Skip to content

Legal

Privacy Policy

Last updated: 8 June 2026. This is a draft template — review with qualified legal counsel before launch.

1. Introduction

This Privacy Policy explains how McNif ("McNif", "we", "us") collects, uses, and protects personal data when you use our multi-tenant CRM platform and related websites (the "Service"). It is written to be consistent with the EU and UK General Data Protection Regulation (GDPR).

For account holders and visitors, McNif acts as a data controller. For the Customer Data that organisations store in their tenant, the organisation is the controller and McNif acts as a data processor, processing that data on their instructions to provide the Service.

2. Data We Collect

  • Account data — name, work email, organisation, role, and authentication details used to create and secure your account.
  • CRM content you enter — contacts, leads, deals, tasks, notes, messages, and other records you add to your tenant, which may include personal data about your own contacts.
  • Usage data — log and technical information such as IP address, device and browser type, and feature interactions, used to operate and secure the Service.

3. How We Use Data

We use personal data to: provide, maintain, and secure the Service; authenticate users and isolate tenant data; deliver email and messaging features you initiate; power AI-assisted features; provide support and respond to enquiries; process billing; detect and prevent fraud or abuse; and comply with legal obligations. We do not sell personal data.

4. Legal Bases (GDPR)

Where GDPR applies, we rely on the following legal bases for processing:

  • Contract — to provide the Service you have signed up for and to administer your account and billing.
  • Legitimate interests — to secure, operate, and improve the Service, prevent abuse, and communicate about the Service, balanced against your rights.
  • Legal obligation — to comply with applicable laws, such as tax and accounting requirements.
  • Consent — where required, for example certain communications; you may withdraw consent at any time.

For Customer Data, processing is carried out on behalf of, and on the documented instructions of, the customer organisation acting as controller.

5. Sub-processors

We use the following sub-processors to deliver the Service. Each is engaged under terms requiring appropriate confidentiality and security safeguards.

Sub-processor Purpose
Supabase Authentication, PostgreSQL database hosting, and file storage. Holds account credentials and Customer Data at rest.
SendGrid Delivery of transactional email and CRM/outreach email sent through the platform. Processes recipient addresses and message content.
Anthropic Powers AI features such as the AI coach. Relevant CRM context is sent to generate responses; not used to train third-party models under our agreement.

6. Data Isolation & Security

The platform is multi-tenant. Tenant data is isolated at the database layer using PostgreSQL row-level security (RLS), so one tenant's records cannot be accessed by another. We apply role-based access controls, encryption in transit, and reasonable administrative and technical safeguards. We do not currently hold formal certifications such as SOC 2 or ISO 27001, and we describe our security practices honestly rather than implying assurances we do not provide.

7. Data Retention

We retain personal data for as long as your account is active and as needed to provide the Service. Customer Data is retained while your tenant exists; after account closure we make it available for export for a reasonable period and then delete or anonymise it, unless longer retention is required by law. Backups are retained for a limited period and then cycled out.

8. Your Rights

Subject to applicable law, you may have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — request deletion of your personal data.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection & restriction — object to or restrict certain processing.

Where the data relates to a customer organisation's tenant, we will refer requests to that organisation as the controller. You may also lodge a complaint with your local data protection authority.

9. International Transfers

Our sub-processors may process data in countries outside your own, including outside the EEA or UK. Where personal data is transferred internationally, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or other lawful transfer mechanisms.

10. Cookies

We use a minimal set of cookies that are strictly necessary to operate the Service, such as keeping you signed in and maintaining your session. In the current product we do not use third-party advertising or analytics trackers. If this changes, we will update this policy and provide any consent controls required by law.

11. Children's Privacy

The Service is intended for business use and is not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will take appropriate steps to delete it.

12. Changes

We may update this Privacy Policy from time to time. When we make material changes, we will revise the "Last updated" date and, where appropriate, notify you in-app or by email. Your continued use of the Service after an update takes effect indicates your awareness of the revised policy.

13. Contact / DPO

For privacy questions, requests to exercise your rights, or to reach our data protection contact, email privacy@mcnifglobal.com.