Privacy Policy

Last updated: April 25, 2026

1. Introduction

This Privacy Policy describes how Paper CRM (“Paper CRM,” “we,” “us,” or “our”) collects, uses, discloses, and safeguards information when you access or use our customer relationship management software, websites, and related services (collectively, the “Service”). By using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with our practices, do not use the Service.

We do not sell your personal information, share it with advertisers, or use the contents of your CRM data for any purpose beyond operating the Service for you.

2. Information we collect

Information you provide:

  • Account information — email address, password (hashed), and any profile details you provide at signup.
  • Contact data — names, emails, phone numbers, companies, and other details you add to the CRM.
  • Notes, tasks, and pipeline data — anything you record inside the app.
  • Email content — subjects and bodies of emails you compose and send through the Service.
  • Billing information — processed by our payment provider (Stripe). We do not store full card numbers on our servers.

Information collected automatically:

  • Usage data — pages viewed, features used, timestamps, and approximate location derived from IP.
  • Device data — browser type, operating system, and device identifiers.
  • Cookies and similar technologies — used for authentication, session management, and basic analytics.

Information from third parties:

  • Google OAuth — when you connect Gmail, we receive an email address and OAuth tokens (see Section 3).
  • Payment provider — confirmation of subscription status from Stripe.

3. Gmail / Google user data

Paper CRM uses Google OAuth 2.0 to connect your Gmail account. We request only the minimum scopes necessary:

  • gmail.send — to send emails on your behalf from within the app.
  • gmail.readonly (optional) — only requested if you enable the Follow-ups feature, which reads your sent folder to surface unanswered emails. You can revoke this at any time in Settings.
  • userinfo.email — to identify which Gmail account is connected.

Paper CRM's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with prior notice. We do not use Google user data for serving advertisements and do not allow humans to read it unless we have your explicit consent for specific messages, it is necessary for security purposes (such as investigating abuse), to comply with applicable law, or for internal operations where the data has been aggregated and de-identified.

OAuth tokens are encrypted at rest. Email body content used for AI follow-up suggestions is processed ephemerally and is not used to train AI models.

4. How we use your information

  • To provide, operate, maintain, and improve the Service.
  • To personalise your experience and generate AI-powered suggestions (follow-up drafts, action recommendations). Your data is sent to AI providers solely for this purpose and is not used to train their models.
  • To send transactional communications (account, billing, security, and product updates).
  • To detect, investigate, and prevent fraud, abuse, or security incidents.
  • To comply with legal obligations, enforce our terms, and protect our rights.

5. Legal bases for processing (EEA / UK)

If you are located in the European Economic Area or United Kingdom, we rely on the following legal bases: (a) performance of a contract — to provide the Service you signed up for; (b) legitimate interests — to secure, improve, and operate the Service in ways that do not override your rights; (c) consent — for optional integrations such as Gmail read access; and (d) compliance with legal obligations.

6. How we share information

We do not sell your personal information. We share information only with:

  • Service providers (sub-processors) listed in Section 7, under contractual obligations to protect your data.
  • Recipients you direct us to send to (e.g., emails you compose to your contacts).
  • Authorities, when required by law, subpoena, or to protect rights, property, or safety.
  • Acquirers, in the event of a merger, acquisition, or sale of assets — with notice to you and continued protection of your data.

7. Sub-processors

  • Supabase — database, authentication, and storage.
  • Vercel — hosting and edge delivery.
  • Stripe — payment processing and subscription billing.
  • Google (Gmail API) — sending and (optionally) reading email on your behalf.
  • OpenRouter / Google Gemini — AI text generation for drafts and summaries (Limited Use; not used for model training).

Each sub-processor is bound by its own privacy commitments. We periodically review providers and update this list as the Service evolves.

8. Data storage and security

Data is stored in Supabase with row-level security (RLS) enforced at the database layer — only you can access your own records. We use TLS/HTTPS for all data in transit, encrypt sensitive credentials and OAuth tokens at rest, and follow the principle of least privilege for administrative access. No system is perfectly secure; we do not warrant that the Service will be free from unauthorized access. In the event of a data breach affecting your information, we will notify you and applicable regulators as required by law.

9. International data transfers

Our service providers may process your information in the United States and other jurisdictions. Where required, we rely on appropriate safeguards (such as the Standard Contractual Clauses) to protect transfers from the EEA, UK, and other regions.

10. Data retention and deletion

We retain your data for as long as your account is active or as needed to provide the Service. You can delete individual contacts, notes, and emails from within the app at any time. To permanently delete your account and all associated data, use the account deletion option in Settings or email us at the address below; we will action requests within 30 days, subject to legal retention obligations (e.g., billing records).

11. Your rights

Depending on your jurisdiction, you may have the right to (a) access the personal information we hold about you, (b) correct inaccurate data, (c) request deletion, (d) restrict or object to processing, (e) data portability, and (f) withdraw consent. Residents of California (CCPA/CPRA), the EEA/UK (GDPR), and other regions with comparable laws may exercise these rights by contacting us at the address below. We will not discriminate against you for exercising any of these rights.

12. Children's privacy

The Service is not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

13. Cookies

We use strictly necessary cookies for authentication and session management, and limited analytics cookies to understand product usage. You can control cookies through your browser settings; disabling essential cookies may impair the Service.

14. Changes to this policy

We may update this Policy from time to time. When we do, we will revise the “Last updated” date at the top of this page and, for material changes, provide additional notice (e.g., email or in-product banner). Your continued use of the Service after the updated Policy takes effect constitutes your acceptance of the changes.

15. Contact

For privacy questions, requests, or to exercise any of the rights above, contact us at support@useusepapercrm.com. We aim to respond to verified requests within 30 days.