ThinkBright CRMBack to Home

Privacy Policy

Last updated: April 2026

1. Introduction

ThinkBright CRM ("ThinkBright," "we," "us," or "our") respects your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information in connection with our customer relationship management platform with integrated voice-over-IP (VoIP) and artificial intelligence features (the "Service").

This Policy applies to: (a) account holders who register for and use the Service ("Customers"); (b) individual users of Customer accounts ("Users"); and (c) visitors to our websites. It also describes how we handle Personal Data that Customers upload to the Service about third parties (such as their leads, contacts, prospects, and call participants).

2. Our Roles and Responsibilities

Because the Service is a B2B platform, our role under data protection laws (such as GDPR and CCPA/CPRA) depends on which data is involved.

We are a Controller of Personal Data we collect directly about: (a) Customers and their authorized Users (e.g., account registration data, billing information, login activity, support communications); and (b) visitors to our websites.

We are a Processor of Personal Data that Customers upload to, generate within, or transmit through the Service about their own contacts, leads, prospects, customers, employees, or call participants ("Customer Personal Data"). For Customer Personal Data, the Customer is the Controller and is responsible for the lawful basis, notice, consent, and individual rights handling.

If you are a contact, lead, or call participant of a ThinkBright Customer and you wish to exercise data protection rights regarding data the Customer has uploaded or generated about you, please contact the Customer directly. We will support our Customer in responding to such requests as required by our agreement with them and applicable law, but we cannot act on requests about data we hold only as a Processor without instructions from the Customer.

3. Information We Collect

3.1 Information You Provide

  • Account information: name, email address, password, company name, job title, billing and payment details.
  • Communications: messages, support requests, feedback, and other content you send us.
  • Content you upload: Customer Data you submit to the Service, including contact lists, notes, attachments, and configuration settings.

3.2 Information Generated by Use of the Service

  • Communications data: call metadata (numbers, duration, time, direction), call recordings (where enabled), call transcriptions, voicemails, SMS-related metadata where applicable, email content sent or received through integrations, and calendar events.
  • Usage data: features used, clicks, navigation paths, performance and error logs, session identifiers.
  • AI-generated outputs: sentiment scores, transcription text, suggested responses, summaries, and other outputs produced by AI features applied to your data.

3.3 Information Collected Automatically

  • Device and connection data: IP address, browser type, operating system, device identifiers, language preferences.
  • Cookies and similar technologies: see Section 11.

3.4 Information from Third-Party Integrations

When you connect the Service to a third-party application (e.g., email, calendar, productivity, or storage providers), we may receive Personal Data from that application as authorized by you. The third party's privacy policy governs its own collection and use of your data.

4. How We Use Information

We use the information described above to:

  • Provide, maintain, secure, and improve the Service and its features;
  • Process transactions, manage accounts, and handle billing;
  • Authenticate Users and detect, prevent, and respond to fraud, abuse, or security incidents;
  • Provide customer support and respond to inquiries;
  • Send administrative communications about your account, the Service, security alerts, and changes to our terms or policies;
  • Send marketing communications about our products and services (subject to your right to opt out at any time);
  • Generate aggregated, anonymized, or de-identified statistics to operate and improve our products and models;
  • Comply with legal obligations, enforce our agreements, and protect our rights and the rights of others.

5. Call Recording, Transcription, and AI Processing

5.1 Call Recording and Transcription

The Service includes call recording and transcription functionality. When a Customer enables these features, audio recordings and text transcripts of calls placed through the Service may be stored, processed, and made available to that Customer's authorized Users. Customers are solely responsible for obtaining all legally required consents from call participants before recording or transcribing calls, including any required announcements or disclosures, in accordance with applicable federal, state, and foreign law.

5.2 Artificial Intelligence Features

The Service uses a combination of third-party large language models and our own proprietary models to deliver AI-assisted features, including but not limited to call routing, sentiment analysis, transcription, summarization, auto-attendant, suggested responses, and analytics. We do not disclose the specific identity of third-party model providers in this Policy and may change providers at any time.

When AI features are used, the relevant data (which may include call audio, transcripts, message content, and CRM records) is processed by these models to generate outputs. We do not authorize our third-party AI providers to use Personal Data submitted through the Service to train their general-purpose models, and we contract with providers under enterprise terms designed to maintain this restriction.

5.3 No Sole Reliance on Automated Decisions

AI outputs are probabilistic and may be inaccurate. Customers should not rely on AI outputs as the sole basis for any decision producing legal, financial, employment, medical, or similarly significant effects on individuals. Where required by applicable law, individuals have the right not to be subject to a decision based solely on automated processing — see Section 9.

6. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, our legal basis for processing your Personal Data depends on the context:

  • Contract: to provide the Service to you and perform our agreement with you (or your employer);
  • Legitimate interests: to operate, secure, and improve the Service; to communicate with you; to detect and prevent fraud or abuse; and to develop new features;
  • Consent: for certain processing activities such as marketing communications, optional cookies, and processing of sensitive data where required;
  • Legal obligation: to comply with applicable laws, regulations, court orders, or governmental requests.

Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

7. How We Share Information

We do not sell your Personal Data, and we do not "share" Personal Data for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act (CCPA/CPRA) or analogous laws.

We may disclose Personal Data only as follows:

  • With your direction or consent: when you ask or authorize us to share information with a third party;
  • Service providers and subprocessors: vendors who help us operate the Service (e.g., cloud hosting, payment processing, AI model providers, customer support tooling, analytics), under contractual obligations that restrict their use of Personal Data to the purposes for which we engage them. A current list of subprocessors is available to business Customers under the Data Processing Addendum (see Section 14);
  • Legal and safety: to comply with law, legal process, or governmental requests; to enforce our agreements; to protect the rights, property, or safety of ThinkBright, our Customers, or others; or to investigate fraud or security incidents;
  • Business transfers: in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, with appropriate confidentiality protections.

8. International Data Transfers

We are based in the United States and may store and process Personal Data in the United States and other countries where our service providers operate. When we transfer Personal Data from the European Economic Area, the United Kingdom, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we use appropriate safeguards — such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or the EU-U.S., UK, and Swiss-U.S. Data Privacy Framework where applicable — to protect that data in accordance with applicable law.

9. Your Rights

Depending on your location and the role in which we process your Personal Data, you may have the right to:

  • Access: obtain a copy of the Personal Data we hold about you;
  • Rectification: correct inaccurate or incomplete Personal Data;
  • Erasure: request deletion of your Personal Data, subject to legal retention requirements;
  • Restriction: restrict our processing of your Personal Data in certain circumstances;
  • Portability: receive your Personal Data in a structured, machine-readable format and transmit it to another controller;
  • Objection: object to processing based on legitimate interests, including for direct marketing;
  • Withdraw consent at any time where processing is based on consent;
  • Not be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects;
  • Lodge a complaint with a data protection supervisory authority in your jurisdiction.

To exercise any of these rights, contact us at development@thinkbright.net. We will respond within the timeframes required by applicable law. We may need to verify your identity before fulfilling certain requests.

For Personal Data we hold as a Processor on behalf of a Customer, please direct your request to the Customer (the Controller). If you submit such a request to us directly, we will refer it to the relevant Customer and assist them as required by our agreement and applicable law.

10. California Privacy Rights (CCPA/CPRA)

This section applies to California residents and supplements the rest of this Policy.

10.1 Categories of Personal Information We Collect

In the past twelve months, we have collected the following categories of Personal Information as defined by the CCPA/CPRA:

  • Identifiers (e.g., name, email, IP address, account ID);
  • Customer records (e.g., billing information, contact details);
  • Commercial information (e.g., subscription and transaction history);
  • Internet or electronic network activity (e.g., usage logs, device information);
  • Geolocation data (approximate, derived from IP address);
  • Audio and electronic information (e.g., call recordings and transcriptions where enabled by Customers);
  • Professional or employment information (e.g., job title, company);
  • Inferences drawn from the above (e.g., usage patterns, preferences).

10.2 Sources, Purposes, and Disclosures

We collect this Personal Information from you, from your use of the Service, from third-party integrations you connect, and from service providers. We use it for the purposes described in Section 4 and disclose it for the business purposes described in Section 7.

10.3 No Sale or Sharing

We do not sell Personal Information, and we do not share Personal Information for cross-context behavioral advertising, as those terms are defined by the CCPA/CPRA.

10.4 Sensitive Personal Information

We do not use or disclose Sensitive Personal Information for purposes that would require a "right to limit" disclosure under the CCPA/CPRA.

10.5 California Rights

California residents have the right to: know what Personal Information we collect, use, and disclose; request deletion; request correction; opt out of "sale" or "sharing" (not applicable, as we do neither); limit use of Sensitive Personal Information (not applicable, as described above); and not be discriminated against for exercising these rights. To exercise these rights, contact us at development@thinkbright.net. You may also designate an authorized agent to make a request on your behalf.

11. Cookies and Tracking Technologies

We use cookies and similar technologies to operate the Service, remember your preferences, authenticate sessions, analyze usage, and improve performance. Cookies fall into three general categories:

  • Strictly necessary: required to operate the Service (e.g., session, authentication, security);
  • Functional: remember your preferences and settings;
  • Analytics: help us understand how the Service is used.

You can control cookies through your browser settings and, where applicable, through our cookie preference tools. We honor recognized browser-based opt-out signals (such as Global Privacy Control) where required by law. Disabling certain cookies may affect Service functionality.

12. Data Retention

We retain Personal Data for as long as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. We determine appropriate retention periods based on the nature and sensitivity of the data, the purposes for which it was collected, the potential risks of unauthorized use, and applicable legal and regulatory requirements.

In general:

  • Account and billing data: retained for the duration of your subscription and for a reasonable period thereafter to comply with tax, accounting, and legal obligations;
  • Call recordings and transcriptions: retained according to the retention settings configured by the Customer; in the absence of Customer configuration, we apply default retention periods that we may modify at our discretion;
  • Customer Data (other than recordings): retained for the duration of the subscription and may be deleted following termination as described in our Terms of Service;
  • Backups: may persist for a limited period in encrypted backups consistent with our standard backup cycles;
  • Aggregated, anonymized, or de-identified data: may be retained indefinitely.

After applicable retention periods expire, we delete or de-identify Personal Data. Where complete deletion is not technically feasible (e.g., residual data in backups), we maintain appropriate measures to prevent further use until deletion occurs.

13. Security

We maintain commercially reasonable administrative, physical, and technical safeguards designed to protect Personal Data against unauthorized access, disclosure, alteration, or destruction. These include encryption of data in transit, access controls, authentication mechanisms, monitoring, and personnel training. No security program is impenetrable, and we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.

In the event of a personal data breach affecting your Personal Data, we will notify you and applicable authorities without undue delay as required by applicable law.

14. Data Processing Addendum (Business Customers)

Business Customers who require a Data Processing Addendum (DPA) to comply with applicable data protection laws may request one by contacting development@thinkbright.net. The DPA includes our subprocessor list, the Standard Contractual Clauses (where applicable), and our commitments as a Processor with respect to Customer Personal Data.

15. Children's Privacy

The Service is not directed to, and we do not knowingly collect Personal Data from, children under the age of 16. If we learn that we have collected Personal Data from a child under 16 without verified parental consent, we will delete it. Parents or guardians who believe their child has provided Personal Data to us should contact us at development@thinkbright.net.

16. Third-Party Sites and Services

The Service may contain links to, or interoperate with, third-party websites and services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing them with Personal Data.

17. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last Updated" date at the top of this Policy reflects the date of the most recent revision. We will use commercially reasonable efforts to notify you of material changes via in-app notification or email at least fifteen (15) days before they take effect. Your continued use of the Service after the changes take effect constitutes acceptance of the revised Policy.

18. Contact Us

For questions, requests, or complaints regarding this Privacy Policy or our handling of Personal Data, please contact us at:

Email: development@thinkbright.net

If you are located in the European Economic Area, the United Kingdom, or Switzerland and have an unresolved concern, you may contact your local data protection authority. If you are a California resident, you may also contact the California Attorney General's Office.