Invizo
CRM

Privacy Policy

Invizo CRM Privacy Policy

This policy explains how Invizo CRM collects, uses, protects, and shares personal data, including how we support GDPR rights for business owners and their customers.

Effective date: May 17, 2026

What We Collect

  • Account data such as name, email address, company name, country, login activity, and billing or access status.
  • Workspace data such as connected apps, generated API keys, merchant records imported by the business owner, lifecycle campaigns, email templates, and usage logs.
  • Email service data needed to send lifecycle mail, including sender settings, recipient email addresses, delivery status, bounce or failure information, and verification results.
  • Security and operational data such as IP-derived request metadata, authentication events, API key last-used timestamps, and system logs needed to protect the service.

Why We Use Data

  • To provide Invizo CRM, authenticate users, connect Shopify apps, send lifecycle emails, verify email addresses, and show analytics to the account owner.
  • To prevent abuse, detect failed API authentication, investigate failed sends or abnormal bounce rates, and keep the platform secure.
  • To send product, onboarding, and service communications where permitted by law or where the user has consented.
  • To comply with legal obligations, resolve disputes, and enforce our terms.

GDPR Lawful Bases

  • Contract: we process account, workspace, merchant, campaign, and delivery data to provide the CRM service requested by business owners.
  • Legitimate interests: we process limited security, fraud-prevention, analytics, and reliability data to protect Invizo CRM and improve the product.
  • Consent: we use consent for optional marketing communication where required and allow users to withdraw that consent.
  • Legal obligation: we retain or disclose limited information where applicable law requires it.

Roles Under GDPR

  • For business-owner account data, Invizo acts as the data controller.
  • For merchant, customer, campaign recipient, and Shopify app data uploaded or synced by a business owner, that business owner is usually the data controller and Invizo acts as a data processor.
  • Business owners are responsible for having a lawful basis to import, verify, email, or otherwise process their merchant and customer data through Invizo CRM.

Sharing and Subprocessors

  • We do not sell competitor, merchant, recipient, or customer data.
  • We share data only with service providers needed to operate Invizo CRM, such as hosting, database, authentication, email delivery, verification, analytics, monitoring, and customer support providers.
  • Subprocessors must process data only under our instructions, keep it confidential, and apply appropriate security controls.

Retention

  • We keep account and workspace data while the account is active or as needed to provide the service.
  • Email delivery logs, verification usage, campaign history, and API activity logs are retained only as long as needed for product functionality, abuse prevention, billing, support, and legal compliance.
  • When an account is deleted, we delete or anonymize data within a reasonable period unless retention is required by law, security, dispute resolution, or backup recovery procedures.

Your Rights

  • Depending on your location, you may request access, correction, deletion, restriction, portability, or objection to processing.
  • You may withdraw marketing consent at any time.
  • EU/EEA and UK users may lodge a complaint with their local data protection authority.
  • To exercise rights, contact us using the details below. We may need to verify your identity before acting on a request.

Security

  • We use access controls, tenant isolation, encrypted secrets where supported, audit logging for platform-admin access changes, and operational monitoring.
  • API keys are shown only at creation time where practical and should be rotated if exposed.
  • No internet service can be guaranteed perfectly secure, but we work to protect data against unauthorized access, alteration, disclosure, or destruction.

International Transfers

  • Invizo CRM and its providers may process data in countries outside your own.
  • Where GDPR applies and data is transferred internationally, we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent legal mechanisms.

Contact and Data Requests

For privacy requests, data processing questions, a Data Processing Agreement, or security concerns, contact Invizo at privacy@invizo.io. Business owners should also ensure their own customer-facing privacy policy explains how they use Invizo CRM.

Read integration docs