Privacy Policy
Effective date: 21 May 2026 | Last updated: 21 May 2026
This Privacy Policy describes how crmFEX (“we”, “our”, or “the Service”), operated by Yasin Ozkasapoglu from Istanbul, Turkey, collects, uses, stores and protects personal data when you use our website (https://crmfex.com), the web application at https://app.crmfex.com, and the customer portal at https://portal.crmfex.com.
1. Data We Collect
1.1 Account information
- Name, email address, password hash, profile picture (if you upload one).
- Company name, tax ID, address, phone, IBAN if you provide them in your CRM settings.
- Authentication metadata: login times, IP address, user agent, country.
1.2 Application data you create
- Client / contact records, invoices, contracts, expenses, ledger entries, products, files you upload.
- Email templates and outgoing message logs.
1.3 Data from Google (when you use Google Sign-In or Google Calendar)
When you choose to sign in with Google or connect Google Calendar, we receive:
- Your Google account’s basic profile (name, email, picture, Google ID).
- Calendar events only when you explicitly grant the calendar.events scope, and only for the calendars you choose to sync.
Google API Services User Data Policy — Limited Use Disclosure. crmFEX’s use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data for advertising, do not sell it, and do not transfer it to third parties except as required to provide and improve the user-facing features of the Service.
1.4 Cookies and analytics
- Session cookies for authentication (HTTP-only, Secure, SameSite=Lax).
- We do not use third-party advertising cookies or cross-site trackers.
- We use Cloudflare for DDoS protection and basic traffic analytics (aggregated, anonymized).
2. How We Use Your Data
- To provide the Service: store your CRM data, render invoices, send emails on your behalf when you click “Send”.
- To authenticate you: verify your password / Google identity, issue session tokens.
- To communicate with you: send transactional emails (password reset, payment receipts, security alerts).
- To comply with legal obligations: retain invoices and contracts for the period required by your local tax law.
3. Legal Bases (GDPR / KVKK)
If you are in the EU, EEA, UK or Turkey, we process your data on the following legal bases:
- Contract: processing is necessary to provide you the Service you signed up for.
- Legal obligation: tax, accounting and e-invoicing regulations.
- Legitimate interest: securing the platform, preventing fraud.
- Consent: for optional features like Google Calendar sync — revocable at any time.
4. Where Your Data Lives
- Application data: Microsoft Azure datacenters in North Europe (PostgreSQL) and West Europe (storage, compute).
- Email sending: via your configured SMTP provider, or Gmail/Outlook when you authorize it.
- Payments: handled by Stripe and iyzico — we never store full card numbers on our servers.
5. How We Protect Your Data
- All traffic over HTTPS / TLS 1.2+ enforced.
- Database encrypted at rest (Azure-managed keys).
- Passwords hashed with Argon2id.
- Per-tenant row-level isolation in PostgreSQL.
- API credentials and OAuth secrets stored in Azure Key Vault, never in source code.
6. Data Sharing
We share data with third parties only when necessary to operate the Service:
- Microsoft Azure — hosting (data processor under DPA).
- Cloudflare — CDN, DDoS protection, DNS.
- Stripe / iyzico — payment processing (subject to their own privacy policies).
- Google / Microsoft — only if you choose to sign in with them or use their APIs.
- Nilvera (TR e-Fatura provider) — only if you enable e-Invoice and submit invoices through it.
We never sell your data. We never share data with advertising networks.
7. Your Rights
You have the right to:
- Access your data — the Settings page lets you download all your CRM data as JSON.
- Correct inaccurate data — edit any field in-app.
- Delete your account — Settings → Account → Delete Account triggers a 30-day deletion window.
- Export your data — full JSON export anytime, no fee.
- Revoke Google or Microsoft access — Settings → Integrations → Disconnect.
- Object to specific processing or restrict it.
- Lodge a complaint with your local data protection authority (e.g. KVKK in Turkey, your national DPA in the EU).
To exercise these rights, email [email protected]. We respond within 30 days.
8. Data Retention
- Active account data: kept while your account is active.
- After account deletion: 30-day grace period, then permanent deletion. Tax-required records (invoices) may be retained for up to 10 years per Turkish tax law if applicable to you.
- Backups: rolling 7-day retention.
- Server logs: 30 days.
9. Children
The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has signed up, contact us and we will delete the account.
10. International Transfers
If you access the Service from outside the EU / EEA / UK / Turkey, your data is still stored in EU datacenters. For users in the EU/EEA, no international transfer occurs. For users elsewhere, by using the Service you consent to your data being processed in the EU.
11. Changes to This Policy
We may update this policy from time to time. Material changes will be announced by email at least 14 days before they take effect. The current version is always available at this URL with the “Last updated” date at the top.
12. Contact
For any privacy questions or to exercise your rights:
- Email: [email protected]
- Data controller: Yasin Ozkasapoglu — Istanbul, Turkey
- General contact: [email protected]