
Privacy Policy

Last updated: December 26, 2025

CRM Canvas ("we", "us", or "our") respects your privacy. This policy explains what data we collect and how we use it.

What We Collect

Email Address

When you join our waitlist, we collect your email address. That's it. We don't collect your name, company, or any other personal information unless you provide it voluntarily.

Analytics Data

We use Google Analytics to understand how visitors use our website. This collects anonymous data like pages visited, time on site, and general location (country/city level). This data is aggregated and cannot identify you personally.

How We Use Your Data

  • Send you product updates and launch announcements
  • Notify you about early access and founder pricing
  • Occasionally share relevant content (blog posts, guides)
  • Improve our website based on aggregate analytics

We will never sell your email address or share it with third parties for their marketing purposes.

Third-Party Services

We use the following services to operate:

Your Rights

You can:

  • Unsubscribe — Click the unsubscribe link in any email
  • Delete your data — Email us and we'll remove you completely
  • Access your data — Email us and we'll tell you what we have

Cookies

Google Analytics uses cookies to track website usage. These are small files stored in your browser. You can disable cookies in your browser settings, though this may affect functionality on some websites.

Data Security

Your email is stored securely by ConvertKit, which uses industry-standard encryption and security practices. Our website is served over HTTPS.

HubSpot Integration Security

When you connect your HubSpot account to CRM Canvas, we use OAuth 2.0 authentication — the industry standard for secure API access.

How OAuth Works

  • We never see your password. You authenticate directly with HubSpot's login page.
  • Limited permissions. We only request read access to contacts, companies, deals, owners, and email engagement history.
  • Revocable access. You can disconnect CRM Canvas from HubSpot at any time.

Permissions We Request

  • crm.objects.contacts.read — View contact names, emails, and properties
  • crm.objects.companies.read — View company information
  • crm.objects.deals.read — View deal associations and stages
  • crm.objects.owners.read — View account owner assignments
  • sales-email-read — View email engagement history (subjects, timestamps)

We cannot create, update, or delete any records in your HubSpot account. Read-only means read-only.

Token Security

  • OAuth tokens are encrypted with AES-256 before storage
  • Access tokens expire every 30 minutes and are automatically refreshed
  • Tokens are immediately deleted when you disconnect your HubSpot account

CRM Data Handling

Your CRM data is processed to generate relationship maps, but we do not store your CRM data.

  • Contact and company data is fetched on-demand from HubSpot
  • Data is processed in memory to generate your diagram
  • CRM data is discarded after processing — not saved to any database
  • Only the generated diagram image is stored (so you can access it later)

AI Processing (OpenAI)

CRM Canvas uses OpenAI's API to generate contact dossiers and relationship diagrams. Here's what you need to know:

What Data is Processed

To generate relationship insights and dossiers, we send relevant CRM data to OpenAI for analysis. This includes:

  • Contact information (names, titles, departments)
  • Company information (name, domain)
  • Interaction history (emails, meetings, notes)

We only send data necessary for relationship mapping. We never send passwords, financial data, or unrelated personal information.

OpenAI Does Not Train on Your Data

Critical for enterprise security: We use OpenAI's API, not the ChatGPT consumer product. Per OpenAI's Enterprise Privacy:

  • No training on API data. OpenAI does not use API inputs or outputs to train their models.
  • Zero data retention. API requests are not stored beyond the immediate processing window.
  • SOC 2 Type II certified. OpenAI maintains enterprise-grade security certifications.

Data Flow

  1. CRM data is fetched from HubSpot and held in memory (not stored)
  2. Relevant fields are sent to the OpenAI API over a TLS 1.3 encrypted connection
  3. OpenAI processes the request and returns generated content
  4. CRM data is immediately discarded from our servers
  5. Only the generated dossiers/diagrams remain in your browser session

Your CRM data passes through our systems only as long as necessary to call the OpenAI API — typically seconds — and is never persisted.

Encryption Standards

  • In Transit: TLS 1.3 encryption for all API communications
  • At Rest: AES-256 encryption for stored OAuth tokens
  • HTTPS: All website and API traffic is encrypted

GDPR & CCPA Compliance

We respect data privacy regulations worldwide:

  • Right to Access: Request a copy of any data we hold about you
  • Right to Deletion: Request complete deletion of your account and data
  • Right to Portability: Export your diagrams in standard formats
  • Right to Opt-Out: Disconnect HubSpot or unsubscribe at any time

We respond to all privacy requests within 30 days.

Changes to This Policy

If we make significant changes, we'll update the date at the top of this page. For major changes affecting your data, we'll notify you by email.

Contact

Questions? Email us at hello@crmcanvas.app