Privacy Policy

Last Updated: 12th February 2026

Sellframe Ltd. (trading as "Add to CRM") ("we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website (https://addtocrm.com), use our Chrome extensions, or otherwise interact with our services (collectively, the "Services").

We process personal data in accordance with applicable data protection laws, including the UK General Data Protection Regulation ("UK GDPR"), the EU General Data Protection Regulation 2016/679 ("GDPR"), and the California Consumer Privacy Act of 2018 ("CCPA"), as amended by the California Privacy Rights Act of 2020 ("CPRA"). We also strive to comply with other relevant privacy laws, such as Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA").

Please read this Privacy Policy carefully. By using our Services, you agree to the collection and use of information in accordance with this Policy. If you do not agree with any terms herein, you should not access or use the Services.

1. Who We Are

Legal Entity Name: Sellframe Ltd. (trading as "Add to CRM")

Registered Office Address: 14 Avonside Grove, Hamilton, UK, ML3 7DL

Jurisdiction: Scotland (UK)

Contact Email: [email protected]

We do not currently have a Data Protection Officer (DPO) or EU/EEA Representative appointed.

2. Personal Data We Collect

2.1 Information You Provide Directly

Account Information: When you sign up for an account, we may collect your name, email address, and login credentials.
CRM Setup Details: If you integrate a CRM system (e.g., Pipedrive, Agile CRM, etc.) via our Services, we collect and store your CRM connection credentials (API keys and/or OAuth tokens), CRM user ID, domain, and other necessary configuration details. These credentials are encrypted using AES-256-GCM authenticated encryption and stored on our servers to maintain your CRM connection.
Payment Information: If you purchase a subscription, our payment processor (Stripe) will collect your payment details. We do not store your credit or debit card numbers directly, but may receive minimal billing information (e.g., subscription status, partial billing address).
Support or Communication: When you contact us (e.g., via email or contact forms), we collect the information you provide (e.g., your name, contact details, and the content of your message).

2.2 Information Collected Through Our Extensions

Profile Data from Web Pages: When you use our extension on LinkedIn®, Gmail, or Outlook, we collect publicly visible profile information from the page you are viewing, such as the person's name, job title, company name, location, and profile URL. This information is sent to our servers and to third-party data enrichment providers to retrieve additional contact details (such as email addresses, phone numbers, and company information) at your request.
Email Data: When used on Gmail or Outlook, we collect the sender's email address and name from the message you are viewing.
Usage Data: Our Chrome extensions capture certain usage data, such as when you click to fetch contact information and which contacts you choose to add to your CRM, in order to facilitate synchronization and improve the service.

2.3 Automatically Collected Data

Analytics: We use Fathom Analytics for website and product analytics. Fathom Analytics does not use cookies by default (it's a privacy-friendly solution).
Cookies: We use our own cookies primarily for authentication and session management. For more details, see Section 7: Cookies & Tracking.

3. How We Use Your Personal Data

We process your personal data for the following purposes:

Account Creation & Management: To register and maintain your user account, authenticate logins, and provide customer support.
Providing Our Services: To enable the functionality of our Chrome extensions and website, including CRM integration and data enrichment via third-party data providers.
Data Enrichment: When you request contact information, we send identifiers (such as a LinkedIn® profile URL or email address) to third-party data enrichment providers. These providers search their databases and return additional professional information such as verified email addresses, phone numbers, job titles, and company details. This data comes from the enrichment providers' databases, not from LinkedIn®.
Payment Processing: To facilitate subscription billing through Stripe (though your payment details are handled by Stripe directly).
Marketing & Communication: To send you marketing emails, product updates, or special offers where we rely on our legitimate interests or as permitted by law (with an option to unsubscribe at any time).
Analytics & Improvements: To analyze usage of our website and extensions, debug issues, and develop new features.
Legal & Regulatory Compliance: To comply with our legal obligations, protect our rights and interests, and address disputes or claims.

4. Legal Bases for Processing (EEA/UK Users)

Under the UK GDPR/GDPR, we process personal data based on the following legal grounds:

Performance of a Contract: Most data processing is necessary to provide our Services and fulfill our contractual obligations (e.g., creating your account).
Legitimate Interests: We rely on legitimate interests for certain marketing communications to existing users, for usage analytics, and for preventing fraud or misuse. We ensure these interests do not override your privacy rights.
Consent (where required): We may rely on consent for optional cookies or certain email marketing in specific jurisdictions. If you wish to withdraw consent, you can do so at any time by contacting us.
Processing of Enriched Contact Data: When our users request information about other individuals (e.g., looking up a contact's email address), we process that data on the basis of our users' legitimate interests in business-to-business sales and marketing. We have conducted a balancing assessment and determined that this processing does not override the privacy rights of the data subjects, as the data processed is limited to professional contact information.

5. Disclosure of Your Information

We do not sell or rent your personal data. However, we may share information in the following circumstances:

Service Providers & Sub-Processors:

Data Enrichment: Apollo.io, SalesQL, Prospeo.
Email Verification: Bouncer, BounceBan.
Analytics: Fathom (cookieless), PostHog (EU-hosted at eu.i.posthog.com).
Email/Marketing: MailerLite, MailerSend.
Payment Processing: Stripe.
Hosting: DigitalOcean (New York, USA).
Content Management: Strapi Cloud.
Authentication: Google (OAuth sign-in).
Affiliate Tracking: Rewardful.
Code Repository: GitHub (we do not store personal data here except potentially in issue tickets if you submit them).

These providers process data on our behalf under contractual obligations consistent with this Privacy Policy.

Compliance & Protection: If required by law or in response to valid requests by public authorities (e.g., court orders), or to protect our rights, users, or the public.

Business Transfers: If we are involved in a merger, acquisition, or asset sale, your personal data may be transferred. We will provide notice if your data becomes subject to a different Privacy Policy.

6. International Data Transfers

We currently store and process data on servers located in the United States (New York) via DigitalOcean. For users located in the UK, EEA, or other regions with data transfer restrictions, this may constitute a cross-border transfer. We rely on Standard Contractual Clauses (SCCs) with our US-based service providers to ensure adequate protection for international data transfers. For providers certified under the EU-US Data Privacy Framework, we rely on that framework as an additional safeguard.

If you would prefer we store your data in the EU or the UK, please contact us to discuss available options. If necessary and feasible, we may migrate our hosting to an EU-based server to further ensure GDPR compliance.

7. Cookies & Tracking

7.1 Cookies We Use

Authentication Cookies: We place cookies to keep you logged in as you navigate our website or Services.

Analytics Cookies/Tools:

Fathom: Typically does not use cookies; it collects aggregated data in a privacy-friendly manner.

7.2 Do Not Track (DNT)

We currently do not respond to "Do Not Track" (DNT) signals. You can still control cookies and trackers via your browser settings or third-party extensions.

8. Data Retention

We retain user account data for as long as the account is active, plus six (6) months. After that period, we will securely delete or anonymize personal data, unless a longer retention is required by law (e.g., for tax or regulatory purposes). Usage logs and backups may persist in our archives for a limited period.

Enrichment data (contact information retrieved from data providers) is cached for up to 30 days to improve performance and reduce redundant lookups. Data provider API response caches are retained for up to 30 days. Operation logs are retained for up to 12 months for debugging and service improvement purposes.

CRM connection credentials are retained for as long as your account is active and your CRM connection is configured. Credentials are permanently deleted when you disconnect your CRM or delete your account.

9. Security Measures

We do not hold any formal certifications such as ISO 27001 or SOC 2. However, we take reasonable technical and organizational measures to protect your data, including:

Using reputable hosting providers (DigitalOcean).
Restricting access to personal data to authorized personnel.
Employing safeguards such as SSL/TLS encryption for data in transit.
CRM credentials (API keys, OAuth tokens) are encrypted using AES-256-GCM authenticated encryption at rest. This provides both confidentiality and integrity protection, meaning credentials cannot be read or tampered with without the encryption key.
Database connections use SSL/TLS encryption.
CRM credential access is logged for security auditing purposes.
OAuth tokens are automatically refreshed server-side to maintain your connection.

While we strive to protect your personal data, no method of electronic storage or transmission is 100% secure. If you suspect any unauthorized access or data breach, please contact us immediately at [email protected].

10. Data Breach Notification

In the event of a data breach that impacts personal data, we will notify the relevant supervisory authority (e.g., the UK Information Commissioner's Office) within 72 hours of becoming aware, where required by applicable law. We will also notify affected individuals if there is a high risk to their rights and freedoms.

11. Children's Privacy

Our Services are not directed at children under 16. You must be at least 18 years of age to use our Services (see our Terms and Conditions). We do not knowingly collect personal information from anyone under 16. If you believe we have unintentionally processed a minor's data, please contact us so we can delete it.

12. Region-Specific Disclosures

12.1 For Users in the EEA and UK

Rights under the GDPR/UK GDPR:

You have the right to request access to, rectification of, or erasure of your personal data. You may also have the right to restrict or object to certain processing, as well as the right to data portability.

To exercise these rights, email [email protected]. We will respond within one month (or as required by law).

Complaint: If you have concerns about our data practices, please contact us first. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the UK or another relevant supervisory authority.

12.2 For California Residents (CCPA/CPRA)

No Sale of Personal Information: We do not sell or share personal information for monetary or other valuable consideration.

Your Rights:

Right to Know: You can request details about the categories and specific pieces of personal data we have collected about you.
Right to Delete: You can request we delete personal data we have about you, subject to certain exceptions.
Right to Correct: You can request corrections of inaccurate personal data we hold.
Right to Non-Discrimination: We will not discriminate against you for exercising these rights.

To exercise any of these rights, please email [email protected]. If you believe we are "selling" your data despite our statement, contact us so we can address your concerns.

12.3 For Canadian Residents (PIPEDA)

We strive to comply with the principles of PIPEDA. Canadian users have the right to:

Access and Correction: Request access to personal data we hold about you, and request corrections if inaccurate.
Withdraw Consent: Where we rely on consent, you can withdraw it at any time.
Inquiries or Complaints: Please contact us at [email protected]. You also have the right to file a complaint with the Office of the Privacy Commissioner of Canada if you believe we have violated PIPEDA.

13. LinkedIn® Usage & User Responsibilities

Our Chrome extensions provide functionality that operates on third-party platforms including LinkedIn®, Gmail, and Outlook. We are not affiliated with, endorsed by, or sponsored by any of these platforms. Your use of our extensions on these platforms is at your own discretion and risk. You are responsible for understanding and complying with the terms of service of any platform you use in conjunction with our Services. We do not assume liability for any account restrictions, suspensions, or other actions taken by these platforms as a result of your use of our Services.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time by posting a new version on our website. Unless otherwise stated, any modifications take effect as soon as they are posted. We encourage you to review this page periodically to stay informed about how we protect your information.

15. Contact Us

If you have questions or comments about this Privacy Policy, or wish to exercise any data subject rights, please reach out to:

Sellframe Ltd. (trading as "Add to CRM")

14 Avonside Grove, Hamilton, UK, ML3 7DL

Email: [email protected]