Privacy Policy
Last updated: June 3, 2026 Effective: June 3, 2026
This Privacy Policy explains what personal data ClientForge Lab collects, how we use and protect it, and what rights you have over your information. It applies to all users of the Service operated by Crystal Palace Metals Inc. ("we," "us," or "our").
1. Who We Are
Crystal Palace Metals Inc. (FL Corp #P15000014585; FEI 47-3136302) operates ClientForge Lab at clientforgelab.com. For the purposes of applicable data protection law, Crystal Palace Metals Inc. is the data controller for personal data we collect about you (the subscriber/user). Where you upload data about your own customers, you are the data controller and we act as your data processor — see our Data Processing Addendum.
For privacy inquiries, contact us at privacy@clientforgelab.com.
2. Data We Collect
2.1 Account Information
When you register, we collect your name, business name, email address, and password (stored as a secure hash). You may optionally provide a phone number and business address.
2.2 Billing Information
Payment is processed by Stripe, Inc. We receive a tokenized reference, last-four card digits, card brand, and billing country from Stripe. We do not receive or store full card numbers, CVVs, or bank account details.
2.3 Usage Analytics
We use Google Analytics 4 (GA4) to collect anonymized data about how visitors and users interact with our website and application, including pages visited, features used, session duration, and device/browser type. GA4 may use cookies; see Section 8.
2.4 Support Communications
If you contact us via email or any support channel, we collect the content of those communications along with your contact details.
2.5 Customer-Uploaded Data ("Customer Data")
When you use the Service to manage leads and customer communications, you may upload or import contact information, conversation histories, notes, and related business data about your own customers and prospects. We process this data only on your instructions. See our Data Processing Addendum for full details.
2.6 Technical and Log Data
We automatically collect IP addresses, browser type, operating system, referring URLs, and server log data when you access the Service. This data is used for security monitoring, debugging, and service improvement.
3. How We Use Your Data
We use the data we collect for the following purposes:
| Purpose | Types of Data Used |
|---|---|
| Provide and operate the Service | Account info, usage data, Customer Data |
| Process payments and manage billing | Billing info, account info |
| Improve and develop the Service | Anonymized usage analytics |
| Security and fraud prevention | Technical/log data, account info |
| Customer support and communications | Support communications, account info |
| Send transactional emails (receipts, alerts) | Account info, billing info |
| Send product updates and marketing (with consent) | Account info |
| Comply with legal obligations | Any data as required |
We do not use Customer Data (your customers' data) for our own marketing or product improvement beyond aggregate, anonymized analytics.
4. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom, we rely on the following legal bases under the GDPR / UK GDPR:
- Performance of a contract — processing necessary to provide the Service you signed up for (account management, billing, Service operation).
- Legitimate interests — fraud prevention, security monitoring, improving the Service, and direct marketing to existing customers, where our interests are not overridden by your privacy rights.
- Consent — marketing emails and cookies beyond essential functionality. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
- Legal obligation — where we must retain or disclose data to comply with applicable law.
5. Sharing and Disclosure
We do not sell your personal data. We do not share it with third parties for their own marketing purposes.
We share data only in the following circumstances:
5.1 Service Providers (Subprocessors)
We engage trusted third-party service providers to help us operate the Service. These providers may process personal data only under our instructions and subject to appropriate data protection agreements. A current list of subprocessors is available on request at privacy@clientforgelab.com.
5.2 Business Transfers
If Crystal Palace Metals Inc. is acquired, merged, or undergoes a significant asset sale, your data may be transferred to the successor entity. We will notify you by email before your data is transferred and becomes subject to a different privacy policy.
5.3 Legal Requirements
We may disclose data if required by law, regulation, court order, or governmental authority, or when we believe disclosure is necessary to protect the rights, property, or safety of Crystal Palace Metals Inc., our users, or others.
5.4 With Your Consent
We may share data in any other circumstances with your explicit consent.
6. Data Retention
- Active accounts: We retain your account and usage data for as long as your subscription is active.
- After termination: We retain account data for 12 months after termination to support any billing disputes, legal holds, or reactivation requests. After that period, we delete or anonymize it.
- Customer Data: Handled per the Data Processing Addendum — deleted within 90 days of subscription termination unless you export it first or we are subject to a legal hold.
- Analytics data: GA4 data is retained per Google's standard retention settings (up to 14 months for user-level data). Aggregate analytics may be retained indefinitely.
7. Security
We implement technical and organizational measures designed to protect your data, including:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS.
- Encryption at rest: Data stored on our servers is encrypted at rest.
- Access controls: Access to production systems is restricted to authorized personnel on a least-privilege basis and protected by multi-factor authentication (MFA).
- Audit logging: We maintain audit logs of access to sensitive systems.
- Future certifications: We plan to pursue SOC 2 Type II certification as we scale. We will update this Policy when a formal audit engagement begins. We do not currently claim SOC 2 certification.
No system is 100% secure. If you believe your account has been compromised, contact us immediately at privacy@clientforgelab.com.
8. Cookies
We use cookies and similar tracking technologies on our website and application:
- Essential cookies: Required for the Service to function (session management, authentication, security tokens). These cannot be disabled.
- Analytics cookies: We use Google Analytics 4 to understand how users interact with the Service. GA4 sets cookies that collect anonymized usage data.
We do not use advertising or cross-site tracking cookies.
You can control analytics cookies through your browser settings or by using Google's Analytics Opt-out Browser Add-on. For more detail, please refer to our Cookie Policy if one is published at clientforgelab.com, or contact privacy@clientforgelab.com.
9. Your Rights
Depending on where you are located, you may have the following rights regarding your personal data:
| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you. |
| Correction | Request correction of inaccurate or incomplete data. |
| Deletion | Request deletion of your personal data, subject to legal retention obligations. |
| Portability | Receive your data in a structured, machine-readable format. |
| Objection | Object to processing based on legitimate interests or for direct marketing. |
| Restriction | Request that we restrict processing in certain circumstances. |
| Withdraw Consent | Where processing is based on consent, withdraw it at any time. |
To exercise any of these rights, email privacy@clientforgelab.com. We will respond within 30 days (or sooner as required by law). We may ask you to verify your identity before acting on requests.
CCPA Rights (California Residents)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, disclose, and sell.
- Delete personal information we have collected from you (subject to exceptions).
- Opt out of the sale of your personal information. We do not sell personal information. You may confirm this by contacting us at privacy@clientforgelab.com — or use the Do Not Sell link (which leads to a confirmation that we do not sell data) at Do Not Sell My Personal Information.
- Non-discrimination: We will not discriminate against you for exercising your CCPA rights.
10. Children's Privacy
The Service is not directed to children under the age of 13 and we do not knowingly collect personal data from children under 13. If we become aware that we have collected personal data from a child under 13 without verifiable parental consent, we will delete that information promptly. If you believe we may have collected data from a child, contact privacy@clientforgelab.com.
11. International Data Transfers
ClientForge Lab is operated from the United States. Our servers are located in Ashburn, Virginia, USA (hosted by Hetzner). If you are accessing the Service from outside the United States, please be aware that your data will be transferred to and processed in the United States, where data protection laws may differ from those in your country.
For transfers of personal data from the EEA or UK, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission as a lawful transfer mechanism. Customers who need a DPA with SCCs may request one at privacy@clientforgelab.com.
12. Third-Party Links and Services
The Service may contain links to third-party websites or integrate with third-party services (such as WhatsApp). This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you use through or alongside ClientForge Lab.
13. SMS / Text Message Communications
When you or your customers opt in to receive text messages (SMS) through the ClientForge Lab platform, the following applies:
13.1 What we collect
For SMS messaging, we collect and process: (a) the mobile phone number provided at opt-in; (b) the timestamp and source of the opt-in event (web form, in-app, SMS keyword); (c) message delivery status from carriers; and (d) message content for compliance and abuse-prevention purposes.
13.2 How SMS data is used
We use SMS-related data solely to: (a) deliver messages you (or your customers) have consented to receive; (b) honor opt-out requests; (c) comply with carrier and TCPA requirements; and (d) detect and prevent fraud, spam, and platform abuse.
13.3 SMS data is NOT shared with third parties for their marketing
No mobile information or opt-in data is shared with third parties or affiliates for marketing or promotional purposes. Phone numbers collected for SMS consent are not sold, rented, leased, or otherwise transferred to advertising networks, data brokers, or any unaffiliated third party for their own commercial use. SMS opt-in data is shared only with the messaging-infrastructure subprocessors strictly necessary to deliver your messages (Twilio for SMS, 2Chat for WhatsApp) under contractual data-protection terms.
13.4 Consent, opt-out, and help
All SMS recipients have given prior express consent via a web-form checkbox, in-app opt-in, or SMS keyword (such as JOIN or START). Recipients can opt out at any time by replying STOP to any message; they can request help by replying HELP. Message frequency may vary depending on the program and the recipient's activity. Standard message and data rates may apply.
13.5 Retention
We retain SMS message content and metadata for 12 months after delivery for compliance, abuse-prevention, and dispute-resolution purposes, after which it is deleted or anonymized in accordance with Section 6.
14. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email to your registered address at least 30 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent version.
Questions?
For privacy questions, data access requests, or to exercise your rights, contact us at privacy@clientforgelab.com.
Crystal Palace Metals Inc. 2 S Biscayne Boulevard, Suite 3200 #2415, Miami, FL 33131