Privacy Policy
Last updated: July 14, 2026
The short version: your CRM and lead data stay in your browser. The personal data we hold is limited to what's needed to run your account — your email, your subscription status, and a device identifier used to enforce seats. This page explains all of it, in plain language, with the detail behind each claim.
At a glance
- We don't collect your CRM or lead data. The agent reads and writes it entirely inside your CRM session, on your device.
- We hold your account email (sign-in), your subscription status (billing), and a random device identifier (seat enforcement).
- We don't sell your data, don't run advertising trackers, and don't share personal data for advertising — ever.
- Questions or requests: privacy@ervona.ai. We answer privacy mail personally.
1. Who we are
Ervona ("we", "us") provides Ervona SDR, a Chrome extension that automates outbound outreach inside your CRM, and the ervona.ai website. This policy covers both. For anything privacy-related (or general help), email privacy@ervona.ai.
2. Data you give us
- Account details. Your email address and a securely hashed password, handled by our authentication provider (Supabase Auth). We never see or store your plaintext password.
- Billing details. When you subscribe, our payment processor (Stripe) collects and stores your payment information. We never see or store full card numbers; we retain only a Stripe customer reference, your plan tier, and your subscription status.
- Support messages. If you email us, we keep that correspondence so we can help you and improve the product.
3. Data the extension creates
- Device identifier. On first sign-in, the extension generates a random identifier (a UUID — it contains no information about you or your hardware) and registers it to your account. We use it for one thing: making sure one subscription isn't shared across many computers at once. Plans include 1 active device (Unlimited: up to 3).
- CRM field map. If you use "Map My CRM", we store the on-screen spots you point at — element labels and attributes, e.g. that your Send button reads "Send" — on your account so your setup follows you to any computer you sign in on. This map describes your CRM's layout, not your leads: it contains no lead names, email addresses, phone numbers, or message content.
- Settings & templates. Your templates, engine rules, and workspace configuration are stored in your browser's extension storage. Chrome may sync these across your own Chrome profile via your Google account — that sync is between you and Google and never touches our servers.
- Run history & reports. Your outreach history and run reports are stored locally in extension storage on your device. Exported reports (PDF/Excel/CSV) are generated on your device and stamped with your account email — they are not uploaded to us.
4. Data we deliberately do not collect
Ervona SDR operates your CRM locally in your browser. Lead and customer records, email content, phone numbers, notes, message templates, and your outreach history are processed on your device and are not transmitted to our servers. We have no ability to read your CRM. This is an architectural choice, not just a policy promise: the extension has no code path that uploads CRM content.
5. Data collected automatically
Our website and authentication endpoints log basic technical information (such as IP address, browser type, and timestamps) for security, rate-limiting, and keeping the service running. We keep this to a minimum, do not use it to build advertising profiles, and do not enrich it with third-party data. See our Cookie Policy for the (short) list of cookies and local storage we use.
6. How we use data
- To create and secure your account and sign you in.
- To process subscriptions and determine which features your plan unlocks.
- To enforce plan seat limits (the device identifier above).
- To provide support and respond to your requests.
- To detect, prevent, and address abuse, fraud, or technical issues.
We do not use your data to train AI models, and we do not sell or rent personal data to anyone.
7. Legal bases (GDPR)
Where the GDPR applies, we process personal data on these bases:
- Contract — account, billing, seat enforcement, and support: processing needed to provide the service you signed up for.
- Legitimate interests — security logging and abuse prevention, balanced against your rights.
- Consent — any optional analytics or marketing storage (we run none today; if that changes, we'll ask first via the privacy choices page).
- Legal obligation — tax and accounting records tied to payments.
8. Service providers (subprocessors)
We share the limited data above only with providers that help us run the service:
- Supabase — authentication, account/subscription records, and serverless functions. Data hosted in their cloud infrastructure.
- Stripe — payment processing, subscription management, and fraud prevention.
These providers process data on our behalf under their own security and privacy commitments. If we add a subprocessor that touches personal data, we'll update this list before it goes live.
9. International transfers
Our providers may process data in the United States and other countries. Where required, transfers are protected by recognized safeguards such as Standard Contractual Clauses implemented by our providers.
10. Data retention
- Account & subscription records — kept while your account is active; deleted or anonymized within 30 days of a verified deletion request, except records we must keep for legal or accounting reasons (kept only as long as the law requires).
- Security logs — short-lived and rotated automatically.
- Support email — kept as long as useful for helping you, then deleted.
- Everything in your browser (templates, history, reports, settings) — under your control; removed when you uninstall the extension or clear its storage. We couldn't retain it if we wanted to: it never reaches us.
11. Your rights
Depending on where you live (including under the GDPR and the CCPA/CPRA), you may have the right to:
- Access the personal data we hold about you, and get a copy in a portable format.
- Correct inaccurate data, or delete your data ("right to be forgotten").
- Object to or restrict certain processing, and withdraw consent where processing is consent-based.
- Not be discriminated against for exercising any of these rights.
- Complain to your data-protection authority (EU/UK) or your state attorney general (US).
To exercise any of these, email privacy@ervona.ai from your account email — that's how we verify it's you. We respond within the time required by law (30 days for GDPR requests, 45 for CCPA). California residents: we do not "sell" or "share" personal information as defined by the CCPA/CPRA, so there is nothing to opt out of — see Your privacy choices.
12. Security
- All traffic to our services is encrypted in transit (TLS).
- Passwords are hashed by our authentication provider; we never handle them in plaintext.
- Database access is protected by row-level security — your records are readable only by your authenticated session.
- Secret keys live only in server-side environments, never in the extension or website code.
- Least-privilege access: the extension requests only the browser permissions it needs to operate your CRM tab.
No system is perfectly secure, but keeping CRM data on your device rather than our servers removes the biggest risk class entirely: we can't leak what we never had. If we ever become aware of a breach affecting your personal data, we will notify you and the relevant authorities as required by law.
13. Children
Ervona is a business tool and is not directed to anyone under 16. We do not knowingly collect data from children; if you believe a child has provided us data, email privacy@ervona.ai and we'll delete it.
14. Changes to this policy
We may update this policy as the product evolves. Material changes will be reflected by the "Last updated" date above and, where the change meaningfully affects your rights, communicated to you by email before it takes effect.