Privacy Policy
This Privacy Policy explains how SyntonyCRM ("we", "us", "Company") collects, uses, stores, and shares personal data when you visit our website at www.syntonycrm.com or use our SaaS platform. We are committed to handling personal data responsibly and in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and applicable US state privacy laws.
1. Who We Are (Data Controller)
The data controller responsible for your personal data is:
SyntonyCRM
11126–11204 Belair Dr
San Antonio, TX 78213
United States of America
Email: info@syntonycrm.com
Response time: within 1 business day
2. What Personal Data We Collect
We collect personal data in the following categories, depending on how you interact with us:
| Category | Examples | Source |
|---|---|---|
| Account data | Name, business email address, company name, job title, password (hashed) | Provided by you at registration |
| Billing data | Billing address, invoice records | Provided by you; payment card data is processed directly by Stripe and never stored on our servers |
| Usage data | Pages visited, features used, session duration, click interactions, error logs | Collected automatically via server logs and analytics tools |
| Device & technical data | IP address, browser type and version, operating system, screen resolution | Collected automatically |
| Communications data | Contents of support emails, demo requests, contact form submissions | Provided by you when contacting us |
| Customer Data (processed on behalf) | Contact records, notes, deal information, email logs stored within the platform by customers | Uploaded or created by customers; processed under a Data Processing Agreement |
3. How We Use Your Personal Data
- To provide and operate the Service: Account creation, authentication, feature delivery, customer support, and billing management.
- To communicate with you: Sending transactional emails (account confirmations, invoices, password resets), responding to support requests, and sending product updates relevant to your plan.
- To improve the Service: Analyzing aggregated usage patterns to identify bugs, improve user experience, and prioritize product development. This analysis uses anonymized or aggregated data wherever possible.
- To comply with legal obligations: Retaining invoices and tax records as required by law, and responding to lawful requests from authorities.
- Marketing (with consent only): Sending optional newsletters or product announcements if you have opted in. You may withdraw consent at any time by clicking the unsubscribe link in any email or by contacting us.
4. Legal Basis for Processing (GDPR)
For individuals located in the European Economic Area or United Kingdom, our legal bases for processing personal data are:
- Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide the Service and manage your subscription.
- Legitimate interests (Art. 6(1)(f) GDPR): Product analytics, security monitoring, fraud prevention, and improving the Service, where these interests are not overridden by your rights.
- Legal obligation (Art. 6(1)(c) GDPR): Retaining billing records and responding to lawful requests.
- Consent (Art. 6(1)(a) GDPR): Marketing communications and non-essential cookies. You may withdraw consent at any time.
5. Data Sharing and Third-Party Processors
We do not sell your personal data. We share data only with trusted service providers who process data on our behalf under contractual data processing agreements. Our current sub-processors include:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting and infrastructure | United States |
| Stripe Inc. | Payment processing | United States |
| Google Analytics | Website analytics (anonymized) | United States |
| Postmark (ActiveCampaign) | Transactional email delivery | United States |
| Intercom Inc. | Customer support chat (optional) | United States |
We may also disclose personal data if required to do so by law, court order, or government authority, or if we believe disclosure is necessary to protect our legal rights, to protect the safety of any person, or to prevent fraud.
6. International Data Transfers
Our servers and most of our sub-processors are located in the United States. If you are located in the EEA or UK, your personal data will be transferred to the US. We ensure an adequate level of protection through Standard Contractual Clauses (SCCs) as approved by the European Commission, or through other lawful transfer mechanisms where applicable.
7. Data Retention
- Account data: Retained for the duration of your account and deleted within 30 days of account closure upon your request.
- Billing and invoicing data: Retained for 7 years as required by US tax and accounting regulations.
- Usage and analytics data: Retained in aggregated or anonymized form for up to 24 months.
- Support communications: Retained for up to 3 years to support future service requests and improve support quality.
- Marketing consent records: Retained until consent is withdrawn.
8. Your Rights
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): Request deletion of your personal data, subject to legal retention obligations.
- Right to restriction: Request that we restrict processing of your data in certain circumstances.
- Right to data portability: Request a structured, machine-readable copy of data you have provided to us.
- Right to object: Object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent: Withdraw any consent given at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please email info@syntonycrm.com. We will respond within 1 business day to acknowledge your request and aim to fulfill it within 30 days. We may ask you to verify your identity before processing certain requests.
9. Security
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for all data at rest
- Role-based access controls and least-privilege principles for all internal systems
- Daily automated backups with tested restore procedures
- Regular internal security reviews and vulnerability assessments
While we take these precautions seriously, no system is completely secure. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and applicable supervisory authorities as required by law.
10. Cookies
We use cookies and similar tracking technologies on our website. For full details on what cookies we use and how you can manage your preferences, please see our Cookie Policy.
11. Children's Privacy
The Service is intended for business use by individuals aged 18 and over. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly. Please contact us at info@syntonycrm.com if you believe this has occurred.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will notify you by email and update the "Last updated" date at the top of this page. We encourage you to review this Policy periodically.
13. Complaints
If you are located in the EEA or UK and believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with your local data protection supervisory authority. In the US, you may contact the Federal Trade Commission (FTC). We would, however, always appreciate the opportunity to address your concerns first — please contact us at info@syntonycrm.com.