Privacy Policy

Last updated: May 7, 2026

1. Introduction

Smarfle CRM ("we," "us," or "our") operates the website www.smarfle.com and the Smarfle CRM platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

2. Information We Collect

We collect information that you provide directly to us, including:

  • Account information: Name, email address, password, phone number
  • Business information: Company name, address, phone number, logo, tax ID
  • Client data: Names, contact details, addresses, and service history you enter into the CRM
  • Payment information: Processed securely via Stripe (we do not store card numbers)
  • Communications: SMS messages and emails sent through the platform
  • Voice recordings: Call recordings and transcripts from the AI voice receptionist (when enabled)
  • Location data: Addresses entered for clients, work orders, and branches (geocoded via Google Maps)
  • Usage data: Features used, pages visited, actions taken, device information, and IP addresses

3. How We Use Your Information

  • Provide, maintain, and improve our services
  • Process transactions and send related information
  • Send transactional notifications (appointment reminders, invoice updates)
  • Respond to your comments, questions, and support requests
  • Monitor and analyze usage trends to improve user experience
  • Detect, prevent, and address fraud, abuse, and security issues
  • Generate AI-powered content (email drafts, SMS drafts, work order summaries) using your business context
  • Process voice calls and generate call transcripts and summaries
  • Comply with legal obligations

4. SMS Communications & Text Messaging

When businesses use Smarfle CRM to send SMS/text messages to their clients, we process these messages through Twilio. All messages are transactional in nature — appointment reminders, work order status updates, invoice notifications, and payment confirmations. We do not send marketing or promotional SMS.

No sharing of phone numbers. We will not share, sell, rent, or transfer mobile phone numbers or SMS opt-in consent data to third parties or affiliates for marketing or promotional purposes. Phone numbers are used solely to deliver the transactional messages described above.

Message frequency. Message frequency varies based on your service activity with the business you engage with (for example, appointment bookings, service completions, and invoices).

Message and data rates. Message and data rates may apply based on your mobile carrier and plan. Smarfle does not charge for sending text messages.

Opt-in. Recipients provide explicit consent by checking an unchecked-by-default consent checkbox on the business's booking form, client registration page, or contact form. The phone field is optional on all forms; if a phone is provided, the consent box must be ticked for the submission to succeed and for any outbound SMS to be sent. Smarfle's outbound-SMS engine refuses to text any recipient whose consent flag is not set.

Opt-out. You can opt out of SMS communications at any time by replying STOP to any message. We also honor CANCEL, UNSUBSCRIBE, END, and QUIT. After opting out, you will receive a confirmation and no further messages will be sent.

Help. Reply HELP to any message for assistance, or contact us at support@smarfle.com.

5. Data Sharing

We do not sell your personal information. We share data only with:

  • Service providers that help us operate the platform:
    • Stripe (payment processing and billing)
    • Twilio (SMS messaging and voice calls)
    • Resend (transactional email delivery)
    • Supabase (database hosting and authentication)
    • Vercel (application hosting and analytics)
    • Anthropic (AI features, email/SMS drafting, call handling)
    • Amazon Web Services (voice synthesis via Amazon Polly)
    • Google Maps Platform (address autocomplete, geocoding, route optimization)
    • DataForSEO (Google Business Profile rank tracking)
  • Business accounts: Client data is accessible only to the business that created it. Multi-tenant isolation ensures no cross-organization data access.
  • Legal requirements: When required by law, subpoena, court order, or to protect our rights, safety, or property

6. Data Security

We implement appropriate technical and organizational security measures including: encryption in transit (TLS/SSL), row-level security on all database tables ensuring tenant isolation, encrypted storage of sensitive credentials, role-based access controls, audit logging of sensitive operations, and regular security reviews. However, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

7. Data Retention

  • Active accounts: Data is retained for as long as your account is active
  • After account deletion: Business data (clients, work orders, invoices) is permanently deleted within 30 days of account closure
  • Billing records: Transaction and payment records are retained for up to 7 years as required for tax and legal compliance
  • Voice recordings: Call recordings are retained for 90 days and then automatically deleted unless exported
  • Audit logs: Security audit logs are retained for 1 year
  • Anonymized analytics: Aggregated, non-identifiable usage statistics may be retained indefinitely

8. Your Rights

Depending on your location, you may have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion of your data
  • Export your data (CSV export available for all entities)
  • Opt out of SMS communications
  • Object to or restrict certain processing of your data
  • Withdraw consent where processing is based on consent

To exercise any of these rights, contact us at founder@smarfle.com. We will respond within 30 days.

9. California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know: You can request details about the categories and specific pieces of personal information we collect
  • Right to delete: You can request deletion of your personal information, subject to certain exceptions
  • Right to opt out: We do not sell personal information to third parties
  • Non-discrimination: We will not discriminate against you for exercising your CCPA rights

10. European Users (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

  • Legal basis: We process your data based on: contract performance (providing the Service), legitimate interests (improving the Service, fraud prevention), consent (where applicable), and legal obligations
  • Data portability: You can request your data in a structured, machine-readable format
  • Right to object: You can object to processing based on legitimate interests
  • Supervisory authority: You have the right to lodge a complaint with your local data protection authority

Data transfers outside the EEA are protected by standard contractual clauses or other appropriate safeguards.

11. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us.

12. Cookies & Tracking

We use the following types of cookies and tracking technologies:

  • Essential cookies: Required for authentication, session management, and security. Cannot be disabled.
  • Analytics: Vercel Analytics for anonymous, privacy-friendly usage tracking. Google Analytics 4 may also be used to measure traffic and behavior on www.smarfle.com.
  • Advertising: The Meta Pixel (Facebook/Instagram), Google Ads conversion tracking, and Google Tag Manager are loaded on our public marketing pages (homepage, features, pricing, alternatives, business industry pages, landing pages). These pixels collect information about your visit (pages viewed, actions taken, device data, IP address) and report it to Meta and Google so we can measure ad performance, optimize ad delivery, and build retargeting audiences.
  • Affiliate tracking: A 90-day cookie is set when you arrive via an affiliate referral link, used solely to attribute referrals.
  • Customer business websites: Where one of our business customers has configured their own Google Analytics or Google Tag Manager tracking ID, those scripts run on their landing or website pages. We do not control the data collection on those pages.

You can opt out of advertising cookies at any time by using the “Do Not Sell or Share My Personal Information” link in our footer. You can also opt out via your browser settings or by installing the Google Analytics Opt-out Browser Add-on and managing Meta ads preferences in Meta Accounts Center.

12a. California Privacy Rights (CCPA / CPRA)

California residents have the right under the California Consumer Privacy Act (as amended by the California Privacy Rights Act) to:

  • Know what personal information we collect, share, and sell
  • Request deletion of your personal information
  • Correct inaccurate personal information
  • Opt out of the sale or sharing of your personal information
  • Limit the use of sensitive personal information
  • Be free from discrimination for exercising your privacy rights

The use of advertising pixels (Meta Pixel, Google Ads) on our marketing pages may be considered “sharing” of personal information under California law. To opt out, click “Do Not Sell or Share My Personal Information” in the footer of any page on our site, or email us at founder@smarfle.com. Opt-out is processed within 15 business days and persists for at least 12 months.

13. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users via email within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, the data affected, steps we are taking to address it, and recommendations for protecting yourself. Where required by law, we will also notify the relevant supervisory authorities.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 30 days before the changes take effect. The "Last updated" date at the top reflects the most recent revision.

15. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at founder@smarfle.com.