Privacy Policy
Last updated: June 2026
This Privacy Policy describes how PersonalCRM (“we”, “us”, or “our”) collects, uses, and protects your personal data when you use our web application and related services (the “Service”). We are committed to protecting your privacy and processing your data in accordance with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Who We Are
PersonalCRM is the data controller for the personal data you provide when using this Service. If you have questions about this Privacy Policy or our data practices, please contact us at privacy@personalcrm.me.
2. Data We Collect
Account information
When you create an account, we collect your email address. This is the only account-level personal data we require. We use email-based magic link authentication — no password is stored.
User-generated content
The Service allows you to store data about your personal and professional contacts. This may include:
- Contact names, phone numbers, and email addresses
- Notes, interaction history, and meeting records (pings, meetings, follow-ups)
- Network labels you define
- Reminder settings and follow-up dates
You are responsible for ensuring you have a lawful basis for storing personal data about third parties in the Service. We recommend using PersonalCRM only for data about people who have consented to being in your contact list, or where you have another legitimate basis.
Usage data
We collect basic, anonymised analytics data to understand how the Service is used and to improve it. This includes information such as pages visited, features used, and general usage patterns. This data does not identify you personally and is not linked to your account content.
3. How We Use Your Data
We use your personal data to:
- Provide, operate, and maintain the Service
- Authenticate your identity via magic link emails
- Send transactional communications (login links, account-related notices)
- Improve and develop the Service using anonymised analytics
- Comply with legal obligations
We do not use your data for advertising, profiling, or marketing. We do not sell your data to any third party. We do not use your contact data to train AI or machine learning models.
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), our legal basis for collecting and using your personal data depends on the type of data and context:
- Contract performance — processing your account email to provide the Service you have requested
- Legitimate interests — improving the Service and preventing fraud, where these interests are not overridden by your rights
- Legal obligation — where we are required to retain or disclose data by law
5. Data Storage and Security
Your data is stored in a Supabase PostgreSQL database hosted in the EU (Frankfurt, Germany). All data is encrypted at rest and encrypted in transit using TLS. The Service is hosted on Vercel, which uses a global edge network; static assets and serverless function responses may be processed at edge nodes in various regions, but your primary data always resides in the EU database.
We implement appropriate technical and organisational security measures to protect your data against unauthorised access, alteration, disclosure, or destruction. These measures include access controls, encryption, and regular security reviews.
No system is completely secure. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.
6. Third-Party Services
We use a small number of third-party service providers to operate the Service:
- Supabase — database (PostgreSQL) and authentication provider. Supabase processes your account email and stores all your data. Their infrastructure is hosted in the EU (Frankfurt). See Supabase's Privacy Policy.
- Vercel — application hosting and content delivery. Vercel serves the web application and may process request metadata (e.g., IP addresses) at edge nodes globally. See Vercel's Privacy Policy.
We do not share your data with any other third parties, except where required by law.
7. Cookies
We use only essential cookies necessary for authentication and session management. These cookies allow you to remain logged in to the Service. We do not use tracking cookies, advertising cookies, or any cookies for analytics or profiling purposes.
Because we use only essential cookies, we do not display a cookie consent banner. If we introduce non-essential cookies in the future, we will update this policy and obtain your consent where required by applicable law.
8. Data Retention
We retain your personal data for as long as your account is active. When you delete your account, we will permanently delete your account data and all associated user content within 30 days. Anonymised or aggregated data (which cannot be used to identify you) may be retained beyond this period for analytical purposes.
You can export your data at any time before deleting your account.
9. Your Rights (GDPR)
If you are located in the EEA or UK, you have the following rights under the GDPR and applicable national data protection law:
- Right of access (Article 15) — you can request a copy of the personal data we hold about you
- Right to rectification (Article 16) — you can correct inaccurate or incomplete data
- Right to erasure (Article 17) — you can request deletion of your data (“right to be forgotten”)
- Right to data portability (Article 20) — you can request your data in a structured, machine-readable format
- Right to restriction of processing (Article 18) — you can ask us to restrict processing of your data in certain circumstances
- Right to object (Article 21) — you can object to processing of your data based on legitimate interests
- Right to lodge a complaint — you have the right to lodge a complaint with your local supervisory authority
Many of these rights can be exercised directly within the Service (e.g., editing or deleting your data, exporting your contacts). To exercise any other right, or if you need assistance, please contact us at privacy@personalcrm.me. We will respond within 30 days.
10. California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know — you can request disclosure of the categories and specific pieces of personal information we have collected about you
- Right to delete — you can request deletion of your personal information
- Right to opt out of sale — we do not sell personal information, so this right does not apply
- Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights
To exercise your CCPA rights, contact us at privacy@personalcrm.me.
11. Children's Privacy
The Service is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will delete it promptly. If you believe we may have collected data from a child under 16, please contact us at privacy@personalcrm.me.
12. International Data Transfers
Your primary data is stored in the EU (Frankfurt, Germany) via Supabase, which operates within the European Economic Area and complies with GDPR requirements.
The Service is delivered via Vercel's global edge network, which means that web requests may be processed at edge nodes located outside the EEA. However, Vercel does not persistently store your personal data at these edge nodes; they are used solely to serve the application. Vercel participates in the EU-US Data Privacy Framework and maintains appropriate safeguards for any international data transfers.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by email or by displaying a prominent notice in the Service at least 14 days before the changes take effect. The date at the top of this page reflects when the policy was last revised.
14. Contact and Data Requests
For any privacy-related questions, requests to exercise your rights, or to report a concern about our data practices, please contact us at:
PersonalCRM — Data Privacy
Email: privacy@personalcrm.me
We aim to respond to all privacy requests within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.