Privacy Policy
Effective date: 21 March 2026 · Last updated: 21 March 2026
This Privacy Policy describes how Corleh ("Corleh", "we", "us", or "our") collects, uses, stores, discloses, and otherwise processes personal information when you access or use the Corleh CRM platform available at crm.corleh.com (the "Service"). By using the Service, you acknowledge that you have read and understood this Policy and agree to the practices described herein.
1. Information We Collect
1.1 Account Information
When you connect to Corleh CRM using Google OAuth, we receive and store your name, email address, profile picture URL, and a unique Google account identifier. We do not receive or store your Google account password at any time.
1.2 Contact & CRM Data
The Service allows you to store and manage records about your professional contacts, including but not limited to: full names, email addresses, phone numbers, job titles, company names, LinkedIn profile URLs, mailing addresses, tags, pipeline stage, deal values, notes, activity history, and any other data fields you choose to populate or import. This data is input by you or imported at your direction (e.g. via CSV upload or LinkedIn import) and is processed on your behalf.
1.3 Google Integration Data
With your explicit authorisation via Google OAuth, we access:
- Gmail: metadata and content of emails in your connected inbox to the extent required to power inbox display, AI summarisation, and mail merge features.
- Google Calendar: event titles, times, attendees, and descriptions to power the in-app calendar view and meeting insights.
- Google Profile: name, email, and profile photo for account identification.
You may revoke Google access at any time via your Google Account security settings. Revoking access will disable Google-dependent features but will not delete other CRM data you have stored.
1.4 LinkedIn Integration Data
With your explicit authorisation via LinkedIn OAuth, we access your LinkedIn access token, organisation/page IDs you manage, and profile information. This data is used solely to enable the Social Media posting feature. LinkedIn tokens are encrypted at rest.
1.5 Campaign & Email Activity Data
We collect data about email campaigns you send via the Service, including send timestamps, recipient addresses, delivery status, open events, click events, and unsubscribe events. Open and click tracking is facilitated via webhook integrations with Resend. This data is tied to your account and the relevant contact records in your CRM.
1.6 AI Agent Interactions
When you use the AI Agent feature, your prompts and the context provided (such as contact summaries, email drafts, or social post requests) are transmitted to Anthropic's Claude API for processing. We log these interactions in your account's activity history. You should not submit sensitive personal data or confidential third-party information through the AI Agent that you would not want processed by a third-party AI provider.
1.7 Usage & Technical Data
We automatically collect technical data including IP address, browser type, device identifiers, pages viewed, features used, actions taken, session duration, and error logs. This data is used for security, fraud prevention, performance monitoring, and product improvement.
1.8 Cookies & Local Storage
We use session cookies issued by NextAuth to maintain your authenticated session. We do not use third-party advertising cookies. By using the Service, you consent to the use of strictly necessary session cookies. You may disable cookies in your browser, but doing so will prevent you from using the Service.
2. How We Use Your Information
We process personal information for the following purposes:
- Service Delivery: To operate, maintain, and improve the features of Corleh CRM, including contact management, campaign sending, AI assistance, and integrations.
- Authentication & Security: To verify your identity, maintain session security, detect fraud, and protect against unauthorised access.
- Communications: To send transactional notifications, security alerts, and feature updates related to your account.
- Analytics & Product Development: To understand how the Service is used in aggregate, identify bugs, measure feature adoption, and make product improvements. We may use anonymised or aggregated data derived from your usage to train internal models, improve algorithms, and develop new features.
- Legal & Compliance: To comply with applicable laws, respond to lawful requests from authorities, enforce our Terms of Service, and protect the rights, property, and safety of Corleh, our users, and others.
- Business Operations: For billing, audit trails, support, and internal business administration.
Data Licence for Service Improvement: By using the Service, you grant Corleh a worldwide, royalty-free, non-exclusive licence to process, analyse, and use your data (including contact data, activity data, and interaction data) in anonymised or aggregated form for the purpose of improving the Service and developing new features. We will not use your data in a form that personally identifies you or your contacts for any purpose other than those described in this Policy without your consent.
3. Legal Basis for Processing (GDPR)
Where applicable under the General Data Protection Regulation (GDPR) or UK GDPR, we process personal data on the following legal bases:
- Contract Performance: Processing necessary to provide the Service you have agreed to use.
- Legitimate Interests: Security monitoring, fraud prevention, analytics, and product improvement, where these interests are not overridden by your rights.
- Consent: Where you have explicitly authorised third-party integrations (Google, LinkedIn) or opted in to specific communications.
- Legal Obligation: Where processing is required to comply with applicable law.
With respect to data belonging to your contacts (third parties whose data you import or manage in the CRM), you act as the data controller and Corleh acts as a data processor processing that data on your behalf. You are responsible for ensuring you have a lawful basis to process your contacts' data within the Service and that you comply with applicable data protection laws, including providing any required notices to your contacts.
4. Data Sharing & Disclosure
We do not sell your personal data. We may share information in the following circumstances:
- Service Providers: We engage trusted sub-processors to help us operate the Service, including Vercel (hosting), Neon (database), Resend (email delivery), Anthropic (AI processing), Google (OAuth & API), and LinkedIn (OAuth & API). Each sub-processor is bound by contractual data protection obligations.
- Business Transfers: If Corleh is involved in a merger, acquisition, financing, or sale of all or a portion of its business or assets, your data may be transferred as part of that transaction. We will notify you via email or a prominent notice on the Service prior to your data becoming subject to a different privacy policy.
- Legal Requirements: We may disclose data if required to do so by law, court order, or government authority, or where we believe disclosure is necessary to protect the rights, property, or safety of Corleh, our users, or the public.
- With Your Consent: We may share data with third parties for any purpose with your express prior consent.
5. Data Retention
We retain your account data and CRM data for as long as your account is active. If you request deletion of your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law or legitimate business necessity (e.g. financial records, fraud prevention logs, or backup recovery purposes). Certain anonymised or aggregated data derived from your usage may be retained indefinitely for product analytics purposes.
Audit logs and security logs are retained for a minimum of 90 days. Email campaign delivery data is retained for the duration of your account plus 12 months post-deletion to support deliverability investigations.
6. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate data.
- Erasure: Request deletion of your personal data, subject to legal retention obligations.
- Portability: Request your data in a machine-readable format.
- Restriction: Request that we restrict processing of your data in certain circumstances.
- Objection: Object to processing based on legitimate interests.
- Withdrawal of Consent: Withdraw consent for processing where consent was the basis, including by revoking OAuth access.
- California Residents (CCPA): You have the right to know what personal information is collected, request deletion, and opt out of sale (we do not sell personal data).
To exercise any of these rights, email us at privacy@corleh.com. We will respond within 30 days.
7. Security
We implement industry-standard technical and organisational measures to protect your data against unauthorised access, alteration, disclosure, or destruction. These include AES-256 encryption at rest, TLS 1.2+ in transit, OAuth 2.0 authentication, encrypted secret management, and least-privilege database access controls. See our Security page for full details.
No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.
8. International Data Transfers
Corleh operates from and stores data within cloud infrastructure that may span multiple regions. By using the Service, you consent to the transfer of your data to servers located outside your country of residence, including to countries that may not have data protection laws equivalent to those in your jurisdiction. We rely on Standard Contractual Clauses and sub-processor agreements to ensure adequate protection for cross-border data transfers.
9. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If you become aware that a minor has provided us with personal information, please contact us immediately.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in the law, our data practices, or the features of the Service. We will provide notice of material changes by updating the "Last updated" date above and, where appropriate, by emailing registered users or displaying a notice within the Service. Your continued use of the Service after any change constitutes your acceptance of the updated Policy.
11. Contact
For privacy-related enquiries, requests to exercise your rights, or questions about this Policy, please contact: