This policy explains what personal data we collect, why, and how we handle it. We wrote it in English, not in legalese. Our lawyers hated that. We didn't care.
Conduyt Inc. ("Conduyt," "we," "us," or "our") is a Delaware corporation headquartered at 700 112th Ave NE, Suite 310, Bellevue, Washington 98004, USA.
This policy applies to our website (conduyt.com), marketing activities, and the Conduyt product. Where we process data on behalf of a customer (for example, the contacts they import into their CRM), that customer is the controller and we act as the processor under GDPR Article 28.
When you sign up, we collect your name, work email, company name, and role. If you subscribe to a paid plan, our payment processor (Stripe) collects your billing address and payment details — we never see or store your card number.
The contacts, deals, notes, messages, and files you add to your workspace. We treat this as your data: we don't sell it, train on it, or share it. You can export or delete it at any time.
If you connect your email inbox or calendar, we receive message metadata and content to surface activity in the product. We only access what's needed for the features you've enabled.
IP address, browser type, pages visited, features used, error logs. We use this to keep the service up, debug issues, and make product decisions. Logs are PII-redacted and retained for 90 days.
Support emails, sales calls, survey responses. If you ever ask us to delete a support conversation, we will.
| Activity | Lawful basis | What it covers |
|---|---|---|
| Running the product | Contract | Authentication, serving pages, processing your CRM data |
| Billing & invoicing | Contract | Charging subscriptions, tax reporting |
| Security & fraud prevention | Legitimate interest | Rate limiting, anomaly detection, incident investigation |
| Product improvement | Legitimate interest | Aggregate usage analytics; you can opt out |
| Marketing emails to customers | Legitimate interest | Product updates, security notices; you can unsubscribe |
| Marketing to prospects | Consent | Newsletter, webinars — you actively signed up |
| Compliance & legal obligations | Legal obligation | Tax records, lawful requests, SOC 2 evidence |
| Data type | Retention |
|---|---|
| Account & product data | Life of the account + 30 days after cancellation |
| Billing records | 7 years (tax law) |
| System logs | 90 days |
| Security & audit logs | 1 year (Team), 7 years (Enterprise) |
| Backups | Rolling 90-day retention |
| Support conversations | 2 years, or until you ask us to delete |
Most of these are self-service inside the product (Settings → Privacy). For anything else, email privacy@conduyt.app. We verify your identity, then respond within 7 days — usually faster.
We operate out of the United States and offer EU data residency on Team and higher plans. Where data moves between regions, we use the European Commission's Standard Contractual Clauses (2021/914) and, for UK data, the UK Addendum. A copy of our SCCs is in our Data Processing Addendum.
Conduyt is not directed to children under 16 and we don't knowingly collect data from them. If you believe a child has provided us with personal data, email privacy@conduyt.app and we'll delete it promptly.
We update this policy when our practices change. Material changes are announced by email to active customers at least 30 days before they take effect. Cosmetic changes (typos, clarifications) are logged in a public diff at conduyt.com/privacy/history.
Anything privacy-related: privacy@conduyt.app. For formal requests, our Data Protection Officer is Samira Chen (DPO, reachable at the same address).
EU representative (Art. 27 GDPR): Conduyt Ireland Ltd., 6 Fitzwilliam Square East, Dublin 2, Ireland.
UK representative: Conduyt UK Ltd., 70 Wilson Street, London EC2A 2DB, United Kingdom.
Or by letter: Conduyt Inc., Attn: Privacy, 700 112th Ave NE, Suite 310, Bellevue, WA 98004, USA.
Our DPO reads every privacy email. Response within a week, usually a day.