1. Introduction
This Privacy Policy describes how Coastline CRM, Inc. (“Coastline,” “we,” “us”) collects, uses, and shares information when you use our CRM at coastlinecrm.com and related subdomains (the “Service”). The Service is a customer relationship management application for sales teams, and includes the Coastline mobile app for iOS and Android, a companion to the web CRM.
This policy covers information we collect through the Service. It does not cover information you separately share with third-party tools you connect to Coastline; those tools have their own privacy policies.
2. Information we collect
Account information
When you create an account, we collect your name, email address, phone number, a hash of your password, and the workspace you create or join. If you pay for a subscription, our payments provider collects and stores your payment details; we receive only a billing summary and a customer identifier.
Customer data
The Service exists to let you manage your own records. Anything you enter or import (contacts, deals, notes, files, calendar events, emails synced from a connected inbox, messages sent through the Service) we treat as your data. We process it on your behalf to operate the Service. You decide what to put in, and you are responsible for having the right to use it under the Terms of Service.
Connected email and calendar accounts
The Service lets you connect a personal or business email and calendar account (for example, a Google or Microsoft account) so you can read, search, send, and organize email and manage your calendar inside Coastline. You connect an account through the provider’s own secure sign-in and consent screen, and you can disconnect it at any time from within the Service, which stops the sync and revokes our access going forward.
When an account is connected, we access it only to provide the features you enabled. What happens to the information depends on whether it relates to your CRM records:
- Messages tied to a contact or project (an email whose sender or recipient matches a contact in your workspace, or that belongs to a conversation already linked to a project) are stored in your workspace so they appear alongside that record. Emails you send through the Service are also stored.
- The rest of your mailbox is read live from your email provider each time you view it and is not stored on our servers. We keep only a lightweight index where needed to power features such as new-message notifications.
- Attachments are stored only for messages tied to a project. For other messages we keep the file’s name and type, not its contents.
- On-device cache. To load quickly, the Service temporarily caches recently viewed messages and message lists on your own device (in your browser), the same way a desktop or mobile email app does. This cache is tied to your signed-in account and is cleared when you sign out or switch accounts.
Usage and device data
When you use the Service we log information that browsers and servers normally exchange: IP address, browser type and version, operating system, pages viewed, referrer, and timestamps. We use this to run the Service, diagnose errors, and detect abuse.
We do not use third-party advertising or product-analytics trackers at this time. If we add one, we will update this policy.
Mobile app information
The Coastline mobile app for iOS and Android is a companion to the web CRM and requires a Coastline account. With your permission, the app accesses the following on your device:
- Camera: to capture project photos and scan documents.
- Photos and files: to upload photos, set a profile picture, and attach documents.
- Location, while you are using the app: to show your position and nearby jobs on the map and to fill in the address of a job you create from your current location. We request location only while the app is in the foreground; we do not track your location in the background. When you create a record from a location, the resulting address is saved as part of that record. We may use approximate and precise location.
- Notifications: to send you job and message alerts. To deliver these we register a push token with Expo’s push notification service.
The app also sends crash reports and basic device and operating-system information to Sentry to help us diagnose errors. We disable collection of personally identifying data in these crash reports. The app does not use advertising identifiers and does not track you across other apps or websites.
3. Cookies
We use one cookie: a session cookie set by our authentication provider to keep you signed in. We do not set advertising cookies, analytics cookies, or cross-site tracking cookies.
Most browsers let you block or delete cookies. Blocking the session cookie will prevent the Service from signing you in.
4. How we use information
We use the information described above to:
- Provide, operate, and maintain the Service.
- Authenticate you and secure your account.
- Process payments and send billing notices.
- Send transactional email: confirmations, password resets, receipts, support replies, service notices.
- Respond to your support requests.
- Detect, investigate, and prevent security incidents, fraud, and abuse.
- Comply with legal obligations and enforce our Terms of Service.
We do not sell your personal information. We do not use your Customer Data to train machine-learning models.
Limited use of connected email and calendar data
When you connect a Google or Microsoft account, we use the information we access from it only to provide and improve the features you enabled inside Coastline. In particular:
- We do not sell this information, and we do not use it for advertising.
- We do not use it to develop, train, or improve generalized or standalone artificial-intelligence models.
- We do not transfer it to others except as needed to provide the Service to you, to comply with applicable law, or as part of a merger or acquisition with notice to you.
- We do not allow humans to read it, except with your consent, to investigate a security or abuse issue, to provide support you have requested, to comply with applicable law, or where the information has been aggregated and anonymized.
Coastline’s use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including its Limited Use requirements. Our use of information from a connected Microsoft account adheres to the applicable Microsoft terms.
5. Text messages we send you
When you create a Coastline account and provide a phone number, you may opt in to receive text messages from us at that number. We send three categories of texts:
- Account notifications: such as security alerts about your account.
- Billing notifications: such as failed payments, upcoming renewals, and receipts.
- Service reminders: such as trial-ending notices and onboarding nudges.
We do not send marketing or promotional texts as part of this program. Consent to receive texts is not required to use Coastline; you may continue with email-only notifications.
Opting in is explicit: at signup or in your account settings, you check a box indicating you agree to receive texts at the number you provided. We also send a one-time code to confirm the number is yours; the verification code itself is sent regardless of whether you opted in to ongoing texts.
You may opt out at any time by replying STOP to any message, or by turning off SMS notifications in your account settings under Notifications. Message and data rates may apply. Message frequency varies.
We retain the timestamp, the phone number, and the exact wording you agreed to as the durable record of your consent, and we retain the timestamp and reason of any opt-out.
6. How we share information
We share information with service providers who help us run the Service. Each provider is bound by a contract that restricts them to processing information on our behalf. The current list:
- Supabase: authentication, database, and file storage. United States.
- Vercel: application hosting and request logging. United States.
- Stripe: payment processing and billing. United States.
- Resend: transactional email delivery. United States.
- Unipile: email and calendar synchronization, used only when a workspace connects an inbox. United States.
- Twilio: SMS and voice messaging, used to deliver account notifications you've opted into and, when a workspace enables messaging, to send and receive messages with that workspace's contacts. United States.
- Google Maps Platform: address autocomplete and geocoding for addresses you enter. Global.
- Sentry: crash and error reporting for our mobile app, with personally identifying data disabled. United States.
- Expo: push notification delivery for our mobile app. United States.
We also share information:
- When you direct us to (for example, when you invite a teammate to your workspace).
- With our auditors, accountants, and legal counsel, under duties of confidence.
- To comply with law, a court order, or a valid government request.
- To investigate or respond to a security incident or violation of our Terms of Service.
- In connection with a merger, acquisition, or sale of assets; we will notify you if your information becomes subject to a different policy.
7. Data retention
We keep account information and Customer Data for as long as your account and workspace are active.
Account deletion. When you delete your account, we remove your profile and personal data from production systems after a 30-day grace period. This lets us reverse accidental deletions and respond to legal requests.
Workspace cancellation. If a workspace subscription is canceled, Customer Data remains available for reactivation for 90 days, then is purged from production systems.
Backups are encrypted and cycled within 30 days of the corresponding deletion.
Billing records are kept for up to seven years to meet tax and accounting obligations.
8. Security
We use industry-standard measures to protect your information, including TLS encryption in transit, encryption of data at rest, access controls and logging, and least-privilege administration. No system is perfectly secure. If we become aware of a breach affecting your data, we will notify you without undue delay in line with applicable law.
You are responsible for using a strong password, enabling two-factor authentication where available, and keeping your credentials confidential.
9. Your rights
You can:
- Access and update most account information directly in Settings → Account.
- Export your Customer Data at any time; workspace owners can generate a full export under Settings → Data.
- Delete your account from Settings → Account.
You can also email support@coastlinecrm.com to make any of these requests. We verify the email on file before acting on a request.
California residents (CCPA/CPRA)
You have the right to know what personal information we have collected about you, to request deletion, to request correction, and to opt out of the “sale” or “sharing” of personal information as those terms are defined by California law. We do not sell or share personal information for cross-context behavioral advertising. You may designate an authorized agent to make a request on your behalf.
European Economic Area, United Kingdom, and Switzerland residents (GDPR and UK GDPR)
You have the rights of access, rectification, erasure, restriction, portability, and objection. Where we rely on consent, you can withdraw it at any time. Where we rely on legitimate interests, you may object. You can lodge a complaint with your local supervisory authority.
Our legal bases for processing are:
- Performance of a contract with you (to provide the Service).
- Our legitimate interests in securing, improving, and operating the Service.
- Compliance with a legal obligation.
- Your consent, where the law requires it.
10. International transfers
We operate from the United States, and our service providers are primarily based in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. Where required, we rely on the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent Swiss mechanisms to lawfully transfer personal data.
11. Children
The Service is not directed to, and we do not knowingly collect information from, anyone under sixteen. If you believe a child has given us information, contact support@coastlinecrm.com and we will delete it.
12. Changes
We may update this policy from time to time. If a change is material, we will provide notice (for example, by email to account owners or a notice inside the Service) at least 30 days before the change takes effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. Contact
Questions about this policy or requests about your data:
Coastline CRM, Inc.
support@coastlinecrm.com