Privacy Policy

We collect the following categories of information:

• Account information. Name, email address, profile image, and role (admin, manager, or broker), provided when an authorized user accepts an invitation through our identity provider (Clerk).
• CRM records. Contact details, deal information, call logs, follow-up notes, checklist tasks, and email correspondence that YachtsDirect personnel enter or attach to records within the application.
• Google account data. When a user connects a Google account through OAuth, we store an access token, refresh token, and associated calendar identifiers required to operate the integrations described below.
• Website lead data. Information that visitors voluntarily submit through forms on yachtsdirect.com (name, email, phone, vessel details, message) is forwarded to the CRM as a website submission.
• Operational and security logs. Sign-in events, error reports, audit trails of record changes, and synchronization history. These help us secure the application and diagnose problems.

We use the information we collect to:

• Provide and maintain YachtsDirect CRM for authorized users.
• Authenticate users, enforce role-based access controls, and protect the application against unauthorized use.
• Operate the Google Calendar and Gmail integrations described in Section 3.
• Respond to inbound website leads and manage the resulting customer relationships.
• Monitor application health, detect errors, and improve reliability.
• Comply with legal obligations.

YachtsDirect CRM integrates with Google APIs using the OAuth scopes listed below. We request only the scopes necessary to deliver the corresponding functionality, and access is granted by the user on a per-account basis.

• Google Calendar (.../auth/calendar). We create a dedicated “YachtsDirect CRM” calendar in the user’s account and write follow-ups scheduled in the CRM to that calendar. We may read events from that calendar to keep the CRM and Google Calendar in sync.
• Gmail (.../auth/gmail.modify). With the user’s authorization we send email from the connected account, read messages exchanged with contacts to surface them on the contact timeline, and label, archive, or trash messages in response to user actions taken within the CRM.
• OpenID Connect (openid, email, profile). Used solely to identify the Google account connected to a YachtsDirect CRM user.

A user can revoke YachtsDirect CRM’s access to their Google account at any time from Settings → Integrations inside the CRM, or by visiting https://myaccount.google.com/permissions.

We operate YachtsDirect CRM on the following infrastructure providers, each of which processes data on our behalf under their own security and privacy commitments:

• Convex — backend database and serverless functions.
• Clerk — user authentication and session management.
• Cloudflare — frontend hosting and DNS.
• Google — Gmail and Calendar APIs (only when a user has connected their account).
• Slack — operational alerts to our internal channel.

We do not sell personal information, and we do not share Google user data with third parties for advertising or analytics purposes.

We retain account information and CRM records for as long as the account is active or as needed to operate the business. When an authorized user is removed, we deactivate their account immediately and may retain the records they created where they are needed to maintain customer history.

Google OAuth tokens are deleted when a user disconnects the integration from Settings → Integrations.

We protect access to YachtsDirect CRM with invitation-only sign-up, industry-standard password requirements, bot and brute-force protection, and role-based access controls enforced server-side. Communication with our backend is encrypted in transit (HTTPS).

No system is perfectly secure. If you believe an account has been compromised, contact us at tech@yachtsdirect.com immediately.

Authorized users may update their profile information at any time in Settings, disconnect Google integrations from Settings → Integrations, and request deletion of their account by contacting tech@yachtsdirect.com.

If you are a visitor who submitted a form on yachtsdirect.com, you may contact us at the address below to request access to or deletion of the lead record we created.

YachtsDirect CRM is not directed to children under 13 and we do not knowingly collect information from them.

We may update this Privacy Policy from time to time. When we do, we will revise the “Effective” date at the top of the page and, for material changes, notify authorized users by email or in-application notice.

Questions about this Privacy Policy or our handling of information can be sent to tech@yachtsdirect.com.