Privacy Policy

1. Introduction & Data Controller

Exelab SRL ("we", "us", "our") operates PluSync, a HubSpot connector platform available at plugsync.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect personal data when you visit our website or use our Service.

For the purposes of the EU General Data Protection Regulation (GDPR), Exelab SRL is the data controller for personal data relating to website visitors and customer accounts. When processing customer CRM data that flows through the sync engine, we act as a data processor on behalf of our customers.

Data Controller:
Exelab SRL
VAT: IT08990591003
Italy
Email: [email protected]

2. Data We Collect

We collect and process different categories of personal data depending on how you interact with us:

2.1 Website Visitors

When you visit our website, we automatically collect certain technical information through Google Analytics and HubSpot tracking code, including:

• IP address
• Browser type and version
• Operating system
• Pages visited and time spent on each page
• Referral source (the website or link that directed you to us)
• Device information (screen resolution, device type)
• Approximate geographic location (derived from IP address)

2.2 Customers

When you create an account and use our Service, we collect:

• Name and email address
• Company name
• HubSpot portal ID
• OAuth credentials (encrypted at rest using Fernet symmetric encryption)
• Connector configurations (sync rules, field mappings, scheduling preferences)
• Usage data, including sync operation counts, error rates, and feature usage patterns

2.3 Customer Contacts (Processed as Data Processor)

As part of providing the sync engine, we process CRM data on behalf of our customers. This may include contacts, companies, deals, and custom objects that flow through the PluSync sync engine. This data is processed solely on behalf of and under the instructions of our customers, who remain the data controllers for their CRM data.

3. How We Use Data

We use the personal data we collect for the following purposes:

• Provide and maintain the Service: operate the PluSync platform, process your requests, and deliver the sync functionality you have configured
• Process and sync data: execute data synchronization operations between your systems and HubSpot according to your connector configurations
• Monitor performance and reliability: track service health, uptime, error rates, and sync pipeline performance to ensure reliable operation
• Provide customer support: respond to your inquiries, troubleshoot issues, and assist with configuration
• Send service-related communications: notify you about service updates, maintenance windows, security alerts, and important changes to your account or our terms
• Analyze usage patterns: understand how customers use the platform to improve features, user experience, and product roadmap decisions
• Ensure security and prevent fraud: detect and prevent unauthorized access, abuse, and fraudulent activity
• Comply with legal obligations: fulfill our obligations under applicable laws, including tax, accounting, and regulatory requirements

4. Legal Basis for Processing (GDPR Article 6)

We process personal data under the following legal bases as defined in Article 6 of the GDPR:

• Consent (Art. 6(1)(a)): We rely on your consent for the use of cookies and tracking technologies on our website. You may withdraw your consent at any time by adjusting your browser settings or using the opt-out mechanisms described in Section 7.
• Contract performance (Art. 6(1)(b)): Processing is necessary for the performance of our contract with you, including customer account creation and management, service delivery, connector configuration, and data synchronization operations.
• Legitimate interest (Art. 6(1)(f)): We process certain data based on our legitimate interests, including website analytics to understand visitor behavior, security measures to protect our platform and users, and product improvement based on aggregated usage patterns. We carefully balance these interests against your rights and freedoms.
• Legal obligation (Art. 6(1)(c)): Processing is necessary to comply with legal obligations to which we are subject, including Italian tax law, accounting regulations, and other applicable regulatory requirements.

5. Data Processing Role

Our role in data processing depends on the type of data involved:

• Data Controller: We act as the data controller for website visitor data (analytics, cookies, tracking) and customer account data (registration information, billing details, usage metrics). We determine the purposes and means of processing this data.
• Data Processor: We act as a data processor for CRM data that flows through the PluSync sync engine. This data is processed strictly in accordance with our customers' instructions as defined by their connector configurations. We do not use this data for our own purposes.

A Data Processing Agreement (DPA) is available upon request for enterprise customers. Please contact [email protected] to obtain a copy.

Our customers remain the data controller of their CRM data at all times and are responsible for ensuring they have a lawful basis for the collection and processing of personal data that they transmit through PluSync. Customers must ensure that appropriate privacy notices have been provided to data subjects and that any necessary consents have been obtained before transmitting personal data through the Service.

6. Third-Party Services

We use the following third-party services to operate and improve PluSync. Each provider has been assessed for adequate data protection standards:

• Google Analytics — Purpose: website analytics and visitor behavior tracking. Data location: USA. Safeguards: Standard Contractual Clauses (SCCs) as approved by the European Commission.
• HubSpot — Purpose: CRM platform integration and website tracking. Data location: USA. Safeguards: Standard Contractual Clauses (SCCs) as approved by the European Commission.
• Render — Purpose: hosting infrastructure for our application, API, and background workers. Data location: EU (Frankfurt, Germany). Safeguards: EU data residency ensures all data remains within the European Union.
• PostgreSQL (managed) — Purpose: primary database for application data storage. Data location: EU. Safeguards: EU data residency ensures all data remains within the European Union.

7. Cookies

Our website uses cookies and similar tracking technologies to collect information about your browsing activity. Below is a summary of the cookies we use:

7.1 Analytics Cookies (Google Analytics)

• _ga — Distinguishes unique visitors. Expiry: 2 years.
• _gid — Distinguishes unique visitors. Expiry: 24 hours.
• _gat — Throttles request rate to Google Analytics. Expiry: 1 minute.

7.2 Marketing and Tracking Cookies (HubSpot)

• __hstc — Tracks visitor identity and session information. Expiry: 6 months.
• hubspotutk — Tracks visitor identity for HubSpot form submissions. Expiry: 6 months.
• __hssc — Tracks session data (pages viewed, session duration). Expiry: 30 minutes.
• __hssrc — Determines whether the visitor has restarted their browser. Expiry: session (deleted when browser is closed).

7.3 Managing Cookies

You can control and manage cookies through your browser settings. Most browsers allow you to block or delete cookies. Please note that disabling cookies may affect the functionality of our website and your user experience.

To opt out of Google Analytics tracking specifically, you can install the Google Analytics Opt-out Browser Add-on.

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by law. Our retention periods are as follows:

• Website analytics data: 26 months (the default Google Analytics retention period).
• Customer account data: retained for the duration of your active service, plus 30 days after account closure to allow for reactivation or data export.
• Sync operation logs: 90 days. Logs include operation timestamps, sync status, error details, and record counts but do not contain CRM record content.
• Customer CRM data: transient processing only. CRM data passes through the PluSync sync engine in real time and is not stored beyond the completion of each sync operation. No CRM record content is persisted in our systems.
• Billing and financial records: retained as required by Italian tax law (10 years) in accordance with applicable fiscal regulations.

9. Your Rights Under the GDPR

Under the General Data Protection Regulation (Articles 15 through 22), you have the following rights regarding your personal data:

• Right of access (Art. 15): You have the right to request confirmation of whether we process your personal data and to obtain a copy of that data.
• Right to rectification (Art. 16): You have the right to request correction of inaccurate personal data or completion of incomplete data.
• Right to erasure (Art. 17): You have the right to request deletion of your personal data ("right to be forgotten") where there is no compelling reason for its continued processing.
• Right to restriction of processing (Art. 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
• Right to data portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
• Right to object (Art. 21): You have the right to object to the processing of your personal data based on legitimate interests, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds.
• Right not to be subject to automated decision-making (Art. 22): You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects. PluSync does not currently engage in automated individual decision-making.

How to exercise your rights: To exercise any of the above rights, please contact us at [email protected]. We will acknowledge your request and respond within 30 days. In complex cases, we may extend this period by an additional 60 days, in which case we will inform you of the extension and the reasons for it.

You also have the right to lodge a complaint with the Italian supervisory authority, the Garante per la Protezione dei Dati Personali, at www.garanteprivacy.it.

10. International Data Transfers

Our primary infrastructure is hosted in the European Union (Frankfurt, Germany) through our hosting provider, Render. Database services are also located within the EU. This means that the majority of your data is processed and stored within the European Economic Area (EEA).

However, some of the third-party services we use, specifically Google Analytics and HubSpot, may transfer personal data to the United States. These transfers are carried out under Standard Contractual Clauses (SCCs) as approved by the European Commission, which provide appropriate safeguards for the protection of personal data in accordance with Article 46(2)(c) of the GDPR.

We regularly review our data transfer mechanisms and the data protection practices of our sub-processors to ensure that adequate safeguards are maintained for all international data transfers.

11. Security Measures

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption in transit: All data transmitted between your browser and our servers, and between our internal services, is encrypted using TLS 1.2 or higher.
• Encryption at rest: Stored data is encrypted at rest at the database and storage level.
• OAuth token encryption: HubSpot OAuth credentials and API tokens are encrypted using Fernet symmetric encryption before storage, ensuring they cannot be read even in the event of a database breach.
• Role-based access controls: Access to systems and data is restricted based on the principle of least privilege, with role-based access controls enforced at both application and infrastructure levels.
• Regular security assessments: We conduct periodic security reviews of our codebase, infrastructure, and third-party dependencies to identify and remediate vulnerabilities.
• Incident detection and response: We maintain monitoring and alerting systems to detect security incidents and have documented incident response procedures to ensure timely and effective responses.
• Secure development practices: Our development process includes code review, dependency scanning, and adherence to security best practices throughout the software development lifecycle.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will revise the "Last updated" date at the top of this page.

For material changes that significantly affect how we collect, use, or share your personal data, we will provide notice to registered customers via email at least 30 days before the changes take effect. This gives you the opportunity to review the updated policy and, if necessary, take appropriate action.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.

13. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

• Privacy inquiries: [email protected]
• General inquiries: [email protected]

Exelab SRL
Italy
VAT: IT08990591003