Information we collect

• Account details such as name, email address, workspace membership, authentication state, and support requests.
• CRM records created by customers, including contacts, projects, files, forms, proposals, contracts, invoices, and workflow events.
• Calendar connection metadata, provider account identifiers, encrypted OAuth refresh tokens, webhook identifiers, and sync cursors.
• Calendar data needed to deliver scheduling features, such as calendar metadata, availability, and synced external event details.
• Operational telemetry such as logs, webhook receipts, security events, and job execution details used to monitor reliability and abuse.

How we use information

• To authenticate users, provision tenant workspaces, and enforce role-based access within each tenant.
• To deliver CRM workflows such as lead capture, document generation, invoicing, reminders, and client portal access.
• To connect Google and Microsoft calendars, refresh access in the background, process webhooks, and keep tenant scheduling data synchronized.
• To prevent fraud, investigate abuse, troubleshoot incidents, and maintain the security and performance of the service.

Google and Microsoft user data

When a user connects a provider, MDL CRM uses the granted scopes only to support the calendar features the user requested. Refresh tokens are stored encrypted at rest, used server-side for background refresh and sync, and marked for reauthentication if the provider revokes access.

• We do not sell Google or Microsoft user data.
• We do not use provider calendar data for unrelated advertising.
• We request the narrowest practical scopes for the feature set currently enabled in the product.

How information is shared

We share information only with service providers or subprocessors needed to operate the product, such as cloud hosting, infrastructure, transactional email, file storage, payment processing, and customer-directed provider APIs. We may also disclose information when required by law or to protect the security of the service.

Retention and deletion

Workspace data is retained for as long as the customer account remains active or as needed to satisfy legal, accounting, security, and backup obligations. Calendar connections can be disconnected by the user, and deletion or data access requests can be sent to brandon@mydarklab.com.

Security

We use administrative, technical, and physical safeguards designed to protect customer data, including encryption in transit, encrypted storage for provider refresh tokens, tenant-scoped storage boundaries, and audited background processing for synchronization and webhook handling.

Contact

Privacy questions, access requests, or deletion requests can be sent to brandon@mydarklab.com.