Prax CRM ("Prax CRM", "we", "us") is operated by Praxxii Global, with registered office at Aligarh, Uttar Pradesh, India. This policy explains what personal data we process, why we process it, how long we keep it, with whom we share it, and the rights you have over it.
This policy applies to praxcrm.com, app.praxcrm.com, every customer subdomain we host, and to any visitor, prospect, signed-in user, customer, or end-user whose data passes through Prax CRM.
1. Roles — controller vs processor
For data about visitors and prospects (people browsing praxcrm.com, filling our forms, signing up), we are the controller: we decide why and how the data is used.
For data your team enters into your Prax CRM workspace — leads, customers, employees, attendance, sales, etc. — you (the customer) are the controller and we are the processor. We process that data only on your documented instructions, as set out in our Data Processing Addendum (see /dpa).
2. What personal data we collect
We collect the categories below. Not every category applies to every person.
- Account data — name, work email, phone, role, designation, company, employee ID, preferred locale.
- Authentication data — password (stored as an Argon2id hash; never plaintext), TOTP secret (encrypted), WebAuthn public-key credentials, recovery codes, session tokens (hashed).
- Workspace content — everything your team puts into Prax CRM: lead and customer records, sales, attendance, payroll, uploaded documents, calls, emails sent through the product.
- Billing data — billing contact, billing address, tax ID, plan, seats, invoice history. Card numbers are never stored on our infrastructure — they're tokenised by Stripe / Razorpay.
- Usage telemetry — pages visited, features used, page-load timing, errors, request method and path, response status, truncated user-agent and approximate region (derived from IP at the edge; we do not store the raw IP beyond 30 days unless tied to a security incident).
- Communications — emails you send to support@, privacy@, security@, sales@, contact-form submissions, demo bookings.
- Marketing analytics — only when you've consented via our cookie banner. Google Analytics with Consent Mode v2, IP-anonymised, no cross-site tracking.
We do not knowingly collect data from anyone under 16. Prax CRM is a B2B product for working adults; if you believe a child's data has been entered into a workspace, email privacy@praxcrm.com and we'll delete it.
3. Why we process it (lawful bases)
- Contract — to provide Prax CRM, authenticate sign-ins, process payments, send service-related notifications.
- Legitimate interest — to run product-usage analytics on aggregated data, prevent fraud and abuse, secure our infrastructure, improve features. We balance our interest against your privacy on each new use.
- Consent — for marketing analytics, third-party integrations you connect, newsletters. Withdrawable at any time from the cookie banner or your profile.
- Legal obligation — tax records, lawful disclosure requests we are compelled to honour.
4. Where your data lives
Workspace data is stored on Convex's managed infrastructure. The default region is the United States. Enterprise customers can request the European Union or Asia-Pacific regions; we'll cover the regional add-on as part of the negotiated SOW.
All data is encrypted in transit with TLS 1.2 or above and at rest with AES-256 on managed storage. Key management is handled by the underlying cloud provider's KMS; we do not export raw keys.
5. International transfers
When personal data of EU/UK or Indian residents is processed in another region, we rely on the European Commission's Standard Contractual Clauses (Module 2 or 3 as applicable), the UK International Data Transfer Addendum, and — for India — the safeguards specified under the Digital Personal Data Protection Act, 2023. SCCs are incorporated by reference into our DPA and are countersigned with every paid customer on request.
6. Subprocessors
We use a small set of vetted subprocessors to run Prax CRM. The current list, with each subprocessor's purpose and region, is published at /legal/subprocessors. We give 30 days' notice before adding or replacing a subprocessor; customers on active plans can object in writing within that window.
7. How long we keep data
- Workspace content — for as long as the subscription is active. After cancellation, data is retained read-only for 30 days so you can export, then permanently deleted within 60 days. Backups age out on a 90-day rolling cycle.
- Account & auth — until you delete your account or the workspace closes; password-reset and login-event logs purge after 12 months.
- Audit logs — kept 365 days unless your plan or regulatory regime requires longer.
- Billing records — kept 7 years to satisfy Indian tax retention requirements; longer where another jurisdiction's law applies.
- Marketing emails — until you unsubscribe; suppression list retained indefinitely so we don't email you again.
- Visitor IP — 30 days, except when tied to a security incident under investigation.
8. Sharing
We do not sell, rent or trade personal data. We share it only with:
- Subprocessors listed at /legal/subprocessors, under a written DPA, only to the extent needed to operate the service.
- Integrations you connect (e.g., a payment gateway, your SMTP provider). The data flow is initiated by you.
- Legal authorities when compelled by a valid binding legal process. We push back on overbroad requests, notify the customer where we're permitted to, and publish an annual transparency note.
- An acquirer, in the event of a merger, acquisition or asset sale — we'd give you advance notice and a clear path to opt out.
9. Your rights
Depending on where you live, you have most or all of the following rights. They apply free of charge unless your request is repetitive or manifestly unfounded.
- Access — get a copy of your personal data.
- Rectification — fix inaccurate or incomplete data.
- Erasure ("right to be forgotten") — have your data deleted. Admins can self-serve from Admin → Settings → Privacy; the action cascades across every workspace-scoped table.
- Restriction — limit how we process your data while you contest its accuracy or our basis for processing.
- Portability — export your data as CSV or JSON.
- Objection — object to legitimate-interest processing or to direct marketing.
- Consent withdrawal — turn off marketing analytics from the cookie banner; revoke integration connections from settings.
- Complaint to a supervisory authority — your local DPA in the EU/UK, the Data Protection Board of India under the DPDP Act, or your state's attorney general in the US.
For requests about data inside a customer's workspace (e.g., a lead asking to be deleted), we forward the request to the workspace's admin — the controller — and assist with the deletion. Email privacy@praxcrm.com; we respond within 30 days.
10. Security
Workspace isolation is enforced by indexed queries and re-checked on every mutation. Passwords are hashed with Argon2id. Session tokens are stored only as SHA-256 hashes, so a value read from our database cannot be replayed as a session token. MFA (TOTP and WebAuthn passkeys) is available on every plan. Full details are on the security page.
We notify customers of confirmed personal-data breaches without undue delay and within 72 hours of discovery where required by law. The notice includes the nature of the breach, scope, mitigation steps and a contact for follow-up.
11. Cookies & similar technologies
We use a minimal set of strictly-necessary first-party cookies for authentication and session continuity. Google Analytics with Consent Mode v2 runs only after you accept on the cookie banner; declining leaves analytics in cookieless mode and we receive aggregated counts only. No cross-site advertising cookies.
12. Marketing communications
Service emails (security alerts, billing receipts, password resets) are not optional — they're required for the contract. Newsletters and product announcements are opt-in; every message includes a one-click unsubscribe.
13. Automated decision-making
We do not subject you to fully-automated decisions that produce legal or similarly significant effects. Spam scoring, fraud signals and rate-limit triggers are reviewable by a human on request.
14. Changes to this policy
We will post material changes here at least 30 days before they take effect, and will notify workspace admins by email. The "last updated" date at the top reflects the most recent change.
15. Contact
Privacy questions, data-subject requests, complaints: privacy@praxcrm.com. Security disclosures: privacy@praxcrm.com (PGP key at /.well-known/pgp-key.asc). Postal address: Praxxii Global, Aligarh, Uttar Pradesh, India.