Privacy Policy

Summary

1. Data Controller

The data controller responsible for your personal data is:

2. Data We Collect

We collect the following categories of personal data:

Account Information

• Email address
• Encrypted password
• Language preference

Email Data (when you connect your email)

• Email addresses of senders and recipients
• Email subject lines and body content
• Email dates and times
• Attachment metadata (file names, sizes)
• Contact information extracted from emails (names, job titles, phone numbers)
• Company information extracted from emails (names, addresses, VAT IDs)

Usage Data

• Login timestamps and IP addresses
• Features used within the application
• Browser type and device information

3. How We Use Your Data

We process your personal data for the following purposes:

• Service Provision: To create and manage your account, provide the CRM functionality, and process your email data.
• AI-Powered Extraction: To automatically extract contacts, companies, and tasks from your connected emails using artificial intelligence.
• Service Improvement: To analyze usage patterns and improve our service quality and features.
• Security: To detect and prevent fraud, abuse, and security threats.
• Communication: To send you service-related notifications and respond to your inquiries.

4. Legal Basis for Processing

We process your data based on the following legal grounds under GDPR:

• Contract Performance (Art. 6.1.b): Processing necessary to provide the CRM service you requested.
• Legitimate Interest (Art. 6.1.f): For security, fraud prevention, and service improvement, where our interests don't override your rights.
• Consent (Art. 6.1.a): For optional marketing communications, which you can withdraw at any time.
• Legal Obligation (Art. 6.1.c): To comply with legal requirements such as tax and accounting laws.

5. Data Retention

We retain your personal data for the following periods:

• Account data: Until you delete your account, plus any legally required retention period.
• Email data: Until you disconnect your email or delete your account.
• Extracted contacts and companies: Until you delete them or your account.
• Usage logs: 12 months for security purposes.
• Backup copies: Up to 30 days after deletion.

6. Data Sharing

We share your data with the following categories of recipients:

• Cloud Infrastructure Provider (AWS): Hosting our servers and storing your data securely in the EU.
• AI Processing Provider (Anthropic): Processing emails to extract contacts and tasks. Email content is processed but not stored by the provider.

We never sell your personal data to third parties.

7. International Data Transfers

Your data is primarily stored in the European Union (AWS Ireland). Some processing may occur outside the EU when using AI services.

For any transfers outside the EU, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.

8. Your Rights

Under GDPR, you have the following rights regarding your personal data:

• Access: Request a copy of your personal data.
• Rectification: Request correction of inaccurate data.
• Erasure: Request deletion of your data ('right to be forgotten').
• Restriction: Request limitation of processing in certain circumstances.
• Portability: Receive your data in a structured, machine-readable format.
• Objection: Object to processing based on legitimate interests.
• Withdraw Consent: Withdraw consent for optional processing at any time.

To exercise these rights, contact us at privacy@mercuriocrm.es.

You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD).

9. Security Measures

We implement appropriate technical and organizational measures to protect your data:

• Encryption of data in transit (TLS/HTTPS) and at rest
• Secure password hashing using bcrypt
• Regular security updates and vulnerability monitoring
• Access controls and authentication requirements
• Regular backups with encryption

10. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of significant changes by email or through the application. The 'last updated' date at the top indicates when the policy was last revised.

11. Contact Us

If you have questions about this privacy policy or our data practices, please contact us: