Privacy Policy
Last updated: December 1, 2025
Master Privacy Policy
Effective Date: April 1, 2026.
BasaltHQ Inc. (referred to herein as "Company", "we", "our", or "us") respects your privacy and is committed to protecting it through our strict compliance with this Master Privacy Policy ("Policy"). This Policy exhaustively describes the types of information we may collect from you or that you may provide when you visit our website, application, or leverage the BasaltCRM suite and its interconnected autonomous systems (our "Service"), and our exacting practices for collecting, using, maintaining, protecting, and disclosing that information.
This Policy applies to information we collect upon the Service; in electronic communications between you and the Service; through mobile and desktop applications you download from the Service; and dynamically via interactions with our deployed agents. Please read this policy carefully to understand our policies and practices regarding your information. If you do not agree with our policies and practices, your sole recourse is not to use our Service. By accessing or using this Service, you agree to this Policy unconditionally.
1. Scope of Privacy Applicability
This Policy applies exclusively to the BasaltCRM ecosystem. It does not govern data collection by any application, website, or third-party service outside our direct infrastructure, nor does it govern information collected offline or via channels outside the defined digital perimeter of the Service. We bear no liability for the data practices of non-integrated third parties.
2. Definitions of Processed Information
2.1. "Personal Information" means information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device. This includes identifiers like a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, or other similar identifiers.
2.2. "Non-Personal Information" means data that is de-identified, anonymized, or aggregated such that it cannot be reasonably linked to a specific individual or household.
2.3. "Customer Metadata" means data generated by the use of our infrastructure, such as volume of messages sent, delivery rates, open rates, and general utilization heuristics of our AI engines.
3. Modalities of Information Collection
3.1. Direct Submission. We explicitly collect Information by which you may be personally identified, such as name, postal address, e-mail address, and telephone number when you voluntarily provide corresponding entries through our webforms, account creation gateways, or direct inquiries to our corporate contact vectors.
3.2. Automated Telemetry. As you navigate through and interact with our Service, we employ automatic data collection technologies to continuously harvest highly granular environmental metadata. This includes hardware specifics, operating system signatures, cryptographic browser headers, traffic patterns, and comprehensive behavioral navigation mappings (further analyzed in Section 5 via our Microsoft Clarity integration).
4. Purposes and Legitimate Interests of Processing
We process the Information that we collect about you or that you proactively provide to us, including any Personal Information, to fundamentally present our Service and its contents to you; to provide you with granular utilization notices; to fulfill any other purpose for which you provide it; to carry out our obligations and legally enforce our rights arising from any contracts entered into between you and us, expressly including billing and complex revenue collection mechanisms; and to notify you unequivocally about vital systemic architectural shifts or newly available integrations.
5. Microsoft Clarity Integration & Behavioral Telemetry
To ensure unparalleled engineering stability and rapidly diagnose platform bottlenecks via macroscopic mapping, we inject diagnostic telemetry capture tooling globally across the dashboard. We partner explicitly with Microsoft Clarity and Microsoft Advertising to capture how Authorized Users leverage and interact with our application ecology through behavioral tracking metrics, real-time thermal heatmaps, and deterministic session replication methodologies. This ensures we can rapidly trace user-experience falloff and perfect our products. Website usage data is acquired utilizing dynamic first-party and third-party tracking algorithms to analyze geographic product viability and continuous online interactions. Furthermore, we leverage this information for platform optimization infrastructures, threat-hunting security arrays, and targeted corporate outreach. For comprehensive definitions outlining how Microsoft Corporation collects, synthesizes, and deploys your operational data, please rigorously review the official Microsoft Privacy Statement.
6. Cookies, Local State, and Persistent Storage Mechanisms
Our platform relies extensively on both Session (volatile) and Persistent memory cookies. Essential Cookies are non-negotiable and strictly necessary for zero-trust authentication matrices and core navigational state retention. Analytics Cookies assess continuous application fidelity and map user traversal friction. While standard browser manipulations allow you to refuse tracking cookies, invoking such protocols will result in immediate, severe degradation of our capacity to provide rapid engineering support for UI anomalies, and certain modules may reject connection attempts entirely due to missing state verification.
7. Disclosures and Sharing (Sub-processors)
We absolutely prohibit the sale, exchange, or unauthorized licensing of your Personally Identifiable Information (PII) to raw data brokers for marketing speculation. However, we may unequivocally disclose aggregated information about our users, and information that does not identify any individual, without restriction. We may disclose Personal Information that we collect or you provide as described in this policy: (a) To our subsidiaries and affiliates; (b) To highly vetted enterprise contractors, service providers (such as AWS, Twilio, OpenAI, Stripe), and other third parties we use strictly to support our business functions; (c) To comply with any court order, valid law enforcement subpoena, or rigorous legal process, including responding to any government or regulatory request.
8. Intercontinental Data Transfers and SCCs
BasaltHQ leverages geo-distributed enterprise cloud fabrics. Information collected from you may be transferred to, stored, or processed in the United States or any other country in which we, our affiliates, or our designated sub-processors maintain resilient architecture. If operational data is transferred beyond the European Economic Area (EEA), we mandate the execution of binding Standard Contractual Clauses (SCCs) to guarantee equivalent regulatory safeguards and structural privacy continuity.
9. Data Security and Cryptographic Standards
All client payload and persistent data is fortified beneath absolute cryptographic enforcement: Advanced Encryption Standard (AES-256) algorithms govern data at rest within physically secured enterprise cloud facilities, while Transport Layer Security (TLS 1.3 or highest available commercial grade) encrypts all volatile traffic in transit. BasaltCRM enforces ruthless internal principle-of-least-privilege mechanisms, physically isolating engineering arrays from production customer datasets. However, we cannot guarantee the absolute systemic impenetrability of the internet; any transmission of Personal Information is therefore conducted strictly at your own operational risk.
10. Right to Erasure and Data Retention
In adherence with the Right to be Forgotten (GDPR Article 17) and equivalent regulatory statutes, Enterprise tenants may invoke terminal hard-deletion commands upon contract dissolution. Invocation of this right systematically incinerates assigned cloud partitions and cryptographically overwrites associated vector search indices beyond the point of standard forensic recovery. Absent such invocation, we retain account routing data perpetually to maintain referential integrity of cross-tenant suppression lists and systemic security logs.
11. State Privacy Rights (CCPA & CPRA)
If you are a resident of California or a similarly legislatively protected state, you are endowed with specific rights regarding access to your personal information. You have the right to request comprehensive disclosure of our collection and data disbursement procedures encompassing the prior 12-month trailing operational period. You possess the strict right to formally demand that we do not "sell" or "share" your personal information, a directive we fundamentally fulfill by virtue of our strictly B2B operating philosophy.
12. European Union Data Protection Disclosures (GDPR)
For data subjects located within the European Economic Area, we operate strictly as a Data Processor regarding Customer CRM uploads, and a Data Controller concerning standard Account Administration Data. You possess the absolute right to lodge formal grievances with your localized Supervisory Authority should you determine our data practices deviate materially from the stringent processing limitations codified within the General Data Protection Regulation.
13. Children's Online Privacy Protection Act (COPPA)
Our Website and concomitant Services are explicitly constructed as elite enterprise toolsets built strictly for verified corporate operators. We do not intentionally orchestrate the extraction of data from entities under the age of eighteen (18). If we obtain validated confirmation that we have inadvertently collected Personal Information from a minor, we will execute immediate terminal deletion via our engineering protocols.
14. Material Modifications to This Policy
We perpetually reserve the unilateral right to amend, augment, or synthetically rewrite this Master Privacy Policy dynamically as global regulatory algorithms shift. Material systemic modifications addressing the handling of Personal Information will be boldly communicated via mandatory administrative dashboard alerts at least 30 days prior to global enforcement mapping.
15. Contact Data Compliance Officer
To exercise any regulatory rights (Data Portability, Right to Erasure, DPO queries), or to demand formal clarification regarding the esoteric intricacies of our processing pipelines, please contact our Data Compliance team via electronic routing to [email protected].