Privacy Policy

Effective date: May 10, 2026

1. Who we are

Bilberk CRM ("Bilberk CRM", "we", "our", or "us") is operated by Bilberk Global Company Ltd, a company registered in Nigeria. This Privacy Policy explains what personal data we collect when you use Bilberk CRM at bilberkgroup.com, how we use it, who we share it with, and the rights you have over it.

If you have questions about this policy, contact us at support@bilberk.com.

2. The data we collect

We collect three categories of data:

  • Account data — the email address, name, and (optionally) profile photo you provide when you sign up or sign in. We use Firebase Authentication, so passwords are hashed by Google and never stored on our servers in plaintext.
  • Workspace data — the contacts, companies, deals, tasks, notes, calendars, forms, workflows, and messages you and your team create inside your workspace. This data belongs to your workspace and is only visible to members of that workspace.
  • Integration data — data we retrieve from third-party services you explicitly connect (Google Calendar, Zoom, SendGrid, Twilio, Meta WhatsApp Cloud API). See Section 4 for details on Google data specifically.

3. How we use your data

  • To provide, maintain, and improve Bilberk CRM features.
  • To authenticate you and authorise access to your workspace.
  • To send transactional emails (booking confirmations, password resets, workflow notifications) — never marketing email without your consent.
  • To detect, prevent, and respond to abuse or security incidents.
  • To meet our legal obligations.

We do not sell your personal data, and we do not use your workspace data or Google user data to train machine-learning or generative-AI models.

4. Google user data — Limited Use disclosure

When you connect a Google account to Bilberk CRM, we request a single, narrow OAuth scope:

  • https://www.googleapis.com/auth/calendar.app.created — on first connection, Bilberk CRM creates a dedicated calendar named "Bilberk CRM" on your Google account. This scope only lets us see, create, update, and delete events on that calendar. Bilberk CRM has no access to your primary calendar, any other calendar you own, your calendar settings, your contacts, or any other Google data. You can see, hide, share, or delete the Bilberk CRM calendar at any time from calendar.google.com.

Limited Use

Bilberk CRM's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We use Google user data only to provide the user-facing features that Google approved Bilberk CRM for.
  • We do not transfer Google user data to others unless necessary to provide or improve those features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
  • We do not use Google user data to serve advertisements.
  • We do not allow humans to read your Google user data unless we have your affirmative consent for specific messages, it is necessary for security purposes (such as investigating abuse), to comply with applicable law, or for Bilberk CRM's internal operations — and even then, only when the data has been aggregated and de-identified.

5. How we store and protect your data

  • Workspace data is stored in Google Cloud Firestore. Access is enforced by row-level security rules that scope every read and write to the workspace the requesting user belongs to.
  • OAuth refresh tokens and API keys (Google, Zoom, SendGrid, Twilio, Meta) are stored in Google Cloud Secret Manager — encrypted at rest, never written to Firestore or application logs, and only retrievable by our backend Cloud Functions at runtime.
  • All traffic between your browser, our backend, and third-party APIs uses TLS 1.2 or higher.
  • We log application errors and usage metrics, but we redact secrets, tokens, and the bodies of calendar events, emails, and messages from those logs.

6. Retention and deletion

We keep your workspace data for as long as your workspace is active. You can delete individual records (contacts, deals, events, messages) inside the app at any time.

When you disconnect a Google integration from Settings → Integrations, we immediately delete the stored OAuth refresh token from Google Cloud Secret Manager and stop accessing your Google Calendar. Calendar events already synced into Bilberk CRM are retained as part of your workspace data until you delete them or close your workspace.

When you close your workspace, all workspace data — including any cached Google Calendar event data — is permanently deleted within 30 days. You can also request deletion at any time by emailing support@bilberk.com from the email address associated with your account.

7. Sharing your data

We share your data only with these categories of recipients:

  • Google Cloud Platform / Firebase — our infrastructure provider (hosting, authentication, Firestore, Cloud Functions, Secret Manager).
  • Integrations you connect — Google Calendar, Zoom, SendGrid, Twilio, Meta WhatsApp Cloud API. We send only the data needed for the feature you enabled.
  • Law enforcement or regulators, when legally required and after we have reviewed the request for validity.

We do not sell, rent, or trade your personal data or Google user data to advertisers or data brokers.

8. Your rights

Subject to applicable law (including the Nigeria Data Protection Act 2023 and, where it applies, the EU/UK GDPR), you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your data (subject to legal retention obligations).
  • Export your data in a machine-readable format.
  • Object to or restrict processing.
  • Withdraw consent at any time for processing based on consent.
  • Lodge a complaint with the Nigeria Data Protection Commission or your local supervisory authority.

To exercise any of these rights, email support@bilberk.com. You can revoke Bilberk CRM's access to your Google account at any time at myaccount.google.com/permissions.

9. Children

Bilberk CRM is a business tool and is not directed at children under 16. We do not knowingly collect personal data from children.

10. International transfers

Bilberk CRM is operated from Nigeria, and our infrastructure runs on Google Cloud data centres (primarily us-central1). If you access Bilberk CRM from outside Nigeria, your data will be transferred to and processed in jurisdictions with different data-protection laws than your own.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated to workspace owners by email at least 14 days before they take effect. The "Effective date" at the top of this page always reflects the current version.

12. Contact us

Bilberk Global Company Ltd
Email: support@bilberk.com
Website: bilberkgroup.com