Privacy Policy of Leaf CRM

Full policy

Owner and Data Controller

Red Ant Technology Sdn Bhd
E-10-08, Block E, Oasis Ara Damansara,
2, Jalan PJU1A/7A, Ara Damansara,
PJU 1A, 47301 Petaling Jaya, Selangor,
Malaysia

Owner contact email: legal@leaf.my

Types of Data collected

Among the types of Personal Data that Leaf CRM collects, by itself or through third parties, there are: first name; last name; phone number; company name; country; email address; Usage Data; Tracker; Data communicated while using the service; payment info; billing address; purchase history; various types of Data; unique device identifiers for advertising (Google Advertiser ID or IDFA, for example); geographic position; language; date of birth; physical address; city; ZIP/Postal code; gender; state; marital status; profession; username; password; VAT Number; Tax ID; website; number of employees; prefix ; workplace; answers to questions; clicks; keypress events; motion sensor events; mouse movements; scroll position; touch events; Contacts permission; Biometric Data access permission; Call permission; Camera permission, without saving or recording; session duration; scroll-to-page interactions; device information; interaction events; page events; custom events; number of Users; session statistics; Universally unique identifier (UUID); crash data.

Complete details on each type of Personal Data collected are provided in the dedicated sections of this privacy policy or by specific explanation texts displayed prior to the Data collection.
Personal Data may be freely provided by the User, or, in case of Usage Data, collected automatically when using Leaf CRM.
Unless specified otherwise, all Data requested by Leaf CRM is mandatory and failure to provide this Data may make it impossible for Leaf CRM to provide its services. In cases where Leaf CRM specifically states that some Data is not mandatory, Users are free not to communicate this Data without consequences to the availability or the functioning of the Service.
Users who are uncertain about which Personal Data is mandatory are welcome to contact the Owner.
Any use of Cookies – or of other tracking tools — by Leaf CRM or by the owners of third-party services used by Leaf CRM serves the purpose of providing the Service required by the User, in addition to any other purposes described in the present document and in the Cookie Policy.

Users are responsible for any third-party Personal Data obtained, published or shared through Leaf CRM.

Mode and place of processing the Data

Methods of processing

The Owner takes appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the Data.
The Data processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated. In addition to the Owner, in some cases, the Data may be accessible to certain types of persons in charge, involved with the operation of Leaf CRM (administration, sales, marketing, legal, system administration) or external parties (such as third-party technical service providers, mail carriers, hosting providers, IT companies, communications agencies) appointed, if necessary, as Data Processors by the Owner. The updated list of these parties may be requested from the Owner at any time.

Place

The Data is processed at the Owner's operating offices and in any other places where the parties involved in the processing are located.

Depending on the User's location, data transfers may involve transferring the User's Data to a country other than their own. To find out more about the place of processing of such transferred Data, Users can check the section containing details about the processing of Personal Data.

Retention time

Unless specified otherwise in this document, Personal Data shall be processed and stored for as long as required by the purpose they have been collected for and may be retained for longer due to applicable legal obligation or based on the Users’ consent.

The purposes of processing

The Data concerning the User is collected to allow the Owner to provide its Service, comply with its legal obligations, respond to enforcement requests, protect its rights and interests (or those of its Users or third parties), detect any malicious or fraudulent activity, as well as the following: Contacting the User, Displaying content from external platforms, Access to third-party accounts, Analytics, Collection of privacy-related preferences, Handling payments, Connecting Data, Data transfer outside of the UK, Data transfer outside the EU, Managing contacts and sending messages, Managing data collection and online surveys, Platform services and hosting, Registration and authentication provided directly by Leaf CRM, SPAM protection, Tag Management, Traffic optimization and distribution, Device permissions for Personal Data access, Offline processing, Heat mapping and session recording, Advertising, Building and running Leaf CRM and Infrastructure monitoring.

For specific information about the Personal Data used for each purpose, the User may refer to the section “Detailed information on the processing of Personal Data”.

Facebook permissions asked by Leaf CRM

Leaf CRM may ask for some Facebook permissions allowing it to perform actions with the User's Facebook account and to retrieve information, including Personal Data, from it. This service allows Leaf CRM to connect with the User's account on the Facebook social network, provided by Facebook Inc.

For more information about the following permissions, refer to the Facebook permissions documentation and to the Facebook privacy policy.

The permissions asked are the following:

Basic information

By default, this includes certain User’s Data such as id, name, picture, gender, and their locale. Certain connections of the User, such as the Friends, are also available. If the User has made more of their Data public, more information will be available.

About Me

Provides access to the 'About Me' section of the profile.

Business Management API

Read and write with Business Management API.

Leads Retrieval

Allows retrieving and reading all information captured by a lead advertisement form with an advertisement created in Ads Manager or the Marketing API.

Manage Advertisements

Provides the ability to manage ads and call the Facebook Ads API on behalf of a User.

Pages manage engagement

Allows creating, editing and deleting comments posted on the page.

Pages manage metadata

Allows subscribing and receiving webhooks about activity on the Page, and updating settings on the Page.

Pages read engagement

Provides access to content (posts, photos, videos, events) posted by the Page, access to followers data (including name, PSID), and profile picture, and access to metadata and other insights about the Page.

Show List of Managed Pages

Provides the access to show the list of the Pages that the User manages.

Device permissions for Personal Data access

Depending on the User's specific device, Leaf CRM may request certain permissions that allow it to access the User's device Data as described below.

By default, these permissions must be granted by the User before the respective information can be accessed. Once the permission has been given, it can be revoked by the User at any time. In order to revoke these permissions, Users may refer to the device settings or contact the Owner for support at the contact details provided in the present document.
The exact procedure for controlling app permissions may be dependent on the User's device and software.

Please note that the revoking of such permissions might impact the proper functioning of Leaf CRM.

If User grants any of the permissions listed below, the respective Personal Data may be processed (i.e accessed to, modified or removed) by Leaf CRM.

Biometric Data access permission

Used for accessing the User's biometrical Data and/or authentication systems, such as for instance, FaceID.

Call permission

Used for accessing a host of typical features associated with telephony.

Camera permission, without saving or recording

Used for accessing the camera or capturing images and video from the device.
Leaf CRM does not save or record the camera output.

Contacts permission

Used for accessing contacts and profiles on the User's device, including the changing of entries.

Detailed information on the processing of Personal Data

Personal Data is collected for the following purposes and using the following services:

• Access to third-party accounts

  This type of service allows Leaf CRM to access Data from your account on a third-party service and perform actions with it. These services are not activated automatically, but require explicit authorization by the User.

  Facebook account access (Meta Platforms, Inc.)

  This service allows Leaf CRM to connect with the User's account on the Facebook social network, provided by Facebook, Inc.

  Permissions asked: About Me; Business Management API; Leads Retrieval; Manage Advertisements; Pages manage engagement; Pages manage metadata; Pages read engagement; Show List of Managed Pages.

  Place of processing: United States – Privacy Policy – Opt out.

  Category of Personal Information collected according to the CCPA: identifiers.

  This processing constitutes:

  Linkedin account access (LinkedIn Corporation)

  This service allows Leaf CRM to connect with the User's account on Linkedin, provided by LinkedIn Corporation.

  Personal Data processed: Tracker; Usage Data.

  Place of processing: United States – Privacy Policy.

  Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.

  This processing constitutes:

  • a Sale in California

• Advertising

  This type of service allows User Data to be utilized for advertising communication purposes. These communications are displayed in the form of banners and other advertisements on Leaf CRM, possibly based on User interests. This does not mean that all Personal Data are used for this purpose. Information and conditions of use are shown below. Some of the services listed below may use Trackers to identify Users or they may use the behavioral retargeting technique, i.e. displaying ads tailored to the User’s interests and behavior, including those detected outside Leaf CRM. For more information, please check the privacy policies of the relevant services. Services of this kind usually allow Users to opt out of such tracking. Users may learn how to opt out of interest-based advertising more generally by visiting the relevant opt-out section in this document.

  Google Ad Manager (Google LLC)

  Google Ad Manager is an advertising service provided by Google LLC that allows the Owner to run advertising campaigns in conjunction with external advertising networks that the Owner, unless otherwise specified in this document, has no direct relationship with. This service uses the “DoubleClick” Cookie, which tracks use of Leaf CRM and User behavior concerning ads, products and services offered.  

  Users may decide to disable all the DoubleClick Cookies by going to: Google Ad Settings.

  In order to understand Google's use of Data, consult their partner policy and their Business Data page.

  Personal Data processed: Trackers; Usage Data.

  Place of processing: United States – Privacy Policy.

  Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.

  This processing constitutes:

  • a Sale in the United States
  • a Sharing in California
  • Targeted Advertising in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Nevada, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island and Montana

• Analytics

  The services contained in this section enable the Owner to monitor and analyze web traffic and can be used to keep track of User behavior.

  Google Analytics (Universal Analytics) (Google LLC)

  Google Analytics (Universal Analytics) is a web analysis service provided by Google LLC or by Google Ireland Limited, depending on how the Owner manages the Data processing, (“Google”). Google utilizes the Data collected to track and examine the use of Leaf CRM, to prepare reports on its activities and share them with other Google services.
  Google may use the Data collected to contextualize and personalize the ads of its own advertising network.

  In order to understand Google's use of Data, consult Google's partner policy.

  Personal Data processed: Tracker; Usage Data.

  Place of processing: United States – Privacy Policy – Opt Out; Ireland – Privacy Policy – Opt Out.

  Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.

  This processing constitutes:

  • a Sale in the United States

  Google Analytics 4 (Google LLC)

  Google Analytics 4 is a web analysis service provided by Google LLC (“Google”). Google utilizes the Data collected to track and examine the use of Leaf CRM, to prepare reports on its activities and share them with other Google services. Google may use the Data collected to contextualize and personalize the ads of its own advertising network. In Google Analytics 4, IP addresses are used at collection time and then discarded before Data is logged in any data center or server. Users can learn more by consulting Google’s official documentation.

  In order to understand Google's use of Data, consult their partner policy and their Business Data page.

  Personal Data processed: number of Users; session statistics; Trackers; Usage Data.

  Place of processing: United States – Privacy Policy – Opt out.

  Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.

  This processing constitutes:

  • a Sale in the United States

• Building and running Leaf CRM

  Key components of Leaf CRM are built and run directly by the Owner by making use of the software listed below.

  WordPress (self-hosted) (Leaf CRM)

  Leaf CRM is built and run by the Owner via a CMS software (Content Management System) called WordPress.

  Personal Data processed: company name; email address; first name; last name; phone number.

  Category of Personal Information collected according to the CCPA: identifiers; commercial information.

• Collection of privacy-related preferences

  This type of service allows Leaf CRM to collect and store Users’ preferences related to the collection, use, and processing of their personal information, as requested by the applicable privacy legislation.

  iubenda Consent Solution (iubenda srl)

  The iubenda Consent Solution allows to store and retrieve records of Users’ consent to the processing of Personal Data, and information and preferences expressed in relation to the provided consent.
  In order to do so, it makes use of a Tracker that temporarily stores pending information on the User’s device until it is processed by the API. The Tracker (a browser feature called localStorage) is at that point deleted.

  Personal Data processed: Data communicated while using the service; Tracker.

  Place of processing: Italy – Privacy Policy.

  Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.

  This processing constitutes:

  iubenda Cookie Solution (iubenda srl)

  The iubenda Cookie Solution allows the Owner to collect and store Users’ preferences related to the processing of personal information, and in particular to the use of Cookies and other Trackers on Leaf CRM.

  Personal Data processed: Tracker.

  Place of processing: Italy – Privacy Policy.

  Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.

  This processing constitutes:

• Connecting Data

  This type of service allows the Owner to connect Data with third-party services disclosed within this privacy policy.
  This results in Data flowing through these services, potentially causing the retention of this Data.

  Zapier (Zapier, Inc.)

  Zapier is a workflow automation service provided by Zapier, Inc. that automates the movement of Data between (third-party) services.

  Personal Data processed: company name; email address.

  Place of processing: United States – Privacy Policy.

  Category of Personal Information collected according to the CCPA: identifiers; commercial information.

  This processing constitutes:

  • a Sale in California

• Contacting the User

  Contact form (Leaf CRM)

  By filling in the contact form with their Data, the User authorizes Leaf CRM to use these details to reply to requests for information, quotes or any other kind of request as indicated by the form’s header.

  Personal Data processed: company name; country; email address; first name; last name; phone number.

  Category of Personal Information collected according to the CCPA: identifiers; commercial information.

  This processing constitutes:

  Mailing list or newsletter (Leaf CRM)

  By registering on the mailing list or for the newsletter, the User’s email address will be added to the contact list of those who may receive email messages containing information of commercial or promotional nature concerning Leaf CRM. Your email address might also be added to this list as a result of signing up to Leaf CRM or after making a purchase.

  Personal Data processed: email address.

  Category of Personal Information collected according to the CCPA: identifiers.

• Device permissions for Personal Data access

  Leaf CRM requests certain permissions from Users that allow it to access the User's device Data as described below.

  Device permissions for Personal Data access (Leaf CRM)

  Leaf CRM requests certain permissions from Users that allow it to access the User's device Data as summarized here and described within this document.

  Personal Data processed: Biometric Data access permission; Call permission; Camera permission, without saving or recording; Contacts permission.

  Category of Personal Information collected according to the CCPA: biometric information; internet or other electronic network activity information.

  This processing constitutes:

• Displaying content from external platforms

  This type of service allows you to view content hosted on external platforms directly from the pages of Leaf CRM and interact with them.
  This type of service might still collect web traffic data for the pages where the service is installed, even when Users do not use it.

  Google Fonts (Google LLC)

  Google Fonts is a typeface visualization service provided by Google LLC or by Google Ireland Limited, depending on how the Owner manages the Data processing, that allows Leaf CRM to incorporate content of this kind on its pages.

  Personal Data processed: Tracker; Usage Data.

  Place of processing: United States – Privacy Policy; Ireland – Privacy Policy.

  Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.

  This processing constitutes:

  • a Sale in California

  Font Awesome (Fonticons, Inc. )

  Font Awesome is a typeface visualization service provided by Fonticons, Inc. that allows Leaf CRM to incorporate content of this kind on its pages.

  Personal Data processed: Tracker; Usage Data.

  Place of processing: United States – Privacy Policy.

  Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.

  This processing constitutes:

  • a Sale in California

• Handling payments

  Unless otherwise specified, Leaf CRM processes any payments by credit card, bank transfer or other means via external payment service providers. In general and unless where otherwise stated, Users are requested to provide their payment details and personal information directly to such payment service providers. Leaf CRM isn't involved in the collection and processing of such information: instead, it will only receive a notification by the relevant payment service provider as to whether payment has been successfully completed.

  Stripe (Stripe Inc)

  Stripe is a payment service provided by Stripe Inc, Stripe Technology Europe Ltd or by Stripe Payments Ltd, depending on how the Owner manages the Data processing.

  Personal Data processed: billing address; email address; first name; last name; payment info; purchase history.

  Place of processing: United States – Privacy Policy; Ireland – Privacy Policy; United Kingdom – Privacy Policy.

  Category of Personal Information collected according to the CCPA: identifiers; commercial information.

  This processing constitutes:

• Heat mapping and session recording

  Heat mapping services are used to display the areas of Leaf CRM that Users interact with most frequently. This shows where the points of interest are. These services make it possible to monitor and analyze web traffic and keep track of User behavior. Some of these services may record sessions and make them available for later visual playback.

  Microsoft Clarity (Microsoft Corporation)

  Microsoft Clarity is a session recording and heat mapping service provided by Microsoft Corporation. Microsoft processes or receives Personal Data via Microsoft Clarity, which in turn may be used for any purpose in accordance with the Microsoft Privacy Statement, including improving and providing Microsoft Advertising.

  Personal Data processed: clicks; custom events; device information; interaction events; mouse movements; page events; scroll-to-page interactions; session duration.

  Place of processing: United States – Privacy Policy.

  Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.

• Infrastructure monitoring

  This type of service allows Leaf CRM to monitor the use and behavior of its components so its performance, operation, maintenance and troubleshooting can be improved. Which Personal Data are processed depends on the characteristics and mode of implementation of these services, whose function is to filter the activities of Leaf CRM.

  Crashlytics (Google LLC)

  Crashlytics is a monitoring service provided by Google LLC.

  Personal Data processed: crash data; device information; Trackers; Universally unique identifier (UUID).

  Place of processing: United States – Privacy Policy.

  Category of Personal Information collected according to the CCPA: identifiers; internet or other electronic network activity information.

• Managing contacts and sending messages

  This type of service makes it possible to manage a database of email contacts, phone contacts or any other contact information to communicate with the User.
  These services may also collect data concerning the date and time when the message was viewed by the User, as well as when the User interacted with it, such as by clicking on links included in the message.

  Firebase Cloud Messaging (Google LLC)

  Firebase Cloud Messaging is a message sending service provided by Google LLC or by Google Ireland Limited, depending on how the Owner manages the Data processing. Firebase Cloud Messaging allows the Owner to send messages and notifications to Users across platforms such as Android, iOS, and the web. Messages can be sent to single devices, groups of devices, or specific topics or User segments.

  Personal Data processed: various types of Data as specified in the privacy policy of the service.

  Place of processing: United States – Privacy Policy; Ireland – Privacy Policy; United States – Privacy Policy; Ireland – Privacy Policy; Canada – Privacy Policy; Canada – Privacy Policy; Brazil – Privacy Policy; Brazil – Privacy Policy; United Kingdom – Privacy Policy; United Kingdom – Privacy Policy; Belgium – Privacy Policy; Belgium – Privacy Policy; Switzerland – Privacy Policy; Switzerland – Privacy Policy; Germany – Privacy Policy; Germany – Privacy Policy; India – Privacy Policy; India – Privacy Policy; Singapore – Privacy Policy; Singapore – Privacy Policy; Indonesia – Privacy Policy; Indonesia – Privacy Policy; Hong Kong – Privacy Policy; Hong Kong – Privacy Policy; Taiwan – Privacy Policy; Taiwan – Privacy Policy; Japan – Privacy Policy; Japan – Privacy Policy; Australia – Privacy Policy; Australia – Privacy Policy; Korea, Republic of – Privacy Policy; Korea, Republic of – Privacy Policy.

  Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.

  This processing constitutes:

  • a Sale in California
  • a Sharing in California

  OneSignal (Lilomi, Inc.)

  OneSignal is a message sending service provided by Lilomi, Inc.

  OneSignal allows the Owner to send messages and notifications to Users across platforms such as Android, iOS, and the web. Messages can be sent to single devices, groups of devices, or specific topics or User segments. Depending on the permissions granted to Leaf CRM, the Data collected may also include precise location (i.e. GPS-level data) or WiFi information, apps installed and enabled on the User's device. Leaf CRM uses identifiers for mobile devices (including Android Advertising ID or Advertising Identifier for iOS, respectively) and technologies similar to cookies to run the OneSignal service.

  The Data collected may be used by the service provider for interest-based advertising, analytics and market research. In order to understand OneSignal's use of Data, consult OneSignal's privacy policy.

  Push notifications opt-out
  Users may in most cases opt-out of receiving push notifications by visiting their device settings, such as the notification settings for mobile phones, and then changing those settings for some or all of the apps on the particular device.

  Interest-based advertising opt-out
  Users may opt-out of OneSignal advertising features through applicable device settings, such as the device advertising settings for mobile phones. Different device configurations, or updates to devices, may affect or change how these indicated settings work.

  Personal Data processed: email address; geographic position; language; Tracker; unique device identifiers for advertising (Google Advertiser ID or IDFA, for example); Usage Data; various types of Data as specified in the privacy policy of the service.

  Place of processing: United States – Privacy Policy – Opt out.

  Category of Personal Information collected according to the CCPA: identifiers; internet or other electronic network activity information; geolocation data; inferences drawn from other personal information.

  This processing constitutes:

  • a Sale in California
  • a Sharing in California

  Brevo email (SendinBlue SAS)

  Brevo email is an email address management and message-sending service provided by SendinBlue SAS.

  Personal Data processed: email address; Trackers; Usage Data.

  Place of processing: France – Privacy Policy.

  Category of Personal Information collected according to the CCPA: identifiers; internet or other electronic network activity information.

  This processing constitutes:

  • a Sale in the United States
  • a Sharing in California
  • Targeted Advertising in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Nevada, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island and Montana

  Mailgun (Mailgun Technologies, Inc.)

  Mailgun is an email address management and message sending service provided by Mailgun Technologies, Inc.

  Personal Data processed: email address; first name; last name.

  Place of processing: United States – Privacy Policy.

  Category of Personal Information collected according to the CCPA: identifiers.

  This processing constitutes:

  • a Sale in the United States
  • a Sharing in California
  • Targeted Advertising in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Nevada, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island and Montana

• Managing data collection and online surveys

  This type of service allows Leaf CRM to manage the creation, deployment, administration, distribution and analysis of online forms and surveys in order to collect, save and reuse Data from any responding Users.
  The Personal Data collected depend on the information asked and provided by the Users in the corresponding online form.

  These services may be integrated with a wide range of third-party services to enable the Owner to take subsequent steps with the Data processed - e.g. managing contacts, sending messages, analytics, advertising and payment processing.

  Facebook lead ads (Facebook, Inc.)

  Facebook lead ads is an advertising and data collection service provided by Facebook, Inc. or by Facebook Ireland Ltd, depending on how the Owner manages the Data processing, that allows form-based ads to be shown to Users pre-populated with Personal Data from their Facebook profiles, such as names and email addresses. Depending on the type of advertisement, Users may be requested to provide further information.

  Form submission results in the collection and processing of these Data by the Owner under this privacy policy, and only for the specific purpose outlined on the form and/or inside this privacy policy, where provided.

  Users may exercise their rights, at any time, including the right to withdraw their consent to the processing of their Data, as specified in the section containing information about User rights in this privacy policy.

  Personal Data processed: city; company name; country; Data communicated while using the service; date of birth; email address; first name; gender; last name; marital status; phone number; physical address; profession; state; Tracker; ZIP/Postal code.

  Place of processing: United States – Privacy Policy – Opt out; Ireland – Privacy Policy – Opt out.

  Category of Personal Information collected according to the CCPA: identifiers; commercial information; biometric information; internet or other electronic network activity information; employment related information; inferences drawn from other personal information.

  This processing constitutes:

  • a Sale in California

  Typeform (TYPEFORM S.L)

  Typeform is a form builder and data collection platform provided by TYPEFORM S.L.

  Personal Data processed: company name; country; Data communicated while using the service; date of birth; email address; first name; gender; geographic position; last name; number of employees; password; phone number; physical address; profession; state; Tax ID; Tracker; username; various types of Data as specified in the privacy policy of the service; VAT Number; website.

  Place of processing: Spain – Privacy Policy.

  Category of Personal Information collected according to the CCPA: identifiers; commercial information; biometric information; internet or other electronic network activity information; geolocation data; employment related information; inferences drawn from other personal information.

  This processing constitutes:

  • a Sale in California

• Offline processing

  Contact Access for local lead matching with no external sharing or transmission, and no access to contact images or extra data

  We only use it for local lead matching, no external sharing or transmission, and no access to contact images or extra data.

• Platform services and hosting

  These services have the purpose of hosting and running key components of Leaf CRM, therefore allowing the provision of Leaf CRM from within a unified platform. Such platforms provide a wide range of tools to the Owner – e.g. analytics, user registration, commenting, database management, e-commerce, payment processing – that imply the collection and handling of Personal Data.
  Some of these services work through geographically distributed servers, making it difficult to determine the actual location where the Personal Data are stored.

  Apple App Store (Apple Inc.)

  Leaf CRM is distributed on Apple's App Store, a platform for the distribution of mobile apps, provided by Apple Inc.

  By virtue of being distributed via this app store, Apple collects basic analytics and provides reporting features that enables the Owner to view usage analytics data and measure the performance of Leaf CRM. Much of this information is processed on an opt-in basis.

  Users may opt-out of this analytics feature directly through their device settings. More information on how to manage analysis settings can be found on this page.

  Personal Data processed: Usage Data.

  Place of processing: United States – Privacy Policy.

  Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.

  This processing constitutes:

  Google Play Store (Google LLC)

  Leaf CRM is distributed on the Google Play Store, a platform for the distribution of mobile apps, provided by Google LLC or by Google Ireland Limited, depending on how the Owner manages the Data processing.

  By virtue of being distributed via this app store, Google collects usage and diagnostics data and share aggregate information with the Owner. Much of this information is processed on an opt-in basis.

  Users may opt-out of this analytics feature directly through their device settings. More information on how to manage analysis settings can be found on this page.

  Personal Data processed: Usage Data.

  Place of processing: United States – Privacy Policy; Ireland – Privacy Policy.

  Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.

  This processing constitutes:

• Registration and authentication provided directly by Leaf CRM

  By registering or authenticating, Users allow Leaf CRM to identify them and give them access to dedicated services. The Personal Data is collected and stored for registration or identification purposes only. The Data collected are only those necessary for the provision of the service requested by the Users.

  Direct registration (Leaf CRM)

  The User registers by filling out the registration form and providing the Personal Data directly to Leaf CRM.

  Personal Data processed: billing address; city; company name; country; date of birth; email address; first name; gender; last name; number of employees; password; phone number; physical address; prefix ; state; Tracker; Usage Data; various types of Data; website; workplace; ZIP/Postal code.

  Category of Personal Information collected according to the CCPA: identifiers; commercial information; biometric information; internet or other electronic network activity information; employment related information; inferences drawn from other personal information.

  This processing constitutes:

• SPAM protection

  This type of service analyzes the traffic of Leaf CRM, potentially containing Users' Personal Data, with the purpose of filtering it from parts of traffic, messages and content that are recognized as SPAM.

  Google reCAPTCHA (Google LLC)

  Google reCAPTCHA is a SPAM protection service provided by Google LLC or by Google Ireland Limited, depending on how the Owner manages the Data processing.
  The use of reCAPTCHA is subject to the Google privacy policy and terms of use.

  In order to understand Google's use of Data, consult Google's partner policy.

  Personal Data processed: answers to questions; clicks; keypress events; motion sensor events; mouse movements; scroll position; touch events; Tracker; Usage Data.

  Place of processing: United States – Privacy Policy; Ireland – Privacy Policy.

  Category of Personal Information collected according to the CCPA: internet or other electronic network activity information; inferences drawn from other personal information.

  This processing constitutes:

• Tag Management

  This type of service helps the Owner to manage the tags or scripts needed on Leaf CRM in a centralized fashion.
  This results in the Users' Data flowing through these services, potentially resulting in the retention of this Data.

  Google Tag Manager (Google LLC)

  Google Tag Manager is a tag management service provided by Google LLC or by Google Ireland Limited, depending on how the Owner manages the Data processing.

  Personal Data processed: Tracker; Usage Data.

  Place of processing: United States – Privacy Policy; Ireland – Privacy Policy.

  Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.

  This processing constitutes:

  • a Sale in California

• Traffic optimization and distribution

  This type of service allows Leaf CRM to distribute their content using servers located across different countries and to optimize their performance.
  Which Personal Data are processed depends on the characteristics and the way these services are implemented. Their function is to filter communications between Leaf CRM and the User's browser.
  Considering the widespread distribution of this system, it is difficult to determine the locations to which the contents that may contain Personal Information of the User are transferred.

  Cloudflare (Cloudflare Inc.)

  Cloudflare is a traffic optimization and distribution service provided by Cloudflare Inc.
  The way Cloudflare is integrated means that it filters all the traffic through Leaf CRM, i.e., communication between Leaf CRM and the User's browser, while also allowing analytical data from Leaf CRM to be collected.

  Personal Data processed: Tracker; various types of Data as specified in the privacy policy of the service.

  Place of processing: United States – Privacy Policy.

  Category of Personal Information collected according to the CCPA: internet or other electronic network activity information.

  This processing constitutes:

  • a Sale in California

Information on opting out of interest-based advertising

In addition to any opt-out feature provided by any of the services listed in this document, Users may learn more on how to generally opt out of interest-based advertising within the dedicated section of the Cookie Policy.

Further information about the processing of Personal Data

• Selling goods and services online

  The Personal Data collected are used to provide the User with services or to sell goods, including payment and possible delivery.
  The Personal Data collected to complete the payment may include the credit card, the bank account used for the transfer, or any other means of payment envisaged. The kind of Data collected by Leaf CRM depends on the payment system used.

• localStorage

  localStorage allows Leaf CRM to store and access data right in the User's browser with no expiration date.

• Equal protection of User Data

  Leaf CRM shares User Data only with third parties carefully selected to ensure that they provide the same or equal protection of User Data as stated in this privacy policy and requested by applicable data protection laws. Further information on data processing and privacy practices by third parties can be found in their respective privacy policies.

• Push notifications

  Leaf CRM may send push notifications to the User to achieve the purposes outlined in this privacy policy.

  Users may in most cases opt-out of receiving push notifications by visiting their device settings, such as the notification settings for mobile phones, and then change those settings for Leaf CRM, some or all of the apps on the particular device.
  Users must be aware that disabling push notifications may negatively affect the utility of Leaf CRM.

• sessionStorage

  sessionStorage allows Leaf CRM to store and access data right in the User's browser. Data in sessionStorage is deleted automatically when the session ends (in other words, when the browser tab is closed).

• Unique device identification

  Leaf CRM may track Users by storing a unique identifier of their device, for analytics purposes or for storing Users' preferences.

• User identification via a universally unique identifier (UUID)

  Leaf CRM may track Users by storing a so-called universally unique identifier (or short UUID) for analytics purposes or for storing Users' preferences. This identifier is generated upon installation of this Application, it persists between Application launches and updates, but it is lost when the User deletes the Application. A reinstall generates a new UUID.

Cookie Policy

Leaf CRM uses Trackers. To learn more, Users may consult the Cookie Policy.

Transfer of Personal Data outside of the European Union

Data transfer abroad based on consent

If this is the legal basis, Personal Data of Users shall be transferred from the EU to third countries only if the User has explicitly consented to such transfer, after having been informed of the possible risks due to the absence of an adequacy decision and appropriate safeguards.
In such cases, the Owner shall inform Users appropriately and collect their explicit consent via Leaf CRM.

Transfer of Personal Data outside of the United Kingdom

Data transfer abroad based on consent (UK)

If this is the legal basis, Personal Data of Users shall be transferred from the UK to third countries only if the User has explicitly consented to such transfer, after having been informed of the possible risks due to the absence of an adequacy decision and appropriate safeguards.

In such cases, the Owner shall inform Users appropriately and collect their explicit consent via Leaf CRM.

Further information for Users in Switzerland

This section applies to Users in Switzerland, and, for such Users, supersedes any other possibly divergent or conflicting information contained in the privacy policy.

Further details regarding the categories of Data processed, the purposes of processing, the categories of recipients of the personal data, if any, the retention period and further information about Personal Data can be found in the section titled “Detailed information on the processing of Personal Data” within this document.

The rights of Users according to the Swiss Federal Act on Data Protection

Users may exercise certain rights regarding their Data within the limits of law, including the following:

• right of access to Personal Data;
• right to object to the processing of their Personal Data (which also allows Users to demand that processing of Personal Data be restricted, Personal Data be deleted or destroyed, specific disclosures of Personal Data to third parties be prohibited);
• right to receive their Personal Data and have it transferred to another controller (data portability);
• right to ask for incorrect Personal Data to be corrected.

How to exercise these rights

Any requests to exercise User rights can be directed to the Owner through the contact details provided in this document. Such requests are free of charge and will be answered by the Owner as early as possible, providing Users with the information required by law.

Further information for Users in Brazil

This section of the document integrates with and supplements the information contained in the rest of the privacy policy and is provided by the entity running Leaf CRM and, if the case may be, its parent, subsidiaries and affiliates (for the purposes of this section referred to collectively as “we”, “us”, “our”).
This section applies to all Users in Brazil (Users are referred to below, simply as “you”, “your”, “yours”), according to the "Lei Geral de Proteção de Dados" (the "LGPD"), and for such Users, it supersedes any other possibly divergent or conflicting information contained in the privacy policy.
This part of the document uses the term “personal information“ as it is defined in the LGPD.

The grounds on which we process your personal information

We can process your personal information solely if we have a legal basis for such processing. Legal bases are as follows:

• your consent to the relevant processing activities;
• compliance with a legal or regulatory obligation that lies with us;
• the carrying out of public policies provided in laws or regulations or based on contracts, agreements and similar legal instruments;
• studies conducted by research entities, preferably carried out on anonymized personal information;
• the carrying out of a contract and its preliminary procedures, in cases where you are a party to said contract;
• the exercising of our rights in judicial, administrative or arbitration procedures;
• protection or physical safety of yourself or a third party;
• the protection of health – in procedures carried out by health entities or professionals;
• our legitimate interests, provided that your fundamental rights and liberties do not prevail over such interests; and
• credit protection.

To find out more about the legal bases, you can contact us at any time using the contact details provided in this document.

Categories of personal information processed

To find out what categories of your personal information are processed, you can read the section titled “Detailed information on the processing of Personal Data” within this document.

Why we process your personal information

To find out why we process your personal information, you can read the sections titled “Detailed information on the processing of Personal Data” and “The purposes of processing” within this document.

Your Brazilian privacy rights, how to file a request and our response to your requests

Your Brazilian privacy rights

You have the right to:

• obtain confirmation of the existence of processing activities on your personal information;
• access to your personal information;
• have incomplete, inaccurate or outdated personal information rectified;
• obtain the anonymization, blocking or elimination of your unnecessary or excessive personal information, or of information that is not being processed in compliance with the LGPD;
• obtain information on the possibility to provide or deny your consent and the consequences thereof;
• obtain information about the third parties with whom we share your personal information;
• obtain, upon your express request, the portability of your personal information (except for anonymized information) to another service or product provider, provided that our commercial and industrial secrets are safeguarded;
• obtain the deletion of your personal information being processed if the processing was based upon your consent, unless one or more exceptions provided for in art. 16 of the LGPD apply;
• revoke your consent at any time;
• lodge a complaint related to your personal information with the ANPD (the National Data Protection Authority) or with consumer protection bodies;
• oppose a processing activity in cases where the processing is not carried out in compliance with the provisions of the law;
• request clear and adequate information regarding the criteria and procedures used for an automated decision; and
• request the review of decisions made solely on the basis of the automated processing of your personal information, which affect your interests. These include decisions to define your personal, professional, consumer and credit profile, or aspects of your personality.

You will never be discriminated against, or otherwise suffer any sort of detriment, if you exercise your rights.

How to file your request

You can file your express request to exercise your rights free from any charge, at any time, by using the contact details provided in this document, or via your legal representative.

How and when we will respond to your request

We will strive to promptly respond to your requests.
In any case, should it be impossible for us to do so, we’ll make sure to communicate to you the factual or legal reasons that prevent us from immediately, or otherwise ever, complying with your requests. In cases where we are not processing your personal information, we will indicate to you the physical or legal person to whom you should address your requests, if we are in the position to do so.

In the event that you file an access or personal information processing confirmation request, please make sure that you specify whether you’d like your personal information to be delivered in electronic or printed form.
You will also need to let us know whether you want us to answer your request immediately, in which case we will answer in a simplified fashion, or if you need a complete disclosure instead.
In the latter case, we’ll respond within 15 days from the time of your request, providing you with all the information on the origin of your personal information, confirmation on whether or not records exist, any criteria used for the processing and the purposes of the processing, while safeguarding our commercial and industrial secrets.

In the event that you file a rectification, deletion, anonymization or personal information blocking request, we will make sure to immediately communicate your request to other parties with whom we have shared your personal information in order to enable such third parties to also comply with your request — except in cases where such communication is proven impossible or involves disproportionate effort on our side.

Transfer of personal information outside of Brazil permitted by the law

We are allowed to transfer your personal information outside of the Brazilian territory in the following cases:

• when the transfer is necessary for international legal cooperation between public intelligence, investigation and prosecution bodies, according to the legal means provided by the international law;
• when the transfer is necessary to protect your life or physical security or those of a third party;
• when the transfer is authorized by the ANPD;
• when the transfer results from a commitment undertaken in an international cooperation agreement;
• when the transfer is necessary for the execution of a public policy or legal attribution of public service;
• when the transfer is necessary for compliance with a legal or regulatory obligation, the carrying out of a contract or preliminary procedures related to a contract, or the regular exercise of rights in judicial, administrative or arbitration procedures.

Additional information for Users in Brazil

Transfer of personal information outside of Brazil based on your consent

We can transfer your personal information outside of the Brazilian territory if you consent to such transfer.
When we ask for your consent, we’ll make sure to provide all the information that you need to make an educated decision and to understand the implications and consequences of providing or denying your consent.
Such information will be given in clear and plain language and in such a way that you’ll be able to clearly distinguish these requests from other consent requests that we may possibly ask.
You may withdraw your consent at any time.

Further information for Users in the United States

This part of the document integrates with and supplements the information contained in the rest of the privacy policy and is provided by the business running Leaf CRM and, if the case may be, its parent, subsidiaries and affiliates (for the purposes of this section referred to collectively as “we”, “us”, “our”).

The information contained in this section applies to all Users (Users are referred to below, simply as “you”, “your”, “yours”), who are residents in the following states: California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Nevada, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island and Montana.

For such Users, this information supersedes any other possibly divergent or conflicting provisions contained in the privacy policy.

This part of the document uses the term Personal Information (and Sensitive Personal Information).

Notice at collection

The following Notice at collection provides you with timely notice about the categories of Personal Information collected or disclosed in the past 12 months so that you can exercise meaningful control over our use of that Information.

While such categorization of Personal Information is mainly based on California privacy laws, it can also be helpful for anyone who is not a California resident to get a general idea of what types of Personal Information are collected.

ℹ️ You can read the definitions of these concepts inside the “Definitions and legal references section” of the privacy policy.

To know more about your rights in particular to opt out of certain processing activities and to limit the use of your sensitive personal information (“Limit the Use of My Sensitive Personal Information”) you can refer to the “Your privacy rights under US state laws” section of our privacy policy.

For more details on the collection of Personal Information, please read the section “Detailed information on the processing of Personal Data” of our privacy policy.

We won’t process your Information for unexpected purposes, or for purposes that are not reasonably necessary to and compatible with the purposes originally disclosed, without your consent.

What are the sources of the Personal Information we collect?

We collect the above-mentioned categories of Personal Information, either directly or indirectly, from you when you use Leaf CRM.

For example, you directly provide your Personal Information when you submit requests via any forms on Leaf CRM. You also provide Personal Information indirectly when you navigate Leaf CRM, as Personal Information about you is automatically observed and collected.

Finally, we may collect your Personal Information from third parties that work with us in connection with the Service or with the functioning of Leaf CRM and features thereof.

Your privacy rights under US state laws

You may exercise certain rights regarding your Personal Information. In particular, to the extent permitted by applicable law, you have:

• the right to access Personal Information: the right to know. You have the right to request that we confirm whether or not we are processing your Personal Information. You also have the right to access such Personal Information;
• the right to correct inaccurate Personal Information. You have the right to request that we correct any inaccurate Personal Information we maintain about you;
• the right to request the deletion of your Personal Information. You have the right to request that we delete any of your Personal Information;
• the right to obtain a copy of your Personal Information. We will provide your Personal Information in a portable and usable format that allows you to transfer data easily to another entity – provided that this is technically feasible;
• the right to opt out from the Sale of your Personal Information; We will not discriminate against you for exercising your privacy rights.
• the right to non-discrimination.

Additional rights for Users residing in California

In addition to the rights listed above common to all Users in the United States, as a User residing in California, you have:

• The right to opt out of the Sharing of your Personal Information for cross-context behavioral advertising;
• The right to request to limit our use or disclosure of your Sensitive Personal Information to only that which is necessary to perform the services or provide the goods, as is reasonably expected by an average consumer. Please note that certain exceptions outlined in the law may apply, such as, when the collection and processing of Sensitive Personal Information is necessary to verify or maintain the quality or safety of our service.

Additional rights for Users residing in Virginia, Colorado, Connecticut, Texas, Oregon, Nevada, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island and Montana

In addition to the rights listed above common to all Users in the United States, as a User residing in Virginia, Colorado, Connecticut, Texas, Oregon, Nevada, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island and Montana you have

• The right to opt out of the processing of your personal information for Targeted Advertising or profiling in furtherance of decisions that produce legal or similarly significant effects concerning you;
• The right to freely give, deny or withdraw your consent for the processing of your Sensitive Personal Information. Please note that certain exceptions outlined in the law may apply, such as, but not limited to, when the collection and processing of Sensitive Personal Information is necessary for the provision of a product or service specifically requested by the consumer. In Maryland, your Sensitive Personal Information will be collected or processed only if strictly necessary to provide or maintain a specific product or service requested by you.

In Minnesota and Maryland Users also have the right to obtain a list of the specific third parties to which the controller has disclosed the consumer's personal data

* Note that in some states like Minnesota you have the following specific rights connected to profiling:

• The right to question the results of the profiling;
  
• The right to be informed of the reason that the profiling resulted in the decision; if feasible
  
• The right to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future;
  
• The right to review personal data used in the profiling;
  
• If inaccurate, the right to have the data corrected and the profiling decision reevaluated based on the corrected data;
  

Additional rights for users residing in Utah and Iowa

In addition to the rights listed above common to all Users in the United States, as a User residing in Utah and Iowa, you have:

• The right to opt out of the processing of your Personal Information for Targeted Advertising;
• The right to opt out of the processing of your Sensitive Personal Information. Please note that certain exceptions outlined in the law may apply, such as, but not limited to, when the collection and processing of Sensitive Personal Information is necessary for the provision of a product or service specifically requested by the consumer.

How to exercise your privacy rights under US state laws

To exercise the rights described above, you need to submit your request to us by contacting us via the contact details provided in this document.

For us to respond to your request, we must know who you are. We will not respond to any request if we are unable to verify your identity and therefore confirm the Personal Information in our possession relates to you. You are not required to create an account with us to submit your request. We will use any Personal Information collected from you in connection with the verification of your request solely for verification and shall not further disclose the Personal Information, retain it longer than necessary for purposes of verification, or use it for unrelated purposes.

If you are an adult, you can make a request on behalf of a child under your parental authority.

How to exercise your rights to opt out

In addition to what is stated above, to exercise your right to opt-out of Sale or Sharing and Targeted Advertising you can also use the privacy choices link provided on Leaf CRM.

If you want to submit requests to opt out of Sale or Sharing and Targeted Advertising activities via a user-enabled global privacy control, such as for example the Global Privacy Control (“GPC”), you are free to do so and we will abide by such request in a frictionless manner.

How and when we are expected to handle your request

We will respond to your request without undue delay, but in all cases within the timeframe required by applicable law. Should we need more time, we will explain to you the reasons why, and how much more time we need.

Should we deny your request, we will explain to you the reasons behind our denial (where envisaged by applicable law you may then contact the relevant authority to submit a complaint).

We do not charge a fee to process or respond to your request unless such request is manifestly unfounded or excessive and in all other cases where it is permitted by the applicable law. In such cases, we may charge a reasonable fee or refuse to act on the request. In either case, we will communicate our choices and explain the reasons behind them.

Additional information for Users in the United States

CCPA: Collection of personal information about consumers aged 13 to 16

We collect personal information of consumers between the age of 13 and 16 and won't sell their data unless those consumers have opted-in.

CCPA: Collection of personal information about consumers below the age of 13

We collect personal information of consumers below the age of 13 and won't sell their data unless their parents or guardians have opted-in on behalf of those minors.

CCPA: Collection of personal information about minors

We do not knowingly collect personal information of consumers who are below the age of 16.

Additional information about Data collection and processing

Legal action

The User's Personal Data may be used for legal purposes by the Owner in Court or in the stages leading to possible legal action arising from improper use of Leaf CRM or the related Services.
The User declares to be aware that the Owner may be required to reveal personal data upon request of public authorities.

Additional information about User's Personal Data

In addition to the information contained in this privacy policy, Leaf CRM may provide the User with additional and contextual information concerning particular Services or the collection and processing of Personal Data upon request.

System logs and maintenance

For operation and maintenance purposes, Leaf CRM and any third-party services may collect files that record interaction with Leaf CRM (System logs) or use other Personal Data (such as the IP Address) for this purpose.

Information not contained in this policy

More details concerning the collection or processing of Personal Data may be requested from the Owner at any time. Please see the contact information at the beginning of this document.

Changes to this privacy policy

The Owner reserves the right to make changes to this privacy policy at any time by notifying its Users on this page and possibly within Leaf CRM and/or - as far as technically and legally feasible - sending a notice to Users via any contact information available to the Owner. It is strongly recommended to check this page often, referring to the date of the last modification listed at the bottom.

Should the changes affect processing activities performed on the basis of the User’s consent, the Owner shall collect new consent from the User, where required.