Privacy Policy

Last updated: 2026-05-01

What we collect

• Account data: email, name, hashed password (or Google OAuth profile).
• Workspace data: the leads, clients, projects, invoices, contracts and messages you create.
• Operational data: server logs, error reports (Sentry), webhook events from Stripe / Resend / Twilio / Meta.
• Cookies: a single httpOnly session cookie (Auth.js) and a Stripe fraud-prevention cookie when payment surfaces are loaded.

What we do not collect

• We do not sell, share, or profile your data with third parties for advertising.
• We never see your clients' card numbers — Stripe handles payment data.
• We do not collect SSN/EIN of your contractors. Tax addresses for 1099 reporting are stored only if you enter them.

Your rights (GDPR / CCPA)

• Access / portability: Workspace owners can download a full JSON export via Settings → Workspace.
• Erasure:Delete your workspace from Settings → Workspace. After 30 days the data is hard-deleted from the database. Backup retention follows the DB provider's schedule (Neon, ~7 days at MVP).
• Correction: Edit any record directly in the app. Email hello@allozacrm.com for help.

Subprocessors

• Vercel (hosting)
• Neon (PostgreSQL)
• Stripe (payments)
• Resend (email)
• Twilio (SMS)
• Anthropic (AI summaries — only when you trigger one)
• Sentry (error tracking)
• Google (OAuth + Calendar — only if you connect)
• Meta (Instagram DM — only if you connect)

Contact

Questions or requests: hello@allozacrm.com.