Privacy Policy
Last updated: April 13, 2026
CAPTO ("CAPTO", "Capto", "we", "us", or "our"), the legal entity operating the Capto CRM service, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our customer relationship management platform designed for mortgage and loan professionals. CAPTO is the data controller responsible for your personal data processed through the Service.
1. Information We Collect
Account Information: Name, email address, company name, job title, NMLS number, and profile photo when you create an account.
Contact Data: Names, phone numbers, email addresses, and notes for contacts you add to your CRM.
Communication Data: SMS messages sent and received through our platform via Twilio integration, email campaign content, and AI-generated responses.
Pipeline Data: Deal values, loan types, deal stages, and expected close dates you enter into your pipeline.
Usage Data: Log data, device information, browser type, IP address, and how you interact with our platform.
Third-Party Integrations: Google Business Profile data when you connect your GMB account.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our CRM platform
- Send and receive SMS messages on your behalf via Twilio
- Generate AI-powered responses and content suggestions
- Process and send email campaigns to your contacts
- Manage your loan pipeline and contact database
- Schedule and publish Google Business Profile posts
- Send you transactional emails (welcome, password reset, etc.)
- Provide customer support and respond to inquiries
- Analyze usage patterns to improve our services
3. Third-Party Services & Data Sharing
We share data with the following categories of recipients that process your data on our behalf or as independent controllers:
- Paddle.com Market Limited ("Paddle"): our Merchant of Record (MoR) and payment processor. Paddle handles all checkout, billing, subscription management, payment processing, sales tax/VAT compliance, invoicing, refunds, and chargebacks. When you purchase a subscription, Paddle receives your name, email, billing address, payment method details, and transaction data. See Paddle's Privacy Notice.
- Twilio: SMS messaging delivery and phone number management
- Google: Google Business Profile posting and OAuth authentication
- AI Providers: Natural language processing for AI agent responses and content generation
- Hosting & infrastructure providers: database, file storage, and application hosting
- Professional advisers and authorities: legal/accounting advisers, and government authorities where required by law
Each third-party service has its own privacy policy governing its use of your data.
3a. Legal Basis for Processing (GDPR)
If you are located in the UK or EEA, we process your personal data on the following legal bases:
- Performance of a contract: to provide the Service you have subscribed to (account, CRM functionality, message delivery, billing through Paddle).
- Legitimate interests: to secure the Service, prevent fraud and abuse, analyze usage to improve the platform, and provide customer support — balanced against your rights and freedoms.
- Consent: for optional marketing communications and any non-essential cookies; you may withdraw consent at any time.
- Legal obligation: to comply with tax, accounting, anti-fraud, and other applicable laws.
4. Google User Data & OAuth (Google Business Profile)
When you connect your Google account to Capto to manage your Google Business Profile (formerly Google My Business, "GMB"), we request the following OAuth scopes:
- openid, userinfo.email, userinfo.profile — to identify your Google account and link it to your Capto user.
- https://www.googleapis.com/auth/business.manage — to read your Business Profile locations and publish posts (updates, offers, events) that you compose or schedule inside Capto.
What we access: your Google account email, your Business Profile account ID and location IDs, location names, and the content of posts you publish through Capto.
What we do NOT access: Gmail, Google Drive, Google Contacts, Google Calendar, reviews of other businesses, payment information, or any Google service outside the Business Profile locations you authorize.
How we use it: solely to display your connected location in Capto and to publish the GMB posts you explicitly create or schedule. We do not use Google user data for advertising, do not sell it, do not use it to train AI/ML models, and do not share or transfer it to any party other than Google's own APIs and the infrastructure providers (database and hosting) required to operate the Service.
Storage & security: OAuth access tokens and refresh tokens are stored encrypted at rest in our backend database, and row-level security policies restrict each token row to the account that owns it. All traffic between Capto and Google APIs is sent over TLS.
Retention: we retain your Google tokens and connection metadata only while the integration is active. Tokens are refreshed as needed and replaced; old tokens are overwritten.
Revocation & deletion: you can disconnect Google at any time from Settings → Google Business Profile in Capto, which deletes your access token, refresh token, and connection record from our database within 24 hours. Disconnecting removes our copy of the tokens; the authorization grant recorded on your Google account can be revoked separately at myaccount.google.com/permissions. To request full deletion of all associated data, email privacy@usecapto.com and we will complete deletion within 30 days.
Capto's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
5. SMS & Communication Compliance
When you use Capto to send SMS messages, you are responsible for ensuring compliance with the Telephone Consumer Protection Act (TCPA) and all applicable telecom regulations. This includes:
- Obtaining proper consent from contacts before sending messages
- Honoring opt-out requests promptly
- Complying with A2P 10DLC registration requirements
- Following CAN-SPAM Act requirements for email campaigns
6. Data Retention
We retain your account data for as long as your account is active. Contact data, messages, and pipeline information are retained until you delete them or close your account. Upon account deletion, we will remove your personal data within 30 days, except where retention is required by law.
7. Data Security
We implement industry-standard security measures including encryption in transit (TLS), encrypted storage, role-based access controls, and row-level security policies to protect your data. However, no method of electronic transmission or storage is 100% secure.
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data
- Export your data in a portable format
- Opt out of marketing communications
- Withdraw consent for data processing
To exercise any of these rights, contact us at privacy@usecapto.com.
9. California Privacy Rights (CCPA)
California residents have additional rights under the CCPA, including the right to know what personal information is collected, the right to delete personal information, and the right to opt out of the sale of personal information. We do not sell your personal information.
10. Children's Privacy
Capto is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of Capto after changes constitutes acceptance of the revised policy.
12. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
Email: privacy@usecapto.com