pplCRM
Legal

Privacy policy

What we collect, why, where it lives, and the things we will never do with it. Written to be read, not skimmed past.

Last updated July 16, 2026

Who we are and what this covers

pplCRM (“we”, “us”) is a relationship platform for constituency offices, campaigns and non-profits, operated from Canada. This policy covers the marketing site (pplcrm.com), the application (app.pplcrm.com and api.pplcrm.com), the volunteer companion apps (go.pplcrm.com), and the public pages organizations publish through us (their pages on pplforms.com). You can reach us about anything in this policy at [email protected].

The short version: we collect what we need to run the service and nothing else. We never sell, share, rent or mine the people in your workspace. We run no advertising trackers and no third-party analytics anywhere. Delete means deleted.

Two kinds of data: yours and your organization’s

It helps to separate two roles, because your rights differ between them.

  • Data we control. Your account details, billing information, support conversations and website interactions. For this data, we decide how it is handled, and this policy is the full story.
  • Data your organization controls. Everything inside a workspace: the constituents, voters, donors and volunteers your organization stores, plus notes, donations, form submissions and synced email. Here the organization is the data controller and we are its service provider; we process this data only on the organization’s instructions and never for our own purposes.

If you are in an organization’s list rather than a pplCRM account holder, the section “If you are in one of our customers’ lists” below is written for you.

What we collect about account holders

  • Identity and sign-in. Your name, email address and password. Passwords are stored only as an argon2id hash; nobody at pplCRM can see them. If you enable passkeys or two-factor codes, we store the public credential or a hashed one-time code, never a usable secret.
  • Session security data. The IP address and browser signature of your active sessions. We keep these so we can show you where you are signed in and challenge sign-ins from a new device or location.
  • Billing. Paid plans are billed through Stripe. Stripe collects your card details and billing address directly; card numbers never touch our servers. We keep your plan, invoices and billing contact.
  • Phone number. Only if you provide one, for example to verify sending on the free plan. Verification codes are sent by SMS and stored hashed.
  • Support. Emails you send to [email protected], so we can answer them and improve the product.

Data your organization stores in its workspace

A workspace can hold contact details for people, households and companies, notes and tags, casework, donation history, event RSVPs, volunteer availability, and campaign facts such as support level and voting status. Some of this is politically sensitive personal information; we treat the entire workspace with the same care regardless of category.

  • Addresses and maps. Household addresses can be geocoded so they appear on maps and turfs. Geocoding sends the street address to the Google Maps Geocoding API and stores the resulting coordinates.
  • Synced mailboxes. If a workspace admin connects Gmail or Microsoft 365, we sync email content into the workspace so conversations sit next to the people they belong to. The OAuth tokens for these connections are encrypted at rest with AES-256-GCM, and you can disconnect at any time. Our use of data received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements.
  • Newsletter engagement. When an organization sends a newsletter, delivery and engagement events (bounces, unsubscribes, opens and clicks) are recorded so the sender can respect them.
  • Uploaded files. Imports and attachments are stored in the workspace’s region.

Public forms, donations, events and volunteer links

Organizations can publish signup forms, donation pages, event pages and volunteer links. Anything you submit on those pages goes into that organization’s workspace, and the organization is responsible for how it is used. Donation payments are processed by Stripe (see the subprocessor list below); we receive the donation record, never your full card details. Volunteers using a companion link verify with a one-time code sent to the email or mobile number the organization has on file; codes and device sessions are stored hashed and expire automatically.

How we use personal information

  • To run the service: signing you in, storing and displaying your workspace, sending the emails and SMS messages you ask it to send.
  • To bill you and send you invoices, receipts and important account notices.
  • To keep the platform safe: rate limiting, new-device challenges, and the sending guards that pause senders whose mail bounces or draws complaints.
  • To answer support requests, using the minimum data needed to help.
  • To comply with the law when we genuinely must, and we will tell you when the law allows it.

What we never do

  • We never sell, share, rent or trade personal information, yours or your organization’s. To anyone.
  • We never use workspace data for advertising, profiling, or building products for other customers, and we do not use it to train machine-learning models.
  • We run no third-party analytics, advertising pixels or fingerprinting scripts on the website or in the product.
  • We never read workspace content out of curiosity. Access by our team is limited to what a specific support request or safety issue requires.

Service providers we rely on

We use a small set of infrastructure providers, each for one job. They receive only what that job requires and may not use it for anything else.

  • Microsoft Azure. Hosts the application, database and file storage in your workspace’s region (Canada by default).
  • Cloudflare. Serves the marketing site and the public form, donation and companion pages at the network edge.
  • Stripe. Subscription billing, tax calculation, and card donation processing. Stripe stores payment and donor data in the United States.
  • Postmark. Delivers transactional email such as verification links, security codes and account notices.
  • SendGrid. Delivers newsletters from your organization’s own verified domain and reports delivery and engagement events.
  • Twilio. Sends SMS one-time codes for volunteer verification and free-plan sending verification.
  • Google Maps. Geocodes household addresses and renders maps.
  • Google and Microsoft. Mailbox sync, only for workspaces that connect them.
  • Zapier. Only if your organization creates an integration; data flows are defined by the workflows you build.

Where your data lives

Workspaces are hosted in Canada by default. On the Movement plan, you choose your workspace’s region (Canada, US, EU or UK) when you create it, and your workspace data stays in that region for processing and backups. Two narrow exceptions apply regardless of region: card payments processed by Stripe are stored by Stripe in the United States, and email or SMS necessarily travels to wherever the recipient is.

Retention and deletion

We keep personal information only while it does its job, and the product enforces its own deadlines.

  • Records you delete are removed from the live database immediately. Automated backups expire within 7 days, at which point deleted data is gone from those too.
  • Workspace deletion can be scheduled by an organization admin. After a 30-day grace window (cancelable at any time), every record in the workspace is permanently deleted, and we confirm by email when it is done.
  • Activity logs are kept for 90 days, then pruned automatically.
  • Export files are downloadable for 30 days, then removed. Import source files are kept for 90 days so you can audit an import, then removed.
  • Sessions expire after 24 hours, or 30 days if you chose “remember me”. Volunteer device sessions expire after 30 days.
  • Suppression records (unsubscribes, bounces, complaints) are kept while a workspace is active, because keeping them is what honors the opt-out.
  • Billing records are kept as long as tax and accounting law requires.

How we protect it

Encryption in transit everywhere, encrypted OAuth secrets at rest, hashed tokens, workspace isolation enforced by automated checks on every build, signature-verified webhooks, and least-privilege access for field volunteers. The full, honest detail (including what we do not claim) is on the security page.

Cookies

We use exactly two cookies, both ours, neither used for tracking.

  • pc_refresh. Keeps you signed in to the app. HttpOnly and secure, so scripts cannot read it.
  • pc_signed_in. A yes/no flag that lets this website show “Dashboard” instead of “Log in” when you already have a session. It contains no personal data.

There are no advertising cookies, no analytics cookies, and no third-party cookies. That is the whole list.

Your rights

Wherever you are, we extend the same rights: access the personal information we hold about you, correct it, receive a portable copy, and have it deleted. Account holders can exercise most of these directly in the product (export lives in settings; deletion is described above). For anything else, email [email protected] and we will respond within 30 days. We comply with PIPEDA and applicable provincial privacy law in Canada, and with the GDPR and UK GDPR for workspaces and visitors in those regions. If you are unsatisfied with our answer, you can complain to your privacy regulator; in Canada that is the Office of the Privacy Commissioner.

If you are in one of our customers’ lists

If a constituency office, campaign or non-profit that uses pplCRM holds your information, that organization decides why and how it is used, and your request is theirs to answer: contact them directly to access, correct or delete your record, or to opt out of contact. Every newsletter sent through pplCRM carries the sender’s name, postal address and a working unsubscribe link, and unsubscribes are honored automatically across all future sends. If you contact us instead, we will forward your request to the organization and help them fulfill it.

Children

pplCRM is a tool for organizations and is not directed at children. You must be the age of majority where you live to create an account. We do not knowingly collect personal information from children for our own purposes; organizations are responsible for the lawfulness of the records they store.

Changes to this policy

When this policy changes materially, we will email workspace admins and update the date at the top before the change takes effect. We will never weaken the commitments in “What we never do” quietly; a change to those would be announced prominently and in advance.

Contact

Privacy questions, requests and complaints all go to [email protected]. A human reads every one.

Questions about this document?

Write to [email protected] and a human replies. We are happy to walk through any of it.