1. Who We Are
Seedly CRM is operated by Andrew Lee Jenkins LLC ("Company", "we", "us"). This Privacy Policy explains how we collect, use, and protect your information when you visit our website, purchase our source code Product, or use our hosted CRM Service.
2. Information We Collect
Information you provide
- Name and email address (account signup, waitlist, or purchase)
- Payment information (processed by Stripe — we do not store card details)
- Business information you enter into the CRM (contacts, conversations, invoices, documents, notes)
- Files and attachments you upload to the CRM
- Feedback and screenshots submitted via the beta feedback widget
Information collected automatically
- IP address and browser user agent
- Page views and feature usage (PostHog analytics)
- Error reports and performance data (Sentry)
- Authentication session data (Clerk)
3. How We Use Your Information
- To provide and operate the CRM Service
- To process purchases and deliver the source code Product
- To authenticate your identity and manage your account
- To send transactional emails (invoices, appointment confirmations, notifications)
- To send SMS messages on your behalf through your configured providers
- To prevent fraud and abuse
- To improve our website and Service through analytics
- To respond to support requests and feedback
4. Third-Party Services (Sub-Processors)
We use the following third-party services that may process your data:
Infrastructure & Hosting
- Convex — Backend database, real-time sync, file storage, and serverless functions (SOC 2 Type II). DPA
- Vercel — Frontend hosting, CDN, and serverless compute (SOC 2 Type II, ISO 27001). DPA
- Railway — Sales portal hosting and database
Authentication & Payments
- Clerk — User authentication, session management, and multi-factor authentication (SOC 2 Type II). DPA
- Stripe — Payment processing and subscription billing (PCI DSS Level 1). Privacy Policy
Communications (configured by you)
- Twilio — SMS messaging (when configured by account administrator)
- Telnyx — SMS messaging, fallback provider (when configured)
- Postmark — Transactional email delivery (when configured)
- SendGrid — Marketing email delivery (when configured)
- Google APIs — Gmail sync, Google Calendar sync, Google Business Profile reviews (when connected via OAuth)
- Meta Graph API — Facebook Messenger and Instagram DM (when connected via OAuth)
- Zoom — Video meeting creation (when connected via OAuth)
Analytics & Monitoring
- PostHog — Product analytics and feature usage tracking
- Sentry — Error monitoring and performance tracking
5. Data You Store in the CRM
When you use the hosted CRM Service, you may store your customers' personal information (names, emails, phone numbers, addresses, communication history). You are the data controller for this information and are responsible for ensuring you have a lawful basis to collect and process it. We act as a data processor on your behalf.
6. Data Retention
CRM data is retained for as long as your account is active. Upon account termination, your data will be deleted within 30 days. Purchase records and license keys for the source code Product are retained indefinitely to support lifetime access to updates. Audit logs are retained for 12 months. Deleted contact records are permanently purged after 60 days.
7. Data Security
We use industry-standard security measures to protect your data:
- All data encrypted at rest (AES-256) and in transit (TLS 1.3)
- OAuth tokens and API credentials encrypted with AES-256-GCM at the application level
- Payment information processed entirely by Stripe — card data never touches our servers
- Role-based access controls with granular per-module permissions
- Full audit logging of data changes with user attribution
- Webhook signature verification on all inbound integrations
- Rate limiting on public endpoints
8. Your Rights
You have the right to:
- Request a copy of the personal data we hold about you
- Request deletion of your personal data
- Request export of your CRM data in a portable format
- Opt out of marketing communications
- Request correction of inaccurate data
- Withdraw consent for analytics cookies
To exercise any of these rights, contact us at [email protected].
9. Cookies
We use cookies and similar technologies for authentication (Clerk session cookies) and analytics (PostHog). Authentication cookies are essential for the Service to function. Analytics cookies are only set with your consent. You can disable non-essential cookies via the cookie banner or your browser settings.
10. California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know — You can request details about the personal information we collect, use, and disclose about you
- Right to Delete — You can request deletion of your personal information, subject to certain exceptions
- Right to Correct — You can request correction of inaccurate personal information
- Right to Opt Out of Sale — We do not sell your personal information to third parties
- Right to Non-Discrimination — We will not discriminate against you for exercising your privacy rights
To exercise any of these rights, contact us at [email protected]. We will respond within 45 days as required by law. We do not sell personal information and have not done so in the preceding 12 months.
11. UK and EEA Residents (GDPR)
If you are located in the United Kingdom or European Economic Area, you have the following additional rights under the UK GDPR and EU GDPR:
- Lawful Basis — We process your data based on: (a) contract performance (to provide the Service), (b) legitimate interest (fraud prevention, service improvement), and (c) consent (analytics cookies)
- Right to Access — Request a copy of your personal data
- Right to Rectification — Request correction of inaccurate data
- Right to Erasure — Request deletion of your personal data
- Right to Restrict Processing — Request we limit how we use your data
- Right to Data Portability — Receive your data in a structured, machine-readable format
- Right to Object — Object to processing based on legitimate interest
- Right to Withdraw Consent — Withdraw cookie consent at any time by clearing your browser cookies and revisiting the site
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. If you believe your rights have been violated, you have the right to lodge a complaint with your local data protection authority (the ICO in the UK, or your national DPA in the EEA).
12. International Data Transfers
Our infrastructure providers (Convex, Vercel, Clerk) are located in the United States. If you access our Service from the UK or EEA, your data will be transferred to the US. We rely on Standard Contractual Clauses, the EU-U.S. Data Privacy Framework, and adequacy decisions as appropriate to ensure your data is protected in accordance with applicable law. Our sub-processors maintain their own SCCs and DPAs which are linked in Section 4.
13. Children
Our Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. Continued use of the Service after changes constitutes acceptance of the updated policy.