Privacy Policy

Last Updated: February 25, 2026

This Privacy Policy ("Policy") describes how Legasea CRM ("Company", "we", "us", or "our") collects, uses, discloses, and protects personal information when you access or use the Legasea CRM platform, software, website, and associated services (collectively, the "Services"). This Policy applies to all users of the Services, including account holders ("Subscribers"), their authorised users, and visitors to our website.

By accessing or using the Services, you acknowledge that you have read and understood this Policy. If you do not agree with the practices described herein, you must not use the Services.

1. Definitions

1.1 "Personal Information" means any information that identifies, relates to, describes, or could reasonably be linked to an identifiable natural person. This includes, but is not limited to, names, email addresses, phone numbers, IP addresses, device identifiers, and usage data.

1.2 "Subscriber Data" means the data, information, and material that Subscribers input, upload, or store within the Services, including personal information of third parties such as contacts, leads, and clients managed through the CRM.

1.3 "Processing" means any operation performed on Personal Information, whether by automated or manual means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.


2. Information We Collect

2.1 Information You Provide Directly

We collect Personal Information that you voluntarily provide when you:

(a) Register for an account (name, email address, company name, phone number, billing address); (b) Subscribe to a plan or make a payment (payment card details, billing information — processed by our third-party payment processor, Stripe); (c) Input data into the CRM, including contacts, deals, vessels, documents, notes, and communications; (d) Communicate with us via email, support tickets, or other channels; (e) Participate in surveys, promotions, or provide feedback; or (f) Connect third-party integrations (e.g., email accounts, social media accounts, calendar services).

2.2 Information Collected Automatically

When you access or use the Services, we automatically collect certain information, including:

(a) Device and Browser Information: Device type, operating system, browser type and version, screen resolution, and language preferences; (b) Log Data: IP address, access timestamps, pages viewed, features used, clickstream data, and referring/exit URLs; (c) Usage Analytics: Frequency and duration of use, feature adoption, performance metrics, and error logs; (d) Cookies and Similar Technologies: We use cookies, local storage, and similar tracking technologies as described in Section 8 of this Policy; and (e) Push Notification Tokens: If you opt in to push notifications, we collect device tokens necessary to deliver notifications.

2.3 Information from Third Parties

We may receive Personal Information from third parties, including:

(a) Payment processors (Stripe) — transaction confirmations, payment status, and limited card details; (b) Email providers — when you connect your email account for CRM integration, we access email metadata and content as authorised by you; (c) Social media platforms — when you connect social accounts (e.g., Facebook, LinkedIn), we receive profile information and communications data as permitted by those platforms; (d) Calendar services — event data and scheduling information when you connect calendar integrations; and (e) Publicly available sources — business contact information used to enrich CRM records, where lawfully obtained.


3. How We Use Your Information

We use the Personal Information we collect for the following purposes:

3.1 Providing and Operating the Services

(a) Creating and managing your account; (b) Processing subscriptions and payments; (c) Delivering CRM functionality, including contact management, deal tracking, pipeline management, vessel management, document storage, communications (email, messaging, calls), calendar, task management, and AI-assisted features; (d) Processing and generating AI-assisted outputs such as suggested responses, data enrichment, analytics summaries, and document analysis; (e) Providing customer support and responding to enquiries; and (f) Sending transactional communications (e.g., account confirmations, payment receipts, security alerts, service notifications).

3.2 Improving and Developing the Services

(a) Analysing usage patterns to improve features and user experience; (b) Conducting research and development for new features; (c) Diagnosing technical problems and debugging; (d) Generating aggregated, anonymised analytics that cannot identify any individual; (e) Training and improving our AI assistant features using anonymised data only. We do not use identifiable Subscriber Data to train third-party AI models; and (f) Evaluating the quality and accuracy of AI-generated outputs to improve the Services.

3.3 Security and Fraud Prevention

(a) Detecting, preventing, and investigating security incidents, fraud, and abuse; (b) Monitoring for unauthorised access or use of the Services; (c) Enforcing our Terms of Service and other policies; and (d) Verifying identity and authenticating users.

3.4 Legal and Compliance

(a) Complying with applicable laws, regulations, and legal processes; (b) Responding to lawful requests from government authorities; (c) Establishing, exercising, or defending legal claims; and (d) Fulfilling our obligations under data protection legislation.

3.5 Communications

(a) Sending product updates, announcements, and newsletters (where you have opted in or where permitted by law); (b) Notifying you of changes to these policies or our Terms of Service; and (c) Providing in-app notifications and alerts relevant to your use of the Services.


4. Legal Basis for Processing

Where applicable data protection laws require a legal basis for processing Personal Information, we rely on the following:

4.1 Performance of a Contract: Processing necessary to provide the Services to you under our Terms of Service (e.g., account management, payment processing, delivering CRM functionality).

4.2 Legitimate Interests: Processing necessary for our legitimate business interests, provided those interests are not overridden by your rights and freedoms. Our legitimate interests include improving the Services, ensuring security, preventing fraud, and conducting business analytics.

4.3 Consent: Where you have given your explicit consent to processing for specific purposes (e.g., receiving marketing communications, connecting third-party integrations). You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

4.4 Legal Obligations: Processing necessary to comply with our legal obligations (e.g., tax reporting, responding to lawful data access requests).


5. How We Share Your Information

We do not sell your Personal Information to third parties. We may share Personal Information in the following circumstances:

5.1 Service Providers

We engage trusted third-party service providers who process Personal Information on our behalf to help us operate and improve the Services. These providers are contractually obligated to use Personal Information only for the purposes we specify and to maintain appropriate security measures. Our key service providers include:

(a) Stripe — payment processing and subscription management; (b) Hosting and infrastructure providers — cloud hosting, databases, and content delivery; (c) Email delivery services — transactional and notification email delivery; (d) Analytics providers — usage analytics and performance monitoring; (e) AI service providers — processing Subscriber Data to deliver AI-assisted features, including generating suggested responses, data enrichment, analytics summaries, and document analysis. Data transmitted to AI providers may include contact information, deal details, notes, communications content, and documents you input into the Services. We require AI providers to process this data solely for the purpose of delivering the requested AI output and not to use it for training their own models. Where possible, data is anonymised or pseudonymised before transmission; and (f) Customer support tools — helping us manage support requests.

5.2 Legal Requirements

We may disclose Personal Information if required to do so by law, regulation, legal process, or governmental request. We will endeavour to provide you with advance notice of such disclosure, to the extent permitted by law.

5.3 Business Transfers

In the event of a merger, acquisition, reorganisation, bankruptcy, or sale of all or a portion of our assets, Personal Information may be transferred as part of the transaction. We will notify you of any such transfer and any choices you may have regarding your information.

5.4 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so, such as when you connect third-party integrations or authorise data sharing.

5.5 Aggregated and Anonymised Data

We may share aggregated, anonymised data that cannot reasonably be used to identify you with third parties for research, analytics, benchmarking, or other business purposes.

5.6 AI-Assisted Features — Data Processing

(a) What Data Is Shared: When you use AI-assisted features within the Services, portions of your Subscriber Data may be transmitted to third-party AI service providers for processing. This may include, depending on the feature used: contact names and details, deal information, vessel specifications, notes, email and message content, document text, and other data you input into the Services that is relevant to the AI feature being invoked.

(b) Purpose of Sharing: Subscriber Data is transmitted to AI providers solely for the purpose of generating the AI output you have requested (e.g., a suggested email response, a deal summary, or an analytics insight). AI providers are contractually prohibited from using your Subscriber Data for any purpose other than delivering the requested output, including for training, fine-tuning, or improving their own models.

(c) AI Service Providers: Our current AI service providers include OpenAI. We may engage additional or alternative AI providers from time to time. An up-to-date list of AI providers is available upon request by contacting us at the details in Section 14.

(d) Data Minimisation: We endeavour to transmit only the minimum Subscriber Data necessary for the relevant AI feature to function. Where technically feasible, we anonymise or pseudonymise data before transmission to AI providers.

(e) Accuracy and Reliability: AI-generated outputs are produced by automated systems and may be inaccurate, incomplete, or misleading. We do not verify the accuracy of AI outputs before presenting them to you. You are solely responsible for reviewing and verifying any AI-generated content before use. AI outputs do not constitute professional advice of any kind.

(f) Data Retention by AI Providers: Our contractual arrangements with AI providers require that Subscriber Data transmitted for processing is not retained by the provider beyond the period necessary to deliver the requested output, subject to any overriding legal obligations applicable to the provider.

(g) Opting Out: Where the Services provide the ability to disable or limit AI-assisted features, you may do so through your account settings. Disabling AI features means your Subscriber Data will not be transmitted to AI service providers for those features. Certain core functionality of the Services may be affected if AI features are disabled.

(h) International Transfers: AI service providers may process your data in jurisdictions outside your country of residence, including the United States. Such transfers are subject to the safeguards described in Section 10 of this Policy.


6. Data Retention

6.1 We retain Personal Information for as long as reasonably necessary to fulfil the purposes for which it was collected, including to satisfy legal, regulatory, accounting, or reporting requirements.

6.2 Account Data is retained for the duration of your subscription and for a reasonable period thereafter to facilitate account reactivation and comply with legal obligations. Upon termination, you have fifteen (15) days to export your Subscriber Data, after which we may permanently delete it in accordance with our Terms of Service.

6.3 Usage and Log Data is typically retained for up to twenty-four (24) months for analytics and security purposes, after which it is anonymised or deleted.

6.4 Payment Records are retained for the period required by applicable tax and financial reporting laws (typically seven (7) years).

6.5 Terms Acceptance Records (including IP address, user agent, timestamp, and terms version) are retained indefinitely as part of our legal compliance and audit trail.

6.6 When Personal Information is no longer required, we will securely delete or anonymise it using industry-standard methods.


7. Data Security

7.1 We implement appropriate technical and organisational security measures to protect Personal Information against unauthorised access, alteration, disclosure, or destruction. These measures include:

(a) Encryption of data in transit using TLS/SSL; (b) Encryption of sensitive data at rest; (c) Role-based access controls and multi-tenant data isolation; (d) Regular security assessments and vulnerability monitoring; (e) Secure authentication mechanisms including session management and token-based auth; (f) Audit logging of access to sensitive data; and (g) Incident response procedures for security breaches.

7.2 While we take reasonable precautions to protect your information, no method of electronic storage or transmission over the internet is completely secure. We cannot guarantee absolute security and you acknowledge that you provide Personal Information at your own risk.

7.3 You are responsible for maintaining the confidentiality of your account credentials and for all activities that occur under your account. You must notify us immediately of any unauthorised use of your account.


8. Cookies and Tracking Technologies

8.1 We use cookies and similar technologies to enhance your experience, analyse usage, and support the functionality of the Services:

(a) Essential Cookies: Required for the operation of the Services, including authentication, session management, and security. These cannot be disabled without affecting core functionality; (b) Analytics Cookies: Help us understand how users interact with the Services, which pages are most popular, and how features are used. This data is used in aggregate to improve the Services; and (c) Preference Cookies: Remember your settings and preferences (e.g., language, display options) to provide a personalised experience.

8.2 We do not use third-party advertising or cross-site tracking cookies within the CRM application.

8.3 You can manage cookie preferences through your browser settings. Note that disabling essential cookies may affect the functionality of the Services.

8.4 We use local storage and service workers for offline functionality, caching, and push notification delivery. Service worker data is stored locally on your device and is not transmitted to our servers except for push notification subscription tokens.


9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your Personal Information:

9.1 Right of Access: You may request a copy of the Personal Information we hold about you.

9.2 Right to Rectification: You may request correction of inaccurate or incomplete Personal Information. You can also update much of your information directly through the Services.

9.3 Right to Erasure: You may request deletion of your Personal Information, subject to our legal obligations and legitimate interests in retaining certain data (e.g., billing records, legal compliance).

9.4 Right to Restrict Processing: You may request that we limit the processing of your Personal Information in certain circumstances.

9.5 Right to Data Portability: You may request a copy of your Personal Information in a structured, commonly used, machine-readable format. The Services include a data export feature accessible to account owners and administrators.

9.6 Right to Object: You may object to the processing of your Personal Information based on our legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

9.7 Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

9.8 Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.

9.9 To exercise any of these rights, please contact us using the details provided in Section 14. We will respond to your request within thirty (30) days or such shorter period as required by applicable law. We may request verification of your identity before processing your request.


10. International Data Transfers

10.1 The Services are hosted on infrastructure that may be located in various jurisdictions. Your Personal Information may be transferred to, stored, and processed in countries other than your country of residence.

10.2 Where we transfer Personal Information outside of jurisdictions with data protection laws (such as the European Economic Area, United Kingdom, or similar regions), we ensure appropriate safeguards are in place, including:

(a) Standard contractual clauses approved by relevant authorities; (b) Transfers to countries recognised as providing an adequate level of data protection; or (c) Other lawful transfer mechanisms as permitted by applicable data protection laws.

10.3 By using the Services, you acknowledge and consent to the transfer of your Personal Information to jurisdictions that may have different data protection laws than your own.


11. Children's Privacy

11.1 The Services are not intended for use by individuals under the age of eighteen (18). We do not knowingly collect Personal Information from children under 18.

11.2 If we become aware that we have collected Personal Information from a child under 18, we will take steps to delete that information as promptly as possible.

11.3 If you believe that a child under 18 has provided us with Personal Information, please contact us using the details in Section 14.


12. Third-Party Services and Links

12.1 The Services may integrate with or contain links to third-party websites, applications, or services (e.g., email providers, social media platforms, payment processors, calendar services). This Policy does not apply to those third-party services.

12.2 We encourage you to review the privacy policies of any third-party services you connect to or access through the Services. We are not responsible for the privacy practices, content, or security of third-party services.

12.3 When you connect third-party integrations (such as email accounts or social media), you authorise us to access and process data from those services as necessary to provide the CRM features you have enabled. You may revoke integration access at any time through the Services settings.


13. Changes to This Policy

13.1 We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable laws. We will notify you of material changes by:

(a) Posting the updated Policy on our website and within the Services; (b) Updating the "Last Updated" date at the top of this Policy; and (c) Sending you an email notification or in-app notification for significant changes.

13.2 Your continued use of the Services after the effective date of any changes constitutes your acceptance of the updated Policy. If you do not agree with the changes, you must stop using the Services and contact us to close your account.


14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Legasea CRM
Email: privacy@legaseacrm.com

For data protection enquiries, rights requests, or complaints, please email: privacy@legaseacrm.com

We will endeavour to respond to all enquiries within thirty (30) days.


15. Subscriber Responsibilities as Data Controller

15.1 Where you use the Services to store or process personal data of your contacts, leads, clients, or other third parties, you are the data controller in respect of that data and we are the data processor.

15.2 As data controller, you are solely responsible for:

(a) Ensuring you have a lawful basis for collecting and processing the personal data of your contacts; (b) Obtaining all necessary consents from individuals whose data you input into the Services; (c) Providing appropriate privacy notices to those individuals; (d) Responding to data subject access requests and other rights requests from your contacts; and (e) Complying with all applicable data protection laws in your jurisdiction.

15.3 We will process Subscriber Data only in accordance with your instructions (as set out in these Terms and the functionality of the Services) and will not use it for our own independent purposes, except as described in this Policy (e.g., aggregated analytics).

15.4 If we receive a data subject request directly from one of your contacts, we will refer that individual to you and notify you promptly, unless legally prohibited from doing so.