Skip to main content
My Crazy CRM — Legal
Return Home

Privacy Policy

Last Updated: Monday, June 1st, 2026 USA EST

1. Overview

This Privacy Policy describes how My Crazy Agency LLC ("we," "us," or "our") collects, uses, and protects information in connection with the My Crazy CRM platform at crm.mycrazyagency.com and its associated public-facing pages (/demo, /refer, /portal, /intake).

2. Data We Collect

We collect the following categories of information through normal platform operation:

  • Account information: name, email address, role, phone number
  • Authentication data: encrypted password hashes, session tokens
  • Google OAuth tokens: Gmail API and Google Calendar API access and refresh tokens, stored per user to enable email integration and calendar scheduling features
  • Activity logs: pages visited, actions taken, timestamps
  • IP addresses and session metadata for security purposes
  • Prospect and client records entered by authorized users
  • Call logs, notes, messages, reminders, and task data
  • Email engagement data: we track whether emails sent to prospects are opened and whether recipients reply, via Resend email delivery infrastructure
  • Do Not Call records: phone numbers, and optionally first and last names, of individuals who have requested no further contact from the agency. These records are maintained solely to enforce calling restrictions
  • Portal session data: when external prospects access the secure portal, their session activity, IP address, and consent actions are recorded for quality assurance and business documentation purposes, as disclosed in the portal consent screen
  • Referral partner information: names, email addresses, and phone numbers of persons who sign up for the referral program via the /refer/signup page, submitted voluntarily
  • Demo and intake form submissions: name, email, phone, business name, and any notes entered by visitors via the /demo or /intake pages

3. How We Use Your Data

Data collected through this platform is used exclusively for:

  • Platform operation and access control
  • Authentication and session management
  • Activity tracking for accountability and compliance
  • Security monitoring and incident investigation
  • Internal business operations and performance management
  • Outreach to prospects and leads who submit their information via public pages
  • Enforcing Do Not Call restrictions

4. Who Has Access to Your Data

Harry Price (superadmin) has access to all data within the platform, including activity logs, audit trails, session history, and IP addresses, for security and compliance purposes.

Other users see only what their assigned role permits. Role-based access control is enforced at the database level via row-level security policies.

5. Third-Party Services

This platform uses the following third-party services to operate:

  • Supabase — database hosting and authentication (supabase.com)
  • Vercel — platform hosting and deployment (vercel.com)
  • Anthropic — AI features via Oliver, our AI assistant (anthropic.com)
  • Google — Gmail API and Google Calendar API (google.com). We store OAuth access and refresh tokens per user solely to enable Gmail email integration and Google Calendar scheduling features. Users can revoke this access at any time by disconnecting the integration from their account settings. Google's use of this data is governed by Google's Privacy Policy.
  • Calendly — demo call scheduling (calendly.com). When a visitor books a demo call through our /demo page, their name and email are passed to Calendly to pre-fill the scheduling form. Calendly loads only after explicit cookie consent. Calendly may set its own cookies and process scheduling data under its own Privacy Policy.
  • Resend — transactional email delivery (resend.com). We use Resend to deliver emails sent through the platform. Resend receives recipient names, email addresses, and message content for delivery purposes. Resend does not use this data for advertising.
  • Slack — internal operations notifications (slack.com). The platform posts CRM event notifications (such as new prospect submissions and pipeline updates) to our internal Slack workspace. Only agency-internal event data is transmitted; no external PII beyond what is entered into the platform is shared.

Each third-party service operates under its own privacy policy. We do not sell, rent, or share your data with any third party for advertising, marketing, or any purpose outside platform operation.

Subprocessors

DRAFT — review with a licensed Pennsylvania attorney before relying on this.

The following is a complete list of third-party companies ("subprocessors") that process data on behalf of My Crazy Agency LLC as part of normal platform operation, as identified in the platform codebase and configuration:

  • Supabase (supabase.com) — database storage and user authentication
  • Vercel (vercel.com) — application hosting and serverless function execution
  • Anthropic (anthropic.com) — AI language model API powering the Oliver assistant
  • OpenRouter (openrouter.ai) — AI API routing layer used as a fallback for the Oliver assistant when the primary Anthropic API is unavailable; receives the same user context and query data as Anthropic
  • Resend (resend.com) — transactional email delivery; receives recipient names, email addresses, and message content
  • Calendly (calendly.com) — demo call scheduling; receives visitor name and email on the /demo page
  • Slack (slack.com) — internal operations event notifications via webhook; receives CRM event data such as new lead submissions and pipeline updates
  • Google (google.com) — Gmail API (email integration) and Google Calendar API (calendar scheduling); stores OAuth access and refresh tokens per user
  • GitHub (github.com) — private source code repository; automated cron processes commit operational status files, which may include team member names, email addresses, and role information, to a private repository

Each subprocessor operates under its own terms and privacy policy. This list reflects processors identified in the platform codebase and configuration as of the last-updated date shown above, and will be updated as integrations change.

6. Data Retention

Active contractor accounts and associated business records are retained for the duration of the contractor relationship and for a reasonable period thereafter as required for business and legal purposes. Activity logs are never automatically deleted.

Prospect and lead records for individuals who do not become clients (i.e., where no contract was signed) are retained as active business records unless a deletion is requested by contacting harry@mycrazyagency.com. Referral partner records are retained for the same purpose.

Do Not Call records are retained indefinitely in order to honor opt-out requests on an ongoing basis. Portal session recordings are retained for quality assurance purposes and accessible only to the superadmin.

7. Cookies and Local Storage

This platform uses essential cookies and local storage for authentication and session management. On the /demo page, the Calendly scheduling widget — which may set third-party cookies — is loaded only after you explicitly accept cookies via the consent banner. If you decline or have not accepted, Calendly does not load. See our Cookie Policy for full details.

8. Data Security

All data is stored in Supabase with row-level security (RLS) policies enforced. Passwords are hashed and never stored in plain text. All platform traffic is encrypted via HTTPS. Access is restricted by role-based permissions.

9. Policy Updates

My Crazy Agency LLC may update this Privacy Policy at any time. Users will be notified of material changes via the platform. Continued use of the platform constitutes acceptance of the updated policy.

10. Your Rights

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

  • Right to know: you may request disclosure of the categories and specific pieces of personal information we collect about you.
  • Right to delete: you may request deletion of your personal information, subject to certain exceptions.
  • Right to opt out of sale: we do not sell personal information.
  • Right to non-discrimination: we will not discriminate against you for exercising any of these rights.

If you are located in the European Union, you may have additional rights under the GDPR, including the right to access, rectify, erase, restrict, or port your personal data, and the right to object to processing. To exercise any of these rights, contact harry@mycrazyagency.com.

11. Contact

To request data correction, deletion, or to ask questions about this policy, contact harry@mycrazyagency.com.