Who we are and what this covers
Two kinds of data: yours and your organization’s
Data we control. Your account details, billing information, support conversations and website interactions. For this data, we decide how it is handled, and this policy is the full story. Data your organization controls. Everything inside a workspace: the constituents, voters, donors and volunteers your organization stores, plus notes, donations, form submissions and synced email. Here the organization is the data controller and we are its service provider; we process this data only on the organization’s instructions and never for our own purposes.
What we collect about account holders
Identity and sign-in. Your name, email address and password. Passwords are stored only as an argon2id hash; nobody at pplCRM can see them. If you enable passkeys or two-factor codes, we store the public credential or a hashed one-time code, never a usable secret. Session security data. The IP address and browser signature of your active sessions. We keep these so we can show you where you are signed in and challenge sign-ins from a new device or location. Billing. Paid plans are billed through Stripe. Stripe collects your card details and billing address directly; card numbers never touch our servers. We keep your plan, invoices and billing contact. Phone number. Only if you provide one, for example to verify sending on the free plan. Verification codes are sent by SMS and stored hashed. Support. Emails you send to [email protected], so we can answer them and improve the product.
Data your organization stores in its workspace
Addresses and maps. Household addresses can be geocoded so they appear on maps and turfs. Geocoding sends the street address to the Google Maps Geocoding API and stores the resulting coordinates. Synced mailboxes. If a workspace admin connects Gmail or Microsoft 365, we sync email content into the workspace so conversations sit next to the people they belong to. The OAuth tokens for these connections are encrypted at rest with AES-256-GCM, and you can disconnect at any time. Our use of data received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. Newsletter engagement. When an organization sends a newsletter, delivery and engagement events (bounces, unsubscribes, opens and clicks) are recorded so the sender can respect them. Uploaded files. Imports and attachments are stored in the workspace’s region.
Public forms, donations, events and volunteer links
How we use personal information
To run the service: signing you in, storing and displaying your workspace, sending the emails and SMS messages you ask it to send. To bill you and send you invoices, receipts and important account notices. To keep the platform safe: rate limiting, new-device challenges, and the sending guards that pause senders whose mail bounces or draws complaints. To answer support requests, using the minimum data needed to help. To comply with the law when we genuinely must, and we will tell you when the law allows it.
What we never do
We never sell, share, rent or trade personal information, yours or your organization’s. To anyone. We never use workspace data for advertising, profiling, or building products for other customers, and we do not use it to train machine-learning models. We run no third-party analytics, advertising pixels or fingerprinting scripts on the website or in the product. We never read workspace content out of curiosity. Access by our team is limited to what a specific support request or safety issue requires.
Service providers we rely on
Microsoft Azure. Hosts the application, database and file storage in your workspace’s region (Canada by default). Cloudflare. Serves the marketing site and the public form, donation and companion pages at the network edge. Stripe. Subscription billing, tax calculation, and card donation processing. Stripe stores payment and donor data in the United States. Postmark. Delivers transactional email such as verification links, security codes and account notices. SendGrid. Delivers newsletters from your organization’s own verified domain and reports delivery and engagement events. Twilio. Sends SMS one-time codes for volunteer verification and free-plan sending verification. Google Maps. Geocodes household addresses and renders maps. Google and Microsoft. Mailbox sync, only for workspaces that connect them. Zapier. Only if your organization creates an integration; data flows are defined by the workflows you build.
Where your data lives
Retention and deletion
Records you delete are removed from the live database immediately. Automated backups expire within 7 days, at which point deleted data is gone from those too. Workspace deletion can be scheduled by an organization admin. After a 30-day grace window (cancelable at any time), every record in the workspace is permanently deleted, and we confirm by email when it is done. Activity logs are kept for 90 days, then pruned automatically. Export files are downloadable for 30 days, then removed. Import source files are kept for 90 days so you can audit an import, then removed. Sessions expire after 24 hours, or 30 days if you chose “remember me”. Volunteer device sessions expire after 30 days. Suppression records (unsubscribes, bounces, complaints) are kept while a workspace is active, because keeping them is what honors the opt-out. Billing records are kept as long as tax and accounting law requires.
How we protect it
Cookies
pc_refresh. Keeps you signed in to the app. HttpOnly and secure, so scripts cannot read it. pc_signed_in. A yes/no flag that lets this website show “Dashboard” instead of “Log in” when you already have a session. It contains no personal data.
Your rights
If you are in one of our customers’ lists
Children
Changes to this policy
Contact
Questions about this document?
Write to [email protected] and a human replies. We are happy to walk through any of it.
