Deal
Sign in
Back home
Legal · PrivacyLast updated April 26, 2026

Privacy Policy

This Privacy Policy explains what personal information Deal collects, how we use and share it, the choices you have, and the rights available under GDPR, UK GDPR, and applicable U.S. state laws. We try to keep it short, specific, and free of legalese.

1Who we are

AI CRM Inc. ("Deal", "we", "us", or "our") is a Delaware, United States company that operates the Deal website, platform, and related services (the "Service"), available at crm.deal. We are the controller of the personal information described in this Policy unless otherwise stated.

For privacy questions, write to us at igor@crm.deal.

2Information we collect

We collect information in three buckets:

Account & contact information

When you sign up, we collect your name, email address, organization, country, and (where applicable) billing details. If you sign in with a third-party identity provider (e.g. Google), we receive your email, name, and avatar URL — nothing else.

Customer Data

To run the Service, you send us product events, identified user data, and configuration (collectively "Customer Data"). This may include end-user emails, names, properties, behavioral events, timestamps, message history, replies, and product context you voluntarily upload (docs, transcripts, voice notes). You determine the scope of Customer Data you send.

Usage & technical data

We log IP addresses, device and browser information, referrer URLs, and feature usage so we can run, secure, and improve the Service. This data is collected automatically and is generally aggregated.

3How we use information

We use the information described above to:

  • Provide, operate, and maintain the Service;
  • Train per-workspace knowledge representations and generate follow-ups, drafts, and recommendations on your behalf;
  • Send transactional and product emails (account, billing, security, critical product changes);
  • With your consent or per legitimate interest where applicable, send product update emails and surveys — you can opt out at any time;
  • Detect, prevent, and respond to fraud, abuse, security incidents, and policy violations;
  • Comply with legal obligations and respond to lawful requests;
  • Aggregate and anonymize usage patterns to improve performance and reliability of the Service.

4Legal basis (GDPR / UK GDPR)

For users in the EU, EEA, UK, and Switzerland, we rely on the following legal bases under the GDPR and UK GDPR:

  • Performance of a contract — to deliver the Service you signed up for, manage billing, and provide support;
  • Legitimate interests — to secure the Service, prevent abuse, improve reliability, and tell existing customers about substantively new features. We balance these interests against your rights and freedoms;
  • Consent — for non-essential cookies, marketing emails to non-customers, and any optional integrations you turn on. You can withdraw consent at any time;
  • Legal obligation — to comply with applicable laws, including tax, accounting, and lawful disclosure requests.

Where you act as a customer using Deal to send communications to your end-users, you are the controller of those end-users' personal data and Deal acts as a processor under the GDPR. Our Data Processing Addendum is available on request and is incorporated by reference into our Terms.

5Service providers & sub-processors

We do not sell personal information. We share it with the sub-processors below to run the Service. Each is bound by a written contract that requires confidentiality, security measures, and use limited to providing the Service to us.

ProviderPurposeRegion
Vercel, Inc.
DPA		Application hosting, edge delivery, web analyticsGlobal (regional edge)
Stripe, Inc.
DPA		Payment processing, subscription billingUnited States, EU
OpenAI, L.L.C.
DPA		AI model inference for drafting follow-ups & classifying intent. API data is not used to train models.United States
Anthropic, PBC
DPA		AI model inference for drafting follow-upsUnited States
Vercel AI Gateway
DPA		Routing AI requests to underlying providers (OpenAI, Anthropic, Google Vertex, AWS Bedrock)Global (regional edge)
Resend, Inc.
DPA		Transactional and lifecycle email deliveryUnited States, EU
PostHog, Inc.
DPA		Product analytics, session insights, feature flagsUnited States, EU (EU cloud available)

We may add or change sub-processors as the Service evolves. Material changes are reflected on this page and, where required, communicated in advance to customers under a Data Processing Addendum.

6International data transfers

Deal is operated from the United States and several of our sub-processors are also located in the United States. When we transfer personal data from the EU, EEA, UK, or Switzerland to the United States or another country that does not provide an adequate level of protection under local law, we rely on appropriate safeguards, primarily the European Commission's Standard Contractual Clauses (2021/914), the UK Addendum to the SCCs, and Swiss-equivalent clauses where relevant. Additional supplementary measures (encryption in transit and at rest, access controls, data minimization) are applied across the Service.

7Data retention

We retain personal information only as long as needed to provide the Service and meet legal obligations. Concretely:

  • Account data — kept for the lifetime of your account, plus up to 90 days after closure for backups and dispute resolution.
  • Customer Data (events, messages, contacts) — kept according to your workspace retention setting (default: 24 months) and deleted thereafter, unless legally required to retain.
  • Billing and tax records — kept for the period required by applicable law (typically 7 years).
  • Security and audit logs — kept for up to 12 months unless an active investigation requires longer.

8Data security

We take data security seriously and apply industry-standard measures including TLS 1.2+ in transit, encryption at rest (AES-256), least- privilege access controls, audit logging, secret rotation, and documented incident response. No method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security; we will notify affected users and regulators of personal data breaches as required by law.

9Your rights

Rights under GDPR & UK GDPR

If the GDPR or UK GDPR applies to you, you have the right to:

  • Access the personal data we hold about you;
  • Correct inaccurate or incomplete data;
  • Erase your data ("right to be forgotten");
  • Restrict or object to certain processing;
  • Data portability — receive a copy in a structured, machine- readable format;
  • Withdraw consent at any time where processing is based on consent;
  • Lodge a complaint with your local supervisory authority (e.g. the Irish DPC or the UK ICO).

Rights for U.S. residents

Depending on the U.S. state in which you reside, you may have additional rights, including the right to know what categories of personal information we collect, request deletion, and opt out of certain disclosures. We do not "sell" personal information as that term is commonly understood.

How to exercise your rights

Send a request from your account email to igor@crm.deal. We respond within 30 days (extendable to 60 days for complex requests, with notice). We may need to verify your identity before acting.

10AI processing & customer data

Deal uses third-party AI models (including OpenAI, Anthropic, and Google) — accessed via our own infrastructure and the Vercel AI Gateway — to draft follow-ups, classify intent, summarize conversations, and similar tasks. We send only the workspace data necessary to complete each task, and we contractually require these providers to:

  • Not use Customer Data submitted via API to train their foundation models;
  • Apply industry-standard security and access controls;
  • Process data only on documented instructions.

If you prefer that specific workspace data not be processed by AI models, you can disable AI features in workspace settings.

11Cookies & similar technologies

We use a small number of cookies and similar technologies, grouped into essential (sign-in, CSRF, load balancing), preference (theme, workspace), and analytics (privacy-friendly product analytics via PostHog). On EU/UK traffic, non-essential cookies are loaded only after consent via our cookie banner. You can change your preferences at any time from the cookie settings link in our footer or via your browser controls.

12Children

The Service is not directed to children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided personal data without appropriate consent, contact us and we will delete it.

13Third-party disclosure

We do not sell, trade, or otherwise transfer your personal information to third parties for their independent marketing purposes. We disclose information only:

  • To sub-processors as listed in Section 5, under written contract;
  • To enforce our Terms, prevent fraud, or protect the rights, safety, and property of Deal, our users, or the public;
  • To comply with applicable law, court orders, or other lawful government requests, where we are legally required to do so;
  • In the event of a merger, acquisition, financing, reorganization, bankruptcy, or sale of company assets, in which case we will provide notice before personal information is transferred and becomes subject to a different privacy policy.

14Changes to this policy

We may update this Policy from time to time. When we do, we will post the updated version on this page and update the "Last updated" date above. For material changes, we will notify customers in-app or by email at least 30 days before the change takes effect. Continued use of the Service after the effective date means you accept the updated Policy.

15Contact us

For privacy questions, requests, or complaints, contact our team at igor@crm.deal.

AI CRM Inc.
Wilmington, Delaware, United States