Privacy Policy | Bastion CRM

1. Introduction

Bastion CRM ("Bastion," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, how we store and protect it, and your rights regarding your data.

By using Bastion CRM ("the Service"), you consent to the data practices described in this policy.

2. Information We Collect

Information you provide

When you use the Service, you may provide the following information:

Account information — Your Google account name, email address, and profile photo (provided automatically via Google Sign-In)
Business information — Company name, phone number, address, logo, service area, and industry
CRM data — Property records, contact information, addresses, phone numbers, notes, estimates, invoices, email templates, and documents you create within the Service
Photos and images — Images you upload for property documentation, social media posts, or your company logo

Information collected automatically

Usage data — Features used, pages visited, and actions taken within the Service (for the purpose of improving the product)
Device information — Browser type, operating system, and screen size (for compatibility and debugging)
Authentication tokens — Secure tokens generated by Google Firebase for maintaining your login session

Information we do NOT collect

Credit card numbers, bank account details, or other payment information (handled exclusively by Stripe)
Your Google account password
Location data from your device's GPS (map features use addresses you enter, not your physical location)

3. How We Use Your Information

Purpose	Data used
Providing the Service	Account info, CRM data, business info
Cloud sync across your devices	All data you enter into the Service
Team collaboration (Business plan)	Shared CRM data within your organization
Subscription management	Email, account ID, payment status (from Stripe)
Weather alerts for your service area	State/region setting from your Company Info
Customer support	Email, account info, relevant CRM data when troubleshooting
Product improvement	Aggregated, anonymized usage patterns

We never sell, rent, or trade your personal information or CRM data to third parties. We never use your data for advertising or ad targeting.

4. How We Store & Protect Your Data

Cloud storage

Your data is stored in Google Firebase (Firestore), which provides:

Encryption at rest (AES-256) and in transit (TLS 1.2+)
Data centers with SOC 1, SOC 2, and ISO 27001 certification
Automatic backups and redundancy across multiple data centers
Access controls ensuring only your account (or your organization members) can access your data

Local storage

A copy of your data is also cached on your device using your browser's localStorage for offline functionality. This data is accessible only to the Bastion application on your device and is not transmitted to any third party.

Photos and images

Photos you upload (property images, logos) are stored locally on your device as base64 data. They are not uploaded to our cloud servers unless you are using the cloud sync feature, in which case they are stored in your encrypted Firestore document.

Payment data

All payment processing is handled by Stripe, Inc., a PCI DSS Level 1 certified payment processor. We never see, store, or have access to your credit card number, CVV, or banking details. We only receive confirmation of payment status, plan type, and subscription dates from Stripe. See Stripe's Privacy Policy.

5. Third-Party Services

The Service uses the following third-party providers who may process your data according to their own privacy policies:

Service	Purpose	Data shared
Google Firebase	Authentication, database, cloud sync	Google profile, CRM data
Stripe	Payment processing	Email, payment info (entered by you on Stripe's page)
Google Maps	Map display, geocoding, route planning	Property addresses
National Weather Service	Severe weather alerts	Your state/region setting (no personal data)

We do not share your personal information with any third parties beyond what is necessary to provide the Service as described above.

6. Team & Organization Data Sharing

If you use the Business plan and create or join an organization:

All organization members can view and edit shared CRM data (properties, estimates, invoices, contacts)
Your name and email are visible to other members of your organization
The organization owner controls membership and can add or remove members
If you leave an organization, your personal data is separated from the shared data

Data sharing occurs only within organizations you explicitly create or join. We never share data between different organizations or unrelated users.

7. Data Retention

Active accounts: Your data is retained for as long as your account is active
Canceled subscriptions: Your data is retained and accessible in read-only mode. You can reactivate at any time.
Account deletion: Upon request, we will delete all your data from our servers within 30 days. Local data on your device can be cleared through Settings → Data & Tools.
Inactive accounts: Accounts with no sign-in activity for 24 months may be flagged for deletion. We will send a notification to your email before taking any action.

8. Your Rights

You have the right to:

Access your data — View all data stored in your account within the Service, or request a full export
Export your data — Download your CRM data as a CSV file at any time through Settings → Data & Tools → Export
Correct your data — Edit any information in your account directly through the Service
Delete your data — Request complete deletion of your account and associated data by contacting [email protected]
Withdraw consent — You may stop using the Service at any time. Revoking Google sign-in permissions is done through your Google Account settings

9. Cookies & Tracking

Bastion CRM does not use tracking cookies, advertising cookies, or third-party analytics cookies. The Service uses only:

localStorage — To store your CRM data locally for offline functionality and app preferences (theme, colors, settings)
Firebase authentication tokens — Session tokens to keep you signed in securely

We do not use Google Analytics, Facebook Pixel, or any other tracking tools on the application.

10. Children's Privacy

The Service is not directed at children under the age of 13 (or 16 in the EU). We do not knowingly collect personal information from children. If we learn that we have inadvertently collected data from a child, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at [email protected].

11. International Users

The Service is operated from the United States. If you are accessing the Service from outside the US, please be aware that your data will be transferred to, stored, and processed in the United States where our servers (Google Cloud) are located. By using the Service, you consent to this transfer.

For users in the European Economic Area (EEA), UK, or other regions with data protection laws: we process your data based on your consent (given at sign-in) and our legitimate interest in providing the Service. You may exercise your data rights as described in Section 8.

12. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users via email within 72 hours of becoming aware of the breach. Notification will include the nature of the breach, what data was affected, and steps we are taking to address it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or in-app notification. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy, want to exercise your data rights, or have concerns about how your information is handled, contact us at:

Bastion CRM
Email: [email protected]
Website: bastioncrm.com