Privacy.

What FlatCRM collects, where it lives, who else touches it, and how to make it go away. Written so a human can finish it in five minutes.

Last verified 2026-05-08.

01 Who is the controller

FlatCRM is operated by a Polish individual under działalność nierejestrowa (unregistered economic activity). Address and a Data Processing Agreement are available on request to support@flatcrm.app. For data submitted by you about your contacts, you remain the controller and FlatCRM acts as your processor.

02 What we collect

  • Account email: Used to sign in, recover access, and send the four lifecycle emails (welcome, trial reminder, paid receipt, cancellation).
  • Workspace contents: Contacts, deals, tasks, tags, activity log, inbound emails, attachments. Whatever you enter or forward in.
  • Inbound email content: When you forward to your @inbox.flatcrm.app alias, the message and its attachments are stored against the matched contact.
  • Billing identity: Lemon Squeezy holds the card and tax data; FlatCRM stores only the customer ID, subscription ID, and plan.
  • Product events: PostHog captures funnel events (signup, contact created, deal moved, csv exported) keyed to the synthetic auth ID. Real email is not sent to PostHog.
  • Error reports: Sentry captures stack traces and the synthetic auth ID on failure paths. Request bodies are scrubbed.
  • Ad attribution: If you arrived from a Reddit Ads click and consented to analytics cookies, Reddit Pixel records the visit and Reddit Conversion API records signup or purchase against a hashed identifier.

03 Where it lives

The primary database is Supabase Postgres in the EU (Ireland, eu-west-1). Disk is encrypted at rest. Notes, inbound email subjects, and inbound email bodies are encrypted again at the application layer with AES-256-GCM before they reach the database — the key is held in the application host’s environment, not in the database. See Security for the threat model.

04 Sub-processors

The third parties FlatCRM hands data to, and what each one sees:

  • Supabase: Database, authentication, file storage. EU (eu-west-1, Ireland)
  • Vercel: Application hosting, edge runtime, logs. Global edge
  • Resend: Outbound transactional and inbound email. US / EU
  • Lemon Squeezy: Merchant of Record — payment, invoicing, tax. US
  • Cloudflare: Domain registrar, DNS, email routing for support@. Global
  • PostHog: Product analytics — event capture, session funnel. US
  • Sentry: Error and exception reporting. US
  • Reddit Ads: Conversion attribution (Pixel + Conversion API). US

05 Cookies

  • fc_initial: Essential. Holds the first letter of your account email so the marketing nav can show your avatar after login. Cleared on sign-out.
  • fc_utm: Essential. Persists the UTM parameters from your first visit so a later signup can be attributed.
  • Supabase auth cookies: Essential. Session and refresh tokens. Cleared on sign-out.
  • PostHog: Optional. Loaded only after you accept the cookie banner. Decline and PostHog never initialises.
  • Reddit Pixel: Optional. Loaded only after you accept the cookie banner. Decline and the pixel script never loads.

06 Retention

Workspace data lives until you delete it or close the workspace. Account deletion drops every row tied to your workspace, with a 30-day grace window in case you change your mind. The forensic audit log keeps row-deletion records for 24 hours then prunes itself; PostHog and Sentry retain on their own schedules (currently one year and 30 days respectively).

07 Your rights

Under GDPR you can ask for access, correction, deletion, export, and restriction. Most of these are one-button already: Export everything in Settings ships a zip of every row in five CSVs; Close workspace deletes the lot. For anything the UI doesn’t cover, mail support@flatcrm.app and you’ll have a reply within 72 hours. CCPA residents get the same rights via the same channel.

08 Children

FlatCRM is not directed at children under 16 and we do not knowingly collect their data. If you believe a child has signed up, mail support@flatcrm.app and the account will be deleted.

09 Changes

When this page changes, the verification date at the top changes with it. Material changes (new sub-processor, broader data collection) are announced by email to all account holders before they take effect.

10 Contact

Privacy questions, deletion requests, DPA signature: mail support@flatcrm.app. Acknowledged within one business day, resolved within 72 hours.