutch fiscal law, which requires retention for 7 years) or where necessary to resolve disputes, enforce our agreements, or protect our legal rights.
8.4 Anonymized Data
We may retain and use anonymized and aggregated data (which cannot identify any individual) for analytical and improvement purposes indefinitely.
10. Data Security
9.1 Security Measures
We implement appropriate technical and organizational measures to protect your Personal Data against unauthorized access, alteration, disclosure, or destruction, including:
(a) Encryption: API keys and authentication credentials are stored in encrypted form;
(b) Access Controls: Access to Personal Data is restricted to authorized personnel only;
(c) Secure Transmission: Data is transmitted using industry-standard encryption protocols (TLS/SSL);
(d) Monitoring: We monitor our systems for security threats and unauthorized access.
9.2 No Absolute Security
Despite our best efforts, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of your data, and you transmit data to us at your own risk.
9.3 Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, we will:
(a) Notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR;
(b) Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34 of the GDPR;
(c) Where we act as Data Processor, notify you (the Data Controller) without undue delay so that you can fulfill your own notification obligations.
11. Your Rights Under the GDPR
As a data subject, you have the following rights regarding your Personal Data under the GDPR and the Dutch GDPR Implementation Act:
10.1 Right of Access (Article 15)
You have the right to request a copy of the Personal Data we hold about you.
10.2 Right to Rectification (Article 16)
You have the right to request correction of inaccurate or incomplete Personal Data.
10.3 Right to Erasure (Article 17)
You have the right to request deletion of your Personal Data, subject to legal retention obligations and other applicable exceptions.
10.4 Right to Restriction of Processing (Article 18)
You have the right to request restriction of processing of your Personal Data in certain circumstances.
10.5 Right to Data Portability (Article 20)
You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
10.6 Right to Object (Article 21)
You have the right to object to processing of your Personal Data based on legitimate interests, including profiling.
10.7 Right to Withdraw Consent (Article 7(3))
Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
10.8 Right to Lodge a Complaint
You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):
- Website: https://autoriteitpersoonsgegevens.nl
- Address: Bezuidenhoutseweg 30, 2594 AV Den Haag, The Netherlands
10.9 Exercising Your Rights
To exercise any of your rights, please contact us at:
- Email: support@crm-connector.com
- Address: CRM Connector, Opalstraat 17, 4421LK Kapelle, The Netherlands
We will respond to your request within one (1) month of receipt, as required by the GDPR. This period may be extended by two further months where necessary, taking into account the complexity and number of requests.
We may ask you to verify your identity before processing your request, to ensure the security of your data.
12. Data Processing Agreement
11.1 Availability
Where CRM Connector acts as a Data Processor on your behalf, you may request a Data Processing Agreement (DPA) in accordance with Article 28 of the GDPR by contacting us at support@crm-connector.com.
11.2 Scope
A DPA covers the processing of Synced Data performed by CRM Connector on your behalf and defines the obligations and rights of both parties regarding data protection.
13. Children's Privacy
12.1 Age Requirement
CRM Connector is a B2B service intended for business use. Our Platform is not directed at individuals under the age of 16, in accordance with the Dutch GDPR Implementation Act.
12.2 No Intentional Collection
We do not knowingly collect Personal Data from individuals under the age of 16. If we become aware that we have collected Personal Data from a person under 16, we will take steps to delete that data promptly.
14. Third-Party Links and Services
Our Platform and website may contain links to third-party websites or services. This Privacy Policy does not apply to those third-party websites or services. We encourage you to read the privacy policies of any third-party services you visit or use.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our Platform, or applicable law. Changes will be posted on this page with an updated effective date. Your continued use of the Platform after any changes constitutes your acceptance of the revised Privacy Policy. For significant changes, we will make reasonable efforts to notify you (e.g., through a notice on our website or an email notification).
16. Contact
If you have any questions about this Privacy Policy or our data practices, please contact us:
CRM Connector
Opalstraat 17, 4421LK Kapelle, The Netherlands
Email: support@crm-connector.com
KvK: 96231866
VAT: NL867523372B01
For data protection inquiries or to exercise your rights, please email: support@crm-connector.com
*© 2026 CRM Connector. All Rights Reserved.*