Privacy Policy - CoachlyCRM

1. Introduction

This Privacy Policy describes how Coachly CRM ("we," "us," or "our") collects, uses, protects, and shares your personal information when you use our coaching CRM platform and related services (the "Service"). We are committed to protecting your privacy and being transparent about our data practices.

By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy.

2. Information We Collect

2.1 Information You Provide Directly

Account Information: Name, email address, password, phone number
Profile Information: Company name, business address, professional details, profile photo
Client and Lead Data: Contact information, notes, and business-related data you input about your clients and prospects
Communication Data: Messages, emails, notes, and other communications within the platform
Payment Information: Billing address and payment method details (processed securely through third-party payment processors)

2.2 Google Account Integration

When you connect your Google account to our Service, we access and collect:

Basic Profile Information: Your name, email address, and profile picture from your Google account
Google Calendar Data: Calendar events you own, including event details, dates, times, attendees, and descriptions
Authentication Data: Tokens necessary to maintain your Google account connection

Google OAuth Scopes Used:

https://www.googleapis.com/auth/calendar.events.owned - This allows us to view, create, edit, and delete calendar events that you own

2.3 Information We Collect Automatically

Usage Data: How you interact with our Service, features used, time spent, click patterns
Device Information: IP address, browser type, operating system, device identifiers
Log Data: Server logs, error reports, performance data
Cookies and Tracking Data: As described in Section 9

2.4 Information We Do NOT Collect

We do not collect or store:

Sensitive personal data such as health records, financial account numbers, or government identification numbers
Credit card information (handled by our payment processors)
Personal data of individuals under 16 years of age
Google Calendar events you don't own (we only access events you created)
Other Google services data beyond what's explicitly requested

3. Legal Basis for Processing

We process your personal data based on the following legal grounds:

Contract Performance: To provide our Service and fulfill our obligations to you
Legitimate Interest: To improve our Service, ensure security, and conduct business operations
Consent: For marketing communications, Google account integration, and optional features (you can withdraw consent at any time)
Legal Obligation: To comply with applicable laws and regulations

4. How We Use Your Information

4.1 General Use

We use your information to:

Provide, maintain, and improve our CRM services
Process transactions and manage your account
Provide customer support and respond to inquiries
Send important service updates and security notifications
Send marketing communications (with your consent)
Analyze usage patterns to enhance user experience
Detect and prevent fraud, abuse, and security threats
Comply with legal obligations and resolve disputes

4.2 Google Account Data Usage

We use your Google account data specifically to:

Profile Information: Create and maintain your Coachly CRM account using your Google name, email, and profile picture
Calendar Integration:
- Display your calendar events within the CRM interface
- Create new calendar events for client appointments and meetings
- Update existing calendar events when you modify appointments
- Delete calendar events when appointments are cancelled
- Sync appointment scheduling between our CRM and your Google Calendar
Authentication: Maintain secure access to your Google account for ongoing calendar synchronization

Data Minimization: We only access and use the minimum amount of Google data necessary to provide our calendar integration features.

5. Data Sharing and Third Parties

5.1 We Share Data With:

Service Providers: Cloud hosting (Render), analytics (Google Analytics), email services (Postmark), payment processors (Lemon Squeezy), authentication services (Google OAuth)
Legal Requirements: When required by law, court order, or to protect our rights and safety
Business Transfers: In connection with mergers, acquisitions, or sale of assets (with user notification)

5.2 Google Data Sharing

Google Calendar Data: We do not share your Google Calendar data with any third parties
Profile Data: Your Google profile information (name, email, picture) is only used within our platform and not shared externally
No Advertising: We do not use your Google data for advertising purposes

5.3 We Do NOT:

Sell your personal data to third parties
Share your client data with other users
Use your data for advertising on other platforms
Share your Google Calendar data with other users or third parties
Store your Google account passwords (we use secure OAuth tokens)

5.4 Third-Party Services

Our key third-party providers include:

Hosting: Render for cloud hosting (data processing agreement in place)
Analytics: Google Analytics (anonymized data)
Email: Postmark for transactional emails
Payments: Lemon Squeezy for payment processing
Authentication: Google OAuth for secure login and calendar access
Support: Manual support provided directly by our team

Each provider has their own privacy policies and security measures.

6. Data Security

We implement industry-standard security measures including:

Encryption of data in transit and at rest
Secure OAuth 2.0 implementation for Google account connections
Regular security audits and vulnerability assessments
Access controls and employee training
Secure data centers with physical security measures
Regular backups and disaster recovery procedures
Secure token storage and refresh mechanisms for Google API access

While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but will promptly notify you of any material security breaches affecting your personal data.

7. Data Retention

7.1 General Data Retention

We retain your personal data for the following periods:

Account Data: 3 years after account closure
Usage Logs: 12 months
Payment Records: 7 years (for tax and legal compliance)
Marketing Data: Until you unsubscribe or withdraw consent
Legal Holds: As required by law or ongoing legal matters

7.2 Google Data Retention

Google Profile Data: Retained while your account is active and for 30 days after account closure
Google Calendar Data: Synchronized in real-time; deleted immediately when you disconnect your Google account
OAuth Tokens: Securely stored while integration is active; immediately deleted when you revoke access

You can request earlier deletion of your data subject to our legal obligations.

8. Managing Your Google Account Integration

8.1 Connecting Your Google Account

You can connect your Google account through our secure OAuth flow
You will be clearly informed about what data we access before granting permission
Connection is entirely optional and can be done at any time

8.2 Disconnecting Your Google Account

You can disconnect your Google account at any time through your account settings
Disconnecting will immediately stop all data synchronization
Previously synced calendar data will be removed from our systems within 24 hours
You can also revoke access directly through your Google Account settings

8.3 Data Access Transparency

You can view what Google data we've accessed in your account dashboard
We provide clear explanations of how your Google data is being used
You can contact us for detailed information about your Google data processing

9. Cookies and Tracking Technologies

We use the following types of cookies:

9.1 Essential Cookies

Required for basic functionality - cannot be disabled:

Authentication and session management
Security features
Load balancing
Google OAuth state management

9.2 Analytics Cookies

Help us understand how you use our Service:

Google Analytics (anonymized)
Internal usage analytics

9.3 Preference Cookies

Remember your settings and preferences:

Language preferences
Dashboard customizations
Notification settings

You can manage cookie preferences through your browser settings or our cookie preference center.

10. Your Rights and Choices

You have the following rights regarding your personal data:

10.1 Access and Portability

Request a copy of your personal data
Export your data in common formats (CSV, JSON)
Receive data within 30 days of request

10.2 Correction and Updates

Update your account information at any time
Request correction of inaccurate data

10.3 Deletion

Delete your account and associated data
Request deletion of specific data categories
Note: Some data may be retained for legal compliance

10.4 Google Data Rights

Disconnect your Google account at any time
Request deletion of all Google-sourced data
View and manage your Google data permissions
Revoke calendar access without deleting your main account

10.5 Marketing Communications

Unsubscribe from marketing emails
Opt out of promotional communications
Update communication preferences

10.6 Data Processing

Object to certain data processing activities
Restrict processing in specific circumstances
Withdraw consent for consent-based processing

To exercise these rights, contact us at privacy@coachlycrm.com or through your account settings.

11. International Data Transfers

Your data may be processed in countries other than your own. We ensure adequate protection through:

Standard Contractual Clauses with service providers
Adequacy decisions by relevant authorities
Other approved transfer mechanisms

Currently, our primary data processing occurs in the United States and European Union. Google data is processed in accordance with Google's global infrastructure and data protection standards.

12. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights:

Right to know what personal information is collected
Right to delete personal information
Right to opt-out of the sale of personal information (we don't sell data)
Right to non-discrimination for exercising your rights

13. Children's Privacy

Our Service is not intended for individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If we discover we have collected such information, we will delete it promptly.

14. Changes to This Privacy Policy

We may update this Privacy Policy periodically. Changes will be:

Posted on this page with an updated "Last Updated" date
Communicated via email for material changes
Effective 30 days after posting (unless otherwise specified)

Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.

15. Data Protection Officer

For privacy-related questions or concerns, you can contact our Data Protection Officer at:

Email: privacy@coachlycrm.com

16. Supervisory Authority

If you are in the European Union, you have the right to lodge a complaint with your local data protection authority if you believe we have not handled your personal data in accordance with applicable law.

17. Contact Information

For questions about this Privacy Policy or our privacy practices, contact us:

Email: privacy@coachlycrm.com

We will respond to privacy requests within 30 days.