Privacy Policy
Last updated: April 22, 2026
1. Data Protection Officer
TonCRM is responsible for the protection of personal information collected through the TonCRM platform and the toncrm.io website.
For any questions regarding this policy, you may contact us:
Email: support@toncrm.io
2. Information We Collect
We collect the following information:
- Registration information: name, email address, phone number
- Billing information: address, payment details (processed by Stripe)
- Usage data: pages visited, features used, activity logs
- CRM contact data: information you enter into your TonCRM account
- Communications: emails and messages exchanged through the platform
3. Purpose of Collection
Your information is collected and used to:
- Provide and improve TonCRM services
- Process payments and billing
- Communicate with you regarding your account and our services
- Ensure security and prevent fraud
- Comply with our legal obligations
4. Data Hosting and Retention
All data is hosted on servers located in Canada. Primary database infrastructure is in the AWS ca-central-1 region (Montreal). Some processing services are located in the United States (see Sub-processors below).
Information is retained as long as your account is active, then deleted within 90 days of account closure, unless required by law.
5. Sub-processors
We use the following third-party services to operate TonCRM. All sub-processors are bound by data processing agreements.
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database hosting | AWS ca-central-1, Canada |
| Stripe | Payment processing | San Francisco, USA |
| Twilio | SMS, VoIP telephony | San Francisco, USA |
| Resend | Transactional emails | USA |
| Anthropic | AI Copilot & voice assistant (Clodyne) | San Francisco, USA |
| Upstash | Rate limiting & cache | AWS ca-central-1, Canada |
| Netlify | Application hosting | USA |
| Meta | WhatsApp Business API | USA |
6. Information Sharing
We never sell your personal information. We may share it only with the sub-processors listed above, solely for the purposes described.
7. Your Rights (Quebec Law 25 / PIPEDA)
Under Quebec's Act respecting the protection of personal information in the private sector (Law 25) and federal PIPEDA, you have the right to:
- Access your personal information
- Request correction of inaccurate information
- Request deletion of your information
- Withdraw your consent to collection or use of your information
- Obtain data portability in a structured format
- Be notified of any privacy incident
To exercise these rights, contact us at support@toncrm.io. We will respond within 30 days.
8. Security
We implement technical and organizational security measures to protect your information, including:
- AES-256 encryption of data at rest
- TLS encryption in transit
- Two-factor authentication available
- Daily encrypted backups
- Role-based access control (RLS)
9. Electronic Communications (CASL)
TonCRM allows its clients to send commercial electronic messages (SMS and email) to their contacts. In compliance with Canada's Anti-Spam Legislation (CASL):
- Consent: No commercial messages are sent without explicit (active opt-in) or implied consent (existing business relationship, max 2 years).
- Unsubscribe: Every marketing message includes a functional unsubscribe mechanism. Unsubscribe requests are processed immediately for SMS (STOP keyword) and within 10 business days for email.
- Identification: Every message identifies the sending business (name, contact information).
- Audit trail: All consent changes are recorded in an immutable audit log for legal evidence.
10. Cookies and Tracking Technologies
We use strictly necessary cookies for platform operation and analytical cookies (Google Analytics) to improve our services. No advertising cookies are used.
You may configure your browser to reject cookies. This may affect some functionality.
11. Google User Data (Google API Services User Data Policy)
When a user connects their Google account (Gmail, Google Calendar, Google Business Profile, Google Ads, YouTube) to TonCRM, TonCRM's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- We use Google user data only to provide and improve features explicitly activated by the user: email sync (Gmail), calendar sync (Google Calendar), Google Business Profile management, Google Ads reporting, YouTube publishing.
- We do not transfer Google user data to third parties except as necessary to provide the requested service, or to comply with applicable law.
- We do not use Google user data for advertising purposes.
- We do not use Google user data to train, develop, or improve any artificial intelligence or machine learning models, including large language models (LLMs).
- Users can revoke access at any time via TonCRM integration settings, or directly at https://myaccount.google.com/permissions.
Google user data is scoped per authenticated user and per organization (strict multi-tenant isolation). No cross-organization access is possible.
12. Children's Privacy
TonCRM is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
13. Changes
We may update this policy from time to time. Significant changes will be communicated by email or via an in-app notification. The date of the last update is indicated at the top of this page.
14. Contact
For any questions about this privacy policy, contact us at support@toncrm.io.