Privacy Policy

Last updated: April 1, 2026

1. Data Controller

CeramicCRM ("we", "us", "our") is the data controller responsible for your personal data. This privacy policy explains how we collect, use, and protect your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable EU/EEA data protection laws.

2. Personal Data We Collect

We collect and process the following categories of personal data:

  • Account Data: Email address, name, and hashed password when you create an account.
  • Workspace Data: Organization name, workspace settings, and team member information.
  • CRM Data: Customer profiles, segments, campaigns, and communication data that you upload or create within the platform.
  • Usage Data: Log data, IP addresses, browser type, and interaction data for service improvement and security.
  • Cookie Data: Authentication tokens and session identifiers stored in httpOnly cookies.

3. Legal Basis for Processing

We process your personal data based on the following legal grounds under Article 6 GDPR:

  • Contract Performance (Art. 6(1)(b)): Processing necessary to provide the CRM service you have subscribed to.
  • Legitimate Interest (Art. 6(1)(f)): Security monitoring, fraud prevention, and service improvement.
  • Legal Obligation (Art. 6(1)(c)): Compliance with applicable laws and regulations.
  • Consent (Art. 6(1)(a)): Where required, such as for optional marketing communications.

4. Data Storage and Security

Your data is stored on servers located within the European Union. We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption of data in transit (TLS/SSL) and at rest
  • Database-per-workspace isolation for multi-tenant data separation
  • Field-level encryption for sensitive data
  • JWT-based authentication with httpOnly secure cookies
  • CSRF protection on all state-changing operations
  • Regular security audits and monitoring

5. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Account data is retained for the duration of your active subscription and deleted within 30 days of account closure, unless longer retention is required by law.

6. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

  • Right of Access (Art. 15): Request a copy of your personal data.
  • Right to Rectification (Art. 16): Request correction of inaccurate data.
  • Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
  • Right to Restriction (Art. 18): Request restriction of data processing.
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interest.
  • Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, please contact us at the email provided in your workspace settings. We will respond to your request within 30 days.

7. Data Processors and Transfers

We may engage third-party processors to assist in providing our services. All processors are bound by Data Processing Agreements (DPAs) that ensure GDPR compliance. We do not transfer personal data outside the EU/EEA unless adequate safeguards are in place (such as Standard Contractual Clauses or an adequacy decision).

8. Cookies

We use strictly necessary cookies for authentication and session management. These cookies are essential for the operation of the service and do not require consent under the ePrivacy Directive. We do not use tracking or advertising cookies.

9. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority, in particular in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR.

10. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any material changes by posting the updated policy on this page and updating the "Last updated" date. Continued use of the service after changes constitutes acceptance of the updated policy.

© 2026 CeramicCRM. All rights reserved.