Legal

Privacy Policy

Last updated: 4 July 2026

This is a general template and not legal advice. Please have it reviewed by qualified counsel and tailored to your jurisdiction before relying on it.

1 CRM (“1 CRM”, “we”, “us”) provides a customer-communication and CRM platform that connects to WhatsApp, Facebook Messenger and Instagram. This policy explains what personal data we process, why, and the choices you have.

Who is responsible for your data

For our website and your account (the person who signs up and their team), we act as the data controller. For the end-customer conversations a business handles through 1 CRM, the business is the controller and we act as a data processoracting on that business’s instructions.

Data we collect

  • Account data — name, email, and authentication details for the people who use the platform.
  • Business content — contacts, conversations, messages, media, notes, deals and related records you create or receive through connected channels.
  • Channel data — information exchanged with the Meta WhatsApp, Messenger and Instagram APIs to deliver and receive messages.
  • Usage & technical data — logs, device and browser information, and IP address, used for security and reliability.

How we use data

  • To provide, secure and maintain the platform.
  • To deliver and receive messages across connected channels.
  • To provide optional AI features (drafting, summarising, classifying and, where enabled, automated replies).
  • To communicate with you about your account and support requests.
  • To comply with legal obligations and enforce our terms.

AI processing

When you enable AI features, relevant conversation content may be sent to the AI provider you configure (for example Anthropic, OpenAI or Google) using your own API key, solely to generate the requested output. We do not use your business content to train our own models. Review your AI provider’s terms for how they handle data.

Sharing & subprocessors

We share data only as needed to run the service — for example with hosting and database infrastructure, the Meta messaging APIs, and any AI provider you connect. We do not sell personal data.

Security

Access tokens and AI keys are encrypted at rest, inbound webhooks are signature-verified, and each account’s data is isolated at the database level with row-level security. No system is perfectly secure, but we work to protect your data with appropriate technical and organisational measures.

Retention

We retain data for as long as your account is active or as needed to provide the service, then delete or anonymise it within a reasonable period, subject to legal requirements.

Your rights

Depending on your location, you may have rights to access, correct, delete, restrict or port your personal data, and to object to certain processing. See our Data & Deletion page, or contact us to exercise these rights. Where we act as a processor for a business, we will direct end-customer requests to that business.

International transfers

Your data may be processed in countries other than your own. Where required, we rely on appropriate safeguards for such transfers.

Children

The platform is intended for businesses and is not directed to children.

Changes

We may update this policy from time to time. Material changes will be reflected by the “last updated” date above.

Contact

Questions about this policy? Email privacy@1crm.app or use our contact page.