Privacy Policy

1. Introduction

ShineCRM ("ShineCRM," "we," "us," or "our") is a software-as-a-service customer relationship management platform designed for exterior cleaning businesses. This Privacy Policy explains how we collect, use, share, store, and protect personal information when you use our mobile application, web dashboard, websites, and related services (collectively, the "Service").

ShineCRM is currently operated by Sean van Gessel as a sole proprietorship based in Victoria, British Columbia, Canada. References to "ShineCRM" in this policy refer to this business and any successor entity.

This policy applies to:

• Customers: Businesses and individuals who sign up for and use ShineCRM (typically exterior cleaning companies, sole proprietors, and their employees).
• End Clients: The customers of our Customers, whose information our Customers enter into the Service (homeowners, property managers, etc.).
• Website Visitors: Anyone who visits our marketing website at shinecx.com or related domains.

By using the Service, you agree to this Privacy Policy. If you do not agree, do not use the Service.

2. Plain-Language Summary

We've written this policy in detail to be transparent and legally complete. Here's the short version:

• We collect what we need to run the Service: your account info, the data you put into ShineCRM, and standard technical data like IP addresses and device info.
• We use Stripe for payments. We never see, store, or handle your credit card numbers directly.
• AI is a core part of the Service. We use AI to read, analyze, and generate responses to all communications processed through ShineCRM, and we use that data to operate and improve our AI models.
• Customers can opt out of AI training at any time. AI inference (using AI to help with your work) cannot be disabled while using AI features.
• We do not sell your personal information.
• Our founder and authorized support personnel may technically access Customer Data to operate, debug, and support the Service. Cross-tenant administrative dashboards show metadata only (token counts, model names, decision outcomes, costs) and do not display the content of your customers' messages. Every cross-tenant access is recorded in an audit log that tenant administrators can review. See Sections 7.6 and 15.1.
• We use trusted third-party services (Supabase, Stripe, Twilio, Resend, Anthropic, OpenAI, Google, Cloudflare, and others) to operate. They process data on our behalf.
• Our servers are currently located in the United States.
• You have rights over your data: access, correction, deletion, portability, and more. Email sean@shinecx.com to exercise them.
• You must be 18 or older to use the Service.

3. Who We Are and How to Contact Us

Business Name: ShineCRM (operated by Sean van Gessel)
Mailing Address: 1279 Derby Rd, Victoria, BC, Canada
Privacy Contact Email: sean@shinecx.com

For all privacy-related questions, requests, or complaints, email sean@shinecx.com. We respond to verified requests within 30 days.

4. Information We Collect

4.1 Information You Provide to Us (Customer Account Data)

When you sign up for and use ShineCRM as a Customer, we collect:

• Identity Information: Name, business name, job title.
• Contact Information: Email address, phone number, business address, mailing address.
• Account Credentials: Username, password (stored as a salted hash, never in plain text).
• Billing Information: Subscription tier, billing history, and limited payment metadata. Full payment card details are collected and stored by Stripe, not by ShineCRM. We receive only tokenized references and basic transaction data from Stripe.
• Communications with Us: Support emails, chat messages, survey responses, and feedback.
• Marketing Preferences: Whether you have opted in to marketing emails.

4.2 Information You Enter Into ShineCRM (End Client Data)

As a Customer, you may enter, upload, or generate the following information about your End Clients:

• Names, addresses, email addresses, phone numbers.
• Property photos and job-site images.
• Service history, estimates, invoices, and payment history.
• Notes, tags, and custom fields you create.
• SMS message content and metadata exchanged with End Clients via the Service.
• Call recordings and call metadata, where the calling feature is used.
• Email content and metadata exchanged through the Service.
• Job schedules, location data tied to jobs, and route information.

You are the controller of this End Client data. ShineCRM acts as your processor and handles this data on your behalf, in accordance with your instructions and this policy.

4.3 Information Collected Automatically

When you or your End Clients interact with the Service, we automatically collect:

• Device Information: Device type, operating system, OS version, app version, browser type and version, screen size, language, and time zone.
• Network Information: IP address, internet service provider, approximate geographic location derived from IP address.
• Usage Data: Pages visited, features used, buttons clicked, session duration, referral source, error logs, crash reports, and timestamps of activity.
• Mobile Location Data: Precise GPS location, when you grant the mobile app permission, used to support job routing, check-ins, and time tracking.
• Web Location Data: Approximate location derived from IP address, and precise location if you grant browser permission.
• Push Notification Tokens: Device-level identifiers used to deliver in-app and system notifications.
• Cookies and Similar Technologies: See Section 9.

4.4 Mobile Device Permissions

When you use the ShineCRM mobile app, we may request the following device permissions. Each permission is requested only when needed for the relevant feature, and you may revoke any of them at any time through your device's system settings.

• Camera: To capture photos of job sites, before/after shots, receipts, and other work-related images. Photos are only created and stored when you explicitly take or attach them.
• Microphone: To make and receive business phone calls through our in-app calling feature (powered by Twilio), and to record calls where the call recording feature is enabled and used.
• Photos and Media Library: To attach existing images from your device's photo library to jobs, estimates, invoices, and messages.
• Location: To support job routing, on-site check-ins, and time tracking. Precise location is only collected when you grant permission and only while the relevant feature is in use. See also Section 4.3 (Mobile Location Data).
• Notifications: To deliver alerts for incoming calls, SMS messages, job updates, payment events, and other Service activity.
• Contacts (optional): If you choose to import contacts from your device, we use this permission to read selected contact entries you choose to import. We do not upload your full address book without your action.
• Phone State: On Android, used by the in-app calling feature so the app can manage call audio routing and respond appropriately when a native phone call interrupts an in-app call.

4.5 Information from Third Parties

We may receive information about you from:

• Stripe: Subscription status, payment outcomes, refund records.
• Analytics and Error Tracking Tools: Aggregated data about Service performance and usage.
• Marketing and Referral Sources: If a third party refers you to us, we may receive limited information from that referral.

4.6 AI and Machine Learning Data

The Service includes AI-powered features (automated message drafting, summarization, transcription, lead scoring, scheduling assistance, and similar functions). To deliver these features, we send relevant data to AI service providers including Anthropic, OpenAI, and Google (Gemini). See Sections 7 and 8 for details on how AI inference and training work.

5. How We Use Your Information

5.1 To Provide the Service

• Create and manage your account.
• Process payments and subscriptions through Stripe.
• Deliver core features: contacts, estimates, jobs, invoices, scheduling, messaging, and reporting.
• Send transactional notifications (account updates, payment receipts, security alerts, service announcements).
• Provide customer support.
• Sync data between mobile and web platforms.

5.2 To Operate AI Features (Inference)

• Read, analyze, and process all inbound and outbound communications (SMS, email, calls, voicemails, notes) handled through the Service.
• Generate suggested replies, drafts, summaries, transcripts, lead scores, scheduling suggestions, and other AI-assisted outputs.
• Detect anomalies and flag items needing attention.

AI inference is a core part of the Service and cannot be disabled while using AI-dependent features.

5.3 To Train and Improve AI Models (Future Use)

We currently use third-party AI APIs (Anthropic, OpenAI, and Google) to power AI features. Under those providers' API terms, data submitted via their APIs is not retained for model training by default.

We may, in the future, use Customer Data — including communications processed through the Service — to train and improve AI models that power ShineCRM. Trained models may be used to benefit all ShineCRM users. We are disclosing this intent in advance so that ongoing use of the Service constitutes notice; if this practice begins, we will update this policy with the effective date.

Customers can opt out of AI training at any time through account settings or by emailing sean@shinecx.com. Opting out applies to future training; we cannot retrain or roll back models that have already incorporated data, as this is not technically feasible.

Where Customers have not opted out, the use of Customer Data for AI training is permitted under our Terms of Service. Customers represent and warrant that their own privacy notices and agreements with End Clients permit this processing. See Section 18 for Customer responsibilities.

ShineCRM (and any successor entity) owns all AI models, including any models trained or improved using Customer Data.

5.4 To Improve and Develop the Service

• Analyze how Customers use the Service to identify bugs, performance issues, and feature opportunities.
• Conduct internal research and product development.
• Test new features.

5.5 To Communicate with You

• Send transactional messages required to operate your account.
• Send marketing emails about new features, tips, and offers, only if you have opted in. You can unsubscribe at any time using the link in any marketing email.
• Respond to your inquiries.

5.6 To Protect the Service and Comply with Law

• Detect, investigate, and prevent fraud, abuse, security incidents, and policy violations.
• Enforce our Terms of Service.
• Comply with legal obligations, court orders, and lawful government requests.
• Establish, exercise, or defend legal claims.

5.7 With Your Consent

For any purpose disclosed to you at the time we collect the information or with your consent.

6. Legal Bases for Processing

(For users in the EEA, UK, and similar jurisdictions)

Where applicable law requires us to identify a legal basis for processing personal information, we rely on:

• Performance of a Contract: To provide the Service you have signed up for.
• Legitimate Interests: To operate, secure, and improve the Service, train and improve AI models that power the Service, prevent fraud, and conduct internal analytics, where these interests are not overridden by your rights.
• Consent: For marketing emails, optional cookies, and any other processing where consent is required. You may withdraw consent at any time.
• Legal Obligation: To comply with applicable laws and regulations.

For End Client data, ShineCRM acts as a processor on behalf of Customers, who are responsible for establishing the legal basis for processing under their own agreements and notices to End Clients.

7. How We Share Your Information

We share personal information only as described below. We do not sell personal information.

7.1 Service Providers (Sub-Processors)

We share information with third-party service providers who help us operate the Service. These providers are contractually required to handle data securely and only on our instructions. Our current sub-processors include:

We may add, remove, or replace sub-processors as our infrastructure evolves. We will update this list when material changes occur.

7.2 With Your Customers and Their Authorized Users

If you are a Customer, your authorized team members can access the data in your ShineCRM account. If you are an End Client of one of our Customers, your data is accessible to that Customer and their authorized users.

7.3 Business Transfers

If ShineCRM is acquired, merged, sold, or otherwise transfers ownership or assets, your information may be transferred to the acquiring entity as part of that transaction. We will notify you of any such transfer and your rights regarding your data.

7.4 Legal and Safety

We may disclose information when we believe in good faith that disclosure is necessary to comply with applicable law, enforce our Terms of Service, protect the rights or safety of ShineCRM or others, or detect and prevent fraud and security issues.

7.5 With Your Consent

We may share information for any other purpose disclosed to you and with your consent.

7.6 ShineCRM Internal Access

ShineCRM's founder, Sean van Gessel, and any authorized support personnel may technically access Customer Data and End Client Data, including communications processed through the Service, for the limited purposes of providing customer support, debugging Service issues, monitoring AI model behavior, operating cross-tenant administrative tooling (including the AI orchestration dashboard described in Section 14), enforcing our Terms of Service, and complying with legal obligations.

We minimize this access by default. Cross-tenant administrative dashboards display aggregate metrics and structural metadata only — for example: organization name, billing usage, AI model identifiers, token counts, decision outcomes, latency, and cost. These dashboards do not display the content of your customers' SMS messages, emails, call recordings, or AI-drafted reply bodies. Drafted reply text and the raw conversation text that the AI receives are not duplicated into the cross-tenant audit log; they remain in tenant-scoped tables that ShineCRM personnel cannot read through the administrative surface without making a deliberate, separately logged action.

Access to Customer Data by ShineCRM personnel is gated behind an explicit super-administrator role. The list of users holding this role is small (initially: the founder only) and is maintained internally.

Every access by ShineCRM personnel to a specific Customer's records through the administrative dashboards is recorded in an internal access log. The log captures the identity of the accessor, the action taken, the table and row identifier accessed, and the time of access. Tenant administrators can view the access log entries that touched their own organization through their account dashboard, and may also request a copy by emailing sean@shinecx.com. We will produce the log on request in response to a data subject inquiry, a regulator request, or a court order.

8. International Data Transfers

ShineCRM is operated from Canada, and most of our infrastructure is located in the United States. If you are accessing the Service from outside Canada or the United States, your information will be transferred to, processed in, and stored in the United States and other countries where our service providers operate.

These countries may have data protection laws that differ from those in your country. By using the Service, you acknowledge and agree to the transfer of your information to these jurisdictions.

For users in the European Economic Area, United Kingdom, and Switzerland: where required, we rely on appropriate safeguards such as Standard Contractual Clauses or other lawful transfer mechanisms when transferring personal information internationally.

9. Cookies and Tracking Technologies

We and our service providers use cookies, web beacons, pixels, local storage, and similar technologies on our website and dashboard to keep you signed in, remember your preferences, measure and analyze how the Service is used, detect and prevent fraud, and deliver and measure marketing campaigns.

You can control cookies through your browser settings. Disabling certain cookies may affect functionality. Where required by law, we will ask for your consent before setting non-essential cookies.

10. Data Retention

We retain personal information for as long as necessary to provide the Service and fulfill the purposes described in this policy.

• Active Accounts: We retain your account data for as long as your account is active.
• Cancelled Accounts: After you cancel or delete your account, we delete or anonymize your account data and End Client data within 30 days, except where retention is required for legitimate business or legal purposes.
• Backups: Deleted data may persist in encrypted backups for a limited period before being overwritten.
• Stripe Data: Payment-related records held by Stripe are retained according to Stripe's policies and applicable financial regulations.
• Anonymized and Aggregated Data: Once irreversibly anonymized or aggregated, data may be retained indefinitely for analytics, research, and AI model improvement.
• AI Models: If we use Customer Data to train AI models in the future (see Section 5.3), those models may be retained indefinitely. Account deletion would not remove a Customer's prior data contribution from previously trained models, as retraining or rolling back models is not technically feasible.
• Legal Holds: We may retain information longer when required by law or to establish, exercise, or defend legal claims.

11. Your Privacy Rights

Depending on where you live, you may have the following rights over your personal information:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request that we correct inaccurate or incomplete information.
• Deletion: Request that we delete your personal information.
• Portability: Request a copy of your data in a structured, machine-readable format.
• Restriction: Request that we limit how we process your information.
• Objection: Object to processing based on legitimate interests or for direct marketing.
• Withdraw Consent: Withdraw consent for processing that is based on consent.
• Opt Out of AI Training: Customers can opt out at any time through account settings or by emailing sean@shinecx.com.
• Automated Decisions: Request human review of significant decisions made solely by automated means.
• Non-Discrimination: Not be discriminated against for exercising your rights.
• Complain to a Regulator: Lodge a complaint with your local data protection authority.

To exercise any of these rights, email sean@shinecx.com. We will respond within 30 days. We may need to verify your identity before fulfilling your request.

If you are an End Client whose data was entered into ShineCRM by one of our Customers, please direct your request to that Customer first, since they control your data. We will assist them in fulfilling valid requests.

Self-Serve Options

You can exercise most rights directly within the Service: export your data from your account dashboard, edit your account information, delete portions of your account data, toggle AI training opt-out, and permanently delete your entire organization and account from the mobile app (Settings → Delete account) or from the web operator dashboard. Deletion is immediate and cascades through all of your organization’s data, cancels any active subscription, and releases any provisioned phone number. If you need help with deletion or want to verify it completed, email sean@shinecx.com.

12. Region-Specific Disclosures

12.1 Canada (PIPEDA, Quebec Law 25, BC PIPA)

We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec's Act respecting the protection of personal information in the private sector (Law 25), and BC's Personal Information Protection Act (PIPA). You have the right to access and correct your personal information and to file a complaint with the Office of the Privacy Commissioner of Canada or your provincial regulator.

For Quebec residents: ShineCRM's Privacy Officer is Sean van Gessel, reachable at sean@shinecx.com.

12.2 European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR)

If you are located in the EEA, UK, or Switzerland, you have the rights described in Section 11. You may also lodge a complaint with your local supervisory authority. ShineCRM does not currently maintain an EU representative. For privacy inquiries, contact sean@shinecx.com.

12.3 California (CCPA / CPRA)

California residents have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, including the right to know, correct, delete, and opt out of sale or sharing. ShineCRM does not sell or share personal information for cross-context behavioral advertising.

To exercise California rights, email sean@shinecx.com.

12.4 Other US States

Residents of other US states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, and others) may have similar rights. Contact sean@shinecx.com to exercise these rights.

13. Marketing and Anti-Spam Compliance (CASL)

If you are in Canada, we comply with Canada's Anti-Spam Legislation (CASL). We send marketing emails only to recipients who have provided express or implied consent. Every marketing email includes our identity and contact information and a clear and functional unsubscribe link that takes effect within 10 business days.

Transactional and account-related messages are sent regardless of marketing preferences and do not require separate consent. You can opt out of marketing at any time by clicking unsubscribe in any marketing email or emailing sean@shinecx.com.

14. Automated Decision-Making and AI

ShineCRM uses automated processing and AI to support core features, which may include lead scoring and prioritization, automated message drafting and suggested replies, pricing suggestions, schedule optimization and route planning, call transcription and summarization, and anomaly detection.

These features assist Customers in making decisions but do not produce legal or similarly significant effects on End Clients without human review by a Customer. If you believe an automated decision has had a significant effect on you and you would like human review, contact sean@shinecx.com.

15. Security

We take reasonable technical and organizational measures to protect personal information, including encryption of data in transit using HTTPS/TLS, encryption of data at rest, Row-Level Security (RLS) policies in our database, salted password hashing, access controls limiting production database access to authorized personnel, and security monitoring and error tracking.

No security system is perfect. You are responsible for keeping your password secure and notifying us immediately if you suspect unauthorized access. In the event of a data breach, we will notify you and applicable regulators as required by law.

15.1 Internal Access Controls and Audit Logging

Production database access is limited to authorized personnel. Tenant data is segregated by Row-Level Security policies that scope every read and write to the calling user's organization. Cross-tenant access by ShineCRM personnel is gated behind an explicit super-administrator role recorded in a dedicated database table.

Every action taken by a super administrator against tenant-identifiable records through the administrative dashboards, including viewing the AI decisions log, opening a specific decision record, editing a global AI prompt or trigger setting, editing a tenant's AI instructions, cancelling a scheduled follow-up, clearing a contact's AI timer, or dismissing a Suds suggestion, is recorded in an append-only audit log. Each entry captures the identity of the accessor (auth user ID and email), the action performed, the table name and row identifier touched, the affected organization identifier, the time of access, and any contextual metadata about the action.

Audit log entries cannot be modified or deleted by any application user, including super administrators. Tenant administrators can view the audit log entries that touched their own organization at any time through their account dashboard, and may request a copy or export by emailing sean@shinecx.com. Audit log entries are retained for a minimum of twenty-four (24) months.

The cross-tenant administrative tooling stores only structural metadata about each AI decision — model identifier, token counts, decision outcome category, latency, cost, and structural counts of messages and follow-ups passed to the model. It does not store, and ShineCRM personnel cannot view through the administrative surface, the raw text of the conversations sent to the AI provider, the raw text returned by the AI provider, or the drafted reply bodies. Those records remain in tenant-scoped tables protected by the same Row-Level Security policies that protect customer messages and follow-ups.

16. Children's Privacy

The Service is intended for users 18 years of age or older. We do not knowingly collect personal information from children under 18. If we learn that we have collected information from a child under 18, we will delete it. Contact sean@shinecx.com if you believe a child has provided us with personal information.

17. Third-Party Links and Services

The Service may contain links to third-party websites or integrate with third-party services that we do not operate. This Privacy Policy does not apply to those third parties. We encourage you to review their privacy policies before providing them with personal information.

18. Customer Responsibilities

If you are a Customer using ShineCRM to manage End Client data, you are responsible for maintaining your own privacy notice and service agreements with End Clients that disclose the use of third-party software, AI processing, call recording, and data sharing; obtaining all consents required by applicable law; honoring privacy rights requests from End Clients; and configuring the Service in compliance with applicable law.

ShineCRM provides template language that Customers may incorporate into their own privacy notices as a starting point. Use of the template does not constitute legal advice; Customers should consult their own counsel.

A Data Processing Addendum (DPA) is available upon request by emailing sean@shinecx.com.

19. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email at least 7 days before the changes take effect. For minor changes, we may make changes effective immediately with notice posted in the Service or on our website. For changes required by law or to address urgent security matters, changes may take effect immediately.

Your continued use of the Service after the effective date of an updated policy constitutes acceptance of the changes.

20. Governing Law and Disputes

This Privacy Policy is governed by the laws of the Province of British Columbia and the federal laws of Canada applicable in BC. Any disputes arising out of or related to this Privacy Policy will be resolved in accordance with the dispute resolution provisions of our Terms of Service, except where applicable law provides you with a non-waivable right to seek resolution elsewhere.

21. Contact Us

Email: sean@shinecx.com
Mailing Address: 1279 Derby Rd, Victoria, BC, Canada