Forward
Legal

Privacy Policy

Last updated: June 11, 2026

Who we are

Forward CRM is operated by Wesley Swain, an individual sole trader, acting as the data controller for the personal data described below. Contact: hello@forwardcrm.app.

What we collect

  • Account info: email, name, hashed password, optional PIN.
  • Content you create: notes, contacts, deals, tasks, activity, files, tags.
  • Billing info: handled by Paddle — we never see your card number; we receive a customer ID, country, plan, and invoice metadata.
  • Device & usage data: IP address, browser, push-notification tokens, feature usage, and minimal product analytics.
  • Support messages you send us.

How we use it & legal basis

  • Deliver the service (contract): authenticate you, store and show Your Content, sync devices.
  • Billing & tax (contract / legal obligation): manage your subscription via Paddle as Merchant of Record.
  • Reminders & digests (consent / contract): only the emails and push notifications you opt into.
  • Security & fraud prevention (legitimate interests): rate limiting, abuse detection, audit logs.
  • Product improvement & support (legitimate interests): aggregated usage analytics, debugging crashes, replying to you.

We don't sell your data. Ever.

AI processing

Notes and selected metadata are sent to AI providers (OpenAI, Anthropic, Google) via the Lovable AI Gateway to extract structure. Providers do not train on your data. Inputs and outputs are retained only as needed to deliver the response.

Sub-processors we share data with

  • Lovable Cloud (Supabase) — hosting, Postgres database, auth, storage.
  • Cloudflare — CDN and edge serverless runtime.
  • Paddle — Merchant of Record for payments, subscriptions, tax compliance, invoicing.
  • Resend — transactional and notification email delivery.
  • Lovable AI Gateway — routes prompts to OpenAI, Anthropic, and Google for AI features.
  • Web Push services (Apple, Google, Mozilla) — delivering push notifications you opt into.

We may also disclose data to professional advisers (legal, accounting) and to authorities where required by law. No marketing partners. No data brokers.

International transfers

Sub-processors may process data outside your country, including in the United States. Where required, transfers rely on Standard Contractual Clauses or adequacy decisions.

Storage & security

Data is stored in encrypted Postgres with row-level security so only you can read your data. Transport is TLS only. Passwords are hashed. Access to production systems is restricted and logged.

Retention

We keep Your Content for as long as your account is active. If you delete your account, Your Content is removed within 30 days, except backups (purged within 90 days) and records we must keep for tax/legal reasons (typically up to 7 years).

Your rights

You can access, export, rectify, restrict, or delete your data anytime from settings, or by emailing hello@forwardcrm.app. Under GDPR (EEA/UK) and similar laws (CCPA in California), you also have the right to data portability, to object to or restrict processing, to withdraw consent, and to lodge a complaint with your local supervisory authority. We respond within 30 days.

Cookies

We use first-party cookies for sign-in sessions and remembering preferences, and minimal first-party analytics. No third-party advertising cookies.

Children

Forward is not directed to children under 16 and we do not knowingly collect their personal data.

Changes

We may update this policy. Material changes will be announced via email or in-app at least 14 days before they take effect.

Contact

Privacy questions: hello@forwardcrm.app