SubCRMSign in →

Privacy Policy

Effective 2026-05-04

Template content — review before launch

This page contains placeholder language. Replace bracketed fields (company name, contact email, jurisdiction, etc.) and have legal counsel review the substantive terms before public launch.

This Privacy Policy describes how [Company Legal Name] ("we," "us," or "our") collects, uses, shares, and protects information when you use the SubCRM platform and related services (the "Services"). By using the Services you consent to the practices described below.

1. Information we collect

Information you provide

  • Account information: name, email address, password (stored as a salted bcrypt hash), business contact details.
  • Billing information: shipping and billing addresses, transaction history, subscription preferences. Card primary account numbers (PANs) are tokenized in our payment vault provider and are never stored on our systems in plaintext.
  • Communications you send to us, including support inquiries.

Information collected automatically

  • Usage data: pages viewed, features used, timestamps, referring URL, approximate location derived from IP address.
  • Device data: browser type, operating system, device identifiers.
  • Cookies and similar technologies. See our Cookie Policy for the specific cookies we set.

2. How we use information

We use the information we collect to:

  • Provide, maintain, and improve the Services.
  • Process payments, prevent fraud, and enforce our terms.
  • Send transactional notifications (receipts, payment failures, account changes).
  • Send service announcements and, where you have opted in, marketing communications.
  • Comply with legal obligations and respond to lawful requests.

3. Third-party processors

We share information with the following service providers to operate the Services. Each is bound by contractual confidentiality and data protection terms.

  • Vercel — application hosting and edge network.
  • Neon — managed Postgres database hosting.
  • Resend — transactional and operational email delivery.
  • Basis Theory — PCI-scoped tokenization vault for payment card data.
  • NMI — card payment gateway processing.
  • NowPayments — cryptocurrency payment processing.
  • ShipStation — fulfillment, shipping label generation, and carrier tracking.
  • Upstash — rate-limit and ephemeral session data store.
  • Sentry (when configured) — application error and performance monitoring.

4. Legal bases for processing (EEA/UK)

For users in the European Economic Area or the United Kingdom, we process personal data under one or more of the following legal bases: performance of a contract; compliance with a legal obligation; legitimate interests (operating, securing, and improving the Services); and consent (for marketing communications and certain cookies).

5. Data retention

We retain personal data only as long as needed to provide the Services, comply with legal obligations (including tax and accounting retention), resolve disputes, and enforce agreements. Account-level data is retained while your account is active and for a reasonable period afterwards. Audit log entries are retained for the duration required by applicable regulations.

6. Your rights

Depending on where you reside, you may have the right to: access the personal data we hold about you; correct inaccurate data; request deletion of your data; object to or restrict certain processing; obtain a portable copy of your data; and lodge a complaint with a supervisory authority.

Account holders can manage many of these rights directly from the customer portal. For other requests, contact us at [privacy@example.com].

7. Security

We employ administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit (TLS), encryption of sensitive credentials at rest (AES-256-GCM), rate limiting, account lockout for repeated failed logins, and principle-of-least-privilege access controls. No system can be made completely secure; please use a strong, unique password and enable two-factor authentication where available.

8. International transfers

The Services are operated from [Country / State]. If you access the Services from another jurisdiction, your information may be transferred to, stored, and processed in [Country / State] or other countries where our service providers operate. We rely on appropriate transfer mechanisms (such as Standard Contractual Clauses) where required by law.

9. Children's privacy

The Services are not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can take appropriate action.

10. Changes to this Policy

We may update this Privacy Policy from time to time. The "Effective" date at the top of this page reflects the most recent revision. Material changes will be communicated through the Services or by email where appropriate.

11. Contact

Questions about this Policy or our data practices may be directed to:

[Company Legal Name]
[Company Mailing Address]
[privacy@example.com]