Privacy Policy

Account information. When you sign up we collect your name, email address, and password (hashed). If you subscribe to a paid plan we collect billing details through Stripe (see Section 7).

Contacts & leads. You may import or manually create contacts and leads inside CoolBeans. This data can include names, email addresses, phone numbers, property preferences, notes, tags, and any custom fields you add.

Email sending via Gmail OAuth. When you connect your Gmail account, CoolBeans requests permission to send emails on your behalf and read your email address to identify the connected account. CoolBeans does not request access to read your inbox, search your mail, or view message content. Inbound replies are captured through a dedicated CoolBeans reply address, not by reading your Gmail inbox.

SMS & voice data via Twilio. When you use CoolBeans to send SMS messages or make voice calls, those messages and call metadata (timestamps, duration, recipient phone numbers) are processed through Twilio and stored in your CoolBeans account.

Email tracking data. CoolBeans uses tracking pixels (small transparent images) embedded in outgoing emails to detect when a recipient opens an email. We also use link-wrapping to detect when a recipient clicks a link. This data includes the time of the open or click and approximate IP-based geolocation.

Usage & browsing data. We collect standard usage data such as pages viewed, features used, browser type, device information, IP address, and session duration to improve the product and diagnose issues.

AI interaction data. Your interactions with CoolBeans's AI features (campaign generation, message drafting, lead scoring, signal detection, and the Cloe & Cody chat assistants) are logged to deliver and improve the service.

CoolBeans uses Claude by Anthropic as its content engine. When you use smart features — including campaign generation, message drafting, lead scoring, signal detection, and conversations with Cloe or Cody — relevant data (such as contact details, conversation context, and your instructions) is sent to Anthropic's API for processing.

Anthropic processes this data to generate a response and does not store your inputs or outputs for model training, in accordance with their API data usage policy. Data is transmitted over encrypted connections (TLS).

We retain AI-generated outputs (e.g., drafted messages, scores, campaign plans) within your account so you can review, edit, and use them.

To connect your Gmail account, CoolBeans requests the following OAuth scopes:

• gmail.send — Send emails on your behalf (campaign emails, follow-ups, direct messages)
• userinfo.email — Read your email address to identify your account
• calendar.events — View and create calendar events for property showings, client meetings, and follow-up reminders

CoolBeans does not request access to read your inbox, modify labels, access message content, or read any calendar data beyond events CoolBeans creates. Inbound email is captured through a dedicated CoolBeans reply address, not by reading your Gmail mailbox.

You can revoke Gmail access at any time from your Google Account permissions page or from CoolBeans's Settings → Integrations. Revoking access will stop all email sending functionality.

CoolBeans's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, CoolBeans will not:

• Use data obtained through Google APIs to develop, improve, or train generalized AI and/or machine learning models.
• Transfer Google user data to third parties except (a) as necessary to provide or improve user-facing features that are prominent in the CoolBeans user interface, (b) to comply with applicable law, or (c) as part of a merger, acquisition, or sale of assets, with the user's explicit consent.
• Allow humans to read Google user data unless (a) we have obtained the user's affirmative agreement to view specific messages, (b) it is necessary for security purposes such as investigating abuse, (c) it is necessary to comply with applicable law, or (d) data is aggregated and used for internal operations in accordance with applicable privacy and other jurisdictional legal requirements.
• Use Google user data for serving advertisements.

You can revoke CoolBeans's access to your Google account at any time via your Google Account permissions page or by following the steps in our Data Deletion procedure.

CoolBeans embeds a small, invisible tracking pixel in outgoing campaign and follow-up emails. When a recipient loads the email, the pixel is requested from our servers, recording an "open" event.

Links in your emails may be wrapped through our tracking domain so we can record click events before redirecting the recipient to the destination URL.

This tracking data is visible only to you (the CoolBeans user) and is used for engagement analytics and AI signal detection. Recipients are not individually notified of tracking; however, you are responsible for complying with applicable email and privacy regulations in your jurisdiction.

SMS messages and voice calls made through CoolBeans are processed by Twilio. Twilio may temporarily store message content and call recordings as necessary to deliver and route communications. Refer to Twilio's Privacy Policy for details.

Message content, recipient phone numbers, and call metadata are stored in your CoolBeans account as part of your contact activity history.

CoolBeans uses cookies strictly for authentication and session management. We use Supabase Auth cookies to keep you signed in and to refresh your session securely.

We do not use advertising cookies, social media tracking cookies, or third-party analytics cookies. We may use basic, privacy-respecting analytics (e.g., page views) to improve the product.

Payments are processed by Stripe. We never see or store your full credit card number. Stripe provides us with a tokenized reference, the last four digits of your card, and your billing email. Refer to Stripe's Privacy Policy for details on how they handle payment data.

Your data is stored in a Supabase-hosted PostgreSQL database. Our database infrastructure is hosted in Canada. All data is encrypted at rest and in transit (TLS 1.2+).

The CoolBeans web application is hosted on Vercel. Static assets and server-side functions are served from Vercel's edge network.

We implement industry-standard security practices, including encrypted connections, secure credential storage, role-based access controls, and regular security reviews.

We retain your data for as long as your account is active. If you delete your account, we will delete your personal data, contacts, campaigns, and activity history within 30 days. Some data may be retained longer if required by law or for legitimate business purposes (e.g., billing records).

You can delete your account and all associated data at any time from within CoolBeans (Settings → Account → Delete account) or by following the steps in our Data Deletion procedure. You may also contact us at privacy@coolbeanscrm.com.

CoolBeans integrates with the following third-party services that may process your data:

• Anthropic (Claude AI) — AI processing for campaign generation, message drafting, lead scoring, signal detection, and chat assistants
• Google (Gmail API) — Email sending via OAuth
• Nylas — Email and calendar sync API. CoolBeans uses Nylas as an aggregator for IMAP, Gmail, and Outlook accounts; OAuth grants and message metadata are stored at Nylas.
• Twilio — SMS messaging, voice calling, and phone number provisioning
• ElevenLabs — Voice cloning and AI-powered voice calls on your behalf
• SignWell — Electronic document signing for offer documents and agreements
• Resend — System notification emails (confirmations, alerts)
• Stripe — Payment processing and subscription management
• Vercel — Application hosting and edge delivery
• Supabase — Database hosting, authentication, and file storage (hosted in Canada)

You have the right to:

• Access your personal data and request a copy of it
• Correct inaccurate personal data
• Delete your account and associated data
• Export your contacts, leads, and activity data in a machine-readable format
• Withdraw consent for specific data processing (e.g., disconnect Gmail)

To exercise any of these rights, contact us at privacy@coolbeanscrm.com. We will respond within 30 days.

As a Canadian company, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). This means:

• We collect personal information only for identified, reasonable purposes
• We obtain meaningful consent before collecting, using, or disclosing personal information
• We limit collection to what is necessary for the purposes identified
• We protect personal information with appropriate security safeguards
• We are transparent about our policies and practices
• We provide individuals with access to their personal information upon request

CoolBeans is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have inadvertently collected data from a minor, we will delete it promptly.

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice within the application. Your continued use of CoolBeans after changes are posted constitutes your acceptance of the revised policy.

If you have questions or concerns about this Privacy Policy or our data practices, contact us at: