PRIVACY POLICY

CRM Infusion LLC

Last Updated: May 5, 2026

CRM Infusion LLC (“CRM Infusion,” “Company,” “we,” “us,” or “our”) respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and protect information when you visit our website at www.crminfusion.com (the “Website”), interact with our content, or communicate with us. It also explains, at a high level, how we handle client CRM data in the course of providing consulting services.

By using the Website, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Website.

1. SCOPE AND ROLES

This Privacy Policy applies to:

  • Visitors to our Website
  • Individuals who submit forms, book calls, or otherwise contact us
  • Representatives of our business clients and prospects

For Website and marketing activities, we generally act as a data controller of the personal information we collect about you. For CRM data we access inside client systems (e.g., Salesforce, HubSpot) while providing consulting services, we generally act as a data processor on behalf of our clients, who remain the data controllers. That processing is governed by separate written agreements and data processing terms with each client.

2. INFORMATION WE COLLECT

2.1 Information You Provide to Us

We may collect the following categories of information:

  • Contact details: name, email address, phone number, company name, job title
  • Inquiry details: the content of messages you send us, including through contact forms, email, or booking tools
  • Newsletter/marketing preferences: your subscription status and communication preferences

2.2 Information Collected Automatically

When you use the Website, we may automatically collect:

  • Technical identifiers: IP address, browser type and version, device type, operating system, approximate location (based on IP)
  • Usage data: pages viewed, links clicked, referring/exit pages, timestamps, and other analytics data related to your interaction with the Website

Cookies and similar technologies: small files stored on your device that help us recognize your browser, remember preferences, and analyze Website usage. For a full list of cookies we use, their purposes, and durations, see our Cookie Policy at https://crminfusion.com/cookie-policy/.

Company-level visitor identification: We use Apollo.io, a third-party B2B sales intelligence tool, which identifies the company associated with your visit based on IP address resolution and publicly available business data. This operates at the company level and does not identify you as an individual consumer. Apollo.io is implemented via a JavaScript tag that is classified as an Advertising cookie and will not load unless you accept Advertising cookies via our consent banner.

You can adjust your browser settings to refuse cookies or to alert you when cookies are being sent. Some parts of the Website may not function properly without cookies.

2.3 Client CRM Data (Service Data)

When we provide consulting services, we may access or process data stored in your CRM or related systems (e.g., Salesforce, HubSpot) via service accounts you control. For this Service Data:

  • You (the client) determine what is collected and how it is used
  • We process it only according to your documented instructions and applicable contracts

2.4 Payment Information (Stripe)

If you purchase products or services from us online, payment processing is handled by our third-party payment processor, Stripe. We do not store your full payment card number, but we may receive limited information related to your payment method (such as the last four digits of your card, card type, and expiration date) and transaction metadata for recordkeeping, fraud prevention, and accounting purposes.

3. HOW WE USE INFORMATION

We use the information we collect for the following purposes:

  • To operate, maintain, and improve the Website
  • To respond to your inquiries, requests, and messages
  • To send you marketing communications about our services, events, and content, where we have your explicit consent or where otherwise permitted under applicable law, including on the basis of legitimate interests for B2B communications
  • To analyze Website performance and user behavior to improve content and user experience
  • To identify companies visiting our Website using IP-based business intelligence tools (including Apollo.io) for B2B sales and outreach purposes
  • To maintain the security and integrity of the Website, including detecting and preventing fraud or abuse
  • To comply with legal obligations and enforce our Terms of Service
  • For Service Data in client CRMs, we use information solely to provide the contracted services and for no independent purposes

4. LEGAL BASES FOR PROCESSING (GDPR/UK GDPR)

Where the GDPR or UK GDPR applies, we rely on the following legal bases for processing:

  • Contract performance: to respond to your requests or perform services under agreements with you or your organization
  • Legitimate interests: to operate and improve our Website, communicate with business contacts, and secure our systems, provided these interests are not overridden by your rights
  • Consent: for certain marketing activities, cookies, or where required by law. You may withdraw consent at any time, without affecting the lawfulness of processing before withdrawal
  • Legal obligations: to comply with applicable laws, regulations, or legal processes

5. HOW WE SHARE INFORMATION

We may share your information with:

  • Service providers and sub-processors who support our operations, such as website hosting, analytics, CRM tools, and visitor identification platforms, including Apollo.io (Apollo.io, Inc.), which processes company-level visitor data subject to its own privacy policy at apollo.io/privacy-policy
  • Email and marketing automation providers
  • Collaboration and productivity tools (e.g., cloud document and communication platforms)
  • Payment processing providers (including Stripe) when you complete a transaction with us
  • Professional advisers such as lawyers, accountants, and auditors, where necessary
  • Business transferees in connection with a merger, acquisition, or sale of all or part of our business or assets
  • Authorities and third parties when required by law, regulation, or legal process, or to protect our rights, safety, or property

Apollo.io’s visitor identification tool is used for company-level B2B sales intelligence. We do not use it to identify individual consumers. Apollo.io processes information in accordance with its applicable privacy and data processing terms. To the extent any use of cookies or similar technologies is considered “selling,” “sharing,” or targeted advertising under applicable law, we will provide required notices and opt-out rights.

For Service Data, we share or disclose information only as permitted by our contracts with clients, such as with authorized sub-processors identified or approved in applicable service agreements, data processing terms, or Business Associate Agreements.

6. INTERNATIONAL TRANSFERS

We are based in the United States, and your information may be processed in the U.S. or other countries that may have different data protection laws than your country of residence.

Where required by law, we implement appropriate safeguards for international transfers, such as Standard Contractual Clauses approved by the European Commission or UK equivalents, or other lawful transfer mechanisms or derogations as permitted by applicable law.

Clients and data subjects may request a copy of applicable Standard Contractual Clauses or transfer mechanisms by contacting us at info@crminfusion.com.

7. DATA RETENTION

We retain personal information for as long as reasonably necessary to fulfill the purposes described in this Privacy Policy. The following general retention periods apply:

Category

Retention Period

Contact form submissions and inquiry data

24 months from date of submission

Marketing consent records

Until opt-out, then 12 months for suppression list purposes

Website analytics data

13 months from date of collection

Apollo.io visitor identification data

Per Apollo.io’s own retention policy, available at apollo.io/privacy-policy

Payment and transaction records

7 years, as required for tax and accounting compliance

Cookie consent records

Retained for the duration supported by our consent management platform (currently CookieYes) and available upon request

Client CRM service data

Per the applicable Master Services Agreement or data processing terms; deletion or return will occur within the timeframe specified therein, or within 30 days if no MSA term applies, subject to legal obligations

8. YOUR RIGHTS AND CHOICES

Depending on your jurisdiction, you may have some or all of the following rights regarding your personal information:

  • Access: Request confirmation of whether we process your personal information and receive a copy
  • Correction: Request that we correct inaccurate or incomplete personal information
  • Deletion: Request that we delete your personal information, subject to certain exceptions
  • Restriction: Request that we restrict processing of your personal information in certain circumstances
  • Objection: Object to certain processing, including direct marketing
  • Portability: Request a copy of personal information you provided to us in a structured, commonly used, and machine-readable format where technically feasible
  • Consent withdrawal: Where processing is based on consent, withdraw that consent at any time

To exercise your rights, please contact us using the details in Section 12. We may need to verify your identity before responding. Where we process Service Data as a data processor, we will direct you to the relevant client (data controller), as they are responsible for handling rights requests for that data.

California and Certain U.S. State Rights

If you are a resident of California or certain other U.S. states with comprehensive privacy laws, you may have additional rights, such as:

  • The right to know categories and specific pieces of personal information we have collected about you
  • The right to request deletion of personal information, subject to exceptions
  • The right to correct inaccurate personal information
  • Where required by applicable law, the right to opt out of the sale or sharing of personal information.

To limit company-level visitor identification by Apollo.io, you may decline Advertising cookies via our cookie consent banner or submit an opt-out request directly to Apollo.io at apollo.io/privacy-policy.

California Privacy Rights Act (CPRA)

CRM Infusion LLC does not currently believe it meets the statutory thresholds for full CCPA/CPRA coverage. We will reassess applicability if our revenue, data volume, or data practices materially change.

9. SECURITY

We use reasonable technical and organizational measures designed to protect personal information from unauthorized access, disclosure, alteration, or destruction. These measures include:

  • Limiting access to personal information to personnel with a legitimate business need
  • Using secure hosting and network protections
  • Employing access controls and, where applicable, multi-factor authentication

No method of transmission over the internet or method of electronic storage is completely secure, and we cannot guarantee absolute security.

For Service Data, we follow security and access principles aligned with our client agreements, including least-privilege access, the use of service accounts, and avoiding long-term local storage of CRM data except where necessary and appropriately protected.

10. DATA SECURITY AND BREACH NOTIFICATION

In the event of a data breach that affects personal information, we will notify the appropriate parties as required by applicable law and our contractual obligations, including:

  • GDPR/UK GDPR — Controller Role: Where CRM Infusion acts as a data controller and the GDPR or UK GDPR applies, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals. Where a breach is likely to result in a high risk to affected individuals, we will notify those individuals without undue delay, unless an exception applies under applicable law.
  • GDPR/UK GDPR — Processor Role: Where CRM Infusion acts as a data processor for client Service Data, we will notify the applicable client/data controller without undue delay after becoming aware of a personal data breach affecting that Service Data, in accordance with applicable law and our contractual obligations.
  • For breaches of unsecured PHI where CRM Infusion acts as a Business Associate, we will notify the applicable Covered Entity without unreasonable delay and no later than 60 calendar days after discovery, unless a shorter timeframe is required by the applicable BAA.
  • As required under Utah Code § 13-44-202 for breaches affecting Utah residents

Notification will be provided via email where we have your contact information, or via Website notice where required by law.

11. CHILDREN’S PRIVACY

The Website is intended for business and professional users and is not directed to children under 16. We do not knowingly collect personal information from children under 16 through the Website. If you believe we have collected such information, please contact us so we can delete it.

12. CONTACT US

If you have questions about this Privacy Policy, our data practices, or wish to exercise your privacy rights, please contact us:

CRM Infusion, LLC

St. George, Utah 84770, United States

Email: info@crminfusion.com

Website: www.crminfusion.com

If you are in the EU/EEA or UK and believe we have not adequately addressed your concerns, you may have the right to lodge a complaint with your local data protection authority.

13. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we do, we will update the “Last Updated” date at the top of this page. Material changes may be communicated by additional notice where required by law. Updates will apply prospectively from the date posted, unless otherwise stated or required by law.

14. CANADA-SPECIFIC PRIVACY DISCLOSURES

If you are located in Canada, or if we provide services to organizations subject to Canadian privacy laws, additional requirements may apply.

14.1 PIPEDA and Provincial Privacy Laws

Where applicable, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and relevant provincial private-sector privacy laws. These laws require, among other things:

  • Identifying the purposes for which personal information is collected, used, or disclosed
  • Obtaining meaningful consent where required
  • Limiting collection, use, and disclosure to what is necessary for identified purposes
  • Providing individuals with access to their personal information and the ability to request corrections

14.2 Cross-Border Transfers

Personal information may be processed or stored outside of Canada, including in the United States. In such cases, the information may be subject to the laws of those jurisdictions. Where required, we implement contractual and organizational safeguards appropriate to the sensitivity of the information.

14.3 Quebec and Other Provincial Requirements

Certain provinces, including Quebec, may impose additional obligations, such as data protection impact assessments, enhanced transparency requirements, and mandatory breach reporting. Where applicable, we support our clients in meeting these requirements in accordance with our contractual obligations.

14.4 Canada’s Anti-Spam Legislation (CASL)

Where we send commercial electronic messages to recipients in Canada, we comply with Canada’s Anti-Spam Legislation (CASL). We send commercial electronic messages only where we have express or implied consent as defined under CASL. Each commercial electronic message we send identifies CRM Infusion LLC, includes our contact information, and contains a clear and functional unsubscribe mechanism. Unsubscribe requests will be honored within 10 business days. If you wish to withdraw consent to receive commercial electronic messages from us, you may do so at any time by using the unsubscribe link in any message or by contacting us at info@crminfusion.com.

15. HEALTHCARE AND PROTECTED HEALTH INFORMATION

CRM Infusion does not operate as a healthcare provider. However, in the course of providing consulting services to clients in regulated industries, we may access or process personal information that qualifies as Protected Health Information (PHI) or Personal Health Information under applicable laws.

15.1 United States (HIPAA)

Where we provide services to clients subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and we access PHI on their behalf, we will do so only pursuant to a written agreement, such as a Business Associate Agreement (BAA), where required. We process such information solely to provide contracted services and implement reasonable safeguards consistent with our contractual obligations.

15.2 Canada (Provincial Health Privacy Laws)

Where we provide services involving Personal Health Information subject to provincial healthcare privacy laws, such as Ontario’s Personal Health Information Protection Act (PHIPA) or similar legislation in other provinces, we process such information strictly in accordance with the client’s documented instructions and applicable agreements.

15.3 Safeguards

For healthcare-related data processed on behalf of clients, we apply heightened access controls, least-privilege principles, and secure authentication practices consistent with contractual and legal requirements. We do not use such data for independent purposes.