HomePrivacy Policy

Privacy Policy

Last updated: February 9, 2026

Overview

TinyCRM ("we", "us", "our") is a lightweight customer engagement platform. We take your privacy seriously. This policy explains what data we collect, how we use it, and your rights regarding that data.

Data We Collect

Account Data

When you create a TinyCRM account, we collect your email address and password (hashed). This is used solely for authentication and account management.

Customer Data (on behalf of our users)

When you use TinyCRM to track your end users, we store the data you send us via the SDK or API, including user identifiers, traits, events, and event properties. You control what data is sent. We act as a data processor on your behalf.

Usage Data

We collect basic analytics about how you use the TinyCRM dashboard (page views, feature usage) via Vercel Analytics to improve the product. This data is anonymous and aggregated.

How We Use Your Data

  • Account data — to authenticate you and manage your account.
  • Customer data — to provide the TinyCRM service: displaying user profiles, event histories, powering automations, and sending emails you configure.
  • Usage data — to understand how the product is used and improve the experience.

We do not sell your data. We do not use your customer data for advertising. We do not share data with third parties except as required to provide the service (see below).

Third-Party Services

We use the following services to operate TinyCRM:

  • Supabase — database and authentication hosting.
  • Vercel — application hosting and analytics.
  • Resend — transactional email delivery (only when you configure automations that send emails).

Each of these services has their own privacy policy. We only share the minimum data necessary for each service to function.

Data Retention

We retain your data for as long as your account is active. When you delete your account or a project, all associated data (users, events, automations, email logs) is permanently deleted within 30 days.

You can delete individual end-user records at any time via the dashboard or API (GDPR delete), which permanently removes the user and all associated events.

Your Rights

You have the right to:

  • Access the data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data.
  • Export your data in a portable format.
  • Object to processing of your data.

To exercise any of these rights, contact us at support@tinycrm.dev.

Security

We use industry-standard security measures including encryption in transit (TLS), encryption at rest, row-level security policies, and secure key management. API keys are encrypted before storage and never logged in plaintext.

Changes to This Policy

We may update this policy from time to time. When we do, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.

Contact

If you have questions about this privacy policy or our data practices, contact us at support@tinycrm.dev.