Last updated: April 2026
1. Who We Are
Tonic Desk Ltd ("Tonic Desk", "we", "us") is the controller of personal data collected through the Tonic Desk CRM platform and website (tonicdesk.com).
Contact: privacy@tonicdesk.com
2. What We Collect
2.1 Account Data
When you create an account: name, email address, password (hashed), organisation name, phone number (optional), timezone preference.
2.2 Customer Data
Data you upload or create within the Service: contacts, companies, deals, activities, tasks, email messages, custom field values. You are the controller of this data; we process it on your behalf.
2.3 Usage Data
Automatically collected: IP address, browser type, pages visited, features used, timestamps. We use this to improve the Service and diagnose issues.
2.4 Payment Data
Processed by Stripe. We do not store full credit card numbers. Stripe's privacy policy applies to payment processing.
2.5 Communication Data
Emails you send and receive through the Service, including tracking data (opens, clicks) if enabled by you. Email content is stored to provide the email feature and is not used for any other purpose.
3. How We Use Your Data
- To provide the Service: Account authentication, data storage and retrieval, email delivery, API access.
- To improve the Service: Aggregated usage analytics to understand feature adoption and performance.
- To communicate with you: Service updates, security alerts, billing notifications. We do not send marketing emails unless you opt in.
- To ensure security: Fraud prevention, abuse detection, audit logging.
4. Legal Basis (GDPR)
- Contract: Processing necessary to provide the Service you subscribed to.
- Legitimate interest: Usage analytics, security monitoring, service improvement.
- Consent: Marketing communications (where applicable).
- Legal obligation: Tax records, law enforcement requests.
5. Data Sharing
We do not sell your data. We share data only with:
- Stripe — Payment processing
- AWS — Infrastructure hosting (EU-West-1 region)
- Email providers — SMTP delivery for emails you send through the Service
We do not share Customer Data with advertisers, data brokers, or other third parties.
6. Data Retention
- Active accounts: Data retained for the duration of your subscription.
- Cancelled accounts: Customer Data retained for 30 days, then permanently deleted.
- Audit logs: Retained per your plan's audit log retention period (7 days to unlimited).
- Usage analytics: Aggregated, anonymised data retained indefinitely.
7. Data Security
- Encryption in transit (TLS 1.2+)
- Passwords hashed with bcrypt
- API keys stored securely
- Role-based access controls
- Regular security audits
- CSRF protection on all forms
- Rate limiting on authentication endpoints
8. Your Rights (GDPR)
You have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict processing
- Data portability — export your data as CSV
- Object to processing based on legitimate interest
- Withdraw consent at any time
To exercise these rights, contact privacy@tonicdesk.com. We respond within 30 days.
9. Cookies
We use essential cookies for authentication and session management. We do not use third-party advertising cookies.
| Cookie | Purpose | Duration |
|---|---|---|
| session | Authentication | Session |
| remember_token | "Remember me" login | 30 days |
10. International Transfers
Customer Data is stored in the EU (AWS EU-West-1, Ireland). If data is transferred outside the EU, we ensure adequate safeguards are in place (Standard Contractual Clauses).
11. Children
The Service is not intended for users under 16. We do not knowingly collect data from children.
12. Changes
We may update this Privacy Policy. Material changes will be notified by email. The "Last updated" date indicates the most recent revision.
13. Contact
Data Protection Officer: privacy@tonicdesk.com Postal: Tonic Desk Ltd, United Kingdom
You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data has been mishandled.