Privacy policy
What this policy covers
Bizflix Cloud ("we", "us", "the service") is a tenant-isolated CRM platform operated by Bizflix Global Limited. This policy describes what personal data we collect from workspace operators and end users, why, and how we handle it.
We act as a data processor for content our customers (workspace owners) upload — leads, contacts, conversations, calls. The workspace owner is the data controller for that content. We act as a data controller only for the information we collect to operate the service itself (account email, sign-in events, audit logs).
Data we collect
From workspace operators (you, the user)
- Email address — required for magic-link sign-in.
- Display name — shown in the UI; optional.
- Sign-in timestamps and IP address — held short-term in the session and in audit_log, for security forensics.
From content you import into your workspace
- Lead/contact records — names, emails, phone numbers, company names, deal values, custom fields you define.
- Conversations — message bodies + attachments from WhatsApp and email channels you connect.
- Call recordings + transcripts — only when you opt in via the Telephony settings panel.
Operational telemetry
- Sentry — error stack traces, with sensitive fields scrubbed by lib/logSafe.ts before transmission.
- Application logs — request paths and timings. We do not log message bodies, lead PII, API keys, or session tokens.
How we use the data
- To authenticate you and keep your session active.
- To deliver the CRM features you signed up for: pipeline tracking, inbox unification, AI-assisted proposals (Atlas), webhooks.
- To investigate security incidents (audit log + Sentry errors).
- To improve the product — but only via aggregated, non-identifying metrics derived from system telemetry. Your content is never used to train any model.
How we store and protect data
- Encryption at rest — the Postgres volume is encrypted at the Hetzner block-device level, which protects data on a lost or decommissioned disk. Per-tenant integration credentials (Twilio, Stripe, SignNow API keys) are additionally envelope-encrypted with AES-256-GCM: each secret is encrypted under a per-tenant data key, and that data key is encrypted under a master key that only we hold and that is never stored in the database.
- Encryption in transit — TLS 1.2 or higher on every hop (browser ↔ Cloudflare ↔ Caddy ↔ Node).
- Tenant isolation — every query runs under a non-superuser Postgres role, and row-level security policies filter every table by tenant_id. Because the filter is enforced by the database rather than by application code, a query issued on behalf of tenant A cannot return tenant B's rows, even if the application query itself is wrong.
- Access control — only Bizflix Global Limited engineers with a documented operational need can SSH to the production server. All such access is via signed SSH keys.
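The envelope-encryption layout described above, as an added example written for this page rather than code from Bizflix Cloud. It uses only node:crypto; the master key is stubbed with a random in-memory key for the demo (in production it would come from a secrets store, never the database), and the function names and the choice to bind tenant_id and field name into the GCM associated data are assumptions beyond what the policy states. That binding is the practitioner's check: a ciphertext copied from tenant A's row into tenant B's row fails authentication instead of quietly decrypting.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Hypothetical master key (KEK). Stubbed for the demo; a real deployment
// loads it from a secrets store or KMS and never persists it in Postgres.
const MASTER_KEY: Buffer = randomBytes(32);

interface Envelope {
  iv: string;  // base64, 12-byte GCM nonce, fresh per encryption
  ct: string;  // base64 ciphertext
  tag: string; // base64, 16-byte GCM authentication tag
}

interface WrappedSecret {
  wrappedDek: Envelope; // per-tenant data key, encrypted under MASTER_KEY
  data: Envelope;       // the credential, encrypted under the data key
}

function gcmEncrypt(key: Buffer, plaintext: Buffer, aad: Buffer): Envelope {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return {
    iv: iv.toString("base64"),
    ct: ct.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
  };
}

function gcmDecrypt(key: Buffer, env: Envelope, aad: Buffer): Buffer {
  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(env.iv, "base64"));
  decipher.setAAD(aad);
  decipher.setAuthTag(Buffer.from(env.tag, "base64"));
  // final() throws if the tag does not verify, i.e. wrong key, wrong AAD,
  // or tampered ciphertext.
  return Buffer.concat([decipher.update(Buffer.from(env.ct, "base64")), decipher.final()]);
}

// Associated data ties the ciphertext to its owning tenant and field.
// JSON encoding keeps the two parts unambiguous.
function aadFor(tenantId: string, field: string): Buffer {
  return Buffer.from(JSON.stringify([tenantId, field]), "utf8");
}

function sealCredential(tenantId: string, field: string, secret: string): WrappedSecret {
  const dek = randomBytes(32); // one data key per secret; never reused
  const aad = aadFor(tenantId, field);
  return {
    wrappedDek: gcmEncrypt(MASTER_KEY, dek, aad),
    data: gcmEncrypt(dek, Buffer.from(secret, "utf8"), aad),
  };
}

function openCredential(tenantId: string, field: string, sealed: WrappedSecret): string {
  const aad = aadFor(tenantId, field);
  const dek = gcmDecrypt(MASTER_KEY, sealed.wrappedDek, aad);
  return gcmDecrypt(dek, sealed.data, aad).toString("utf8");
}

// Demo with a constructed (fake) Twilio token: round-trip for the owning
// tenant succeeds; reading the same row as another tenant is rejected.
function demo(): { roundTrip: string; crossTenantRejected: boolean } {
  const sealed = sealCredential("tenant-a", "twilio_auth_token", "constructed-twilio-token-123");
  const roundTrip = openCredential("tenant-a", "twilio_auth_token", sealed);
  let crossTenantRejected = false;
  try {
    openCredential("tenant-b", "twilio_auth_token", sealed);
  } catch {
    crossTenantRejected = true;
  }
  return { roundTrip, crossTenantRejected };
}
```

Rotating the master key only requires re-wrapping each small data key, not re-encrypting every credential, which is the main operational reason for the two-layer layout.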
Data sharing
We do not sell, rent, or trade customer data. We share data only with the sub-processors required to deliver the service — listed at /legal/sub-processors.
Retention
- Active workspace data — kept while the workspace is active. You can export or delete it at any time (contact us; self-serve UI lands post-launch).
- Audit logs — retained 365 days then purged.
- Backups — daily snapshots, of which the most recent 30 daily, 12 weekly, and 6 monthly copies are kept; all are encrypted at rest and purged automatically when they age out.
- Deleted workspaces — purged from active databases within 7 days; purged from backups within 90 days.
Your rights (GDPR / similar)
- Access — request a copy of all data we hold about your workspace. Fulfilled via scripts/export-tenant.ts, which produces a single JSON file with every row scoped to your tenant.
- Correction — edit any field you control via the UI, or contact us for fields you can't edit directly.
- Deletion — request workspace deletion. Fulfilled via scripts/delete-tenant.ts within 7 days; backups expire automatically thereafter.
- Portability — exports are JSON, an open standard.
Cookies
We use a single first-party session cookie issued by NextAuth. No third-party tracking cookies. No advertising cookies. No analytics cookies. We do not currently need a cookie consent banner.
Contact
Bizflix Global Limited · privacy@bizflixglobal.com