Privacy Policy

2. Information We Collect

Account Information

When you create an account, we collect your name, email address, phone number, and password. If you sign in with Google, we receive your name, email, and profile picture from Google.

Business & CRM Data

You and your team may store contacts, companies, deals, tasks, bookings, invoices, forms, and other business records within Flamingo CRM. This data is owned by the business (tenant) that created it.

Payment Information

Payment processing is handled by Stripe. We do not store your full credit card number on our servers. Stripe's privacy policy governs their handling of payment data.

Usage & Device Information

We collect information about how you interact with our Service, including pages visited, features used, device type, operating system, and browser type. On the mobile app, we may collect device identifiers for push notification delivery.

Biometric Data

Our mobile app supports Face ID and fingerprint authentication for quick login. This biometric data is processed and stored entirely on your device by your operating system — Flamingo CRM never receives, transmits, or stores your biometric data on our servers.

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Flamingo CRM Service
• Process transactions and send related transactional emails
• Send appointment reminders, booking confirmations, and other service notifications
• Authenticate your identity and secure your account
• Respond to your requests, comments, or questions
• Monitor and analyze usage patterns to improve user experience
• Detect, prevent, and address technical issues or security threats

4. Multi-Tenant Data Handling

Flamingo CRM is a multi-tenant platform, meaning multiple businesses use the same application while their data remains strictly separated. Each business (“tenant”) controls their own data, including contacts, deals, and bookings.

• Data Isolation: All data is scoped to individual tenants. One business cannot access another business's data.
• Data Controller: Each business using Flamingo CRM is the data controller for the information they collect through our platform.
• Data Processor: Flamingo Labs LLC acts as the data processor, handling data on behalf of each business according to this policy.

5. Third-Party Services

We use the following third-party services to operate Flamingo CRM:

• Stripe — Payment processing and billing
• Resend — Transactional email delivery
• Vercel — Application hosting and deployment
• Supabase — Database hosting
• Google — OAuth authentication (optional sign-in method)
• Anthropic — AI assistant features (Flo)

Each third-party service operates under its own privacy policy. We only share the minimum information necessary for each service to perform its function.

6. Data Security

We take the security of your data seriously and implement industry-standard measures to protect it:

• All data is encrypted in transit using TLS (HTTPS)
• Sensitive data such as two-factor authentication secrets are encrypted at rest using AES-256
• Passwords are hashed using bcrypt
• Authentication tokens are securely stored using platform-native secure storage (iOS Keychain)
• Role-based access control limits data access within each organization
• All data operations are logged for audit purposes

While we strive to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

7. Data Retention & Deletion

We retain your personal information for as long as your account is active or as needed to provide the Service.

Account Deletion

You may request deletion of your user account and personal profile information (name, email, login credentials) at any time by contacting us at support@flamingocrm.com. We will process account deletion requests within 30 days.

Business Data

Flamingo CRM is a business tool where data such as contacts, deals, bookings, and other CRM records are created and managed on behalf of the business (tenant) that owns the account. This business data belongs to the tenant organization, not to individual users. Deleting your personal user account does not remove business data you may have entered on behalf of your organization.

Tenant administrators may request deletion of their organization's entire dataset by contacting us. Business data is retained for as long as the tenant's subscription is active.

8. Your Rights Under the California Consumer Privacy Act (CCPA)

If you are a California resident, you have the following rights:

• Right to Know: You may request information about the categories and specific pieces of personal information we have collected about you.
• Right to Delete: You may request that we delete your personal account information (name, email, login credentials). Business data entered on behalf of your organization is owned by the tenant and is not subject to individual deletion requests.
• Right to Opt-Out of Sale: We do not sell your personal information to third parties. Because we do not sell personal information, there is no need to opt out.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise any of these rights, contact us at support@flamingocrm.com. We will verify your identity before processing your request.

9. Children's Privacy

Flamingo CRM is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through a notice within the Service. Your continued use of Flamingo CRM after changes are posted constitutes your acceptance of the updated policy.

11. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us: