Privacy Policy

PlainCRM Ltd is a company registered in England and Wales (company number [Companies House number]). Our registered office is [Registered office address, United Kingdom]. We are registered with the UK Information Commissioner’s Office (ICO) under registration number [ICO registration number].

PlainCRM is used by three broad groups of people, and our role under UK GDPR depends on which group you fall into:

• Visitors to plaincrm.com. When you browse our marketing site or contact us, we are the controller of your personal data.
• Our customers and their staff (“Account Users”). When you sign up for an account, log in, connect integrations or are invited as a teammate, we are the controller of the account, billing and authentication data we hold about you.
• Leads, contacts and end-customers (“Brand Contacts”).When members of the public phone, email, chat with, or submit a form to one of our customers’ brands, our customer is the controller of that information and we act as a processoron their behalf under our Data Processing Addendum (“DPA”). If you are a Brand Contact and want to exercise your rights, please contact the brand you interacted with first; we will assist them in responding.

The categories of personal data we process include:

• Account & identity data — name, email address, password (hashed), phone number, profile photo, role, brand membership.
• Billing data — billing contact, billing address, VAT number, plan, invoice history. Card details are handled by our payment processor and never stored on our servers.
• Usage & technical data — IP address, device and browser information, log-in timestamps, audit logs of actions taken inside the app.
• Integration data — OAuth tokens and metadata for services you connect (Google, Postmark, Plivo, Twilio, etc.).
• Communications content — call recordings and transcripts, voicemail audio, inbound and outbound emails, SMS messages, web chat transcripts, and the content of lead-form submissions sent to your brand.
• Contact & CRM records — names, phone numbers, email addresses, addresses, notes, tags, opportunity status, and other fields entered by Account Users about Brand Contacts.
• Calendar data — booking events, meeting times, attendees and free/busy information that you authorise us to read or write to your Google Calendar (see Section 5).

• To provide, operate and support the Service.
• To authenticate you and protect your account.
• To unify enquiries from calls, email, SMS, chat and forms into a single contact record, and to generate AI summaries, transcripts, entity extraction and triage suggestions.
• To sync booking and availability information with your calendar.
• To bill you for the Service and keep accounting records.
• To send service messages (security, billing, downtime, product updates) and, where you have opted in, marketing communications you can unsubscribe from at any time.
• To investigate and prevent fraud, abuse and security incidents, and to comply with legal obligations.

Where we are the controller, our legal bases under UK GDPR are:

• Contract (Art. 6(1)(b)) — to provide the Service you have signed up for.
• Legitimate interests (Art. 6(1)(f)) — to secure our platform, prevent fraud, improve the product, and send service-related communications. We balance these interests against your rights.
• Consent (Art. 6(1)(a)) — for non-essential cookies, marketing emails, and where you connect optional integrations such as Google Calendar.
• Legal obligation (Art. 6(1)(c)) — to keep accounting records, respond to lawful requests from authorities, and meet our regulatory duties.

Where we process data on behalf of an Account customer (Brand Contacts), our customer is responsible for establishing the legal basis under their own privacy notice.

PlainCRM offers an optional integration with Google Calendar so that your team’s availability, bookings and follow-up appointments stay in sync with your CRM. The integration uses Google’s OAuth 2.0 flow.

What we request. When you connect Google Calendar we ask for the minimum scopes needed to:

• read your list of calendars and free/busy information;
• create, update and delete events that PlainCRM has scheduled (for example, a meeting booked from a lead conversation); and
• read attendee responses for events PlainCRM has created.

We do not read or store the content of unrelated calendar events beyond what is necessary to detect conflicts and to display events you have asked PlainCRM to surface.

How we use it. Google Calendar data is used solely to provide the calendar features inside PlainCRM (availability checks, booking, reminders, conflict detection). We do not sell, share or use Google user data for advertising. We do not use it to train generalised or third-party AI/ML models.

Storage. OAuth refresh tokens are encrypted at rest. Cached event data is kept only as long as needed to display your calendar inside PlainCRM and is refreshed from Google.

Compliance with Google API Services User Data Policy. PlainCRM’s use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Revoking access. You can disconnect the integration at any time from your PlainCRM account settings, and you can additionally revoke our access via your Google Account permissions page. When access is revoked we delete the OAuth tokens and any cached calendar data within 30 days.

When a call is made or received through a number provisioned by PlainCRM (via Plivo or Twilio), we may, on behalf of the brand:

• record the audio of the call;
• transcribe the recording using a speech-to-text provider (such as Soniox);
• run AI models to summarise the call, extract entities (names, phone numbers, addresses, job types) and create or update CRM records.

Brands are responsible for telling callers that calls may be recorded (for example, via a pre-call announcement) and for establishing a lawful basis under UK GDPR and PECR. PlainCRM provides tooling to play call-recording notices, but the brand is the controller of the recording.

Recordings, transcripts and AI-derived data are stored alongside the contact record, are accessible only to authorised users of the relevant brand, and are retained according to the brand’s configured retention period (see Section 10).

Inbound and outbound email is delivered through Postmark. Inbound messages addressed to a brand mailbox are parsed, attached to the matching contact and stored in PlainCRM. SMS and web-chat messages are processed similarly. Lead-form submissions captured via PlainCRM-hosted forms are written directly to the brand’s CRM.

The content of these communications is treated as the brand’s data. We process it solely to deliver the Service and on the documented instructions of the brand.

We do not sell personal data. We share personal data only with:

• Sub-processors who help us run the Service, under written contracts that meet UK GDPR Art. 28 requirements. Current sub-processors include (non-exhaustive): cloud hosting and storage, Postmark (email), Plivo and Twilio (telephony), Soniox (speech-to-text), our AI model providers, our payment processor, and our error/monitoring tooling. A current list is available on request.
• Account administrators within your organisation, who can access account data, audit logs and integration settings.
• Authorities, where we are legally required to disclose information (for example, in response to a valid court order).
• Successors in the event of a merger, acquisition, restructuring or sale of assets, subject to appropriate confidentiality and data-protection commitments.

Some of our sub-processors are located outside the United Kingdom and the European Economic Area. Where personal data is transferred internationally, we rely on appropriate safeguards under UK GDPR, such as the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or transfers to countries covered by an adequacy decision. A copy of the relevant safeguards is available on request.

We retain personal data only for as long as needed for the purposes described in this policy:

• Account data — for the lifetime of your account and for up to 90 days after closure, then deleted or anonymised (longer where required by law, e.g. accounting records for 6 years).
• Brand Contact data, conversations and recordings — retained according to the brand’s configured retention settings. On termination of a customer’s account, data is deleted within 30 days unless a longer period is agreed in writing.
• Google Calendar data & OAuth tokens — deleted within 30 days of disconnection or account closure.
• Logs and security data — typically retained for up to 12 months.

We use industry-standard technical and organisational measures to protect personal data, including encryption in transit (TLS) and at rest, role-based access controls, audit logging, regular backups, principle-of-least-privilege access for staff, and security review of changes. No system can be guaranteed completely secure; we will notify the ICO and affected individuals where a breach meets the UK GDPR notification threshold.

Subject to UK GDPR, you have the right to:

• access the personal data we hold about you;
• have inaccurate data corrected;
• request erasure (“the right to be forgotten”);
• restrict or object to processing;
• data portability;
• withdraw consent at any time (without affecting the lawfulness of prior processing); and
• not be subject to a decision based solely on automated processing that produces legal or similarly significant effects.

To exercise these rights, email [email protected]. If your request relates to data held about you by one of our customers (a Brand Contact), please contact that brand directly; we will assist them as their processor.

We use strictly necessary cookies to keep you logged in and to secure the Service. We may also use analytics cookies to understand how the Service is used; these are only set with your consent where required. You can manage cookies in your browser at any time.

The Service is not intended for children under 16 and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

We may update this Privacy Policy from time to time. Where the changes are material we will notify Account Users by email or in-product notice. The “last updated” date at the top of this page reflects the latest version.

For privacy questions, requests or to contact our Data Protection point of contact:

• PlainCRM Ltd, [Registered office address, United Kingdom]
• Email: [email protected] (privacy) or [email protected] (data protection).

If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO): ico.org.uk/make-a-complaint.