Important information about our services
Last Updated: February 24, 2026
Effective Date: February 24, 2026
Version: 3.0.0
Document Reference: CMG-PP-2026-03
Legal Entity: CMG FRAMEWORKS SRL
Registered Address: Drumul NISIPOASA, Nr. 46-52, Lot 1/2, Bl. C, Scara C7, Etaj P, Ap. 3, Bucuresti, Romania
Trade Registry: J40/XXXXX/XXXX
Contact Phone: +40 772 125 155
General Email: support@cmgworkflow.com
Data Protection Officer (DPO): contact@cmgworkflow.com
Lead Supervisory Authority: ANSPDCP (Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal)
CMG FRAMEWORKS SRL is the data controller within the meaning of Article 4(7) of the General Data Protection Regulation (EU) 2016/679 ("GDPR") for the processing of personal data described in this Privacy Policy.
CMG FRAMEWORKS SRL ("we," "us," "our," the "Controller") operates CMG Workflow, a multi-tenant Customer Relationship Management (CRM) Software-as-a-Service (SaaS) platform (the "Service" or "Platform") that helps businesses manage leads, clients, WhatsApp conversations, tasks, deals, and email communications using AI-powered automation.
This Privacy Policy explains, in a concise, transparent, intelligible, and easily accessible manner, how we collect, use, store, share, and protect your personal data. It fulfills our obligations under Article 13 and Article 14 of the GDPR to provide information to data subjects at the time of collection and when data is obtained from third parties.
This Privacy Policy is issued in compliance with, and should be interpreted in accordance with:
This Privacy Policy applies to all individuals whose personal data we process, including:
| Scenario | Our Role | Your Role |
|---|---|---|
| Processing data of Organization users (owners, admins, agents) | Controller | Data Subject |
| Processing CRM data (leads, clients) on behalf of organizations | Processor | Controller |
| Processing website visitor analytics | Controller | Data Subject |
| Processing payment data via Stripe | Controller (with Stripe as sub-processor) | Data Subject |
| AI analysis of conversation data | Processor (acting on organization's instructions) | Controller |
When we act as a Processor on behalf of subscribing organizations, the organization is the Controller and determines the purposes and means of processing their CRM data. Our obligations as Processor are governed by our Data Processing Agreement (DPA), available upon request.
For the purposes of this Privacy Policy:
| Data Element | Purpose | Mandatory/Optional |
|---|---|---|
| Full name | Account identification, personalization | Mandatory |
| Email address | Authentication, account recovery, communications | Mandatory |
| Password (bcrypt-hashed) | Account security and access control | Mandatory |
| Organization name | Multi-tenant identification | Mandatory |
| Organization industry | Service customization | Optional |
| Phone number | Account recovery, 2FA, support | Optional |
| Payment information | Subscription billing (processed by Stripe; we do not store card numbers) | Mandatory for paid plans |
| Data Element | Purpose | Mandatory/Optional |
|---|---|---|
| Profile photo/avatar | Account personalization | Optional |
| Communication preferences | Email notification management | Optional |
| Time zone | Scheduling and date formatting | Optional (auto-detected) |
| Language preference | Interface localization | Optional |
| Theme preference | UI customization (dark/light mode) | Optional |
When subscribing organizations use the Platform to manage their business relationships, the following data is created or imported:
Lead and Client Information:
WhatsApp Conversation Data:
Email Data:
Task and Deal Data:
Where we obtain personal data not directly from the data subject, we inform you of:
| Source | Data Obtained | Purpose | Timing of Notification |
|---|---|---|---|
| WhatsApp Business Cloud API | Phone numbers, message content, profile names | CRM lead creation from conversations | Within 1 month or at first communication |
| Google Forms (if connected) | Form responses, submission metadata | Automated lead creation | Within 1 month or at first communication |
| Gmail API (if connected) | Inbound email content, sender info | Lead matching and import | Within 1 month or at first communication |
| Meta Ads API (if connected) | Ad interaction data, lead form submissions | Lead source attribution | Within 1 month or at first communication |
| Stripe | Payment status, subscription events | Billing and account management | At point of processing |
| Sentry | Anonymized error data, device metadata | Error monitoring and debugging | Continuous (anonymized) |
We do not intentionally collect special categories of personal data (Article 9 GDPR). However, because the Platform allows organizations to create custom fields and store free-text notes, it is possible that special category data may be entered by organization users. Organizations, as Controllers of their CRM data, are responsible for ensuring a lawful basis for any special category data they process.
We do not process Romanian national identification numbers (CNP) as defined under Law 190/2018, Article 5.
Our AI features (powered by Google Gemini Enterprise API) may generate derived data including:
This derived data is clearly labeled as AI-generated within the Platform.
We process personal data only when we have a valid lawful basis under Article 6(1) GDPR. The following table details the lawful basis for each processing activity:
| Processing Activity | Lawful Basis | GDPR Article | Specific Justification |
|---|---|---|---|
| Account creation and authentication | Contract performance | Art. 6(1)(b) | Necessary to provide the subscribed Service |
| CRM data storage and management | Contract performance | Art. 6(1)(b) | Core Service functionality |
| Payment processing via Stripe | Contract performance | Art. 6(1)(b) | Necessary for subscription billing |
| Sending service-related emails (account, billing, security) | Contract performance | Art. 6(1)(b) | Necessary for Service administration |
| WhatsApp messaging (when enabled by organization) | Consent + Contract | Art. 6(1)(a) + (b) | Organization consents to integration; contract for Service delivery |
| AI conversation analysis and response generation | Legitimate interest | Art. 6(1)(f) | LIA-01: Service quality improvement and automation |
| AI lead extraction from conversations | Legitimate interest | Art. 6(1)(f) | LIA-02: Efficient lead management (core Service feature) |
| Service improvement and anonymized analytics | Legitimate interest | Art. 6(1)(f) | LIA-03: Product improvement through aggregated usage insights |
| Security monitoring, fraud prevention, abuse detection | Legitimate interest | Art. 6(1)(f) | LIA-04: Protecting users and infrastructure from threats |
| Error monitoring via Sentry (anonymized) | Legitimate interest | Art. 6(1)(f) | LIA-05: Service reliability and debugging |
| Tax record retention | Legal obligation | Art. 6(1)(c) | Romanian Fiscal Code, 7-year retention |
| Responding to legal/regulatory requests | Legal obligation | Art. 6(1)(c) | Court orders, ANSPDCP investigations, regulatory inquiries |
| Marketing communications | Consent | Art. 6(1)(a) | Explicit opt-in required |
| Analytics cookies | Consent | Art. 6(1)(a) | Cookie consent banner opt-in |
| Gmail integration (email import) | Consent | Art. 6(1)(a) | Organization explicitly connects Gmail account |
| Google Forms integration | Consent | Art. 6(1)(a) | Organization explicitly connects Forms |
For each processing activity relying on legitimate interest under Article 6(1)(f), we have conducted a documented Legitimate Interest Assessment consisting of a three-part test (Purpose, Necessity, and Balancing):
| Test | Assessment |
|---|---|
| Purpose Test | We pursue the legitimate interest of providing intelligent, AI-powered CRM automation as a core feature of our Service, which significantly improves response times and customer engagement for our subscribers. |
| Necessity Test | AI analysis of conversation content is necessary to generate contextual responses, extract key information, and provide automation. No less intrusive alternative can achieve the same level of Service quality. Processing uses a sliding window of the 10-15 most recent messages only. |
| Balancing Test | Data subjects would reasonably expect their conversations with businesses to be analyzed to improve service quality. Safeguards include: (i) Google Gemini Enterprise API does not use data for model training; (ii) human review is disabled by default; (iii) data is processed within EU data centers where available; (iv) organizations can disable AI features entirely; (v) data minimization through the sliding-window approach; (vi) clear AI disclosure in the Platform interface. The processing does not cause undue harm and data subjects retain the right to object (Art. 21). |
| Outcome | Legitimate interest is not overridden. Processing may proceed with documented safeguards. |
| Test | Assessment |
|---|---|
| Purpose Test | We pursue the legitimate interest of automating lead creation from WhatsApp conversations to reduce manual data entry for subscribers and improve CRM accuracy. |
| Necessity Test | Automated extraction of contact information (name, email, phone) from unstructured messages is necessary for efficient lead management. Manual entry is error-prone and time-consuming. Only structured contact information is extracted; message content is not permanently stored beyond the conversation record. |
| Balancing Test | Individuals messaging a business via WhatsApp reasonably expect that their contact information will be recorded in the business's CRM system. Safeguards include: (i) extracted data is verified before lead creation; (ii) organizations can review and edit extracted data; (iii) the right to object remains available. Impact on data subjects is minimal as the information would have been manually entered regardless. |
| Outcome | Legitimate interest is not overridden. Processing may proceed. |
| Test | Assessment |
|---|---|
| Purpose Test | We pursue the legitimate interest of understanding how the Service is used to identify feature improvements, performance bottlenecks, and user experience enhancements. |
| Necessity Test | Aggregated analytics are necessary to make informed decisions about product development and infrastructure optimization. Individual-level tracking is minimized; data is anonymized where possible. |
| Balancing Test | Users reasonably expect a SaaS provider to monitor aggregate usage patterns for product improvement. Safeguards include: (i) data anonymization and aggregation; (ii) no PII in analytics data; (iii) short retention periods (24 months); (iv) right to object. The processing has negligible impact on privacy. |
| Outcome | Legitimate interest is not overridden. Processing may proceed. |
| Test | Assessment |
|---|---|
| Purpose Test | We pursue the legitimate interest of protecting our Service, infrastructure, and users from security threats, unauthorized access, fraud, and abuse in accordance with Recital 49 GDPR. |
| Necessity Test | Real-time monitoring of login patterns, IP addresses, rate limiting, and anomaly detection are necessary to prevent unauthorized access and maintain Service integrity. No less intrusive alternative provides adequate protection. |
| Balancing Test | Users expect their SaaS provider to implement robust security measures. Processing is limited to security-relevant data. IP addresses are retained only as long as necessary for threat assessment. The strong interest in security substantially outweighs any minor privacy impact. |
| Outcome | Legitimate interest is not overridden. Processing may proceed. |
| Test | Assessment |
|---|---|
| Purpose Test | We pursue the legitimate interest of maintaining Service reliability by monitoring, detecting, and resolving software errors and performance issues in real time. |
| Necessity Test | Automated error tracking with contextual information (stack traces, anonymized user context, performance metrics) is necessary for timely bug identification and resolution. |
| Balancing Test | Users benefit directly from rapid error resolution and Service stability. Safeguards include: (i) automatic PII scrubbing (passwords, tokens, emails, phone numbers removed); (ii) data minimization in error reports; (iii) short retention periods; (iv) anonymized user identifiers. Privacy impact is minimal given the safeguards. |
| Outcome | Legitimate interest is not overridden. Processing may proceed. |
Copies of the full LIA documentation are available upon request to the Data Protection Officer at contact@cmgworkflow.com.
We process personal data for the following purposes directly related to Service delivery:
We make the following binding commitments regarding your data:
We are committed to transparency about our use of automated processing. The following automated processing activities occur within the Platform:
| Activity | Type | Produces Legal/Significant Effects? | Human Oversight |
|---|---|---|---|
| AI conversation response generation | Automated processing | No | Responses require human review before sending (configurable) |
| AI lead extraction from conversations | Automated processing with profiling elements | No | Extracted data presented for human review; organization users confirm/edit |
| Lead scoring and qualification suggestions | Profiling | No | Suggestions only; human makes final qualification decision |
| AI conversation summaries | Automated processing | No | Summaries are informational; no decisions based solely on them |
| Fraud detection and security monitoring | Automated processing | Potentially (account suspension) | Human review before any account suspension |
| Rate limiting | Automated processing | Potentially (temporary access restriction) | Automatic lift after cooling period; human appeal available |
We do not make decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect data subjects, except where:
You have the right to:
To exercise these rights, contact our DPO at contact@cmgworkflow.com.
In accordance with Regulation (EU) 2024/1689 (EU AI Act), we disclose the following information about AI systems deployed within our Platform:
| AI System | Provider | Purpose | Risk Classification | Data Inputs |
|---|---|---|---|---|
| Google Gemini Enterprise API | Google LLC (via Google Ireland Ltd. for EEA) | Conversation analysis, response generation, lead extraction, summarization | Limited risk (per EU AI Act classification) | WhatsApp message content (sliding window of 10-15 messages), conversation metadata |
In compliance with Article 50 of the EU AI Act (transparency obligations applicable from August 2, 2026):
| Safeguard | Description |
|---|---|
| No model training on user data | Google Gemini Enterprise API does not use customer data to train or improve its models |
| Human review disabled | Human review of API inputs/outputs is disabled by default for Enterprise customers |
| Data minimization | Only the most recent 10-15 messages are sent per AI request (sliding window) |
| EU data residency | Processing routed to EU data centers where available (Google Ireland Ltd.) |
| Encryption | All data transmitted to Gemini API via TLS 1.3 |
| Configurable automation | Organizations control AI feature activation and automation level |
| Output labeling | AI-generated content is labeled as such in the Platform interface |
| Audit trail | AI processing requests and outputs are logged for transparency |
AI processing within our Platform does not:
AI processing does:
AI Accuracy and Limitations: Based on internal evaluation, our AI features operate with the following approximate accuracy levels:
| Feature | Accuracy | Notes |
|---|---|---|
| Lead name extraction | ~92% | May misparse compound or non-Latin names |
| Email extraction | ~87% | May extract inactive or malformed addresses |
| Phone number extraction | ~78% | International format variations may cause errors |
| Conversation sentiment analysis | ~85% | Context-dependent; sarcasm and cultural nuance may be misinterpreted |
| Lead qualification scoring | ~80% | Based on pattern matching; does not replace human judgment |
These figures are approximate, may vary based on input quality and language, and are updated periodically as models improve. You must independently verify all AI-generated data before making business decisions or sending communications based on AI outputs.
Where we rely on consent as a lawful basis, we ensure that consent meets all GDPR requirements:
| Consent Point | Mechanism | What You Consent To | How to Withdraw |
|---|---|---|---|
| Marketing emails | Opt-in checkbox during registration or in settings | Receiving product announcements, guides, and promotional content | Unsubscribe link in email, or Settings > Communication Preferences |
| Analytics cookies | Cookie consent banner (granular selection) | Non-essential cookies for usage analytics | Cookie preferences banner (re-trigger on any page) or browser settings |
| WhatsApp integration | Explicit toggle + confirmation in Settings | Connecting WhatsApp Business Account for messaging | Settings > WhatsApp Integration > Disconnect |
| Gmail integration | OAuth consent flow + explicit toggle | Connecting Gmail for email import | Settings > Email Integration > Disconnect, or Google Account permissions |
| Google Forms integration | OAuth consent flow + explicit toggle | Connecting Forms for lead creation | Settings > Integrations > Disconnect |
| AI features | Organization-level toggle (default: enabled) | AI-powered conversation analysis and automation | Settings > AI Bot > Disable |
Consent Enforcement Status: As of February 24, 2026, consent verification is fully enforced for all WhatsApp marketing communications. No marketing messages will be sent via WhatsApp without documented prior consent from the data subject. Opt-out requests (STOP, unsubscribe, and equivalent keywords in supported languages) are processed immediately and irrevocably upon receipt, in accordance with GDPR Article 21.
You may withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (Article 7(3) GDPR). Withdrawal of consent is as easy as giving consent:
We will process your withdrawal request without undue delay and in any case within 72 hours.
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. The following table provides our detailed retention schedule:
| Data Category | Retention Period (Active Account) | Retention Period (After Account Closure) | Legal Basis for Retention |
|---|---|---|---|
| Account registration data (name, email) | Duration of account | 30 days post-cancellation (grace period), then deleted | Contract performance |
| Authentication credentials (hashed passwords) | Duration of account | Deleted immediately upon account closure | Contract performance |
| Profile data (avatar, preferences) | Duration of account | 30 days post-cancellation, then deleted | Contract performance |
| CRM data (leads, clients, contacts) | Duration of account | 30 days post-cancellation (export window), then deleted | Contract performance |
| WhatsApp conversation content | 36 months (configurable by organization) | 30 days post-cancellation, then deleted | Contract performance + Legitimate interest |
| Email import data | Duration of account | 30 days post-cancellation, then deleted | Consent + Contract |
| AI-generated summaries and extractions | Duration of account | 30 days post-cancellation, then deleted | Legitimate interest |
| Task and deal data | Duration of account | 30 days post-cancellation, then deleted | Contract performance |
| Payment and billing records | Duration of account + 7 years | 7 years from transaction date | Legal obligation (Romanian Fiscal Code) |
| Tax invoices and financial documents | Duration of account + 10 years | 10 years from issuance | Legal obligation (Romanian Fiscal Code, Art. 25) |
| Security and access logs | 12 months | 12 months from last activity | Legitimate interest (LIA-04) |
| Error monitoring data (Sentry) | 90 days | 90 days (auto-purged) | Legitimate interest (LIA-05) |
| Analytics data (anonymized/aggregated) | 24 months | 24 months (anonymized, cannot be linked to individuals) | Legitimate interest (LIA-03) |
| Cookie consent records | Duration of consent + 3 years | 3 years from withdrawal | Legal obligation (demonstrating consent) |
| Marketing consent records | Duration of consent + 5 years | 5 years from withdrawal | Legal obligation (demonstrating consent) |
| Data subject request records | 6 years | 6 years from request completion | Legal obligation (demonstrating compliance) |
| Backup data | 90-day rolling retention | Purged within 90 days of primary data deletion | Contract performance |
| Litigation hold data | Duration of legal proceedings | Until obligation expires | Legal obligation |
Under the GDPR (Articles 15-22) and Romanian Law 190/2018, you have the following rights. We are committed to facilitating the exercise of these rights without undue delay.
| Right | GDPR Article | Applies When | Response Time |
|---|---|---|---|
| Right of Access | Art. 15 | Always | 30 days (extendable to 60 days) |
| Right to Rectification | Art. 16 | Data is inaccurate or incomplete | 30 days |
| Right to Erasure | Art. 17 | Various conditions (see below) | 30 days |
| Right to Restriction of Processing | Art. 18 | Various conditions (see below) | Without undue delay |
| Right to Data Portability | Art. 20 | Processing by automated means + consent or contract basis | 30 days |
| Right to Object | Art. 21 | Legitimate interest or direct marketing basis | Without undue delay |
| Right Not to Be Subject to Automated Decision-Making | Art. 22 | Solely automated decisions with legal/significant effects | Without undue delay |
| Right to Withdraw Consent | Art. 7(3) | Consent-based processing | Without undue delay (max 72 hours) |
| Right to Lodge a Complaint | Art. 77 | Always | N/A (supervisory authority process) |
| Right to an Effective Judicial Remedy | Art. 79 | Always | N/A (judicial process) |
| Right to Compensation | Art. 82 | Material or non-material damage from GDPR violation | N/A (judicial process) |
Primary Channel: Email contact@cmgworkflow.com (Data Protection Officer)
Alternative Channels:
Identification: To protect your rights, we may need to verify your identity before processing your request. We will request only the minimum information necessary for verification. We will never ask for a copy of your CNP (national identification number) for verification purposes, in compliance with Law 190/2018.
Free of Charge: The first request in any 12-month period is free. For manifestly unfounded or excessive requests (particularly repetitive ones), we may charge a reasonable fee based on administrative costs or refuse to act (Article 12(5) GDPR). In either case, we will inform you of the reasons.
What you can request:
What we provide:
Response time: 30 days from receipt of a verified request. If the request is complex or we receive numerous requests, we may extend the deadline by an additional 60 days, but we will notify you within the initial 30-day period with the reason for the delay.
Self-service options:
Assisted rectification: Email contact@cmgworkflow.com. We will rectify inaccurate data and complete incomplete data without undue delay. We will notify each recipient to whom data has been disclosed (unless disproportionate effort), per Article 19.
When you can request erasure:
Exceptions (we may lawfully refuse):
Erasure process:
When applicable:
Effect of restriction: Data is stored but not processed. We may only process restricted data with your consent, for legal claims, to protect the rights of another person, or for important public interest.
Notification: We will inform you before any restriction is lifted.
Self-service export:
Data included in portability export:
Conditions: This right applies to data processed by automated means, where processing is based on consent (Art. 6(1)(a)) or contract (Art. 6(1)(b)). It does not apply to data processed under legitimate interest.
Direct transfer: Where technically feasible, we can transmit your data directly to another controller upon your request.
Processing based on legitimate interest: If you object to processing based on our legitimate interest (Art. 6(1)(f)), we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for establishing, exercising, or defending legal claims.
Direct marketing: If you object to processing for direct marketing purposes, we will immediately cease all direct marketing processing. No balancing test is required for this right. Exercise by clicking "Unsubscribe" in any email, or contact us.
Right to object information: We explicitly bring this right to your attention, clearly and separately from other information, at the latest at the time of the first communication with you (Article 21(4)).
See Section 6 above for full details. You have the right to:
| Stage | Action | Timeline |
|---|---|---|
| 1. Acknowledgment | Written confirmation of receipt of your request | Within 5 business days |
| 2. Identity verification | Verification of your identity (minimum data requested) | Within 5 business days |
| 3. Processing | Assessment, data gathering, execution | Within 30 days of verified request |
| 4. Response | Written response with outcome and explanation | Within 30 days of verified request |
| 5. Extension (if needed) | Notification of extended deadline with reasons | Within initial 30-day period; max additional 60 days |
| 6. Escalation | If unsatisfied, escalate to DPO, then ANSPDCP | See Section 19 |
When personal data is transferred outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR (Articles 44-49):
| Mechanism | GDPR Article | When Used |
|---|---|---|
| Adequacy decisions | Art. 45 | Transfers to countries with adequate protection (e.g., UK, Switzerland, Japan, South Korea, Argentina) |
| Standard Contractual Clauses (SCCs) | Art. 46(2)(c) | Primary mechanism for US-based sub-processors |
| EU-US Data Privacy Framework (DPF) | Art. 45 (Adequacy Decision) | US companies certified under DPF (Supabase, Stripe, Sentry, Vercel, Google) |
| Binding Corporate Rules | Art. 47 | Where applicable for sub-processor intra-group transfers |
| Derogations for specific situations | Art. 49 | Explicit consent or contract necessity (used only as a last resort) |
| Sub-Processor | Location | Transfer Mechanism(s) | DPF Certified | SCCs in Place | TIA Conducted |
|---|---|---|---|---|---|
| Supabase Inc. | US (with EU hosting) | SCCs + DPF + EU data residency | Yes | Yes | Yes |
| Meta Platforms (WhatsApp) | US / EU / Global | SCCs + DPF + Business Data Processing Terms | Yes | Yes | Yes |
| Google LLC (Gemini API) | US (via Google Ireland Ltd.) | SCCs + DPF + EU data residency | Yes | Yes | Yes |
| Stripe Inc. | US (with EU options) | SCCs + DPF | Yes | Yes | Yes |
| Sentry (Functional Software Inc.) | US | SCCs + DPF | Yes | Yes | Yes |
| Vercel Inc. | US (with EU edge network) | SCCs + DPF | Yes | Yes | Yes |
We have conducted Transfer Impact Assessments for all international transfers to US-based sub-processors, evaluating:
Key findings of our TIAs:
You have the right to object to international data transfers. If you exercise this right:
All sub-processors have executed Data Processing Agreements (DPAs) in compliance with Article 28 GDPR. The following is a complete list of our current sub-processors:
In accordance with Article 32 GDPR, we implement the following technical and organizational measures to ensure a level of security appropriate to the risk:
| Layer | Standard | Implementation |
|---|---|---|
| Data at rest | AES-256 | Database encryption (Supabase), file storage encryption, backup encryption |
| Data in transit | TLS 1.3 | All client-server communications, API calls to sub-processors, webhook delivery |
| OAuth tokens | AES-256 | WhatsApp and Google OAuth tokens encrypted at rest in database |
| Passwords | bcrypt (cost factor 10+) | Passwords salted and hashed; never stored in plaintext |
| Backup encryption | AES-256 | All database backups encrypted at rest |
In accordance with Article 35 GDPR and the ANSPDCP's published list of processing operations requiring DPIAs, we conduct Data Protection Impact Assessments where processing is likely to result in a high risk to the rights and freedoms of natural persons.
We have conducted DPIAs for the following processing activities:
| Processing Activity | Risk Factors | DPIA Outcome | Key Mitigations |
|---|---|---|---|
| AI-powered conversation analysis (Gemini) | Large-scale automated processing, profiling elements, third-party AI provider | Acceptable risk with mitigations | Data minimization (sliding window), no model training, EU data residency, human oversight, opt-out capability |
| Multi-tenant CRM data processing | Large-scale processing, multiple data categories, cross-border transfers | Acceptable risk with mitigations | RLS isolation, encryption, access controls, DPAs with all sub-processors |
| WhatsApp message processing | Communication content, metadata, international transfer to Meta | Acceptable risk with mitigations | End-to-end encryption (WhatsApp), DPA with Meta, consent mechanism, data minimization |
| Automated lead extraction | Profiling elements, automated processing | Low risk with mitigations | Human review step, accuracy verification, organization control, right to object |
DPIAs are reviewed:
Full DPIA reports are maintained by the Data Protection Officer and are available:
We maintain a documented Data Breach Response Plan in compliance with Articles 33 and 34 GDPR:
| Phase | Action | Timeline | Responsible |
|---|---|---|---|
| Detection | Identify and confirm the breach through monitoring, employee reports, or third-party notification | T+0 (immediate) | Engineering team + DPO |
| Containment | Contain the breach and prevent further unauthorized access | T+0 to T+4 hours | Engineering team |
| Assessment | Assess the nature, scope, and severity of the breach; identify affected data and individuals | T+0 to T+24 hours | DPO + Engineering |
| Internal documentation | Document all known facts: nature of breach, data categories, number of affected individuals, likely consequences, measures taken | T+0 to T+48 hours | DPO |
| Supervisory authority notification | Notify ANSPDCP (unless the breach is unlikely to result in a risk to rights and freedoms) | Within 72 hours of becoming aware (Art. 33(1)) | DPO |
| Data subject notification | Notify affected individuals (if the breach is likely to result in a high risk to their rights and freedoms) | Without undue delay after supervisory notification (Art. 34(1)) | DPO |
| Remediation | Implement measures to prevent recurrence | T+72 hours onward | Engineering + DPO |
| Post-incident review | Full investigation, root cause analysis, lessons learned | Within 30 days | DPO + Management |
Our notification to ANSPDCP will include:
If not all of this information can be provided within 72 hours, we will provide it in phases without further undue delay.
If a breach is likely to result in a high risk to your rights and freedoms, we will notify you via email with:
We are not required to notify data subjects if (Article 34(3)):
We maintain a comprehensive breach register (Article 33(5)) documenting all personal data breaches, regardless of whether they are reportable, including the facts, effects, and remedial action taken.
We use cookies and similar technologies in compliance with the ePrivacy Directive (Directive 2002/58/EC as transposed by Romanian Law 506/2004) and GDPR. Non-essential cookies require your prior consent.
These cookies are necessary for the Service to function and cannot be disabled:
| Cookie Name | Purpose | Duration | Attributes |
|---|---|---|---|
| sb-*-auth-token | Supabase authentication session | Session (with 30-day refresh) | httpOnly, secure, sameSite=Lax |
| sb-*-auth-token.0, .1 | Chunked auth cookies for large JWTs | Session (with 30-day refresh) | httpOnly, secure, sameSite=Lax |
| cookie-consent | Record of your cookie preferences | 365 days | secure, sameSite=Strict |
| csrf-token | CSRF attack prevention | Session | secure, sameSite=Strict |
| __Host-next-auth-csrf-token | Next.js CSRF token | Session | secure, sameSite=Lax |
Legal basis: These cookies are exempt from the consent requirement under Article 5(3) of the ePrivacy Directive because they are strictly necessary for the provision of the Service explicitly requested by you.
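The attributes in the table above are only meaningful if the headers the Service actually sends match them. The following audit script is an added example, not code from CMG Workflow or the original policy; it encodes the essential-cookie table as a policy, parses `Set-Cookie` headers (the sample headers and their values are constructed for illustration) and reports every deviation. It also applies the browser rule for the `__Host-` prefix, which the table does not state: a `__Host-` cookie must carry `Secure` and `Path=/` and must not carry `Domain`, otherwise browsers reject it.

```python
"""Audit Set-Cookie headers against the declared essential-cookie policy.

Added example: the POLICY mirrors the table in the policy text; the
SAMPLE_HEADERS below are constructed, not captured from the Service.
"""
import fnmatch

# Required attributes per cookie name pattern (lower-cased; "key=value"
# entries must match the value, bare keys must merely be present).
POLICY = {
    "sb-*-auth-token": ("httponly", "secure", "samesite=lax"),
    "sb-*-auth-token.*": ("httponly", "secure", "samesite=lax"),
    "cookie-consent": ("secure", "samesite=strict"),
    "csrf-token": ("secure", "samesite=strict"),
    "__Host-next-auth-csrf-token": ("secure", "samesite=lax"),
}


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attrs).

    attrs keys are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def expected_for(name):
    """Return the policy tuple for the first matching name pattern, or None."""
    for pattern, required in POLICY.items():
        if fnmatch.fnmatchcase(name, pattern):
            return required
    return None


def audit_cookie(header):
    """Return (cookie_name, list_of_findings); an empty list means compliant."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    required = expected_for(name)
    if required is None:
        findings.append(f"{name}: not in the essential-cookie table")
        return name, findings
    for item in required:
        key, _, want = item.partition("=")
        got = attrs.get(key)
        if got is None:
            findings.append(f"{name}: missing {key}")
        elif want and str(got).lower() != want:
            findings.append(f"{name}: {key}={got}, policy says {want}")
    # Cookie-prefix rules for __Host- (Secure, Path=/, no Domain); a cookie
    # violating them is silently dropped by the browser.
    if name.startswith("__Host-"):
        if "secure" not in required and attrs.get("secure") is not True:
            findings.append(f"{name}: __Host- prefix requires Secure")
        if attrs.get("path") != "/":
            findings.append(f"{name}: __Host- prefix requires Path=/")
        if "domain" in attrs:
            findings.append(f"{name}: __Host- prefix forbids Domain")
    return name, findings


def audit_all(headers):
    """Audit a list of Set-Cookie header values; returns {name: findings}."""
    return dict(audit_cookie(h) for h in headers)


# Constructed sample headers: three compliant, three that should be flagged.
SAMPLE_HEADERS = [
    "sb-abcd1234-auth-token=eyJhbGci; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=2592000",
    "sb-abcd1234-auth-token.0=eyJhbGci; Path=/; HttpOnly; Secure; SameSite=Lax",
    "cookie-consent=analytics:0; Path=/; Secure; SameSite=Strict; Max-Age=31536000",
    "csrf-token=3f9a0c; Path=/; Secure; SameSite=Lax",            # policy says Strict
    "__Host-next-auth-csrf-token=7b2e; Secure; SameSite=Lax",     # Path=/ missing
    "tracking_id=42; Path=/",                                     # undeclared cookie
]

if __name__ == "__main__":
    for cookie, findings in audit_all(SAMPLE_HEADERS).items():
        print(cookie, "OK" if not findings else "; ".join(findings))
```

Run it against the real headers by feeding the `Set-Cookie` values from a login and a checkout response into `audit_all`; any non-empty finding list is a gap between this policy and the deployed configuration. Preference and analytics cookies can be added to `POLICY` in the same way once their attributes are decided.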
These cookies enhance your experience by remembering your preferences:
| Cookie Name | Purpose | Duration | Type |
|---|---|---|---|
| theme | Remember dark/light mode selection | 365 days | Preference |
| language | Remember language selection | 365 days | Preference |
| dashboard_layout | Remember dashboard layout preferences | 365 days | Preference |
| sidebar_state | Remember sidebar collapsed/expanded state | 365 days | Preference |
These cookies help us understand how you use the Service:
| Cookie Name | Purpose | Duration | Type |
|---|---|---|---|
| analytics_session | Internal usage tracking (anonymized) | 30 days | Analytics |
Data collected: Page views, feature usage frequency, session duration, anonymized user behavior patterns
Safeguards: IP addresses anonymized, user IDs hashed, no PII collected in analytics, data aggregated before analysis
| Provider | Cookie(s) | Purpose | When Set |
|---|---|---|---|
| Stripe | Stripe session cookies | Payment processing, fraud prevention | Only on checkout/billing pages |
| Supabase | Authentication cookies | User session management | Essential (login required) |
We do NOT use:
Cookie Consent Banner: Upon first visit, you will be presented with a granular cookie consent banner allowing you to accept or reject each category of non-essential cookies. You can revisit your preferences at any time.
Browser Settings:
Effect of blocking cookies: Blocking essential cookies will prevent login and core Service functionality. Blocking preference cookies will reset your UI customization on each visit. Blocking analytics cookies has no effect on functionality.
Our Service is a B2B (business-to-business) CRM platform and is not directed at children. We observe the following age restrictions:
If we become aware that we have inadvertently collected personal data from a person under 16:
If you are a parent or legal guardian and believe your child has provided personal data to us:
In accordance with Article 37 GDPR, CMG FRAMEWORKS SRL has designated a Data Protection Officer (DPO) responsible for overseeing data protection strategy and implementation.
The DPO's tasks include (Article 39):
The DPO operates independently and is not instructed regarding the exercise of their tasks. The DPO reports directly to the highest management level of CMG FRAMEWORKS SRL. The DPO shall not be dismissed or penalized for performing their tasks (Article 38(3)).
ANSPDCP (Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal)
You have the right to lodge a complaint with ANSPDCP at any time (Article 77 GDPR). However, we encourage you to contact us first so we can try to resolve your concern directly.
Recommended complaint process:
If you reside or work in another EU/EEA Member State, you may also lodge a complaint with the supervisory authority in your country of habitual residence, place of work, or place of the alleged infringement (Article 77(1)). A list of EU supervisory authorities is maintained by the European Data Protection Board at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
Any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the Controller or Processor. This right may be exercised through the competent courts.
We may update this Privacy Policy to reflect changes in legal requirements, new Service features, feedback from regulators, or industry best practices.
| Change Type | Notification Method | Notice Period |
|---|---|---|
| Material changes (new processing purposes, new sub-processors, changes to data subject rights) | Email notification to all registered users + in-app banner | Minimum 30 days before effective date |
| Significant changes (updated retention periods, new cookie categories, changed lawful basis) | Email notification to organization administrators + in-app banner | Minimum 15 days before effective date |
| Minor/clarifying changes (typographical corrections, formatting, clarifications of existing practices) | Updated "Last Updated" date | Effective immediately |
When we make material changes to this Privacy Policy:
A full version history of this Privacy Policy, including tracked changes, is available upon request to support@cmgworkflow.com.
| Version | Date | Summary of Changes |
|---|---|---|
| 1.0.0 | January 11, 2025 | Initial publication |
| 2.0.0 | January 11, 2025 | Comprehensive rewrite with full GDPR compliance |
| 3.0.0 | February 24, 2026 | Maximum GDPR reinforcement: added LIAs, DPIAs, TIAs, TOMs, EU AI Act compliance, detailed retention schedules, expanded rights procedures, sub-processor management, breach procedures |
This Privacy Policy complies with:
By using CMG FRAMEWORKS SRL's CRM Service, you acknowledge that you have read and understood this Privacy Policy. Where processing is based on consent, your use of specific features constitutes consent only to the extent explicitly described in this Policy. Where processing is based on other lawful bases, your acknowledgment does not constitute consent but rather confirmation that you have been informed of the processing as required by Articles 13 and 14 GDPR.
This Privacy Policy was last reviewed on February 24, 2026, by the Data Protection Officer of CMG FRAMEWORKS SRL.