How we handle your data.

1. Introduction

YouCRMit (operated by Mabaso) is a managed customer-relationship-management service. We ingest a customer's existing communication history — email, calendar events, contact records, files, and forwarded SMS threads — and convert it into a deduplicated contact graph with per-contact AI personas. This policy explains what we access from Google, how we use it, where it lives, and what choices you have over it.

This policy applies to all users whose data is processed by YouCRMit, whether through the customer's own connected accounts or through reps invited by the customer.

2. Information we access from Google

When a user connects their Google account, we request the following OAuth scopes:

• gmail.readonly — read-only access to email messages, message metadata, and labels. We use this to capture sent and received emails, identify counterparties, and write each message into the activity timeline of the relevant contact.
• calendar.readonly — read-only access to calendar events. We use this to capture meeting metadata (attendees, time, subject, description) and link it to the relevant contacts in the activity timeline.
• drive.readonly — read-only access to files in Google Drive. We use this to associate documents with the contacts they reference, summarize document content, and surface key terms and renewal dates that matter to the customer's relationships.

We never write to a user's Gmail, Calendar, or Drive. We never request scopes beyond the three above.

3. How we use Google user data

YouCRMit's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Concretely, Google user data is used solely to (a) capture activity into the customer's CRM, (b) deduplicate and normalize contacts, (c) generate per-contact persona summaries, and (d) deliver these back to the user through the customer's own database and a spreadsheet-style UI. It is not used for any other purpose.

4. What we do not do

• We do not sell Google user data.
• We do not use Google user data for advertising.
• We do not transfer Google user data to third parties except as needed to provide the service the user signed up for.
• We do not use Google user data to train, fine-tune, or improve generalized AI or ML models.
• No human at YouCRMit reads Google user data except: with explicit user consent, for security investigation, to comply with applicable law, or in aggregated/anonymized form for internal operations.

5. Where data is stored

Each customer is provisioned a dedicated Supabase Postgres project. The customer's contact data, activity records, personas, and embeddings live exclusively in that project. The customer owns the database and retains full administrative access; YouCRMit operates the pipeline that writes to it.

Cross-tenant isolation is enforced at the project level: there is no shared database across customers. OAuth refresh tokens are stored encrypted in the customer's own Supabase project.

6. Data retention and deletion

To request deletion of all data associated with your account, email [email protected] from the address on file. Within 30 days of the request, we will:

• Disconnect all OAuth integrations and revoke our refresh tokens.
• Purge the contact graph, activity records, personas, and embeddings from the customer's Supabase project, or hand the project over to the customer if they wish to retain it.
• Delete operational logs that contain user-identifiable data, except records required for legal, financial, or security purposes (which are retained for the minimum period required and then purged).

If you connected via a Google account, you may also revoke YouCRMit's access at any time through your Google Account permissions page. Revocation halts ingestion immediately; existing data already in the customer's database is governed by the deletion process above.

7. Security

All data is transmitted over TLS. Data at rest in Supabase is encrypted using industry-standard AES-256. OAuth credentials are stored encrypted with per-tenant scoping. AI requests pass through a license-gated proxy we operate; customer data is sent to Anthropic as runtime context only, never as training data.

We do not transfer customer data outside the region of the customer's chosen Supabase project. Access to operational systems is limited to authorized personnel with audit logging on privileged actions.

8. Third parties used to operate the service

We use the following third-party providers as processors:

• Anthropic — Claude API. Customer data is passed as runtime context for persona generation and is not used by Anthropic for model training.
• Supabase — managed Postgres hosting for the customer's own database.
• Railway — compute hosting for the YouCRMit pipeline and supporting services.
• Twilio — SMS capture and delivery for customers using SMS-based ingestion.
• SendGrid — transactional email (welcome, reconnect, account-related notifications).
• Google APIs — source data for connected Gmail, Calendar, and Drive accounts.

9. Your rights

You may at any time:

• Request a copy of all data we hold about you (access).
• Request deletion of all data associated with your account (see Section 6).
• Export the customer's full database — the customer's Supabase project belongs to them and a complete export is always available.

If the customer terminates the YouCRMit service, the customer retains the database; YouCRMit ceases to operate against it.

10. Changes to this policy

If we make a material change to this policy, we will notify the account holder by email. Non-material changes (typos, clarifications) will be reflected in an updated effective date at the top of this page.

11. Contact

Questions, requests, or complaints: [email protected].

See also the Terms of Service.