Privacy Policy

1. INFORMATION WE COLLECT

Information you provide directly

• Account information: Your email address when you sign up or sign in via one-time passcode (OTP).
• Organization data: Your organization name, role (admin, manager, or rep), and subscription details.
• CRM data: Accounts, contacts, touch logs, tasks, pipeline opportunities, and notes that you enter into the application. This data may include names, email addresses, phone numbers, and other business contact information belonging to your customers and prospects.
• Communications: Emails or support messages you send to us.

Information collected automatically

• Usage data: Features you use, actions you take, and how you interact with the Services (e.g., touches logged, tasks completed).
• Device information: Device type, operating system version, and app version for diagnostic purposes.
• Inbound email: If you use the Email Integration feature, emails forwarded to your unique inbound address are processed to create touch records. We store the sender, subject, and body of these emails.

Information from third parties

• Payment information: Billing and subscription data is handled by Stripe. We do not store full credit card numbers. We receive subscription status and billing event data from Stripe.

2. HOW WE USE YOUR INFORMATION

We use the information we collect to:

• Provide, maintain, and improve the Services
• Authenticate your identity and manage your account and organization
• Process your subscription and billing through Stripe
• Send transactional emails (e.g., OTP codes, team invitations) via Resend
• Process inbound emails to create touch records via Mailgun
• Generate AI-powered touch drafts and account summaries via the Anthropic API (when you use AI Capture Assist on eligible plans)
• Send local push notifications for task reminders (only if you enable this feature and grant permission)
• Respond to your support requests and feedback
• Monitor for fraud, abuse, and security incidents
• Comply with legal obligations

We do not sell your personal information or use it for advertising purposes.

3. HOW WE SHARE YOUR INFORMATION

We share your information only in these limited circumstances:

• Within your organization: CRM data (accounts, contacts, touches, tasks, pipelines) is shared with other members of your organization based on their assigned role.
• Service providers: We share data with trusted vendors who help us operate the Services (see Section 4). These providers are contractually bound to protect your data.
• Legal requirements: We may disclose information if required by law, court order, or to protect our legal rights.
• Business transfers: If Touchstone CRM is acquired or merged, your information may be transferred as part of that transaction. We will notify you before your data is subject to a different privacy policy.

We do not sell, rent, or trade your personal information to third parties.

4. THIRD-PARTY SERVICES

The Services rely on the following third-party providers. Each has their own privacy policy:

• Supabase — Database, authentication, and backend infrastructure. Your data is stored in Supabase's cloud database with row-level security enforced at the database level.
• Stripe — Payment processing and subscription management. Stripe stores your payment method and billing details. We only receive subscription status events.
• Resend — Transactional email delivery (OTP codes, team invitations).
• Mailgun — Inbound email routing for the Email Integration feature. Emails sent to your inbound address are forwarded to our backend for processing.
• Anthropic — AI features (touch drafts, account summaries) on eligible plans. Notes and account activity data are sent to the Anthropic API to generate responses. We do not send personally identifiable information about your contacts to Anthropic unless it is included in the notes you ask the AI to process.
• Expo / React Native — Mobile app framework. Push notification tokens are managed via Expo's notification service when you enable task reminders.

5. DATA RETENTION

We retain your data for as long as your account is active or as needed to provide the Services. Specifically:

• Account data: Retained until you delete your account.
• CRM data (accounts, contacts, touches, tasks, pipelines): Retained as long as your organization exists. When an organization is deleted (e.g., when the last member deletes their account), all associated CRM data is permanently deleted via database cascade.
• Billing records: Retained as required by law and Stripe's data retention policies (typically 7 years for financial records).
• Support communications: Retained for up to 3 years.

When you delete your account, your personal data is permanently removed from our systems. See Section 9 for how to request account deletion.

6. SECURITY

We implement reasonable technical and organizational measures to protect your information, including:

• Row-level security (RLS) on all database tables to enforce tenant isolation — users can only access data belonging to their organization
• All data transmitted between the app and our servers is encrypted via HTTPS/TLS
• Authentication tokens are stored in your device's secure storage (not in plain-text storage)
• API keys and secrets are stored as environment secrets, never in source code

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

7. CHILDREN'S PRIVACY

The Services are not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us at support@touchstonecrmapp.com and we will promptly delete it.

8. YOUR RIGHTS AND CHOICES

Depending on your location, you may have certain rights regarding your personal information:

• Access: You can view your account information and CRM data directly within the app at any time.
• Export: You can export your data in CSV format from the app's export features.
• Correction: You can update your organization information and CRM data directly within the app.
• Deletion: You can permanently delete your account and all associated data (see Section 9).
• Notifications: You can disable push notifications at any time in the app's Profile settings or in your device's notification settings.

For requests related to your personal data that are not covered by the above in-app options, contact us at support@touchstonecrmapp.com.

9. ACCOUNT AND DATA DELETION

You can permanently delete your account and all associated data directly within the app:

1. Open the app and tap the Profile tab
2. Scroll down and tap Delete Account
3. Confirm the deletion in the prompt

Upon deletion:

• Your user account is permanently removed from our authentication system
• Your profile and membership records are deleted
• If you are the sole member of an organization, the entire organization and all its CRM data (accounts, contacts, touches, tasks, pipelines, opportunities) is permanently deleted
• If you are the sole admin of an organization with other members, you must first promote another member to admin or remove all other members before you can delete your account

This action is irreversible. If you have difficulty deleting your account in the app, email us at support@touchstonecrmapp.com and we will process the deletion within 30 days.

10. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. If changes are material, we will notify you via email or a prominent notice in the app. Your continued use of the Services after any changes constitutes your acceptance of the updated policy.

11. CONTACT US

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Touchstone CRM
support@touchstonecrmapp.com

We will respond to all privacy-related inquiries within 30 days.