Privacy Policy

Last updated: 16 July 2026

1. Introduction

Allsorts CRM ("we," "our," or "us") is operated by Allsorts Web Designers, a company based in South Africa. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you and your organization use our CRM platform (the "Service").

We are committed to protecting your privacy and complying with applicable data protection laws, including the Protection of Personal Information Act (POPIA) of South Africa.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Name and email address
  • Password (stored in encrypted/hashed form)
  • Organization name and business details you provide
  • Billing information for paid subscriptions (processed by PayFast — we don't store card numbers)

2.2 Your Business Data

We store the CRM data you and your team enter, including:

  • Contacts and companies (names, emails, phone numbers, addresses)
  • Deals, tasks, activity notes, and email logs
  • Invoices, quotes, and branding details (logo, banking details for your own invoices)
  • Custom fields and automation rules you configure

Much of this data is itself personal information about third parties (your customers and contacts) that you, as the data controller for that information, are responsible for having a lawful basis to store and process. We act as the data processor on your behalf for this data.

2.3 Technical Data

We automatically collect:

  • IP addresses (used for rate limiting and security, not stored long-term for analytics)
  • Browser type and version, device type
  • Pages visited and actions taken on our platform
  • Cookies required for authentication and session management

3. How We Use Your Information

We use the information we collect to:

  • Provide our Service: operate the CRM, generate documents, send emails via your connected SMTP account, and run automations you configure
  • Process payments: handle subscriptions and billing through PayFast
  • Communicate with you: send service updates, security alerts, and support messages
  • Improve our Service: analyze usage patterns to enhance features
  • Ensure security: detect and prevent fraud, abuse, and security threats (rate limiting, lockouts, audit logs)
  • Comply with legal obligations: meet regulatory and legal requirements

4. AI Features

Allsorts CRM includes optional AI-assisted features (email drafting, deal suggestions, and an in-app assistant) that send relevant CRM data — such as a contact's name, a deal's stage, or your typed question — to a third-party AI provider (Groq, and optionally Google Gemini or OpenRouter) to generate a response. These features are used only when you explicitly trigger them; nothing is sent automatically in the background.

AI provider API keys are configured at the platform level, not per-organization, and stored encrypted. We do not control how third-party AI providers process or retain data sent to their APIs beyond what their own terms describe.

5. Data Sharing and Disclosure

We may share information with:

5.1 Service Providers

Trusted third parties who assist in operating our Service, including our hosting provider, PayFast for payment processing, your own connected SMTP provider for sending email, and AI providers (Groq, Gemini, OpenRouter) when you use AI features. These providers are contractually or technically limited to the data necessary for their function.

5.2 Legal Requirements

We may disclose information when required by law, court order, or government request, or when necessary to protect our rights, property, or safety.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you of any such change.

We do not sell your personal information to third parties.

6. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption in transit (TLS/SSL)
  • Secure password hashing using bcrypt
  • Encrypted storage of SMTP passwords and AI provider API keys (AES-256-GCM)
  • Two-factor authentication (TOTP) available for all accounts
  • Rate limiting and account lockout on repeated failed logins
  • Security headers (CSP) and access controls

However, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but strive to protect your data using commercially acceptable means.

7. Data Retention

We retain your data as follows:

  • Account and CRM data:retained while your organization's account is active, and for 30 days after a deletion request to allow recovery from accidental deletion
  • Billing records: retained for 7 years as required by law
  • Audit logs: retained for security and compliance purposes

8. Your Rights

Under POPIA, you have the right to:

  • Access: request a copy of your personal data
  • Correction: correct inaccurate or incomplete data
  • Deletion: request deletion of your data, subject to legal retention obligations
  • Objection: object to processing based on legitimate interests
  • Withdraw consent: withdraw previously given consent at any time

To exercise these rights, contact us at [email protected]

9. Cookies

We use cookies for:

  • Essential cookies: required for authentication and session security — the Service cannot function without these
  • Referral attribution cookie: if you arrived via a referral link, a cookie records the referral code for up to 30 days

We do not use third-party advertising or tracking cookies. You can manage cookie preferences through your browser settings, though disabling essential cookies will prevent you from logging in.

10. Children's Privacy

Our Service is not intended for children under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by email or prominent notice on our platform. Your continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact Us

For privacy-related inquiries or to exercise your rights:

Allsorts Web Designers

Trading as Allsorts CRM

Email: [email protected]

East London, Eastern Cape, South Africa

You have the right to lodge a complaint with the Information Regulator of South Africa if you believe your privacy rights have been violated.