Privacy Policy
Last Updated: January 11, 2025
Effective Date: January 11, 2025
Company Information
Legal Entity: CMG FRAMEWORKS SRL
Registered Address: Drumul NISIPOASA, Nr. 46-52, Lot 1/2, Bl. C, Scara C7, Etaj P, Ap. 3, București, Romania
Contact Phone: +40 772 125 155
Email: support@cmgworkflow.com
Alternative Email: contact@cmgworkflow.com
Data Protection Officer: contact@cmgworkflow.com
Supervisory Authority: ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal)
1. Introduction and Scope
CMG FRAMEWORKS SRL ("we," "us," "our") operates a multi-tenant CRM SaaS platform ("Service") that helps businesses manage leads, clients, and WhatsApp conversations using AI-powered automation. This Privacy Policy explains how we collect, use, process, and protect your personal data in compliance with:
- EU General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679
- Romanian Data Protection Law 190/2018
- Romanian E-Commerce Law 365/2002
- Google API Services User Data Policy
- Meta WhatsApp Business Data Processing Terms
This policy applies to all users of our Service, including:
- Organization owners and administrators who manage CRM accounts
- Team members and agents who use the CRM daily
- End customers whose data is processed through our platform (leads, clients)
2. Information We Collect
2.1 Personal Information You Provide
When you register and use our Service, we collect:
Account Registration Data
- Full name - To identify your account and personalize your experience
- Email address - For authentication, account recovery, and communications
- Password (stored only as a salted bcrypt hash, never in plain text; see Section 4.2) - For account security and access control
- Organization details - Company name, industry, business information
- Payment information - Processed securely by Stripe (we do not store credit card numbers)
Profile and Settings
- Profile photo - Optional avatar for account personalization
- Communication preferences - Email notification settings, language preferences
- Time zone and regional settings - For proper scheduling and date formatting
2.2 CRM Data You Create or Import
When you use our Service to manage your business relationships, we collect:
Lead Information
- Contact details - Name, email, phone number (including international formats)
- Lead source - Where the lead originated (WhatsApp, manual entry, third-party integrations)
- Status and qualification - Pipeline stage (new, talking_stage, qualified, lost)
- Conversation history - WhatsApp messages exchanged with leads
- Custom fields - Additional data you choose to collect (industry, company size, interests)
- Assignment data - Which team member is responsible for the lead
Client Information
- Business relationship data - Account manager, subscription tier, client status
- Company information - Business name, address, tax identification
- Activity timeline - Interaction history, notes, status changes
- Financial data - Subscription details, billing history (processed by Stripe)
WhatsApp Conversations
- Message content - Text, media, and interactive messages sent and received
- Metadata - Timestamps, sender/recipient phone numbers, message status
- Conversation context - AI-processed data for automated responses and lead extraction
- Phone numbers - WhatsApp Business Account phone numbers you connect
2.3 Data from Third-Party Integrations
When you connect third-party services:
Google APIs (If Used in Future)
- OAuth tokens - Access and refresh tokens for Google API access (encrypted at rest)
- Form metadata - Form names, IDs, and configuration settings
- Form responses - Submission data used to create CRM leads
WhatsApp Business Cloud API
- WhatsApp Business Account ID - To identify your WhatsApp connection
- Phone number ID - The WhatsApp phone number linked to your account
- Message templates - Pre-approved message templates you create
- Webhook verification tokens - For secure webhook authentication
Stripe (Payment Processing)
- Subscription data - Plan details, billing cycle, payment status
- Transaction history - Invoices, payment attempts, refunds
- Customer ID - Stripe's identifier for your billing account
2.4 Technical Information and Analytics
We automatically collect technical data to operate and improve our Service:
Device and Browser Information
- IP address - For security, fraud prevention, and regional compliance
- Browser type and version - For compatibility and feature support (Chrome, Firefox, Safari, Edge)
- Operating system - Desktop (Windows, macOS, Linux) or mobile (iOS, Android)
- Device identifiers - Anonymized device fingerprints for security monitoring
- Screen resolution - For responsive design optimization
Usage Data and Analytics
- Feature usage - Which CRM features you use most (Kanban, clients, AI automation)
- Page views and navigation - Routes accessed, time spent on each page
- Click events - Button clicks, form submissions, drag-and-drop actions
- Performance metrics - Page load times, API response times, error rates
- Session duration - How long you're logged in and actively using the Service
Cookies and Local Storage
- Authentication cookies - Keep you logged in securely (httpOnly, secure, sameSite)
- Preference cookies - Remember your theme, language, and dashboard layout
- Analytics cookies - Understand feature usage and user behavior (anonymized)
- Local storage - Temporary caching for offline functionality (cleared on logout)
2.5 AI-Generated Data
Our AI features process your data to provide intelligent automation:
Google Gemini Enterprise API
- Conversation analysis - WhatsApp messages analyzed to understand context and intent
- Lead extraction - Automated extraction of name, email, phone, and interest from conversations
- Response generation - AI-generated replies to customer inquiries (reviewed by you)
- Conversation summaries - Historical conversations summarized for context retention
Important: We use Google Gemini Enterprise API (not consumer version), which means:
- ✅ Your data is NOT used to train Google's AI models
- ✅ Data processing complies with GDPR and includes automatic Data Processing Addendum
- ✅ Human review is disabled by default for enterprise users
- ✅ Data processed within EU data centers where possible
3. How We Use Your Data
3.1 Core Service Provision
We use your data to deliver our CRM services:
Lead and Client Management
- Create and update records - Store leads and clients you add to the CRM
- Track relationships - Monitor lead status progression and client activity timelines
- Organize data - Enable filtering, searching, sorting, and categorization
- Assign responsibilities - Route leads to appropriate team members
WhatsApp Automation
- Send automated messages - Deliver welcome messages to new leads
- Process incoming messages - Receive and store WhatsApp conversations
- AI-powered responses - Generate contextual replies using Gemini Enterprise AI
- Extract lead information - Automatically create leads from WhatsApp conversations
Team Collaboration
- Multi-user access - Allow your team members to access your organization's CRM data
- Activity tracking - Show who made changes and when
- Notifications - Alert team members about important events (new leads, status changes)
3.2 AI-Powered Features
Conversation Intelligence
- Understand customer intent - Analyze message content to determine customer needs
- Generate contextual responses - Create appropriate replies based on conversation history
- Maintain conversation context - Use a sliding-window approach (last 10-15 messages) for relevance
- Escalate complex queries - Identify when human intervention is needed
Data Extraction and Enrichment
- Extract contact information - Pull names, emails, phones from unstructured messages
- Validate extracted data - Verify phone formats (E.164), email validity
- Enrich lead profiles - Add contextual information from conversations
3.3 Service Improvement and Analytics
We analyze aggregated, anonymized data to improve our Service:
Performance Optimization
- Identify bottlenecks - Find slow-loading pages or API endpoints
- Monitor errors - Detect and fix bugs affecting user experience
- Optimize infrastructure - Scale resources based on usage patterns
Feature Development
- Understand feature usage - Determine which features are most valuable
- Prioritize roadmap - Build features users need most
- A/B testing - Test new features with small user groups (anonymized)
3.4 Communication and Support
We use your email address to communicate with you:
Service Communications (Cannot Opt Out)
- Account notifications - Password changes, security alerts, login from new devices
- Billing notifications - Subscription renewals, payment failures, invoices
- Service updates - Critical updates, maintenance windows, terms changes
- Security alerts - Data breach notifications, suspicious activity warnings
Marketing Communications (Optional - Can Opt Out)
- Product announcements - New features, improvements, use case guides
- Educational content - Best practices, CRM strategies, industry insights
- Promotional offers - Discounts, referral bonuses, special campaigns
You can opt out of marketing emails at any time via:
- Unsubscribe link in every marketing email
- Account settings → Communication Preferences
- Email us at support@cmgworkflow.com
3.5 Legal Compliance and Security
We process data to comply with legal obligations and protect our Service:
Fraud Prevention
- Detect suspicious activity - Monitor for unusual login patterns or data access
- Prevent abuse - Block spam, unauthorized API usage, or malicious behavior
- Verify identity - Confirm account ownership during support requests
Legal Obligations
- Respond to legal requests - Court orders, subpoenas, regulatory inquiries
- Enforce our Terms - Investigate violations of our Terms of Service
- Protect rights - Defend our legal rights and those of our users
- Tax compliance - Maintain records for Romanian tax authorities
3.6 What We Do NOT Do with Your Data
We explicitly commit to the following:
- ❌ No data selling - We NEVER sell your personal data to third parties
- ❌ No advertising - We do NOT use your data for targeted advertising
- ❌ No data sharing - We do NOT share data between organizations (multi-tenant isolation)
- ❌ No unauthorized access - We NEVER access your CRM data except for support requests (with consent) or legal obligations
- ❌ No AI training - We do NOT use your data to train our own AI models (Gemini Enterprise also does not train on your data)
- ❌ No cross-tenant access - Row-Level Security ensures organizations cannot access each other's data
4. Data Storage, Security, and Retention
4.1 Storage Infrastructure
Your data is stored using industry-leading, GDPR-compliant infrastructure:
Primary Database
- Provider: Supabase (Supabase Inc.)
- Technology: PostgreSQL with Row-Level Security (RLS)
- Encryption: AES-256 encryption at rest, TLS 1.3 in transit
- Location: EU data centers (primary), with optional regional selection
- Backups: Automated daily backups, 90-day retention for disaster recovery
- Compliance: SOC 2 Type II, ISO 27001, GDPR-compliant
Application Hosting
- Provider: Vercel (Vercel Inc.)
- Technology: Serverless Next.js deployment
- Encryption: HTTPS enforced (TLS 1.3), automatic SSL certificate renewal
- Location: Global edge network with EU data residency options
- Compliance: SOC 2 Type II, GDPR-compliant
File Storage
- Provider: Supabase Storage
- Encryption: AES-256 for stored files, TLS 1.3 for uploads/downloads
- Access control: Signed URLs with time-limited access
- Compliance: GDPR-compliant
4.2 Security Measures
We implement comprehensive technical and organizational security measures:
Multi-Tenant Data Isolation
- Row-Level Security (RLS) - PostgreSQL RLS policies enforce organization_id filtering at database level
- JWT-based authentication - Organization ID stored in app_metadata (user cannot modify)
- Automatic filtering - Database automatically restricts queries to user's organization
- No cross-tenant access - Even if application code has bugs, RLS prevents data leaks
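As an added illustration of the isolation pattern described above (not the platform's own schema), this is what a PostgreSQL Row-Level Security policy keyed on the JWT app_metadata claim looks like; the table, the column names, the current_org_id() helper and the reliance on Supabase's auth.jwt() function and "authenticated" role are assumptions.

```sql
-- Added example, not CMG FRAMEWORKS' own schema. Assumes a Supabase-style
-- PostgreSQL database where auth.jwt() returns the caller's JWT claims as jsonb
-- and logged-in users run under the "authenticated" role.

-- Hypothetical tenant-scoped table.
create table if not exists leads (
  id              uuid primary key default gen_random_uuid(),
  organization_id uuid not null,
  name            text,
  phone           text
);

-- Enable RLS and FORCE it so the table owner is not exempt either.
alter table leads enable row level security;
alter table leads force row level security;

-- The tenant is read from the JWT's app_metadata claim. app_metadata can only
-- be set server-side (service role); user_metadata is editable by the user and
-- must never drive an authorization decision. A missing claim yields NULL, so
-- the comparison below fails closed and no rows are visible.
create or replace function current_org_id() returns uuid
language sql stable as $$
  select nullif(auth.jwt() -> 'app_metadata' ->> 'organization_id', '')::uuid
$$;

-- USING filters SELECT/UPDATE/DELETE; WITH CHECK rejects INSERT/UPDATE rows that
-- would land in another tenant, even if buggy application code sends a wrong id.
create policy leads_tenant_isolation on leads
  for all
  to authenticated
  using (organization_id = current_org_id())
  with check (organization_id = current_org_id());

-- Local check: impersonate a tenant by setting the claims that auth.jwt() reads.
-- Only rows whose organization_id matches the constructed claim come back.
begin;
set role authenticated;
select set_config('request.jwt.claims',
  '{"role":"authenticated","app_metadata":{"organization_id":"11111111-1111-1111-1111-111111111111"}}',
  true);
select count(*) from leads;   -- rows belonging to other organizations are excluded
rollback;
```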
Access Controls
- Role-based access (RBAC) - Owner, admin, agent, viewer roles with hierarchical permissions
- Two-factor authentication (2FA) - Optional TOTP-based 2FA for enhanced security
- Session management - Automatic logout after 30 days of inactivity
- IP monitoring - Detection of suspicious login patterns from unusual locations
Encryption
- Data at rest - AES-256 encryption for database, file storage, and backups
- Data in transit - TLS 1.3 for all client-server communications
- OAuth tokens - WhatsApp and Google OAuth tokens encrypted at rest
- Password hashing - Bcrypt with salt for password storage
Application Security
- Input validation - Zod schema validation for all user inputs
- SQL injection prevention - Parameterized queries via Supabase client
- XSS protection - React automatic escaping, Content Security Policy headers
- CSRF protection - Anti-CSRF tokens on all state-changing operations
- Rate limiting - API rate limiting to prevent abuse and DDoS attacks
Monitoring and Incident Response
- Error tracking - Sentry for real-time error monitoring (anonymized)
- Uptime monitoring - BetterUptime for service availability tracking
- Security audits - Regular third-party security assessments
- Incident response plan - Documented procedures for data breach response
4.3 Data Retention
We retain personal data only as long as necessary for legitimate purposes:
Active Accounts
- CRM data - Retained indefinitely while your account is active
- Conversation history - Retained for 36 months, then archived (configurable)
- Analytics data - Aggregated usage data retained for 24 months
- Backup data - 90-day rolling retention for disaster recovery
Inactive Accounts
- Grace period - 30 days after subscription cancellation (data accessible for export)
- Data deletion - Permanent deletion 30 days after cancellation (unless legal hold)
- Backup purge - Deleted data purged from backups after 90 days
Legal Holds
- Litigation hold - Data retained if subject to legal proceedings
- Regulatory investigation - Data retained until investigation concludes
- Tax records - Financial data retained for 7 years (Romanian tax law)
User-Requested Deletion
- Immediate deletion - GDPR "right to erasure" honored within 30 days
- Exceptions - Data retained if required by law or for legitimate business purposes
- Anonymization - Data anonymized instead of deleted where legally permissible
5. Third-Party Service Providers and Data Processing
We share data with carefully vetted third-party processors to operate our Service. All processors have signed Data Processing Agreements (DPAs) in compliance with GDPR Article 28.
5.1 Supabase (Database and Authentication)
- Purpose: Primary database, user authentication, real-time subscriptions
- Data shared: All CRM data (leads, clients, conversations, users, organizations)
- Legal basis: Necessary for contract performance (GDPR Art. 6(1)(b))
- Safeguards: Data Processing Addendum, Standard Contractual Clauses, EU data centers
- Location: EU (primary), US (optional with SCCs)
- Privacy policy: https://supabase.com/privacy
- DPA: Automatically included for all EU customers
5.2 Meta WhatsApp Business Cloud API
- Purpose: WhatsApp messaging, conversation tracking, automated outreach
- Data shared: Phone numbers, message content (text, media, interactive buttons), conversation metadata
- Legal basis: Consent (GDPR Art. 6(1)(a)) + Contract performance (GDPR Art. 6(1)(b))
- Safeguards: WhatsApp Business Data Processing Terms, Standard Contractual Clauses, Data Privacy Framework
- Location: Global (Meta data centers in US, EU, and other regions)
- Privacy policy: https://www.facebook.com/privacy/policy
- Business terms: https://www.whatsapp.com/legal/business-data-processing-terms
- Important: We use WhatsApp Business Cloud API (GDPR-compliant) with EU-based Business Solution Provider (BSP), NOT the consumer WhatsApp app
5.3 Google Gemini Enterprise API
- Purpose: AI-powered conversation handling, lead extraction, automated response generation
- Data shared: WhatsApp message content, conversation context (anonymized where possible)
- Legal basis: Legitimate interest (GDPR Art. 6(1)(f)) for service improvement
- Safeguards: Data Processing Addendum, Standard Contractual Clauses, EU data residency
- Location: EU data centers (Google Ireland Ltd. for EEA customers)
- Privacy policy: https://policies.google.com/privacy
- AI privacy: https://ai.google.dev/gemini-api/terms
- DPA: Automatically included for EU customers
- Critical: We use Gemini Enterprise API - your data is NOT used to train AI models, human review is disabled by default
5.4 Stripe (Payment Processing)
- Purpose: Subscription billing, payment processing, invoice generation
- Data shared: Email, organization name, payment information (credit card, bank account)
- Legal basis: Necessary for contract performance (GDPR Art. 6(1)(b))
- Safeguards: Data Processing Agreement, PCI DSS Level 1 certification, Standard Contractual Clauses
- Location: US (Stripe Inc.) with EU data residency options
- Privacy policy: https://stripe.com/privacy
- DPA: https://stripe.com/legal/dpa
- Note: We do NOT store credit card numbers - all payment data processed directly by Stripe
5.5 Sentry (Error Monitoring)
- Purpose: Real-time error tracking, performance monitoring, debugging
- Data shared: Error messages, stack traces, user IDs (anonymized), performance metrics
- Legal basis: Legitimate interest (GDPR Art. 6(1)(f)) for service improvement
- Safeguards: Data Processing Addendum, data scrubbing (PII removed), Standard Contractual Clauses
- Location: US (Sentry.io) with EU data residency options
- Privacy policy: https://sentry.io/privacy/
- DPA: https://sentry.io/legal/dpa/
- PII protection: Automatic scrubbing of passwords, tokens, emails, phone numbers from error logs
5.6 International Data Transfers
When data is transferred outside the European Economic Area (EEA):
Legal Mechanisms
- Standard Contractual Clauses (SCCs) - EU Commission-approved contracts for data protection
- EU-US Data Privacy Framework - For transfers to US companies certified under DPF
- Adequacy decisions - Transfers to countries with adequate data protection (UK, Switzerland, etc.)
Additional Safeguards
- Encryption in transit and at rest - AES-256 and TLS 1.3 for all transfers
- Contractual obligations - Processors bound by same data protection standards
- Right to object - You can object to international transfers (may limit service functionality)
Transfer Impact Assessment
We have conducted Transfer Impact Assessments (TIAs) for all US-based processors (Vercel, Stripe, Sentry) confirming adequate protection despite the Schrems II ruling:
- ✅ All processors certified under EU-US Data Privacy Framework
- ✅ Additional contractual safeguards beyond SCCs
- ✅ Encryption prevents access by US authorities without our knowledge
- ✅ No government access requests received to date
6. Your Rights Under GDPR and Romanian Law
As a data subject in the European Economic Area or Romania, you have the following rights:
6.1 Right of Access (GDPR Art. 15)
What it means: You can request a copy of all personal data we hold about you.
How to exercise: Email support@cmgworkflow.com with subject "Data Access Request"
What we provide:
- Complete copy of your account data (JSON or CSV format)
- Categories of data processed
- Purposes of processing
- Recipients of your data (sub-processors)
- Storage duration
- Source of data (if not collected directly from you)
Response time: 30 days (extendable to 60 days for complex requests)
Free of charge: First request free; excessive requests may incur a reasonable fee
6.2 Right to Rectification (GDPR Art. 16)
What it means: You can correct inaccurate or incomplete personal data.
How to exercise:
- Self-service: Update your profile in Account Settings
- Request assistance: Email support@cmgworkflow.com
What you can correct:
- Account information (name, email, phone)
- Organization details
- CRM data (leads, clients, conversations)
Response time: Immediate (self-service) or 30 days (assisted)
6.3 Right to Erasure / "Right to be Forgotten" (GDPR Art. 17)
What it means: You can request deletion of your personal data.
How to exercise: Email support@cmgworkflow.com with subject "Data Deletion Request"
When applicable:
- ✅ Data no longer necessary for original purpose
- ✅ You withdraw consent (for consent-based processing)
- ✅ You object to processing based on legitimate interest
- ✅ Data processed unlawfully
Exceptions (we may refuse):
- ❌ Legal obligation to retain data (tax records, legal proceedings)
- ❌ Contract performance requires data retention
- ❌ Public interest or scientific research (anonymized data)
What happens:
- Account and CRM data deleted within 30 days
- Backups purged within 90 days
- Legal hold data retained until obligation expires
6.4 Right to Restrict Processing (GDPR Art. 18)
What it means: You can limit how we use your data while disputes are resolved.
How to exercise: Email support@cmgworkflow.com with subject "Restrict Processing"
When applicable:
- ✅ Accuracy of data is contested (restriction during verification)
- ✅ Processing is unlawful, but you prefer restriction over deletion
- ✅ We no longer need data, but you need it for legal claims
- ✅ You object to processing (restriction pending verification of legitimate grounds)
Effect: Data stored but not processed (except with consent, legal claims, or protection of others)
6.5 Right to Data Portability (GDPR Art. 20)
What it means: You can receive your data in a structured, machine-readable format and transfer it to another service.
How to exercise:
- Self-service: Account Settings → Export Data
- Request assistance: Email support@cmgworkflow.com
What you receive:
- Leads - JSON or CSV export with all fields
- Clients - JSON or CSV export with all fields
- Conversations - JSON export with full message history
- Account data - JSON export of profile and settings
Format: JSON (machine-readable), CSV (spreadsheet-compatible)
Response time: Immediate (self-service) or 30 days (assisted)
6.6 Right to Object (GDPR Art. 21)
What it means: You can object to processing based on legitimate interest or direct marketing.
How to exercise:
- Marketing emails: Click "Unsubscribe" in any marketing email
- Legitimate interest processing: Email support@cmgworkflow.com
Processing you can object to:
- ✅ Marketing communications (immediate effect)
- ✅ Analytics and profiling (we will stop unless compelling legitimate grounds)
- ✅ Direct marketing (we will stop immediately)
Processing you CANNOT object to:
- ❌ Contract performance (necessary to provide CRM services)
- ❌ Legal compliance (required by Romanian or EU law)
6.7 Right to Withdraw Consent (GDPR Art. 7(3))
What it means: Where processing is based on consent, you can withdraw it at any time.
How to exercise:
- WhatsApp automation: Settings → WhatsApp Integration → Disconnect
- Marketing emails: Unsubscribe link in emails
- Analytics cookies: Cookie preferences banner (re-trigger on any page)
Effect: We will stop processing from the point of withdrawal forward (this does not affect the lawfulness of previous processing)
6.8 Right to Lodge a Complaint (GDPR Art. 77)
What it means: You can complain to a data protection supervisory authority.
Romanian Supervisory Authority:
- Name: ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal)
- Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, București, Romania
- Phone: +40 21 252 5599
- Email: anspdcp@dataprotection.ro
- Website: https://www.dataprotection.ro
EU Supervisory Authorities: You may also complain to the authority in your EU country of residence or workplace.
Our commitment: We prefer to resolve concerns directly - please contact us first at contact@cmgworkflow.com
7. Cookies and Tracking Technologies
We use cookies and similar technologies to provide and improve our Service. You can control cookie preferences via our cookie consent banner (re-trigger on any page) or browser settings.
7.1 Essential Cookies (Cannot be Disabled)
These cookies are necessary for the Service to function:
| Cookie Name | Purpose | Duration | Type |
|-------------|---------|----------|------|
| sb-access-token | Supabase authentication | Session | httpOnly, secure, sameSite |
| sb-refresh-token | Supabase session renewal | 30 days | httpOnly, secure, sameSite |
| cookie-consent | Remember your cookie preferences | 365 days | Functional |
| csrf-token | CSRF attack prevention | Session | secure, sameSite |
7.2 Analytics Cookies (Optional - Requires Consent)
These cookies help us understand how you use the Service:
| Cookie Name | Purpose | Duration | Type |
|-------------|---------|----------|------|
| _ga | Google Analytics visitor ID (if enabled) | 2 years | Analytics |
| _gid | Google Analytics session ID (if enabled) | 24 hours | Analytics |
| analytics_session | Internal usage tracking | 30 days | Analytics |
Data collected: Page views, feature usage, session duration, anonymized user behavior
Anonymization: IP addresses anonymized, user IDs hashed, no PII collected
Control: Disable via cookie consent banner or browser settings
7.3 Preference Cookies (Optional)
These cookies remember your preferences:
| Cookie Name | Purpose | Duration | Type |
|-------------|---------|----------|------|
| theme | Remember dark/light mode | 365 days | Preference |
| language | Remember language selection | 365 days | Preference |
| dashboard_layout | Remember Kanban column order | 365 days | Preference |
7.4 Third-Party Cookies
We do NOT use third-party advertising cookies. The only third-party cookies are from:
- Stripe - Payment processing (only on checkout pages)
- Supabase - Authentication (essential for login)
7.5 Managing Cookies
Browser Settings:
- Chrome: Settings → Privacy and security → Cookies and other site data
- Firefox: Settings → Privacy & Security → Cookies and Site Data
- Safari: Preferences → Privacy → Cookies and website data
- Edge: Settings → Cookies and site permissions → Cookies and site data
Note: Blocking essential cookies will prevent you from logging in or using core features.
8. Data Breach Notification
8.1 Our Obligations
In the event of a personal data breach, we will:
Within 72 hours of discovery:
- Notify ANSPDCP (Romanian supervisory authority) unless the breach is unlikely to result in a risk to rights and freedoms
- Document the breach (nature, categories of data, number of affected individuals, likely consequences)
Without undue delay:
- Notify affected users if the breach is likely to result in a high risk to rights and freedoms
- Provide a clear, plain-language explanation of the breach and recommended actions
8.2 What We Will Tell You
If you are affected by a data breach, we will notify you via email with:
- Nature of breach - What happened and how data was compromised
- Categories of data affected - Which types of personal data were involved
- Likely consequences - Potential impact on your privacy or security
- Measures taken - Steps we've taken to mitigate harm and prevent recurrence
- Recommended actions - What you should do (change password, monitor accounts, etc.)
- Contact information - Who to contact for questions (contact@cmgworkflow.com)
8.3 Your Rights After a Breach
If your data is breached, you have the right to:
- ✅ Complain to ANSPDCP - Lodge complaint with Romanian data protection authority
- ✅ Request details - Full information about the breach and affected data
- ✅ Seek compensation - Claim damages for material or non-material harm (GDPR Art. 82)
- ✅ Terminate service - Cancel your subscription and request full data deletion
9. Children's Privacy
Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children.
If you are a parent or guardian:
- If you believe your child has provided us with personal data, contact us immediately at support@cmgworkflow.com
- We will delete the data within 30 days of verification
If you are under 18:
- Do not create an account or provide any personal information
- Ask your parent or legal guardian to contact us if you have questions
10. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect:
- Changes in legal requirements (new GDPR guidance, Romanian law amendments)
- New features or services (additional integrations, AI capabilities)
- Feedback from users or regulators
- Industry best practices
How we notify you of changes:
- Material changes - Email notification at least 30 days before effective date
- Minor changes - Update "Last Updated" date at top of policy
- Continued use - Using Service after effective date constitutes acceptance
Your options:
- ✅ Accept changes - Continue using the Service
- ✅ Reject changes - Cancel subscription and request data deletion before effective date
- ✅ Request clarification - Email contact@cmgworkflow.com with questions
Version history: Available upon request at support@cmgworkflow.com
11. Contact Information and Data Protection Officer
For Privacy Questions or Requests:
General Inquiries:
Email: support@cmgworkflow.com
Phone: +40 772 125 155
Address: Drumul NISIPOASA, Nr. 46-52, Lot 1/2, Bl. C, Scara C7, Etaj P, Ap. 3, București, Romania
Data Protection Officer:
Email: contact@cmgworkflow.com
Response time: 30 days (extendable to 60 days for complex requests)
Legal/Compliance:
Email: contact@cmgworkflow.com
Supervisory Authority:
If you are not satisfied with our response, you can contact:
ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal)
Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, București, Romania
Phone: +40 21 252 5599
Email: anspdcp@dataprotection.ro
Website: https://www.dataprotection.ro
12. Legal Basis for Processing
We process your personal data under the following legal bases (GDPR Art. 6):
| Processing Activity | Legal Basis | GDPR Article |
|---------------------|-------------|--------------|
| Account creation and management | Contract performance | Art. 6(1)(b) |
| CRM data storage and processing | Contract performance | Art. 6(1)(b) |
| Payment processing | Contract performance | Art. 6(1)(b) |
| WhatsApp automation | Consent + Contract | Art. 6(1)(a) + (b) |
| AI conversation analysis | Legitimate interest | Art. 6(1)(f) |
| Service improvement and analytics | Legitimate interest | Art. 6(1)(f) |
| Security and fraud prevention | Legitimate interest | Art. 6(1)(f) |
| Legal compliance (tax, litigation) | Legal obligation | Art. 6(1)(c) |
| Marketing communications | Consent | Art. 6(1)(a) |
Legitimate interest balancing test:
- Our interest: Improve service quality, prevent fraud, ensure security
- Your interest: Privacy protection, minimal data processing
- Safeguards: Anonymization, data minimization, encryption, right to object
13. Compliance Certifications
This Privacy Policy complies with:
✅ EU GDPR - General Data Protection Regulation (EU) 2016/679
✅ Romanian Law 190/2018 - Data Protection Law
✅ Romanian Law 365/2002 - E-Commerce Law
✅ CCPA - California Consumer Privacy Act (for California users)
✅ Google API Services User Data Policy
✅ Meta WhatsApp Business Data Processing Terms
Independent audits: Available upon request for enterprise customers
Last Updated: January 11, 2025
Effective Date: January 11, 2025
Version: 2.0.0
By using CMG FRAMEWORKS SRL's CRM Service, you acknowledge that you have read, understood, and agree to this Privacy Policy.