Privacy Policy

Last updated: February 8, 2026

1. Introduction

Samford Labs (“we,” “our,” or “us”) operates Talk2CRM, a mobile application that connects phone call data with CRM systems using artificial intelligence. This Privacy Policy explains how we collect, use, store, and protect your information when you use Talk2CRM.

By using Talk2CRM, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the application.

2. Data We Collect

2.1 Account Information

When you connect your accounts, we process:

  • OAuth tokens for RingCentral and Zoho CRM (stored encrypted on your device via platform Keychain/Keystore)
  • Email address for early access waitlist and account identification

2.2 Call Data

When processing calls, Talk2CRM accesses the following via the RingCentral API:

  • Call logs (date, time, duration, participants)
  • Call transcripts (text content of conversations)
  • Contact matching data (phone number to CRM record lookup)

2.3 CRM Data

Talk2CRM reads from your Zoho CRM:

  • Module schemas and field definitions
  • Record data relevant to matched contacts
  • Picklist values and field options

Important: Talk2CRM can only read and create/update records. It has no capability to delete CRM records (see our Zero-Delete Policy in Section 5).

2.4 Data Sent to AI

For AI processing (via OpenAI GPT-4o through our secure server relay), we send:

  • Call transcript text
  • Sanitized CRM record values (system fields stripped)
  • Contact name and email snippet
  • Field schemas and picklist options
  • Field weights for prioritization

We never send to AI: OAuth tokens, API keys, internal IDs (Created_By, Modified_By), or database records beyond the active call context.

3. How We Use Your Data

We use your data exclusively to provide Talk2CRM's core functionality:

  • Voice-to-field mapping: Extracting CRM field values from call transcripts
  • Commitment extraction: Identifying follow-ups and promises from conversations
  • Deal signal detection: Analyzing buying signals and deal health
  • Natural language search: Converting plain English queries to CRM searches
  • Call prep sheets: Generating pre-call briefings from CRM history

4. Data Storage and Retention

4.1 Local Storage

Talk2CRM stores data locally on your device using SQLite. The following retention schedule is enforced automatically on each app launch:

  • Processed call records: 30 days
  • Sync errors: 7 days
  • Phone contacts cache: 30 days
  • Field update history: 60 days
  • Commitments: 90 days
  • Completed reminders: 30 days
  • Past activities: 30 days
  • API logs: 7 days (also auto-pruned every 50 inserts)

4.2 Credential Storage

OAuth tokens are stored in your device's platform Keychain (iOS) or Keystore (Android) using flutter_secure_storage with encrypted shared preferences enabled. Tokens never leave your device except during API calls to the respective services.

4.3 AI Data Retention

All AI API calls enforce store: false, opting out of OpenAI's 30-day data retention policy. Your data is processed and discarded — OpenAI does not retain it beyond the duration of the API request.

4.4 Server-Side Processing

AI calls in production route through Supabase Edge Functions. These functions act as secure relays — they receive your data, forward it to OpenAI, and return the response. No data is persisted on our servers beyond the request lifecycle.

5. Security Measures

Talk2CRM implements the following security measures:

  • Zero-Delete Policy: The application codebase contains no DELETE HTTP methods. Talk2CRM cannot delete records from your CRM.
  • Manual Confirmation: All CRM writes require your explicit approval through the Review Card UI.
  • PKCE OAuth: Both RingCentral and Zoho CRM connections use PKCE (S256) to prevent authorization code interception.
  • Server-Side Secrets: API keys (OpenAI, Zoho client secret, RingCentral client secret) are stored on Supabase Edge Functions and never touch your device.
  • PII Masking: 31 PII field patterns are automatically redacted from API logs before local storage.
  • No Token Leakage: Exception messages never include raw tokens, auth codes, or API response bodies.
  • Permission-Aware Access: Module discovery respects your CRM permissions. Delete permissions are explicitly ignored and not stored.

6. Third-Party Services

Talk2CRM integrates with the following third-party services:

7. Your Rights

You have the right to:

  • Disconnect your RingCentral and Zoho CRM accounts at any time
  • Request deletion of your waitlist email address
  • Clear all locally stored data by uninstalling the application
  • Review what data the app has stored locally (via the Settings screen)

Since Talk2CRM stores most data locally on your device and enforces automatic data pruning, your data is ephemeral by design.

8. Children's Privacy

Talk2CRM is designed for business use and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the “Last updated” date.

10. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Samford Labs
Email: privacy@samfordlabs.com