crimbox

Privacy Policy

Effective 30 June 2026

This is a plain-language template to get you live. Please have a qualified lawyer review and adapt it to your jurisdiction (e.g. GDPR / India DPDP) before relying on it.

This Policy explains how Crimbox (“we”) handles personal data in connection with Crimbox (the “Service”).

1. Two roles

For data an organisation enters into the Service about its own contacts and business, the organisation is the data controller and we are the data processor acting on its instructions. For account and billing data of the people who run organisations, we are the controller.

2. What we collect

Account data: name, email, password hash, role, login activity.
Organisation & billing data: organisation name, plan, invoices, payment references (we do not store full card numbers — those stay with the payment gateway).
Customer data you upload: contacts, messages, files and related records (processed on your behalf).
Technical data: IP address, device/browser info, and logs used for security and troubleshooting.

3. How we use it

To provide and secure the Service, process payments, provide support, prevent abuse, comply with law, and communicate service and account messages.

4. Administrative access & impersonation

Our authorised staff may access or impersonate an organisation’s account to provide support, investigate security incidents, prevent abuse, or meet legal obligations. This access is restricted to those purposes and is recorded in an audit log.

5. Sub-processors & sharing

We use trusted providers to run the Service, which may process data on our behalf, including: hosting (e.g. Hostinger), file storage and CDN (e.g. Cloudflare R2), payment gateways you enable, WhatsApp/Meta and email providers you connect, and Google (for “Continue with Google” sign-in). We share data only as needed to provide the Service or as required by law. We do not sell personal data.

6. Storage & retention

Data is retained while your account is active and for a reasonable period afterwards, then deleted or anonymised, subject to legal and backup-retention requirements. Backups are kept on a rolling schedule and rotate out over time.

7. Security

We use measures such as encrypted connections, hashed passwords, access controls, optional two-factor authentication for platform staff, login protection, and audit logging. No system is perfectly secure, but we work to protect your data.

8. Your rights

Depending on your location you may have rights to access, correct, export, or delete personal data. For data your organisation controls, please contact your organisation’s Admin; we will assist them as processor. For account data we control, contact us.

9. Cookies

We use strictly necessary cookies for sign-in sessions and security. We do not use advertising cookies.

10. Changes & contact

We may update this Policy; material changes will be notified. Questions or requests: [email protected].

← Back to sign in · Terms of Service · Status