Privacy Policy

Account information. Name, email address, phone number and role for each person a workspace invites as a user.

Workspace data entered by a business. Customer/lead records (name, contact details, address), quotes, jobs, tasks, notes, payments and similar operational records the workspace creates to run its business.

Files and media. Photos, PDFs and other documents a workspace uploads against a job or customer record. On the Android app, adding a job photo can use the device camera directly (in addition to picking an existing photo) — the camera is only accessed when a user explicitly takes that action, and the photo is uploaded the same way regardless of source.

Call recordings and transcripts. Where a workspace uses the call-logging feature, audio recordings and AI-generated transcripts/summaries of those calls.

Push notification identifiers. A Web Push subscription (browser) or device token (Android, via Firebase Cloud Messaging) used solely to deliver reminders and activity notifications a user has opted into.

Usage and device data. Standard web analytics (page views, performance timing) collected via Vercel Analytics, and the user agent string associated with a push subscription.

We do not request access to precise device location or the microphone beyond what's described above (call recording uses the device microphone only when a user explicitly starts a recording; the camera is used only as described in "Files and media" above).

• Operate the CRM: store and display the records a workspace creates, and keep them isolated to that workspace.
• Send the notifications a user has enabled (reminders, mentions, activity on a job).
• Generate AI summaries of notes and call transcripts to save time on admin work.
• Maintain and secure the service, including basic performance and error monitoring.

We do not sell personal information, and we do not use workspace data to train third-party AI models beyond the per-request processing described in section 3.

MirroCRM is built on a small number of infrastructure and AI providers, each of which only receives the data needed to perform its function:

• Supabase — database, authentication and file/session storage.
• Cloudflare R2 — storage for uploaded photos, documents and call recordings.
• Vercel — application hosting and basic analytics.
• Gladia — speech-to-text transcription of call recordings, where that feature is used.
• Groq / Google Gemini — AI-generated summaries of notes and call transcripts.
• Google Firebase Cloud Messaging — delivery of push notifications to the Android app.

Workspace data is retained for as long as the workspace remains active. A workspace administrator can remove a customer, job or file record at any time; deleting a user account removes that person's login but does not remove workspace records they created, since those belong to the business. To request deletion of personal data we hold about you, contact the workspace administrator who invited you, or email us at the address in section 7.

Push notifications can be turned off at any time from the app's notification settings, which also removes the stored subscription/device token.

Data is encrypted in transit (HTTPS) and access to a workspace's records is restricted to that workspace's authenticated users via row-level access controls. No method of storage or transmission is 100% secure, but we apply industry-standard practices throughout the stack listed in section 3.

MirroCRM is a business operations tool and is not directed at, or knowingly used to collect information from, children.

Questions about this policy or a request relating to your personal data can be sent to privacy@mirrocrm.com.

We may update this policy as the product changes. Material changes will update the effective date above.