Last updated: June 18, 2025

Privacy Policy

1. Introduction

TSM CRM ("we", "our", or "the Service") is operated by TSM CRM Ltd. We are committed to protecting the personal data of our customers and website visitors in accordance with the General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), and applicable data protection laws in Latvia and Lithuania.

This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights in relation to it.

2. Data We Collect

We collect the following categories of personal data:

  • Account data: name, work email address, phone number, company name, job title.
  • Authentication data: hashed passwords, two-factor authentication secrets (never stored in plain text).
  • Financial integration data: API keys and OAuth tokens for third-party banking and payment services (stored encrypted using AES-256).
  • Transaction data: bank transaction records, balances, and statements imported via connected integrations.
  • Usage data: IP addresses, browser type, pages visited, timestamps, and audit log entries.
  • Communications: any information you provide when contacting our support team.

3. Legal Basis for Processing

We process your personal data on the following legal bases:

  • Contract performance — to provide the Service you have signed up for.
  • Legitimate interests — to maintain security, prevent fraud, and improve the Service.
  • Legal obligation — to comply with applicable laws including AML/KYC requirements and tax regulations.
  • Consent — for marketing communications, where required.

4. How We Use Your Data

  • To create and manage your account and company workspace.
  • To synchronise financial data from connected bank and payment integrations.
  • To generate financial reports, invoices, and contracts on your behalf.
  • To perform sanctions screening (OFAC, EU, UN) on transaction counterparties.
  • To send transactional notifications and security alerts.
  • To comply with anti-money-laundering, tax reporting, and audit obligations.
  • To investigate and prevent fraud, abuse, or security incidents.

5. Data Sharing

We do not sell your personal data. We may share data with:

  • Banking & payment providers (Wise, Payoneer, Revolut Business, etc.) — only to the extent necessary to perform the integration you authorise.
  • Cloud infrastructure — DigitalOcean (EU/US data centres) for hosting and storage.
  • Compliance services — sanctions screening providers.
  • Tax authorities — IRS, HMRC, VID, VMI — as required by applicable law or at your explicit request.
  • Law enforcement — if required by a valid legal order.

All third-party processors are bound by data processing agreements ensuring GDPR-equivalent protections.

6. International Transfers

Our servers are located in the European Union (Frankfurt, DE). Some third-party integrations (e.g. Payoneer, Wise) may process data in the United States. Such transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission.

7. Data Retention

  • Account data is retained for the duration of your subscription plus 3 years.
  • Financial transaction records are retained for 7 years to comply with accounting and tax regulations.
  • Audit logs are retained for 5 years.
  • Upon account deletion, personal data is anonymised within 30 days unless retention is required by law.

8. Security

We implement technical and organisational measures including AES-256 encryption at rest, TLS 1.2+ in transit, role-based access control, multi-factor authentication, IP whitelisting, and regular security reviews. API keys and OAuth tokens are stored exclusively in encrypted form and are never logged in plain text.

9. Your Rights

Under GDPR, UK GDPR, and applicable EU law you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate data.
  • Erasure — request deletion of your data where no legal retention obligation applies.
  • Restriction — request that we restrict processing in certain circumstances.
  • Portability — receive your data in a structured, machine-readable format.
  • Object — object to processing based on legitimate interests.
  • Withdraw consent — at any time where processing is based on consent.

California residents have additional rights under the CCPA, including the right to know, delete, and opt out of the sale of personal information (we do not sell personal information).

To exercise any right, contact us at privacy@tsm-crm.com. We will respond within 30 days.

10. Cookies

We use strictly necessary cookies for session management and authentication. We do not use tracking or advertising cookies. You may disable cookies in your browser settings; however, the Service requires session cookies to function.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be notified by email to account holders at least 14 days before taking effect. Continued use of the Service after that date constitutes acceptance of the updated policy.

12. Contact

Data Controller: TSM CRM Ltd
Email: privacy@tsm-crm.com
Website: tsm-crm.com

If you are located in the EU, you have the right to lodge a complaint with your national supervisory authority (e.g. the Latvian Data State Inspectorate — Datu valsts inspekcija).