Last updated: July 6, 2026
This Privacy Policy explains how Salt City Software LLC ("Salt City Software," "we," "us," or "our"), a limited liability company formed in Utah, United States, collects, uses, shares, and protects personal information in connection with Chat my CRM (the "Service"), available at chatmycrm.com.
We designed Chat my CRM as an AI-chat-first CRM. Because of that, this policy pays particular attention to how data flows through the product, how it interacts with third-party AI models, and the difference between data about you and data you put into the CRM about other people.
If you have questions, contact us at legal@chatmycrm.com.
1. Our two roles: controller and processor
Under data-protection law, the same company can play different roles for different kinds of data. Ours are:
- Controller — account, billing, and usage data. For information about you as our customer (your account details, billing information, how you use the Service, and so on), we decide why and how it is processed. We are the "controller" (GDPR) / "business" (California law) for this data, and this policy governs it.
- Processor — the data you load into the CRM. When you add contacts, notes, deals, activities, messages, or other records to Chat my CRM, that data is yours. We process it on your behalf and under your instructions to provide the Service. For this "Customer Data," we are the "processor" (GDPR) / "service provider" (California law), and you are the controller. If a record in your CRM relates to you personally (for example, an individual contact who wants to exercise privacy rights), we will generally direct that person to the customer who controls the data, and assist that customer in responding.
The sections below note which role applies where it matters.
2. Information we collect
2.1 Account and profile data (controller)
When you sign up, we collect your name, email address, organization name, and login credentials. Passwords are stored only in hashed form.
2.2 Billing data (controller)
Payments are processed by Paddle, which acts as our reseller and merchant of record. Paddle collects and processes your payment details (such as card information) directly under its own terms and privacy policy. We do not store full payment card numbers. We receive limited billing records from Paddle, such as your billing name, country, plan, and transaction history.
2.3 Usage and technical data (controller)
When you use the Service, we automatically collect log and device data such as IP address, browser and device type, pages and features accessed, timestamps, and diagnostic or error information. We use this to operate, secure, and improve the Service.
2.4 Customer Data (processor)
This is the data you and your users enter into or sync with Chat my CRM — contacts and their details, notes, deals, tasks, activities, communications, and any files you upload. Because Chat my CRM is single-tenant, each organization's Customer Data is stored in a dedicated database (Cloudflare D1) and object store (Cloudflare R2) provisioned for that organization. We process Customer Data only to provide the Service, as described in these terms and any separate agreement with you.
2.5 Cookies and analytics
We use cookies and similar technologies to keep you signed in, remember preferences, and understand how the Service is used. We use Google Analytics to measure website and product usage; Google Analytics sets cookies and may transfer certain data to Google in the United States. See Section 10 (Cookies) for detail and your choices.
3. How we use information
We use personal information to:
- provide, operate, maintain, and secure the Service;
- create and administer your account and process payments (via Paddle);
- sync data with third-party CRMs you connect, such as HighLevel;
- provide AI and chat features, including sending relevant data to AI models to generate responses (see Section 5);
- respond to support requests and communicate with you about the Service;
- monitor, troubleshoot, and improve the Service, including through analytics;
- detect, prevent, and address fraud, abuse, and security incidents; and
- comply with legal obligations and enforce our agreements.
We do not use Customer Data for our own purposes beyond providing the Service to you.
Legal bases (GDPR / UK GDPR)
Where GDPR or UK GDPR applies, we rely on the following legal bases:
- Contract — to provide the Service you've signed up for and administer your account.
- Legitimate interests — to secure, maintain, analyze, and improve the Service, and to prevent fraud and abuse, where those interests are not overridden by your rights.
- Consent — for non-essential cookies and analytics, and any optional communications; you may withdraw consent at any time.
- Legal obligation — to comply with applicable law, such as tax and accounting requirements.
For Customer Data, the customer (as controller) is responsible for establishing a legal basis for the data they load into the Service.
4. How we share information
We do not sell your personal information. We share information only as described here:
- Subprocessors and service providers who help us run the Service, under contracts that limit their use of the data to providing services to us (see Section 6).
- Third-party integrations you enable, such as HighLevel, to which we send and from which we receive data at your direction.
- AI providers, as described in Section 5.
- Legal and safety — where required by law, legal process, or to protect the rights, safety, and security of our users, the public, or Salt City Software.
- Business transfers — in connection with a merger, acquisition, financing, or sale of assets, subject to this policy.
5. AI, chat, and large language models
Chat my CRM's core features rely on large language models (LLMs). This section explains how your data interacts with them.
We do not train AI models on your data. Salt City Software does not use your account data or your Customer Data to train, fine-tune, or develop any AI or machine-learning models.
To provide AI features, we send data to AI providers. When you use chat and AI features, relevant data — which may include Customer Data — is transmitted to a third-party LLM provider to generate a response. By default, this provider is Anthropic, accessed through our MCP Gateway. That processing is governed by the provider's terms; Anthropic's commercial API terms provide that data submitted through the API is not used to train its models.
Third-party or connected LLMs handle your data under their own terms. If you connect, route to, or otherwise use an LLM or AI integration other than our default — including any model you configure through the MCP Gateway or your own credentials — that provider processes your data under its own terms and privacy policy, which may permit it to use your data, including for training its models.We do not control how those providers handle data. Before connecting or using a third-party LLM, please review that provider's terms and privacy policy. You are responsible for ensuring any such use is appropriate for the data in your CRM.
6. Subprocessors
We rely on the following subprocessors to provide the Service. Each is bound by contractual obligations to protect the data they process on our behalf.
- Cloudflare — Hosting, compute (Workers, Durable Objects), database (D1), and object storage (R2). Global edge network.
- HighLevel — CRM data sync, for customers who connect it. United States.
- Anthropic — Default LLM processing via the MCP Gateway. United States.
- Paddle — Payment processing and billing (merchant of record). European Union / United States.
- Google (Google Analytics) — Website and product usage analytics. United States.
- Our transactional email provider — Sending account and system emails. United States.
We may update this list as our Service evolves. Material changes will be reflected in an updated version of this policy.
7. International data transfers
We operate in the United States, and our subprocessors may process data in the United States and elsewhere. If you are in the European Economic Area, the United Kingdom, or another region with data-transfer restrictions, your information may be transferred to and processed in the United States and other countries whose laws may differ from your own.
Where required, we rely on appropriate safeguards for these transfers, such as the European Commission's Standard Contractual Clauses (and the UK Addendum), together with additional measures where needed. You may request more information about these safeguards by contacting legal@chatmycrm.com.
8. Data retention
We retain personal information for as long as needed to provide the Service and for legitimate business or legal purposes.
- Customer Data: We retain Customer Data for as long as your account is active. When your account is terminated, we delete your organization's tenant data (its dedicated D1 database and R2 storage) within 30 days. Residual copies in routine backups are purged on our normal backup cycle thereafter.
- Account and billing data: We retain account and transaction records as needed to meet legal, tax, and accounting obligations.
- Usage and log data: Retained for a limited period for security, diagnostics, and analytics.
You may request earlier deletion as described in Sections 9 and 10, subject to legal retention requirements.
9. Your privacy rights
9.1 Everyone
You may access, update, or delete much of your account information directly in the Service, or by contacting legal@chatmycrm.com.
9.2 GDPR / UK GDPR (EEA and UK residents)
If you are in the EEA or UK, you have the right to: access your personal data; rectify inaccurate data; erase data; restrict or object to processing; data portability; and to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with your local supervisory authority.
To exercise these rights, contact legal@chatmycrm.com. Where the request concerns Customer Dataheld on behalf of one of our customers, we will refer you to, and assist, that customer as the controller.
9.3 California (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know / access the categories and specific pieces of personal information we have collected about you;
- Delete personal information we hold about you, subject to exceptions;
- Correct inaccurate personal information;
- Opt out of the "sale" or "sharing" of personal information; and
- Non-discrimination for exercising your rights.
Categories of personal information we collect include identifiers (such as name, email, IP address), commercial information (billing and transaction records), internet/network activity (usage and log data), and the contents of Customer Data you choose to store. We collect these for the business purposes described in Section 3 and disclose them to the subprocessors listed in Section 6.
Sale and sharing. We do not sell your personal information for money. We use analytics services (such as Google Analytics) that may involve the "sharing" of certain online identifiers for cross-context analytics as those terms are defined under California law. You can opt out through our cookie controls (Section 10) or by transmitting a Global Privacy Control (GPC) signal, which we honor.
To exercise California rights, contact legal@chatmycrm.com. We will verify your request as required by law, and you may use an authorized agent.
10. Cookies and your choices
We use the following types of cookies and similar technologies:
- Essential cookies — required to sign you in and keep the Service secure and functioning. These cannot be turned off.
- Analytics cookies — set by Google Analytics to help us understand usage. These are optional.
Where required by law, we ask for your consent before setting non-essential cookies, and you can change your choices at any time through our cookie banner or settings. You can also block or delete cookies in your browser, and we honor Global Privacy Control (GPC) signals for opt-out of sharing. For more on how Google Analytics processes data and how to opt out, see Google's privacy resources.
11. Security
We use technical and organizational measures to protect personal information, including a single-tenant architecture that isolates each organization's data in its own database and storage, encryption in transit, access controls, and monitoring. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.
12. Children's privacy
The Service is not directed to children, and we do not knowingly collect personal information from anyone under 16. If you believe a child has provided us personal information, contact legal@chatmycrm.com and we will take appropriate steps to delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you through the Service or by email. Your continued use of the Service after an update means you accept the revised policy.
14. Contact us
Salt City Software LLC
Utah, United States
Email:
legal@chatmycrm.com
Our mailing address is available on request by emailing legal@chatmycrm.com.
If you are in the EEA or UK and have concerns we have not resolved, you may contact your local data-protection supervisory authority.