Privacy Policy
Last updated: February 2026
SKBH Technology ("we," "us," or "our") is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, store, and protect your information when you use the Onbrix CRM platform (the "Service"), a product of SKBH Technology. By accessing or using the Service, you agree to the practices described in this policy.
1. Information We Collect
Account Data
When you create an account, we collect your name, email address, password (stored as a secure hash), team name, and billing information. If you sign up using a third-party provider (such as Google or Microsoft), we receive your profile information from that provider.
Usage Data
We automatically collect information about how you interact with the Service, including pages visited, features used, timestamps, browser type, device information, IP address, and referring URLs. This data helps us improve the platform and diagnose technical issues.
CRM Data
The data you enter into the CRM — including contacts, leads, deals, accounts, tasks, notes, emails, call recordings, documents, invoices, quotes, and any custom module records — is stored securely and is treated as your confidential business data. We do not access, analyze, or sell your CRM data except as required to provide the Service or as described in this policy.
Integration Data
When you connect third-party services (such as Stripe, Twilio, Google Calendar, Xero, QuickBooks, or Zoom), we store OAuth tokens and API credentials required to maintain the integration. All credentials are encrypted at rest using AES-256-GCM. We may also receive data from these integrations (e.g., payment status from Stripe, calendar events from Google) as needed to provide the features you have enabled.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Onbrix CRM platform
- Process transactions and manage your subscription, billing, and payments
- Send transactional notifications (e.g., password resets, billing receipts, workflow alerts)
- Deliver AI-powered features such as lead scoring, deal health analysis, data enrichment, next-best-action recommendations, email drafting, and call transcription
- Sync data with third-party services you have connected (e.g., accounting software, calendars, telephony providers)
- Monitor and enforce our Acceptable Use Policy and Terms of Service
- Detect, prevent, and respond to security incidents, fraud, and abuse
- Generate anonymized, aggregated analytics to improve the Service (individual user data is never shared)
- Comply with legal obligations and respond to lawful requests
3. Data Storage and Security
We take the security of your data seriously and implement industry-standard measures to protect it:
- Database hosting: All CRM data is stored in PostgreSQL databases hosted on Supabase with encryption at rest and in transit (TLS 1.2+).
- Credential encryption: All third-party API credentials, OAuth tokens, and sensitive configuration values are encrypted using AES-256-GCM before storage.
- API authentication: REST API keys are hashed using SHA-256 and are never stored in plaintext. API keys are shown once on creation and cannot be retrieved afterward.
- Webhook security: All outbound webhooks are signed using HMAC-SHA256, allowing recipients to verify payload authenticity.
- File storage: Uploaded files and attachments are stored in Supabase Storage with signed URLs and a 10 MB per-file limit.
- Access control: The platform enforces multi-team role-based access control (RBAC) with custom roles, field-level permissions, record-level permissions, and full audit trails.
- Infrastructure: Our infrastructure is hosted on enterprise-grade cloud providers with automated backups, DDoS protection, and a 99.9% uptime SLA.
4. Third-Party Services
Onbrix integrates with third-party services to deliver its full feature set. When you enable an integration, data may be shared with the corresponding provider in accordance with their own privacy policies. Key third-party services include:
- Twilio — Voice calls, SMS messaging, call recording, and the AI Calling Agent (WebRTC media streams). Data shared: phone numbers, call audio, SMS content.
- Resend — Transactional email delivery. Data shared: recipient email addresses, email subject lines, and email body content.
- OpenAI — AI features including lead scoring, deal health analysis, data enrichment, next-best-action recommendations, email drafting, and call transcription/summary. Data shared: relevant CRM record fields and call audio transcripts. We do not send your entire database to OpenAI.
- Stripe — Subscription billing, payment processing, and seat management. Data shared: billing contact information, payment method tokens, and invoice amounts.
- Google — Google Calendar sync, Google Ads management, and Gmail integration. Data shared: calendar events, ad campaign data, and email messages (per-user OAuth).
- Microsoft — Outlook Calendar sync and Microsoft 365 email integration. Data shared: calendar events and email messages (per-user OAuth).
- Xero / QuickBooks — Two-way accounting sync. Data shared: invoices, payments, and contact records.
- Zoom — Meeting scheduling and transcription pipeline. Data shared: meeting metadata and recording transcripts.
- Zapier — Workflow automation connectors. Data shared: trigger event payloads as configured by the user.
We encourage you to review the privacy policies of each third-party service before enabling integrations.
5. Data Retention
We retain your account data and CRM data for as long as your account is active or as needed to provide the Service. Specific retention details:
- Active accounts: All data is retained indefinitely while your account remains active.
- Deleted accounts: Upon account deletion, we permanently remove all CRM data, uploaded files, and personal information within 30 days. Backup copies may persist for up to 90 days before automatic deletion.
- Audit trail: Audit log retention varies by plan tier (30 days for Starter, 90 days for Professional, unlimited for Enterprise).
- Billing records: We retain billing and transaction records for up to 7 years as required by applicable tax and financial regulations.
- Call recordings: Call recordings are retained according to your team settings and applicable legal requirements. You may delete recordings at any time.
6. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
GDPR Rights (European Economic Area)
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete personal data.
- Right to Erasure: Request deletion of your personal data, subject to legal retention requirements.
- Right to Data Portability: Receive your personal data in a structured, machine-readable format (JSON or CSV).
- Right to Object: Object to processing of your personal data for direct marketing or based on legitimate interests.
- Right to Restrict Processing: Request limitation of processing in certain circumstances.
CCPA Rights (California Residents)
- Right to Know: Request disclosure of the categories and specific pieces of personal information collected about you.
- Right to Delete: Request deletion of personal information collected from you, with certain exceptions.
- Right to Opt-Out: Opt out of the sale of your personal information. Note: Onbrix does not sell personal information.
- Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your CCPA rights.
To exercise any of these rights, please contact us at privacy@onbrix.com. We will respond to verified requests within 30 days.
7. International Data Transfers
Onbrix operates globally and your data may be transferred to and processed in countries other than your country of residence. When we transfer personal data outside the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission or other lawful transfer mechanisms to ensure your data receives adequate protection.
Our primary data infrastructure is hosted in the United States and European Union through Supabase and Vercel. Third-party service providers may process data in their own data center regions as specified in their respective privacy policies.
8. Cookies and Tracking
Onbrix uses a minimal set of cookies and local storage to provide core functionality:
- Authentication cookies: Secure, HTTP-only cookies used to maintain your login session. These are strictly necessary and cannot be disabled.
- Preference storage: Local storage entries for UI preferences such as sidebar state, theme selection, and dashboard layout. These are functional and do not track you across sites.
- Analytics: We may use privacy-respecting, first-party analytics to understand feature usage and improve the Service. We do not use third-party advertising trackers or sell tracking data.
We do not use third-party advertising cookies, cross-site tracking pixels, or fingerprinting techniques.
9. Children's Privacy
The Onbrix Service is designed for business use and is not directed at individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that a child under 16 has provided us with personal information, we will take steps to delete such information promptly. If you believe a child under 16 has created an account on Onbrix, please contact us at privacy@onbrix.com.
10. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, you can reach us at:
- Email: privacy@onbrix.com
- General support: support@onbrix.com
For GDPR-related inquiries, you may also contact our Data Protection Officer at dpo@onbrix.com.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated policy on this page and updating the "Last updated" date at the top. For significant changes, we may also send you a notification via email or an in-app banner.
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.