CRM Doc
Legal

Privacy notice

Last updated May 27, 2026. The short version: we collect the minimum needed to run the product, we never sell anything, and you can export or delete on demand.

Draft notice. This is the plain-language working draft for the v0.2 hosted beta. The counsel-reviewed version replaces this at v1.0. Material changes get 30 days notice via email and changelog.

What we collect

  • Account data: your name, email, and the credentials you use to sign in.
  • Workspace data: the funnels you build, their JSON, build logs, audit events, usage metering.
  • Connection metadata: which CRMs you connected, what scopes were granted, when. Encrypted credentials live in Supabase Vault.
  • Telemetry: aggregate usage (route hits, build counts, errors) for product decisions. No fingerprinting, no third-party tracking pixels.

What we do not collect

  • Your CRM's contact records, prospect data, or revenue numbers. We orchestrate the build; the data stays in your CRM.
  • Your AI provider key. CRM Doc never sees or proxies it.
  • Your prompts. They go from your AI client to your AI provider; we only receive the tool-call arguments your AI sends to our API.
  • Anything we don't need to run the product.

Cookies

One session cookie for auth and a few preference cookies for UI state (sidebar collapse, command palette history). No analytics cookies. No advertising cookies. No third parties dropping anything on our domain.

Who we share data with

Only the sub-processors needed to run the service:

  • Supabase (database + vault, US/EU region).
  • Stripe (billing).
  • Vercel (hosting).
  • The CRM you connect (only the funnel objects you ask us to push, nothing else).

We never sell your data. We never share it with advertisers. We respond to lawful requests only where legally required.

Where data lives

Primary region is US-East. EU residents can request EU-region storage; we route the workspace at provision time. Backups are encrypted at rest, retained 30 days.

Your controls

  • Export: POST /v1/export/funnel/[id] returns funnel JSON. Workspace-wide export lands v0.3.
  • Delete: Workspace deletion wipes API keys, builds, funnel JSON, and audit log within 30 days. CRM data stays in your CRM.
  • Access: Audit log in Account › Audit log shows every action on your data.
  • Email preferences: only transactional and incident emails. No marketing list.

Children

CRM Doc is not directed at people under 18. We do not knowingly collect data from minors.

Security posture

Encrypted-at-rest credentials, principle-of-least-privilege scoped tokens, OAuth where the target CRM supports it, full audit trail on every change. SOC 2 Type I path starts v0.4, Type II in Year 2.

If you find a vulnerability, please email future@anteai.com.au with "security" in the subject. We acknowledge within one business day.

Changes

Material changes to this notice get 30 days notice by email and changelog entry. The current version is always at crmdoc.ai/privacy.

Contact

Ante AI Pty Ltd, Brisbane, Australia. future@anteai.com.au.