Privacy Policy

Effective date: 2026-05-28 · DRAFT v4 — counsel review required before public reliance

> Notice to readers. This document is a working draft prepared by CRMish staff and AI assistance. It is not legal advice and has not yet been reviewed by counsel. Until that review is complete, use it as a transparent statement of intent rather than a final binding agreement. If you have questions in the meantime, email privacy@crmish.io.


1. Who we are

CRMish ("CRMish," "we," "us," "our") is a software-as-a-service product operated by JAS Operations LLC dba CRMish (or its successor entity), reachable at privacy@crmish.io. The service is available at https://crmish.io and (when launched) https://crmish.app.

This Privacy Policy explains what personal information we collect from you, why we collect it, how we use and share it, and the rights you have over it.

2. Scope

This Policy applies to the CRMish web application, our marketing pages, our public profile pages at /r/[handle], and the optional integrations we offer (push notifications, webhook ingest, Stripe checkout, Anthropic-powered coaching). It does not cover third-party sites you reach from links in our app — those have their own privacy policies.

3. What we collect

We collect personal information in three ways: information you give us, information collected automatically as you use the service, and information we receive from third parties.

3.1 Information you provide

  • Account information. Email address, display name, password (stored as a bcrypt hash — we never store the plaintext password), time zone, and any profile picture URL you set.
  • Workspace data. Everything you put into the app to do your work: prospects, conversations, follow-ups, sales records, contacts, journal entries, daily plans, mood and productivity scores, locked weekly priorities, sacred-hour windows, Daily Drop content, testimonials, public bio, and any free-text you enter.
  • Coach Mode data. If you participate as a coach or affiliate, we store the coaching relationship, sprint assignments, nudge logs, and any messages exchanged through the platform.
  • Public profile data (opt-in). If you choose to make a public Track Record profile at /r/[handle], the fields you mark visible (handle, bio, headline stats) become publicly accessible and indexable by search engines. You control which stats are hidden via Settings.
  • Billing information. When you subscribe to a paid tier, our payment processor Stripe collects your name, billing address, and payment method directly. We receive only a Stripe customer ID, subscription ID, tier status, and renewal timestamp — we never see your card number.
  • Push notification subscriptions. If you enable web-push notifications, your browser generates a subscription object (an endpoint URL and two cryptographic keys) which we store so we can deliver Daily Drop, Sprint, and reminder notifications.
  • Communications. If you email us for support, your message and email address.

3.2 Information collected automatically

  • Usage signals. Timestamps of activity, the pages and features you use, basic device and browser information for display purposes, and aggregate counts (number of prospects you've added, streak length, etc.).
  • Cookies. A single strictly-necessary session cookie (accountable-crm-session). See Cookie Policy for the full list.
  • Server logs. Standard web-server access logs (IP address, request path, user agent, response code, timestamp) retained for up to 30 days for security and debugging.
  • Bot-protection signals. When you sign up or sign in we may invoke Cloudflare Turnstile, which performs a lightweight challenge in your browser. Cloudflare receives basic request metadata under its own privacy policy.

3.3 Information from third parties (webhook ingest)

If you enable our lead-gen webhook integrations (ClickFunnels, GoHighLevel, Kajabi, etc.), the third-party service will send us contact records — typically name, email, phone, and tags — when triggered by an event in your funnel. You are responsible for ensuring that you have the legal right to share that data with us under the laws applicable to those contacts (consent, lawful basis, etc.). We store each webhook event in an audit log so you can debug your integrations and so we have a forensic trail.

3.4 What we do not collect

We do not collect Social Security numbers, government IDs, biometric data, precise geolocation, or special-category personal data (race, religion, health, etc.). If you put such data into a free-text field, we will store it because the field is free-form, but we do not solicit it.

4. How we use your information

We use the information we collect to:

1. Operate the service — show you your data, compute scores, render dashboards, fire reminders, send the Daily Drop, run Coach Mode sprints, manage Locked 5 priorities. 2. Authenticate you — verify your password, manage your session, send password reset emails. 3. Bill you — manage subscriptions, handle upgrades and cancellations, deliver receipts. 4. Send transactional email — account confirmations, password resets, billing receipts, invite acceptances, sprint nudges. We use Resend as our email provider. 5. Send AI coaching responses — when you interact with the Coaching panel on a prospect, we send a structured summary of that prospect's context to Anthropic's API so it can return a personalized response. See §6. 6. Communicate with you about the service — outages, security incidents, material policy changes, occasional product updates. You cannot opt out of strictly-necessary service communications (security, billing), but you can opt out of product update emails from Settings. 7. Maintain security — detect and prevent abuse, fraud, and unauthorized access. 8. Improve the product — analyze aggregated, anonymized usage patterns to decide what to build next. We do not build user-level behavioral profiles for advertising. 9. Comply with law — respond to lawful legal process, enforce our Terms, protect our rights and the safety of others.

5. Legal bases (GDPR / UK GDPR users)

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

| Purpose | Legal basis | |---|---| | Provide the service you signed up for | Contract (Art. 6(1)(b)) | | Bill you and prevent fraud | Contract + legitimate interest | | Transactional email | Contract | | Product analytics on aggregated data | Legitimate interest | | Marketing emails (if any) | Consent — withdrawable at any time | | AI coaching | Consent — by interacting with the coaching feature | | Public profile display | Consent — only if you opt in | | Push notifications | Consent — only if you enable them | | Webhook ingest from your funnel | Contract (with you) + your representation that you have lawful basis for the source data | | Compliance with legal obligations | Legal obligation |

6. AI coaching and third-party AI processing

If you use the AI Coaching feature (Pro tier and above), we send a structured summary of the relevant context — engagement scores, conversation excerpts, prospect notes — to Anthropic for processing via its API. Anthropic's processing is governed by its own terms and privacy policy at https://www.anthropic.com/privacy.

Highlights:

  • We send only what is needed to answer the prompt. We do not send your full account or other prospects.
  • Anthropic's API terms (as of the date above) state that prompts and completions submitted via the API are not used to train their models.
  • You can disable AI Coaching by leaving the Anthropic key unconfigured (self-hosted deployments) or by not interacting with the coaching panel. Without your interaction, no prompts are sent.
  • If you do not have a Pro tier, the canned playbook is used and no third-party AI call is made.

7. How we share your information

We share personal information only in the following situations.

7.1 Service providers (sub-processors)

We use the following sub-processors, each bound by contract to use the data only to provide the service to us:

| Provider | Purpose | Location | |---|---|---| | Vercel | Hosting, edge delivery, server functions | United States (with EU edge regions) | | Turso (libSQL) | Primary database | United States | | Stripe | Payment processing | United States, EU (per region) | | Resend | Transactional email delivery | United States | | Anthropic | AI coaching API (when you invoke it) | United States | | Cloudflare | Bot protection (Turnstile) | Global | | web-push (open-source library + browser push services) | Push notification delivery via Mozilla, Google, Apple endpoints | Global | | 1Password | Internal credential storage (not customer data) | Canada |

We may add or change sub-processors as the service evolves. Material changes will be reflected here.

7.2 Coach Mode visibility

If you accept a coaching relationship as an affiliate, your assigned coach can see the metrics and sprint progress relevant to that relationship. If you are a coach, your name appears in the affiliate's app. Either side can end the relationship from Settings, which immediately revokes visibility.

7.3 Public profiles (opt-in only)

Public Track Record profiles at /r/[handle] are visible to anyone with the link and to search engines, by your choice. You control which fields are public and which are hidden. Setting your profile back to private removes it from public view, though search engines may cache it temporarily.

7.4 Legal requests

We may disclose personal information when we have a good-faith belief that doing so is necessary to comply with applicable law, valid legal process, or a lawful government request. We will push back on overly-broad requests and notify you where lawfully permitted.

7.5 Business transfers

If we are involved in a merger, acquisition, sale of assets, or bankruptcy proceeding, personal information may be transferred as part of that transaction. The acquiring party will be bound by the same protections, or you will be notified of any change.

7.6 What we do not do

  • We do not sell your personal information.
  • We do not rent or trade your contact list to third parties.
  • We do not use your workspace content to train AI models.
  • We do not show third-party ads or share data with ad networks.

8. International data transfers

Our primary infrastructure is in the United States. If you access the service from outside the U.S., your information will be transferred to and processed in the U.S. and other countries where our sub-processors operate. Where the GDPR / UK GDPR applies, transfers are made under the Standard Contractual Clauses (SCCs) or another lawful transfer mechanism with each sub-processor.

9. Security

We take security seriously without overpromising.

  • Passwords are hashed with bcrypt at cost factor 12.
  • Sessions are stored in iron-session encrypted cookies with HTTPOnly + Secure + SameSite=Lax flags.
  • The database connection uses TLS and an auth token rotated periodically.
  • We follow a least-privilege approach to internal access.
  • We use Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, and Referrer-Policy headers in production.
  • We invoke Cloudflare Turnstile to slow down credential-stuffing attempts on auth surfaces.

No system is perfectly secure. We will notify affected users without undue delay if we learn of a personal-data breach that meets the threshold of applicable law.

10. Data retention

We retain personal information for as long as your account is active and for a reasonable period thereafter:

| Category | Retention | |---|---| | Active account data | While the account is active | | Account data after deletion request | Removed from production within 30 days; removed from encrypted backups within 90 days | | Server logs | Up to 30 days | | Webhook audit log | Up to 12 months | | Billing records | Retained as long as required by tax/accounting law, typically 7 years | | Push subscriptions | Retained until you toggle off or the browser endpoint expires | | Coaching messages | Retained for the lifetime of the coaching relationship + 90 days, unless either party requests earlier deletion |

11. Your rights

You can exercise the rights below by emailing privacy@crmish.io. We will respond within 30 days.

  • Access — Get a copy of the personal information we hold about you.
  • Correction — Correct anything inaccurate. Most account info you can edit in Settings yourself.
  • Deletion — Delete your account and the personal information associated with it. Some records (billing, security logs) may be retained as required by law.
  • Portability — Receive your workspace data in a structured, machine-readable format. (CSV/JSON export is on our roadmap; in the meantime we'll produce it manually on request.)
  • Objection / restriction — Object to specific processing or ask us to restrict it.
  • Withdraw consent — Where processing is based on consent (AI coaching, push notifications, public profile, marketing email), withdraw that consent at any time without affecting the lawfulness of past processing.
  • Lodge a complaint — You have the right to lodge a complaint with your local data-protection authority.

11.1 California (CCPA / CPRA)

California residents have the right to know, delete, correct, opt-out of sale or sharing, and limit use of sensitive personal information. We do not sell or share personal information for cross-context behavioral advertising. We do not knowingly collect personal information from minors under 16. To exercise your rights, email privacy@crmish.io with subject "CCPA Request."

11.2 EEA / UK

You have the rights described in §11 above under the GDPR / UK GDPR. Our EU representative (where required) will be designated before we accept EU-based paid customers.

12. Children

The service is not intended for, marketed to, or directed at children under 13. We do not knowingly collect personal information from anyone under 13. If we learn we have collected information from a child under 13, we will delete it as quickly as possible. If you believe a child has provided us information, contact privacy@crmish.io.

13. Cookies

We use one strictly-necessary session cookie. See the Cookie Policy for the full breakdown.

14. Do Not Track

Our service does not currently respond to "Do Not Track" browser signals because there is no industry consensus on what they mean. We do not track you across other websites in any case.

15. Changes to this Policy

We will post material changes to this Policy at this URL at least 30 days before they take effect, and we will email you at the address on file if the change materially expands the categories of data we collect or the purposes for which we use it. Continued use of the service after the change date constitutes acceptance.

16. Contact

| For | Email | |---|---| | Privacy / data requests | privacy@crmish.io | | Security incidents | security@crmish.io | | General support | support@crmish.io | | Postal mail | JAS Operations LLC dba CRMish · (mailing address to be added) |


Document version: privacy-v2 · Last updated 2026-05-28. Counsel review pending. Material updates will be versioned and dated here.