Privacy Policy
Last updated: September 30, 2025
One Life CRM ("One Life CRM," "we," "us," or "our") respects your privacy and is committed to protecting it. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information when you visit or use our websites, products, and services, including our web and mobile applications, customer portals, APIs, and integrations (collectively, the "Platform"). It also describes your privacy rights and how you can exercise them.
This Privacy Policy applies where we act as a controller of your personal information (for example, when you create an account with us, visit our websites, or use our services). When we process personal information on behalf of our business customers about their end users or contacts, we act as a processor/service provider and our customers’ privacy notices govern their processing of that data. In those cases, we process such data under our agreements with our customers and their instructions.
If you do not agree with our policies and practices, do not use the Platform. By accessing or using the Platform, you acknowledge you have read and understand this Privacy Policy.
Definitions
- Personal Information ("PI"): information that identifies, relates to, describes, can reasonably be associated with, or could reasonably be linked to an individual or household.
- Processing: any operation performed on Personal Information, such as collection, use, storage, disclosure, or deletion.
- Controller: the entity that determines the purposes and means of processing Personal Information.
- Processor/Service Provider: an entity that processes Personal Information on behalf of a Controller.
- Sensitive Personal Information: certain categories of data defined by law (e.g., precise geolocation, government IDs) requiring additional protections.
Data Controller and Contact Information
The Controller for your Personal Information (unless otherwise stated or where we act as a processor for our customers) is One Life CRM. If you have questions or wish to exercise your rights, contact: legal@onelifecrm.com.
EU/UK Representatives
If required by law, we will appoint representatives in the European Union and/or the United Kingdom and update this Privacy Policy with their contact details. If you are in the EU/UK and require assistance, you may contact us at legal@onelifecrm.com while we complete representative arrangements.
Data Protection Officer (DPO)
We have not appointed a Data Protection Officer. For privacy questions, contact our privacy team at legal@onelifecrm.com. If we appoint a DPO in future, we will update this section.
Information We Collect
- Account and Contact Data: name, business name, email address, phone number, mailing address, job title, and account credentials.
- Commercial and Transaction Data: purchases, subscription plans, billing and payment details (processed by our payment processor), and related records.
- Communications and Support Data: information you provide when you contact support, participate in surveys, provide feedback, or interact with us via email, chat, or phone.
- Usage and Device Data: IP address, device identifiers, browser type, operating system, referring URLs, pages viewed, links clicked, features used, session duration, and timestamps.
- Cookies and Similar Technologies: cookies, pixels, local storage, SDKs, and analytics identifiers used for essential functionality, performance, and (where permitted) marketing.
- Third-Party Sources: information from service providers and partners (e.g., analytics providers, identity providers, marketing partners) and publicly available sources.
How We Use Information
- Provide and Operate the Platform (Contract; Legitimate Interests): create and manage accounts; deliver features; process transactions; provide customer support.
- Personalize and Improve (Legitimate Interests; Consent where required): analyze usage; debug, fix, and enhance functionality; develop new products; personalize content and experiences.
- Security and Fraud Prevention (Legal Obligation; Legitimate Interests): protect accounts and the Platform; monitor, prevent, and detect fraud, abuse, or security incidents; enforce terms and policies.
- Communications (Contract; Legitimate Interests; Consent where required): send transactional messages (e.g., receipts, service notifications, policy updates) and, where permitted, marketing or informational communications.
- Compliance and Legal (Legal Obligation; Legitimate Interests): comply with laws; respond to lawful requests; protect our rights and those of users and third parties.
- Advertising and Analytics (Legitimate Interests; Consent where required): measure and understand the effectiveness of campaigns; deliver or measure personalized content (see Your Choices & Rights).
Legal Bases by Category (EEA/UK/Swiss)
- Account/Contact Data: contract (account provisioning), legitimate interests (service improvement), consent (optional marketing).
- Commercial/Transaction Data: contract (billing, transactions), legal obligation (tax, accounting).
- Usage/Device & Cookies: legitimate interests (security, diagnostics, analytics); consent where required for non-essential cookies.
- Support/Communications: contract (support), legitimate interests (quality assurance), legal obligation (recordkeeping, fraud prevention).
- Google Calendar Integration Data: consent and contract (provide requested features); legitimate interests (security, abuse prevention).
What We Share
We do not sell personal information for money. We may disclose personal information to service providers (hosting, storage, analytics, communications, authentication, payment processing, customer support, security), professional advisors, affiliates, and (at your direction) integration partners. We may also disclose information to comply with laws or in connection with a business transfer. We do not share your phone number or opt-in consent with third parties for their independent marketing unless you expressly authorize it.
Cookies & Similar Technologies
We use cookies and similar technologies to provide essential Platform functionality, understand performance and usage, and, where permitted, to measure and improve marketing effectiveness. You can manage cookie preferences in your browser and, where available, through our cookie preferences.
Children’s Privacy (COPPA/GDPR-K)
The Platform is not directed to children under 13 (U.S.) or under 16 (EEA/UK). We do not knowingly collect Personal Information from children under these ages. If we learn that we have collected such information, we will take steps to delete it promptly. Parents or guardians who believe a child has provided us information should contact legal@onelifecrm.com.
Google OAuth Calendar Integration
This section describes our use of Google user data and is intended to meet Google’s OAuth and API disclosure requirements, including the Google API Services User Data Policy ("Limited Use").
Scopes We Request
- openid
- https://www.googleapis.com/auth/calendar.readonly
- https://www.googleapis.com/auth/calendar.events
- https://www.googleapis.com/auth/calendar.calendarlist.readonly
- https://www.googleapis.com/auth/spreadsheets
What Information We Collect via Google
- Google account ID and email associated with the connected Google account.
- OAuth tokens, token expiry, and granted scopes needed to maintain your connection.
- Calendar list metadata (calendar ID, title/summary, primary flag, color settings).
- Events data (IDs, titles, descriptions, start/end times, attendees, reminders, conferencing links) for calendars and time ranges you select.
- Free/busy information for selected calendars to support availability checks.
- Spreadsheet title, sheet tab names, and header row values for the sheet you create or select to map fields.
How We Use Google Data
- Authenticate and link your Google account to your One Life CRM profile.
- Display calendars and events per your settings and time ranges.
- Create, update, and delete events at your direction; optionally add conferencing.
- Query free/busy to propose or confirm meeting times.
- Maintain the connection by securely storing tokens and honoring your granted scopes.
- Create a spreadsheet when enabled, show sheet tabs and headers, and append lead data to the sheet you select.
We use Google data only to provide or improve user-facing features you enable, for security, and to comply with law. We do not use Google data for advertising or to build advertising profiles, and we do not use it to train generalized AI models.
What We Share from Google Data
We do not sell or share Google user data with third parties for their independent marketing. We may disclose limited Google-derived data to service providers (under contract) solely to operate the calendar features, to other services only at your direction (for syncing), or as required by law.
Storage, Security, and Retention of Google Data
- We store OAuth tokens and basic account identifiers in our secure database.
- We implement administrative, technical, and organizational measures to protect Google data (encryption in transit, access controls, least-privilege access).
- We retain tokens and related configuration only as long as necessary to provide the integration or as required by law. Disconnecting removes stored tokens and related configuration for that user connection.
Your Choices & Revocation
- Disconnect in One Life CRM via integrations settings.
- Revoke access in your Google account at myaccount.google.com/permissions.
- Not enabling Google integration leaves core Platform features available without Google Calendar.
Our use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements. Human access is limited to cases required for security, compliance, resolving issues you report, or with your consent.
Third-Party Analytics & Advertising
We may use third-party analytics and limited advertising measurement tools. Examples include:
- Google Analytics (controls at tools.google.com/dlpage/gaoptout and adssettings.google.com).
- Meta platforms (controls at facebook.com/adpreferences/ad_settings).
We do not use Google Calendar data for advertising. Where required by law, we obtain consent before setting non-essential cookies/trackers.
California Notice at Collection (CCPA/CPRA)
Below is a summary of categories of Personal Information we may collect, the sources, purposes, disclosures, and whether the category is sold or shared for cross-context behavioral advertising. We do not sell Personal Information for money and we do not share it for cross-context behavioral advertising. We do not knowingly sell or share the personal information of consumers under 16 years of age.
| Category | Examples | Sources | Purposes | Disclosed To | Sold/Shared |
|---|---|---|---|---|---|
| Identifiers | Name, email, IP address | You; device/browser | Provide services; security; communications | Hosting, auth, support providers | No |
| Customer Records | Contact details, account info | You | Account setup; support | Hosting, support | No |
| Commercial Info | Purchases, subscription tier | You; payment processor | Billing; fraud prevention | Stripe (payments); finance tools | No |
| Internet/Network Activity | Usage analytics, logs | Device/browser; analytics | Security; analytics; improvement | Hosting; analytics providers | No |
| Inferences | Preferences from usage | Analytics | Product improvement; personalization | Analytics providers | No |
| Sensitive PI | We do not intentionally collect | N/A | N/A | N/A | No |
Automated Decision-Making / Profiling
We do not engage in solely automated decision-making that produces legal or similarly significant effects about you. If we introduce features that involve profiling or automated decisions, we will provide clear notice, meaningful information about the logic involved, and information about your rights.
International Transfers and Mechanisms
We may transfer, store, and process personal information outside your country, including in the United States. Where required, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, or adequacy decisions, to protect personal information transferred from the EEA/UK/Switzerland.
Data Subject Requests (Timing and Process)
To exercise your rights (access, correction, deletion, portability, objection/restriction, or withdrawal of consent), contact legal@onelifecrm.com. We will respond without undue delay and within one month (30 days) where required by GDPR, and within 45 days under applicable U.S. state privacy laws (with an extension where permitted). If we deny your request, you may appeal by replying to our decision email or by contacting legal@onelifecrm.com with "Appeal" in the subject line. We may need to verify your identity and may retain limited information as allowed by law.
Data Portability (GDPR Art. 20 / CCPA §1798.100)
Data Portability
Upon verified request, we will provide you with a copy of your Personal Information in a structured, commonly used, machine-readable format (such as JSON or CSV). Where technically feasible, and when requested, we will transmit this information directly to another controller.
Security and Breach Notification
We maintain administrative, technical, and organizational measures designed to protect personal information against unauthorized access, loss, misuse, or alteration. In the event of a data breach affecting your personal information, we will notify affected individuals and, where required, regulators without undue delay, consistent with applicable law.
Breach Notification Timeline (GDPR Art. 33)
Security Breach Notification
In the event of a personal data breach, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where required by law, we will also notify affected individuals without undue delay.
Accessibility
We are committed to making this Privacy Policy accessible. If you need this policy in an alternative format or need assistance exercising your rights, please contact legal@onelifecrm.com. We will work with you to provide reasonable accommodations.
Employment & Recruiting Data
If you apply for a job with One Life CRM or otherwise provide employment-related information, we may collect applicant data such as contact details, resume/CV, work history, education, and references. We use this information to process and evaluate applications and for onboarding if hired. Additional notices may apply and will be provided where required.
API & Other Integrations
Beyond Google Calendar, our Platform may integrate with service providers and partners to deliver certain features you choose to enable:
- Mailgun: transactional and inbound email services (sending, receiving, and webhooks). We transmit email content and metadata as needed to provide requested email features.
- Stripe: payment processing and billing. Stripe receives payment information and related metadata as necessary to process transactions. We do not store full payment card numbers.
- Facebook (Meta): optional connection for lead sync or performance reporting if you choose to connect. We process tokens and limited account IDs/metrics as required to provide the integration.
- GoHighLevel: optional CRM synchronization you initiate; we exchange contact and activity data per your configuration.
- Supabase: database, authentication, and edge functions used to operate the Platform securely.
For integrations, we process only the data necessary to deliver the features you enable, subject to this Privacy Policy and applicable partner terms. You can disconnect integrations at any time within the Platform (where available) or via the third-party service.
Data Retention
We retain personal information only as long as necessary to provide the Platform, comply with legal obligations, resolve disputes, and enforce agreements. By way of example: (i) account and profile data is retained for the life of the account plus up to 3 years after closure (or sooner upon verified deletion request) to address fraud prevention, disputes, or legal obligations; (ii) transactional/billing records are retained for up to 7 years (or longer if required by tax/accounting law); (iii) support tickets and communications may be retained for up to 3 years for quality assurance and compliance. We may anonymize data for analytics and product improvement.
Sensitive Personal Information (SPI)
We do not intentionally collect Sensitive Personal Information. To the extent any SPI is processed incidentally, we do not use it for inferring characteristics or for purposes beyond the limited uses permitted by applicable law (e.g., security, short-term transient use, or as authorized by you).
Your Choices & Rights
Depending on your location, you may have rights to access, correct, delete, or receive a portable copy of your data; to object to or request restriction of processing; and to withdraw consent where applicable. To exercise rights, contact legal@onelifecrm.com. We may verify your identity and may retain certain data as permitted by law.
U.S. State Privacy Disclosures
Residents of certain U.S. states (e.g., CA, CO, CT, DE, IA, MN, MT, NE, NH, NJ, OR, TN, TX, UT, VA) may have additional rights, including to know/access, correct, delete, and to appeal denials. We do not sell personal information or share it for cross-context behavioral advertising under applicable laws. If practices change, we will update this policy and provide required notices.
Methods for CCPA Requests (CPRA Regs §7024)
Submitting a Privacy Request (California Residents)
California residents may exercise their privacy rights by using any of the following methods:
Email: legal@onelifecrm.com
Mail: 100 Navigator Drive, APT #5308, Daytona Beach, Florida, 32117, United States.
Do Not Track
Some browsers transmit "Do Not Track" signals. We currently do not respond to DNT signals. You can use other mechanisms to control data collection, such as browser settings or opting out of certain cookies.
Changes
We may update this policy from time to time. The "Last updated" date indicates the latest revision. Continued use of the Platform after updates constitutes acceptance.
Contact
If you have questions or concerns, contact us at legal@onelifecrm.com.
Appendix A: Google OAuth Calendar Review – Summary
- What information do you collect? Google account ID and email, OAuth tokens and scopes, calendar list metadata, events you choose to sync (titles, descriptions, times, attendees, conferencing links), and free/busy for selected calendars.
- How do you use the information? To authenticate and connect your Google account; display calendars and events; schedule/manage events at your direction; determine availability; maintain the integration. Not used for advertising or to train generalized AI models.
- What information do you share? Not sold. Shared only with contracted service providers to operate the integration, with services you direct us to connect, or as required by law. Disconnect in the Platform or revoke at myaccount.google.com/permissions.
Controller Identity & Address (GDPR Art. 13)
Controller Identity and Address
The Controller of your Personal Information is One Life CRM, Inc., incorporated in Florida, USA.
Registered address: 100 Navigator Drive, APT #5308, Daytona Beach, Florida, 32117, United States.
You can contact us by email at legal@onelifecrm.com or by mail at the above address.