Plain English summary: We collect the minimum data needed to run your account. We never sell your data. Your client data belongs to you. You can request deletion at any time.
1. Who We Are
Ngozi CRM is operated by A-One Global Resourcing Ltd (AOGRL), a company incorporated in Mauritius (Business Registration No. C23014789). References to "we", "us", or "our" mean AOGRL.
For data protection purposes, AOGRL is the data controller for account and billing data. You (the clinic owner) are the data controller for your clients' personal data stored within the platform.
Contact: privacy@ngozi-crm.beauty
2. What Data We Collect
2.1 Account Data (you provide this)
- Your name, email address, and clinic/business name
- Workspace URL (slug) and account password (hashed — we never store plaintext passwords)
- Business type and preferences set during onboarding
2.2 Billing Data
- Subscription plan and status
- PayPal subscription ID (we never store card numbers — all payment processing is handled by PayPal, which is PCI-DSS Level 1 certified)
2.3 Clinic Client Data (your data, not ours)
Data you enter about your own clients — names, contact details, treatment notes, appointment history, invoices, photos — is your data. We process it on your behalf as a data processor, not a data controller. We do not access, analyse, or share it except to provide the service.
2.4 Usage and Technical Data
- IP address, browser type, and session data (stored in encrypted server-side sessions)
- Error logs and performance data for diagnosing issues
- Approximate geographic region (derived from IP, not stored long-term)
2.5 Marketing Enquiries
If you submit a contact or trial request form on our website, we collect your name, email, phone, and clinic name to follow up with you about Ngozi CRM.
3. How We Use Your Data
- To provide the service: Creating and managing your workspace, authentication, and feature delivery
- To process payments: Managing your PayPal subscription and issuing billing communications
- To communicate: Sending trial expiry notices, payment confirmations, and critical service updates (not marketing, unless you opt in)
- To improve the service: Aggregated, anonymised usage analytics — no individual profiling
- To meet legal obligations: Fraud prevention, security monitoring, and regulatory compliance
4. Legal Basis for Processing (GDPR)
- Contract performance: Processing your account and billing data to deliver the service you signed up for
- Legitimate interests: Security monitoring, fraud prevention, service improvement
- Consent: Marketing communications (you can withdraw at any time)
- Legal obligation: Tax records, fraud reporting
5. Data Storage and Security
Your data is stored on:
- PostgreSQL database hosted on Railway (EU/US region) and/or Supabase
- Vercel for application hosting (CDN edge nodes globally)
All data is encrypted in transit (TLS 1.2+) and at rest. Access is role-based — staff members only see data belonging to their own organisation. We perform regular backups.
Payment data never touches our servers. PayPal processes all card and payment information directly under their own PCI-DSS compliance programme.
6. Data Sharing
We do not sell, rent, or trade your personal data. We share it only with:
- PayPal: For subscription billing
- Vercel: Application hosting and deployment
- Railway / Supabase: Database infrastructure
- Law enforcement: Only when legally required, and only the minimum necessary
All sub-processors are bound by data processing agreements and operate under equivalent data protection standards.
7. International Transfers
Your data may be processed in the EU, UK, and USA (via our infrastructure providers). Where transfers occur outside the EEA, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards as required by UK and EU GDPR.
8. Data Retention
- Active accounts: Data retained for the duration of your subscription
- After cancellation: Account data retained for 90 days (so you can reactivate), then permanently deleted
- Marketing enquiries: Retained for 12 months, then deleted
- Deletion on request: We will delete your data within 30 days of a verified request
9. Your Rights
Under UK GDPR, EU GDPR, and applicable data protection laws, you have the right to:
- Access: Request a copy of personal data we hold about you
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your personal data ("right to be forgotten")
- Portability: Receive your data in a structured, machine-readable format
- Objection: Object to processing based on legitimate interests
- Restriction: Request that we limit how we process your data
- Withdraw consent: For any processing based on consent, withdraw at any time
To exercise any of these rights, email privacy@ngozi-crm.beauty. We will respond within 30 days.
You also have the right to lodge a complaint with your local supervisory authority:
10. Cookies
We use essential cookies only for session management and authentication. No advertising or tracking cookies. See our Cookie Policy for full details.
11. Children's Privacy
Ngozi CRM is a B2B platform for business owners. We do not knowingly collect data from anyone under 18. If you believe a minor has submitted data to us, please contact us immediately.
12. Changes to This Policy
We will notify active users by email of any material changes at least 14 days before they take effect. The "Last reviewed" date at the top of this page reflects the most recent update.
13. Contact
A-One Global Resourcing Ltd (AOGRL)
Souillac, Mauritius
Email: privacy@ngozi-crm.beauty
Website: ngozi-crm.beauty