Privacy Policy

Coltrane CRM ("Coltrane," "we," "us," or "our") collects the following categories of personal data when you use our service:

Account & Identity Data

• Name — provided during registration to personalize your account
• Email address — used for authentication, notifications, and support
• Password — stored as a one-way cryptographic hash; we never store your plaintext password

CRM Data You Enter

• Contact records (names, emails, phone numbers, company names, notes)
• Deal and pipeline information (titles, values, stages, close dates)
• Activity logs, meeting notes, and task records you create
• Any other content you choose to upload or input into the platform

Usage & Technical Data

• IP address and approximate geographic location (country/region)
• Browser type, operating system, and device type
• Pages visited, features used, and time spent in the app
• Session timestamps and error logs for debugging purposes
• Referral URL (which website sent you to us)

Payment Data

• We do not store full credit card numbers. Payments are processed by Stripe, which stores your card details securely under their PCI-DSS compliance. We receive only a tokenized payment reference and last-four digits.

We use the data we collect for the following purposes:

• Provide the Service: Create and manage your account, run the CRM application, store your contacts and deals, and enable all platform features
• Process Payments: Charge your subscription fee via Stripe and manage billing records
• Customer Support: Respond to your questions, bug reports, and account requests
• Product Improvement: Analyze aggregated usage patterns to identify what features to build or improve (this analysis is performed on anonymized data)
• Security & Fraud Prevention: Detect and prevent unauthorized access, abuse, and fraudulent activity
• Legal Compliance: Fulfill legal obligations, respond to lawful requests, and enforce our Terms of Service
• Transactional Communications: Send password resets, subscription confirmations, billing receipts, and critical service notifications
• Optional Marketing: Send product updates, tips, and promotional offers — only if you have opted in. You can unsubscribe at any time via any marketing email we send.

We will not use your data for any purpose other than those listed above without your explicit consent.

Under GDPR and similar data protection laws, we must have a legal basis for each way we process your personal data:

• Contract Performance: Processing your account information and CRM data is necessary to provide the service you signed up for. Without this, we cannot operate your account.
• Legitimate Interest: We process usage and technical data to maintain platform security, prevent fraud, debug issues, and improve our product. These interests do not override your fundamental privacy rights.
• Consent: If we send optional marketing communications, we do so only on the basis of your explicit consent. You can withdraw this consent at any time.
• Legal Obligation: We may process data where required to comply with applicable law (for example, retaining billing records for tax purposes).

We do not sell, rent, or trade your personal data. We share data only in these limited circumstances:

• Stripe (Payments): Your payment information is shared with Stripe, Inc. to process subscription billing. Stripe is PCI-DSS Level 1 certified. See Stripe's Privacy Policy for details.
• Hosting & Infrastructure Providers: We use Render (application hosting) and Neon (database hosting) to run the platform. Your data is stored on their infrastructure under our instructions and is not accessible to these providers for their own purposes.
• Legal Requirements: We may disclose data if required by law, court order, or government authority, or if we believe disclosure is necessary to protect our rights or the safety of others.
• Business Transfers: If Coltrane CRM is acquired or merges with another company, your data may be transferred as part of that transaction. We will notify you via email before any such transfer and give you the option to delete your account.

All third-party service providers we use are bound by contractual obligations to keep your data secure and confidential.

We retain your data for as long as your account is active or as needed to provide the service. Specific retention periods:

• Active account data (contacts, deals, activities): Retained indefinitely while your subscription is active, available for export at any time
• After account cancellation: All data is retained for 30 days, after which it is permanently and irreversibly deleted from our systems and backups
• Billing records: Retained for 7 years to comply with tax and financial reporting obligations
• Server logs: Retained for 90 days for security and debugging, then automatically purged
• Marketing consent records: Retained for the duration your account is active plus 1 year, to demonstrate compliance

You may request early deletion of your data at any time. See Section 8 for how to submit a deletion request.

Regardless of where you live, you have the following rights over your personal data:

To exercise any of these rights, see Section 8. We respond to all valid requests within 30 days. We will never discriminate against you for exercising your privacy rights.

We use cookies and similar technologies to make the service work and to understand how it is used. Here's what we use:

Essential Cookies (required)

• Authentication token: Stored in localStorage to keep you logged in between sessions
• Session state: Stores temporary UI state (e.g., which pipeline column you last viewed) for a smooth experience

Analytics (optional)

• We may use privacy-respecting analytics to understand aggregate usage patterns (e.g., which features are popular). This data is anonymized before analysis.
• We do not use Google Analytics or any third-party tracking pixels that share your data with advertisers.

No Advertising Trackers

• We do not place advertising cookies, third-party tracking pixels, or cross-site behavioral tracking on our platform.

To exercise any of your privacy rights — including access, correction, deletion, portability, restriction, or objection — submit a request by emailing us at:

Please include:

• Your full name and the email address associated with your Coltrane account
• The specific right you wish to exercise (access, deletion, portability, etc.)
• Any additional context that helps us identify your request

We will verify your identity before processing your request to protect against unauthorized access. We respond to all valid requests within 30 days. If we need more time (up to 60 additional days for complex requests), we will notify you.

You will never be charged a fee for making a data request. We will not discriminate against you in any way for exercising your rights.

Coltrane CRM is a business-to-business software platform. It is not intended for use by individuals under the age of 16.

We do not knowingly collect personal data from anyone under 16 years old. If we discover that we have inadvertently collected data from a minor, we will delete it immediately. If you believe a minor has created an account, please contact us at coltrane-sales@polsia.app and we will take prompt action.

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) grant you additional rights:

Categories of Personal Information We Collect

• Identifiers (name, email, IP address)
• Commercial information (subscription and payment history)
• Internet or network activity (usage data, log files)
• Customer-generated content (contacts, deals, notes you enter)

Your California Rights

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you
• Right to Delete: Request deletion of your personal information, subject to certain exceptions
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising — this right is automatically honored
• Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond what is necessary to provide the service
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights

To submit a California privacy request, contact us at coltrane-sales@polsia.app with the subject line "California Privacy Request." We respond within 45 days as required by law.

If you are in the European Union or European Economic Area, the General Data Protection Regulation (GDPR) applies to the processing of your personal data.

Data Controller

Coltrane CRM is the data controller for personal data you provide when creating your account and using the platform. We are responsible for ensuring your data is processed lawfully, fairly, and transparently.

Your GDPR Rights

• Right of Access (Article 15): Obtain a copy of your personal data and information about how it is processed
• Right to Rectification (Article 16): Have inaccurate data corrected without undue delay
• Right to Erasure (Article 17): Have your data deleted when it is no longer necessary or you withdraw consent
• Right to Restriction of Processing (Article 18): Restrict how we use your data in certain circumstances
• Right to Data Portability (Article 20): Receive your data in a structured, commonly-used, machine-readable format
• Right to Object (Article 21): Object to processing based on legitimate interests, including profiling
• Rights related to automated decision-making (Article 22): We do not use fully automated individual decision-making that produces legal or similarly significant effects

International Transfers

Your data is stored on servers located in the United States. When we transfer data from the EU/EEA to the US, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission to ensure adequate protection.

Right to Complain

You have the right to lodge a complaint with your local Data Protection Authority (DPA) if you believe we have not handled your data in accordance with GDPR. We encourage you to contact us first so we can resolve the issue directly.

We implement industry-standard technical and organizational measures to protect your personal data against unauthorized access, loss, or disclosure:

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2+ (HTTPS)
• Encryption at rest: Database contents are encrypted at rest by our hosting infrastructure
• Password hashing: Passwords are never stored in plaintext — they are hashed using a one-way cryptographic function with a unique salt
• JWT authentication: Session tokens are cryptographically signed and expire after 30 days
• Access controls: Only authorized personnel can access production systems, and all access is logged
• PCI-DSS compliance: Payment card data is handled exclusively by Stripe, which maintains PCI-DSS Level 1 certification
• Regular security reviews: We perform periodic reviews of our security practices and address vulnerabilities promptly

Despite our best efforts, no security system is impenetrable. In the event of a data breach that affects your personal data, we will notify you within 72 hours as required by applicable law, describing what happened and what steps we are taking.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other business reasons. When we make material changes, we will:

• Update the "Last Updated" date at the top of this page
• Send an email notification to the address on file for your account at least 14 days before the changes take effect
• Display a notice within the application for 30 days following the change

For non-material changes (corrections, clarifications), we may update the policy without prior notice beyond updating the date.

Your continued use of Coltrane CRM after a Privacy Policy update constitutes acceptance of the revised policy. If you do not agree with the changes, you may request deletion of your account and data before the effective date.

If you have any questions, concerns, or requests related to this Privacy Policy or how we handle your personal data, please reach out: