Privacy Policy
This privacy policy applies to all AstraCRM services including our web application, mobile applications (iOS/Android), and Telegram bot. For platform-specific details, see our iOS and Android privacy policies.
Last updated: May 2025
1. Introduction
This privacy policy describes how AstraCRM ("we", "our", or "us") collects, uses, and protects your personal information when you use our comprehensive CRM platform, including:
• Web Application: Browser-based dashboard for administrators and managers
• Mobile Applications: iOS and Android apps for field workers
• Telegram Bot: Conversational interface for quick interactions
• Landing Website: Public marketing and information site
By using any of our services, you agree to the collection and use of information in accordance with this policy. Our platform is designed for service businesses to manage operations, clients, orders, and team communication efficiently.
Roles in personal data processing:
• Personal data of AstraCRM users (for example account and billing data) is processed by us as a data controller.
• Personal data of your clients/counterparties/employees that you enter into AstraCRM as part of your business operations is processed by you (your organization) as the data controller (operator). AstraCRM processes such data on your instructions solely to provide the Service and perform the contract.
You are responsible for having valid legal grounds for processing your clients' personal data (including obtaining consents where required) and for informing data subjects.
2. Information We Collect
We collect the following types of information across our platform:
• Personal Information: Name, email address, phone number, company details, and other contact information when you register or use our services
• Account Data: User credentials, authentication tokens, role assignments, and organization membership
• Business Data: Client information, order details, service categories, financial transactions, and operational data you input into the system
• Device Information: Device type, operating system, browser information, and mobile device identifiers for optimization and security
• Usage Data: How you interact with our platform, feature usage patterns, navigation behavior, and performance metrics
• Communication Data: Messages, call logs (through PBX integration), notifications, and correspondence with support
• File Data: Photos, documents, attachments, and other files uploaded to orders and client records
• Technical Data: IP addresses, session tokens, API usage logs, error reports, and system performance metrics
3. How We Use Your Information
We use the collected information for the following purposes:
• Core Services: Providing CRM functionality including order management, client tracking, team coordination, and business analytics
• Authentication & Security: User verification, account protection, fraud prevention, and secure access control
• Communication: Sending notifications about orders, system updates, scheduled maintenance, and important announcements
• Business Operations: Processing orders, managing client relationships, coordinating field workers, and generating reports
• Platform Improvement: Analyzing usage patterns to enhance features, fix bugs, optimize performance, and develop new capabilities
• Customer Support: Providing technical assistance, resolving issues, and maintaining service quality
• Compliance: Meeting legal obligations, regulatory requirements, and industry standards
• Marketing: Sending relevant product updates and promotional content (with opt-out available)
• Integration Services: Connecting with third-party tools like PBX systems, mapping services, and business applications
4. Information Sharing and Disclosure
We do not sell, trade, or otherwise transfer your personal information to third parties without your consent, except in the following circumstances:
• Within Your Organization: Data is shared among authorized users in your CRM instance as part of normal business operations, subject to role-based permissions
• Service Providers: We share data with trusted providers and partners (to the extent necessary to deliver the Service):
  • Timeweb Cloud / Timeweb S3: infrastructure, hosting, and file storage
  • Self-hosted Sentry (on Timeweb Cloud): error and performance monitoring
  • Yandex.Metrika: analytics for the astracrm.pro landing website
  • Yandex Maps (Tiles API): map tiles and previews
  • Sber SaluteSpeech: speech recognition (ASR) and audio transcription
  • OpenRouter: generative AI/LLM services for call-transcription summaries and similar AI-summary features; direct identifiers are removed before transfer and only de-identified/pseudonymized payloads are sent
  • Yandex Cloud: generative AI/LLM services for order inbox parsing and similar flows where message content may contain direct personal data
  • DaData: address/company validation and suggestions
  • Expo / Firebase: push notifications (mobile apps)
  • Telegram: message delivery for the Telegram bot
  • T-Bank: acquiring and payment processing
  • Email/SMS providers: notifications and communication
  • PBX integration partners: phone system connectivity
• Legal Requirements: When required by law, court order, subpoena, or other legal process
• Safety and Security: To investigate suspected fraud, security incidents, or violations of our terms of service
• Business Transfers: In connection with a merger, acquisition, sale of assets, or other business transaction
• Public Directories: Only information you explicitly choose to make public (such as business listings)
We implement strict data minimization practices and only share the minimum necessary information required for each purpose.
5. Data Security
We implement comprehensive security measures to protect your personal information:
• Encryption: All data transmission uses industry-standard TLS encryption, and sensitive data is encrypted at rest
• Access Controls: Multi-factor authentication, role-based permissions, and principle of least privilege access
• Infrastructure Security: Secure cloud hosting in Timeweb Cloud with regular security audits and best practices
• Database Protection: Encrypted databases with regular backups, access logging, and monitoring
• Application Security: Regular security testing, vulnerability assessments, and penetration testing
• Employee Training: All staff undergo security training and sign confidentiality agreements
• Monitoring: 24/7 security monitoring, intrusion detection, and incident response procedures
• Data Isolation: Multi-tenant architecture ensures complete separation between different organizations
• Regular Updates: Continuous security patches, software updates, and security best practice implementation
While we implement robust security measures, no system is 100% secure. We continuously monitor and improve our security posture.
6. Your Rights and Choices
You have the following rights regarding your personal information:
• Access: Request access to your personal data and information about how it's processed
• Correction: Update or correct inaccurate or incomplete information through your account settings
• Deletion: Request deletion of your account and associated personal data (subject to legal retention requirements)
• Portability: Request a copy of your data in a structured, machine-readable format
• Restriction: Request limitation of processing in certain circumstances
• Objection: Object to processing based on legitimate interests or for marketing purposes
• Consent Withdrawal: Withdraw consent for processing where consent is the legal basis
• Notification Control: Manage email, push notification, and SMS preferences
• Data Export: Export your business data including orders, clients, and reports
• Account Deactivation: Temporarily deactivate your account while preserving data
To exercise these rights, contact us using the information provided below or use the account settings in our web application. We will respond to requests within 30 days.
7. Platform-Specific Features
Our platform includes several components with specific privacy considerations:
• Web Application: Browser-based interface with session management, advanced analytics, and file management
• Mobile Apps (iOS/Android): Camera access for order documentation, push notifications for real-time updates, offline data synchronization
• Telegram Bot: Conversational interface for quick order updates, client lookups, and notifications within Telegram
• PBX Integration: Call logging, recording (where legally permitted), and communication tracking
• AI Summaries: Call-transcription summary payloads are de-identified/pseudonymized before transfer to OpenRouter; direct identifiers are removed. Order inbox parsing that may contain direct personal data continues to use Yandex Cloud
• File Storage: Secure S3-compatible storage for photos, documents, and attachments
• Real-time Features: WebSocket connections for live updates and notifications
• Over-the-air Updates: Mobile apps may download code and assets via Expo OTA to fix bugs or add features. No additional personal data is collected during these updates
• API Access: Secure API endpoints for third-party integrations and custom developments
Each platform component implements appropriate privacy controls and security measures specific to its functionality.
8. Third-Party Services
Our platform integrates with various services to provide enhanced functionality:
• Cloud infrastructure and storage: Timeweb Cloud (including Timeweb S3)
• Monitoring: self-hosted Sentry (deployed in our Timeweb Cloud infrastructure)
• Landing analytics: Yandex.Metrika
• Mapping: Yandex Maps (Tiles API) for address display, maps, and routing based on entered addresses
• Speech recognition: Sber SaluteSpeech
• Generative AI/LLM for de-identified/pseudonymized call summaries: OpenRouter (direct identifiers are removed before transfer)
• Generative AI/LLM for order inbox parsing that may contain direct personal data: Yandex Cloud
• API services: DaData for address validation and company information lookup
• Payments: T-Bank (acquiring)
• Push notifications: Expo / Firebase
• Communications: Telegram (for the Telegram bot) and email/SMS providers
Each third-party service (for example Yandex, Telegram, DaData, Expo/Firebase, T-Bank) has its own privacy policy. We carefully select vendors who meet our security and privacy standards and only share necessary data for specific functionalities.
9. Data Retention
We retain your personal information for different periods depending on the type of data and purpose:
• Account Information: Retained while your account is active and for up to 7 years after closure for compliance purposes
• Business Data: Orders, clients, and operational data retained according to your organization's retention policies and legal requirements
• Communication Records: Email and chat logs retained for up to 3 years for support and legal purposes
• Technical Logs: System logs, access logs, and error reports retained for up to 1 year for security and debugging
• Financial Records: Billing and payment data retained for up to 7 years for tax and accounting purposes
• Marketing Data: Contact preferences and communication history retained until you opt out
• Backup Data: Encrypted backups retained for up to 1 year for disaster recovery purposes
When data is deleted, it is securely purged from all systems including backups within 90 days, except where longer retention is required by law.
10. International Data Transfers
AstraCRM operates globally and may transfer your personal information to countries other than your country of residence:
• Primary Infrastructure: Our main servers are located in secure Timeweb data centers with appropriate safeguards
• Data Processing: We may process data in multiple jurisdictions to provide optimal performance and redundancy
• Legal Safeguards: All international transfers are protected by appropriate safeguards including:
  • Standard Contractual Clauses (SCCs) for transfers outside the EU
  • Adequacy decisions where available
  • Binding corporate rules for intra-group transfers
  • Additional security measures as required by applicable law
We ensure that all international data transfers comply with applicable privacy laws and provide adequate protection for your personal information.
11. Children's Privacy
Our services are designed for business use and are not intended for children under 16 years of age (or the minimum age in your jurisdiction):
• Age Verification: We require users to confirm they meet minimum age requirements during registration
• No Targeting: We do not knowingly market to or target children
• Parental Rights: If you are a parent or guardian and believe your child has provided personal information, contact us immediately
• Data Deletion: We will promptly delete any personal information from children that we become aware of
• Educational Use: Any educational or training use must be supervised by appropriate adults
If you become aware of any child using our services, please notify us so we can take appropriate action.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings:
• Notification Methods: We will notify you of material changes by:
  • Posting the updated policy on our website and in our applications
  • Sending email notifications to registered users
  • Displaying in-app notifications for significant changes
  • Updating the "Last updated" date
• Review Period: You will have at least 30 days to review material changes before they take effect
• Continued Use: Your continued use of our services after changes take effect constitutes acceptance of the updated policy
• Withdrawal: If you do not agree to changes, you may discontinue using our services
You are advised to review this Privacy Policy periodically to stay informed about how we protect your information.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us:
• Privacy Officer: privacy@astracrm.pro
• General Support: support@astracrm.pro
• Website: https://astracrm.pro/contact
• Mailing Address: 164500, Severodvinsk, Karla Marksa St., 46, office 12
• Response Time: We respond to privacy inquiries within 5 business days
• Escalation: For urgent privacy matters, mark your email "URGENT: Privacy"
• Language: We can respond in English and Russian
For platform-specific privacy questions:
• iOS App: Refer to our iOS Privacy Policy or contact us through the App Store
• Android App: Refer to our Android Privacy Policy or contact us through Google Play
• Telegram Bot: Use the /help command or contact us directly
We are committed to addressing your privacy concerns promptly and transparently.