1. Introduction

Mako CRM ("we," "us," or "our") operates the Mako CRM platform at makocrm.so. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our customer relationship management platform and related services (the "Service"). By using the Service, you agree to the practices described in this policy.

2. Information We Collect

2.1 Account Information
When you create an account, we collect your name, email address, and password. During onboarding, we collect your business name, business type, and operating preferences.

2.2 Customer Data
As a business user, you may store information about your customers in the Service, including names, email addresses, phone numbers, physical addresses, service history, payment records, and custom field data. You are the data controller for your customer data, and we process it on your behalf as a data processor.

2.3 Payment Information
Payment processing is handled by Stripe. We do not directly store credit card numbers or bank account details. Stripe collects and processes payment information in accordance with its own privacy policy.

2.4 Communication Data
When you use our email, SMS, or messaging features, we process and store message content and metadata to deliver those communications. If you use the AI Receptionist feature, call transcripts and conversation data are processed and stored.

2.5 Usage Data
We automatically collect information about how you interact with the Service, including pages visited, features used, and activity logs.

3. How We Use Your Information

We use the information we collect to:
- Provide, maintain, and improve the Service
- Process bookings, invoices, payments, and subscriptions
- Send transactional emails such as booking confirmations, reminders, and team invitations
- Power AI-assisted features including the AI Receptionist and business analytics
- Synchronize data with connected integrations such as Google Calendar and QuickBooks
- Enforce our Terms of Service and prevent fraud or abuse
- Respond to support requests and communicate with you about the Service

4. Third-Party Services

We share data with the following categories of third-party service providers as necessary to operate the Service:

- Payment processing: Stripe processes payments, subscriptions, and payouts on our behalf.
- Email delivery: Resend delivers transactional and marketing emails.
- SMS and voice: Twilio provides SMS messaging and voice call infrastructure for the AI Receptionist.
- AI services: Google Gemini and ElevenLabs power AI-driven features such as business analytics and the AI Receptionist voice.
- Calendar sync: Google Calendar data is accessed when you connect your calendar via OAuth.
- Accounting: QuickBooks data is accessed when you connect your accounting software via OAuth.
- Infrastructure: Supabase provides database hosting, authentication, and serverless functions.

Each third-party provider processes data under its own privacy policy and terms. We only share the minimum data necessary for each provider to perform its function.

5. Data Security

We implement industry-standard security measures to protect your data, including:
- Encryption of data in transit (TLS/HTTPS)
- Row-level security policies ensuring users can only access data within their own organization
- Role-based access controls for team members
- Secure authentication via Supabase Auth with email verification
- Rate limiting on API endpoints

6. Data Retention and Deletion

We retain your data for as long as your account is active or as needed to provide the Service. When you delete your account, we initiate a 30-day grace period during which you may recover your account. After this period, your data is permanently deleted, including all associated customer records, bookings, and financial data.

You may request deletion of your account and data at any time by contacting us or using the account settings within the Service.

7. Your Rights

Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Request deletion of your data
- Object to or restrict certain processing
- Export your data in a portable format

To exercise any of these rights, contact us at support@makocrm.so.

8. Customer Portal Users

If you access the Service through a Customer Portal provided by a business using Mako CRM, that business is the data controller for your information. Your data is governed by that business's own privacy practices. We process your data on behalf of the business as a data processor. Please direct any questions about how your data is handled to the business that invited you to the portal.

9. Children's Privacy

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at support@makocrm.so.

‍