Legal

Privacy Policy

How Aetrix Systems collects, uses, shares, and protects information across Aetrix Core CRM and our other products and services.

Effective: May 4, 2026 · Last updated: May 4, 2026

1. Introduction & Scope

This Privacy Policy describes how Aetrix Systems, LLC ("Aetrix," "we," "us," or "our") collects, uses, shares, and protects information in connection with the websites, mobile applications, and software-as-a-service products we offer (collectively, the "Services").

Today, the Services include Aetrix Core CRM, our modular field customer-relationship-management platform, and the related aetrixcorecrm.com website. As we expand our product line, this Policy will apply to additional Aetrix-branded software and services we make available, unless a separate notice or agreement says otherwise for a specific product.

Aetrix Systems, LLC is a California limited liability company. Our products primarily serve businesses ("Customers"), and most personal information we process is provided by those Customers about their employees, contractors, and the leads, contacts, properties, or accounts they manage. Where we act as a service provider or processor on behalf of a Customer, that Customer is the controller of the personal information they upload or input, and our use of that information is governed by our agreement with them in addition to this Policy.

One-sentence summary: If you're a CRM end-user (a rep or admin at a Customer organization), most of the data we hold about you was put there by your employer, and your employer controls it.

2. Information We Collect

2.1 Information you provide directly

  • Account information. Name, email address, username, password (hashed), phone number, role, and profile bio.
  • Organization information. Business name, industry, company size, primary contact details, billing address, plan selection, and module configuration.
  • Customer data you input. Records you create or upload while using the Services — for example, leads, contacts, properties, units, tasks, notes, files, photos, forms, signatures, expense receipts, surveys, contracts, and reports.
  • Communications you send through the Services. Email messages composed in or sent through Aetrix, in-app chat messages, posts and comments in team feeds (Pulse, Announcements), and call or SMS metadata when telephony features are configured.
  • Support and feedback. Information you share when you contact us for help, submit feedback, or fill out forms on our marketing website.

2.2 Information collected automatically while you use the Services

  • Device and connection data. IP address, browser type and version, operating system, device model, and approximate location derived from IP address.
  • Usage data. Pages and features accessed, actions taken, timestamps, and identifiers needed to maintain your session.
  • Precise location data (only when expressly enabled by you or your organization for features that require it). This includes mileage tracking, geofencing zones, route optimization, and check-in/check-out events on customer sites. Location data is captured only when the relevant feature is active and you have granted location permission to the application.
  • Diagnostic and error data. Crash reports, performance traces, and exception details, used to fix bugs and improve reliability. We use a service called Sentry for error monitoring.

2.3 Information from third-party services you connect

If you choose to connect a third-party account to the Services — for example, a Microsoft 365 mailbox, a Google Workspace mailbox, an IMAP/SMTP email account, a calendar provider, or a payment processor — we receive information from that service as needed to perform the integration you requested. Section 4 of this Policy explains in detail what we collect from connected email accounts and how we use it.

2.4 Information we do not collect

  • We do not collect or store payment card numbers, CVCs, or bank account credentials. Payments are processed by our payment provider (currently Stripe), which sends Aetrix only a customer reference, masked card details (e.g., last four digits and brand), and transaction status.
  • We do not collect biometric identifiers (fingerprints, faceprints, voiceprints).
  • We do not knowingly collect information from anyone under the age of 16. See Section 12.

3. How We Use Information

We use the information described in Section 2 for the following purposes:

  • To provide and operate the Services. Authenticating you, syncing data across your devices, sending notifications, executing the actions you initiate (sending an email, dispatching a task, generating a report).
  • To support and communicate with you. Responding to support requests, sending service-related announcements (outage notices, security updates, billing reminders), and operating the marketing portal.
  • To bill and account for your subscription. Calculating amounts due, processing payments through our payment provider, issuing invoices and receipts, applying credits and promotions.
  • To improve and develop the Services. Diagnosing issues, measuring feature adoption in aggregate, and building new functionality. Where we use customer data for product improvement, we do so in aggregated, de-identified form whenever practical.
  • To keep the Services secure. Detecting and preventing unauthorized access, fraud, abuse, and policy violations; investigating security incidents; responding to legal process.
  • To comply with law. Meeting legal, regulatory, and contractual obligations, including responding to lawful requests from public authorities.

What we do not do with your data: We do not sell personal information. We do not use Customer data, communications content, or data accessed through connected third-party accounts for advertising. We do not use Customer email content or other Customer communications to train machine-learning or AI models that benefit other customers or any third party.

4. Connected Email & Third-Party Accounts

The Aetrix Core CRM Email module lets you (or, in the case of a shared mailbox, an administrator at your organization) connect a personal or organizational email account so that messages composed inside Aetrix are sent from your real email address and replies are synchronized back into your CRM threads. We currently support — or plan to support — connections to the following providers:

  • Microsoft 365 / Outlook.com / Microsoft Entra ID identities, via the Microsoft Graph API and Microsoft identity platform OAuth 2.0.
  • Google Workspace / Gmail, via the Gmail API and Google OAuth 2.0 (planned).
  • Generic IMAP/SMTP accounts (for any provider that supports IMAP and SMTP with username/password or app-password authentication), as a fallback for users who don't use Microsoft or Google.

4.1 What we access from a connected email account

When you connect an email account, you grant Aetrix permission, through that provider's standard OAuth (or username/password) flow, to perform the following on your behalf:

  • Send email messages that you compose within the Services.
  • Read email messages in your inbox only for the purpose of syncing replies and incoming messages that are part of conversations you initiated through Aetrix, or that match contacts and leads in your CRM.
  • Read message metadata (sender, recipients, subject, date, thread or conversation identifier) needed to thread conversations correctly inside Aetrix.
  • Mark messages as read or move them to specific folders, only as a result of actions you take in Aetrix.
  • Read your basic profile (name, email address) to display the connected account in your settings.

4.2 Limited Use commitment

Aetrix's use of information received from connected email providers is strictly limited to providing or improving the user-facing features of the Services that the user explicitly requested. In particular, with respect to data accessed via Microsoft Graph, the Gmail API, or any other connected mailbox:

  • We do not transfer this data to others except as necessary to provide or improve the user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
  • We do not use this data for advertising purposes.
  • We do not allow humans to read this data, except: (a) with your specific consent, (b) for security purposes (such as investigating abuse), (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized in a way that does not identify you.
  • We do not use this data to train generalized or third-party AI or machine-learning models. Aetrix may apply per-user, per-message AI features (for example, AI-assisted reply drafting) only when you actively invoke them, and only to the message you are working on at that moment.

4.3 How tokens and credentials are stored

OAuth access tokens and refresh tokens for connected providers are stored encrypted at rest using authenticated symmetric encryption (Fernet, AES-128 in CBC mode with HMAC-SHA256 authentication). For IMAP/SMTP fallback accounts, the SMTP password (or app-specific password) is stored encrypted using the same scheme. Encryption keys are held in our infrastructure provider's secrets management and are not present in our application source code or version control.

4.4 Disconnecting an account

You can disconnect a connected email account at any time from Settings → Connections in Aetrix Core CRM. When you disconnect:

  • The associated OAuth tokens or stored credentials are deleted immediately from our systems.
  • We stop performing any further sync against that account on your behalf.
  • Email messages that were already synchronized into your Aetrix CRM threads remain in your CRM (because they are now part of your CRM's records). To delete those records as well, follow the data-deletion process described in Section 9.

You may also revoke Aetrix's access from your provider's own account settings page (e.g., Microsoft account "Apps with access," Google account "Third-party apps with account access"). Revoking from the provider has the same effect: we lose the ability to sync, and we will mark the account disconnected the next time we attempt access.

4.5 Other third-party connections

The Services may offer connections to additional third-party systems beyond email — for example, calendar providers, telephony platforms (Twilio), accounting systems, e-signature services, and payroll platforms. Each such connection is governed by the same principles: we access only the data needed to deliver the feature you requested, we do not use that data for advertising or unrelated AI training, and you can disconnect at any time.

5. When We Share Information

We do not sell personal information. We share personal information only in the following circumstances:

5.1 Within your organization

The Services are designed to be used by teams. Information you input or generate inside Aetrix Core CRM may be visible to other authorized members of your organization, subject to the role-based permissions and module configuration set by your organization's administrators.

5.2 With service providers and subprocessors

We share information with vendors and contractors who perform functions on our behalf (hosting, storage, email delivery, error monitoring, payments, customer support, etc.) under contractual obligations that limit their use of the data to providing services to us. See Section 6.

5.3 At your direction or with your consent

If you direct us to share data with a third-party app or integration, we will do so on your behalf — for example, by sending an email through your connected mailbox, posting to a webhook you have configured, or generating a PDF that you choose to share.

5.4 For legal reasons

We may disclose information when we have a good-faith belief that disclosure is required by law or legal process, to protect our rights or safety or those of others, to investigate fraud, or to respond to a government request.

5.5 In a business transfer

If Aetrix Systems is involved in a merger, acquisition, financing, reorganization, or sale of all or a portion of its assets, personal information may be transferred as part of that transaction. We will notify affected users (by email or a prominent notice on the Services) before personal information is transferred and becomes subject to a different privacy policy.

5.6 Aggregated or de-identified information

We may share aggregated or de-identified information that cannot reasonably be used to identify you for any purpose, including industry analysis, marketing, and public reporting.

6. Service Providers & Subprocessors

We engage the following categories of third-party service providers to operate the Services. The specific vendors below reflect our infrastructure as of the effective date of this Policy and may change as our products evolve; we will keep this list reasonably current.

Category | Purpose | Provider(s)
Application hosting & compute | Backend application servers and database hosting | Railway
Web & static asset hosting | Marketing site, web application delivery | Vercel
DNS & CDN | Domain resolution, content delivery, DDoS protection | Cloudflare
File storage | User-uploaded files, attachments, photos | Cloudflare R2
Transactional email | System-sent emails (welcome, summaries, notifications) | Resend
Email integrations | OAuth-based access to user-connected mailboxes | Microsoft (Graph API), Google (Gmail API, planned), generic IMAP/SMTP providers
Payments | Subscription billing, payment processing | Stripe
Telephony | Voice calls and SMS originated through the Services | Twilio (planned)
Error monitoring | Diagnosing crashes and exceptions | Sentry
Geocoding & routing | Address-to-coordinate conversion, route optimization | OSRM
Identity & access | Owner business email and admin tooling | Microsoft 365

Each subprocessor is bound by a contract that limits its use of personal information to providing services to Aetrix and requires appropriate security measures. Subprocessors that are based in the United States are subject to U.S. law; subprocessors operating in other jurisdictions are subject to the laws of those jurisdictions. International transfers are addressed in Section 11.

7. Security

We use commercially reasonable technical and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit using TLS 1.2 or higher.
  • Encryption at rest for sensitive credentials, OAuth tokens, and AI provider keys, using authenticated symmetric encryption.
  • Password hashing using a modern algorithm (bcrypt) with per-user salts.
  • Multi-tenant data isolation — every Customer's records are scoped by organization identifier and access-controlled at the application and database query layers.
  • Role-based access controls within the Services so administrators can limit what each team member can see and do.
  • Logging and monitoring for security-relevant events.
  • Regular software updates and dependency reviews.

No system is perfectly secure, however, and we cannot guarantee that information will never be accessed in an unauthorized way. If we become aware of a security incident affecting your personal information, we will notify you and any applicable regulator as required by law.

8. Data Retention

We retain personal information for as long as needed to provide the Services and for the additional periods described below.

  • Customer data (records you input into Aetrix Core CRM, including leads, contacts, tasks, files, and synced email threads): retained for the duration of your subscription. After your subscription ends, we retain Customer data for up to 90 days to allow for export and recovery, after which it is deleted unless a longer retention period is required by law.
  • Account information: retained while the account is active and for a reasonable period afterward to support reactivation, billing reconciliation, and legal recordkeeping.
  • OAuth tokens for connected mailboxes: deleted immediately when you disconnect the account, when your account is deleted, or when the token is revoked at the provider.
  • Email attachment uploads that are uploaded but never linked to a sent message are deleted after 24 hours (the orphan-cleanup window).
  • Logs and diagnostic data: retained for up to 90 days for operational purposes, after which they are aggregated, anonymized, or deleted.
  • Billing records: retained for at least seven years to comply with tax and accounting requirements.

Customers (organizations) may configure shorter retention windows for specific record types in Aetrix Core CRM where supported. Individual users acting as employees of a Customer should direct retention questions to their organization's administrator.

9. Your Rights & Choices

Depending on where you live, you may have rights regarding the personal information we hold about you, including:

  • Access — request a copy of the personal information we hold about you.
  • Correction — request that we correct inaccurate or incomplete information.
  • Deletion — request that we delete personal information about you, subject to certain exceptions (such as records we must retain to comply with law).
  • Portability — request a machine-readable export of personal information you provided.
  • Objection or restriction — object to or restrict certain processing of your personal information.
  • Withdrawal of consent — withdraw consent where processing is based on consent.

How to exercise these rights:

  • If you are an individual user of Aetrix Core CRM acting in the course of your employment, please direct your request first to your organization's administrator. The administrator controls the relevant records and is in the best position to act on your request quickly.
  • For requests Aetrix must handle directly (for example, if you no longer have access to your account, or if the request concerns the marketing website), email us at privacy@aetrixsystems.com. We may need to verify your identity before acting on a request.

We will not discriminate against you for exercising these rights.

10. California Residents

This section provides additional information for California residents under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA").

10.1 Categories of personal information collected

In the prior 12 months, we have collected the categories of personal information described in Section 2, which fall under the CCPA categories of: identifiers, customer records information, commercial information, internet/electronic activity, geolocation data (for users who enable location-based features), professional/employment information, and inferences derived from any of the foregoing.

10.2 Sources, purposes, and disclosures

Sources are described in Section 2. Business purposes are described in Section 3. Categories of recipients are described in Sections 5 and 6.

10.3 Sale and sharing

We do not "sell" personal information for monetary consideration, and we do not "share" personal information for cross-context behavioral advertising, as those terms are defined under the CCPA. We have not done so in the prior 12 months and have no plans to.

10.4 Sensitive personal information

We do not use or disclose sensitive personal information for purposes other than those permitted under the CCPA without the right to limit such use.

10.5 California rights

California residents have the rights described in Section 9, including the rights to know, delete, correct, opt out of sale or sharing (which we do not do), and limit use of sensitive personal information. To exercise these rights, contact us as described in Section 15. You may use an authorized agent to submit a request on your behalf.

11. International Users

Aetrix Systems is based in the United States, and our infrastructure and most of our service providers are located in the United States. If you access the Services from outside the United States, your information will be transferred to and processed in the United States, where data-protection laws may differ from those in your country.

By using the Services or providing information to us, you consent to such transfer. Where required by law, we rely on appropriate safeguards (such as standard contractual clauses) for international transfers.

12. Children's Privacy

The Services are intended for businesses and their authorized users, and are not directed to children. We do not knowingly collect personal information from anyone under the age of 16. If we learn that we have collected personal information from a child under 16 without verified parental consent, we will delete that information promptly. If you believe that we have collected information from a child, please contact us at privacy@aetrixsystems.com.

13. Cookies & Similar Technologies

Our marketing website and the Aetrix Core CRM web application use cookies, browser local storage, and similar technologies for the following purposes:

  • Strictly necessary — to keep you signed in, remember your preferences, and provide core features. These cannot be disabled without breaking the Services.
  • Analytics — to understand how the Services are used, in aggregate. We minimize the personal information collected for this purpose and aim to use privacy-preserving analytics where available.

We do not use cookies for cross-site advertising or for retargeting. Most browsers let you delete or block cookies; doing so may affect the functionality of the Services.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address associated with your account) or by posting a prominent notice on the Services or our website at least 30 days before the change takes effect, unless a shorter period is required by law. The "Last updated" date at the top of this Policy reflects the most recent revision.

15. Contact Us

If you have questions, concerns, or requests about this Privacy Policy or your personal information, contact us at:

Aetrix Systems, LLC
Privacy: privacy@aetrixsystems.com
Legal & data requests: legal@aetrixsystems.com
Support: support@aetrixcorecrm.com
Web: www.aetrixcorecrm.com

We will acknowledge receipt of privacy inquiries within a reasonable time and respond substantively as required by applicable law.