B

Privacy Policy

Last updated: June 2026

This Privacy Policy explains how BMC CRM (“BMC CRM,” “we,” “us,” or “our”) collects, uses, and protects information in connection with our business-to-business customer relationship management (CRM) and outreach platform (the “Service”). The Service is intended for business use by companies and their authorized team members (“Customers”).

When you use BMC CRM to manage your own contacts, leads, and communications, you are the controller of that data and BMC CRM acts as your processor. You are responsible for having a lawful basis to upload and process the personal data of your contacts.

1. Information we collect

  • Account information. Your name, email address, password (stored only as a salted hash by our authentication provider), workspace/company name, and team membership and role.
  • CRM data you import. Contacts, leads, accounts, deals, tasks, notes, custom fields, and any files you upload. This may include personal data about your customers and prospects that you choose to store in the Service.
  • Communications you process. Emails, SMS messages, and call records sent, received, or logged through the Service, including subject lines, message bodies, recipients, timestamps, and engagement events such as opens, clicks, replies, and bounces.
  • Connected mailbox content. If you connect an email inbox over SMTP/IMAP, we access the messages and calendar availability needed to send, sync replies, and prevent double-booking. We store the credentials you provide to operate those connections on your behalf.
  • Usage and device data. Log data such as IP address, browser/device type, pages viewed, and feature usage, used to operate, secure, and improve the Service.

2. How we use information

  • To provide, maintain, and secure the Service and your workspace.
  • To send and sync the emails, SMS, and calls you initiate through the Service.
  • To power optional AI features (for example, drafting messages, summarizing activity, and suggesting next actions) on the data you submit for that purpose.
  • To authenticate users, enforce roles and permissions, and prevent abuse.
  • To provide support, troubleshoot issues, and communicate service notices.
  • To comply with legal obligations and enforce our Terms of Service.

We do not sell your personal data, and we do not use the CRM data or communications content you import to train our own or any third party’s general AI models.

3. Sub-processors

We rely on a small set of trusted service providers to operate the Service. They process data only on our instructions and to provide their service to us:

  • Supabase — database, authentication, and file storage.
  • Vercel — application hosting and content delivery.
  • Anthropic — AI processing for optional AI-assisted features. Content you submit to these features is sent to Anthropic to generate a response and is not used to train its models.
  • Twilio — delivery of voice calls and SMS messages.
  • Email providers — the SMTP/IMAP mail providers you connect to send and receive email from your own mailboxes.

4. Data retention

We retain your account and CRM data for as long as your account is active. You can delete individual records at any time within the app. When you delete your account, we delete your account and the workspaces you own, along with their associated data, on a best-effort, cascading basis. Some records may persist for a limited period in backups or where retention is required to comply with legal obligations, resolve disputes, or enforce our agreements, after which they are deleted or anonymized.

5. Security

We use industry-standard safeguards to protect your data, including encryption in transit (TLS), encryption at rest provided by our infrastructure providers, scoped access controls, and row-level security that isolates each workspace’s data. No method of transmission or storage is completely secure, but we work to protect your information and to promptly address vulnerabilities.

6. Your rights and choices

Depending on your location, you may have the right to access, correct, export, or delete your personal data. Within the Service you can:

  • Access and edit your account and CRM data directly in the app.
  • Export your leads and related records using the built-in export tools.
  • Permanently delete your account and any workspaces you own from Profile → Delete account.

If you are a contact of one of our Customers and wish to exercise your rights, please contact that Customer directly, as they control your data. We will assist our Customers in responding to such requests.

7. International data transfers

Our providers may process and store data in the United States and other countries. Where required, we rely on appropriate safeguards for cross-border transfers of personal data.

8. Children’s privacy

The Service is intended for business use and is not directed to children under 16. We do not knowingly collect personal data from children.

9. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you within the Service.

10. Contact us

Questions about this policy or your data? Contact us at support@bmccrm.app. (Placeholder address — update before launch.)