Privacy Policy

Last updated: April 1, 2026

1. Introduction

Smarfle CRM ("we," "us," or "our") operates the website www.smarfle.com and the Smarfle CRM platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

2. Information We Collect

We collect information that you provide directly to us, including:

  • Account information: Name, email address, password, phone number
  • Business information: Company name, address, phone number, logo, tax ID
  • Client data: Names, contact details, addresses, and service history you enter into the CRM
  • Payment information: Processed securely via Stripe (we do not store card numbers)
  • Communications: SMS messages and emails sent through the platform
  • Voice recordings: Call recordings and transcripts from the AI voice receptionist (when enabled)
  • Location data: Addresses entered for clients, work orders, and branches (geocoded via Google Maps)
  • Usage data: Features used, pages visited, actions taken, device information, and IP addresses

3. How We Use Your Information

  • Provide, maintain, and improve our services
  • Process transactions and send related information
  • Send transactional notifications (appointment reminders, invoice updates)
  • Respond to your comments, questions, and support requests
  • Monitor and analyze usage trends to improve user experience
  • Detect, prevent, and address fraud, abuse, and security issues
  • Generate AI-powered content (email drafts, SMS drafts, work order summaries) using your business context
  • Process voice calls and generate call transcripts and summaries
  • Comply with legal obligations

4. SMS Communications

When businesses use Smarfle CRM to send SMS messages to their clients, we process these messages through Twilio. Recipients can opt out of SMS communications at any time by replying STOP. We do not send marketing SMS. All messages are transactional (appointment reminders, service updates, invoice notifications). Message frequency varies based on service activity.

5. Data Sharing

We do not sell your personal information. We share data only with:

  • Service providers that help us operate the platform:
    • Stripe (payment processing and billing)
    • Twilio (SMS messaging and voice calls)
    • Resend (transactional email delivery)
    • Supabase (database hosting and authentication)
    • Vercel (application hosting and analytics)
    • Anthropic (AI features, email/SMS drafting, call handling)
    • Amazon Web Services (voice synthesis via Amazon Polly)
    • Google Maps Platform (address autocomplete, geocoding, route optimization)
    • DataForSEO (Google Business Profile rank tracking)
  • Business accounts: Client data is accessible only to the business that created it. Multi-tenant isolation ensures no cross-organization data access.
  • Legal requirements: When required by law, subpoena, court order, or to protect our rights, safety, or property

6. Data Security

We implement appropriate technical and organizational security measures including: encryption in transit (TLS/SSL), row-level security on all database tables ensuring tenant isolation, encrypted storage of sensitive credentials, role-based access controls, audit logging of sensitive operations, and regular security reviews. However, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

7. Data Retention

  • Active accounts: Data is retained for as long as your account is active
  • After account deletion: Business data (clients, work orders, invoices) is permanently deleted within 30 days of account closure
  • Billing records: Transaction and payment records are retained for up to 7 years as required for tax and legal compliance
  • Voice recordings: Call recordings are retained for 90 days and then automatically deleted unless exported
  • Audit logs: Security audit logs are retained for 1 year
  • Anonymized analytics: Aggregated, non-identifiable usage statistics may be retained indefinitely

8. Your Rights

Depending on your location, you may have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion of your data
  • Export your data (CSV export available for all entities)
  • Opt out of SMS communications
  • Object to or restrict certain processing of your data
  • Withdraw consent where processing is based on consent

To exercise any of these rights, contact us at founder@smarfle.com. We will respond within 30 days.

9. California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know: You can request details about the categories and specific pieces of personal information we collect
  • Right to delete: You can request deletion of your personal information, subject to certain exceptions
  • Right to opt out: We do not sell personal information to third parties
  • Non-discrimination: We will not discriminate against you for exercising your CCPA rights

10. European Users (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

  • Legal basis: We process your data based on: contract performance (providing the Service), legitimate interests (improving the Service, fraud prevention), consent (where applicable), and legal obligations
  • Data portability: You can request your data in a structured, machine-readable format
  • Right to object: You can object to processing based on legitimate interests
  • Supervisory authority: You have the right to lodge a complaint with your local data protection authority

Data transfers outside the EEA are protected by standard contractual clauses or other appropriate safeguards.

11. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us.

12. Cookies & Tracking

We use the following types of cookies and tracking technologies:

  • Essential cookies: Required for authentication, session management, and security. Cannot be disabled.
  • Analytics: Vercel Analytics for anonymous, privacy-friendly usage tracking. No personally identifiable information is collected.
  • Affiliate tracking: A 90-day cookie is set when you arrive via an affiliate referral link, used solely to attribute referrals.
  • Google Analytics / Tag Manager: Only active on business landing pages where the business owner has configured their own GA4 or GTM tracking ID.

We do not use third-party advertising cookies or tracking pixels.

13. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users via email within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, the data affected, steps we are taking to address it, and recommendations for protecting yourself. Where required by law, we will also notify the relevant supervisory authorities.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 30 days before the changes take effect. The "Last updated" date at the top reflects the most recent revision.

15. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at founder@smarfle.com.