Privacy Policy
Last updated:
Template draft: have a lawyer review it before publishing it in production.
This Privacy Policy explains what personal data GALLO CRM S.r.l. (“Gallo CRM”, “we”, “us”) collects, why we process it, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR) and other applicable laws.
01 Who we are (Data Controller)
The data controller is GALLO CRM S.r.l., Via Statale 21, 21030 Marchirolo (VA), Italy — VAT IT03270000777. For any privacy request you can reach us at gallo-crm@hotmail.com.
When you upload information about your own customers and contacts (“Customer Data”), you act as the data controller for that data and Gallo CRM acts as your data processor, processing it on your instructions to provide the Service.
02 Data we collect
- Account data: name, email address, password (stored only as a salted hash), organisation name, role, and language preference.
- Customer Data: the records you create or import — leads, customers, companies, deals, tasks, notes, files and the contact details they contain. You decide what to upload.
- Billing data: plan, subscription status and the payment identifiers returned by our payment processor. We never see or store your full card number.
- Technical & usage data: IP address, device and browser information, and diagnostic/error events needed to operate and secure the Service.
03 Why we process it and our legal basis
- To provide the Service (create your account, store and display your data, run features) — performance of a contract (GDPR Art. 6(1)(b)).
- To bill you for paid plans — contract and legal obligation (tax/accounting).
- To secure and improve the Service (rate limiting, fraud and abuse prevention, error monitoring, aggregated analytics) — legitimate interests (Art. 6(1)(f)).
- To send transactional emails (invites, password resets, billing notices) — contract.
- Where required, with your consent (e.g. optional AI features over your data) — consent (Art. 6(1)(a)), which you can withdraw at any time.
04 AI features
Some optional features (lead scoring, summarisation and the assistant) process the relevant records using third-party AI providers, including Anthropic. Depending on the configured provider this may involve a transfer of the processed records outside the EEA (e.g. to the United States) for the duration of the request only.
We do not sell your data and we do not allow it to be used to train third-party AI models without your explicit opt-in. AI processing happens on a per-request basis; the providers act as our subprocessors under data-processing terms. You can disable AI features for your organisation.
05 Subprocessors
We rely on a small set of vetted providers to run the Service. Each processes data only as needed for its function and under a data-processing agreement:
- Railway — application & database hosting (EU region).
- Cloudflare R2 — file/attachment storage (EU jurisdiction).
- Stripe — subscription billing and payment processing.
- Resend — transactional email delivery.
- Anthropic — AI processing for optional features (may involve a US transfer).
- Sentry — error and performance monitoring (EU region).
We will keep this list current and give notice of material changes. Contact us for the up-to-date subprocessor list at any time.
06 International data transfers
We host customer content in the EU. Some subprocessors (notably AI providers) may process data outside the EEA. Where that happens we rely on appropriate safeguards under GDPR Chapter V, such as the European Commission’s Standard Contractual Clauses, and we minimise the data involved.
07 Data retention
We keep Customer Data for as long as your account is active. After you close your account we retain it for up to 30 days to allow recovery, then delete or anonymise it, except where a longer period is required by law (e.g. invoices for tax purposes). Backups are rotated on a rolling schedule.
08 Your rights
Subject to applicable law, you have the right to:
- access the personal data we hold about you;
- rectify inaccurate data and complete incomplete data;
- erase your data (“right to be forgotten”);
- restrict or object to certain processing;
- receive your data in a portable, machine-readable format;
- withdraw consent at any time, without affecting prior processing.
To exercise any right, email gallo-crm@hotmail.com. You also have the right to lodge a complaint with your local data protection authority (in Italy, the Garante per la protezione dei dati personali).
09 Cookies
We use only the cookies needed to run the Service (e.g. authentication and security) plus, where applicable, privacy-respecting analytics. See our Cookie Policy for details and your choices.
10 Security
We apply technical and organisational measures to protect your data, including encryption in transit, strict per-tenant isolation, least-privilege access and monitoring. See our Data Security page for details.
11 Children
The Service is intended for business use and is not directed to children. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us data, contact us and we will delete it.
12 Changes to this policy
We may update this Privacy Policy from time to time. The version shown at the top of this page always applies. We will notify you of material changes through the Service or by email.
13 Contact
Questions about your privacy or this policy? Email gallo-crm@hotmail.com.
