Privacy Policy — EU General Data Protection Regulation (GDPR)
Sarama CRM Platform
Controller: Angad Manik Beratung fur Strategie und Projekte, Rebgasse 53, 4058 Basel, Switzerland
Data Protection Contact: Angad Bank (ehemals Manik), impact@angad.swiss
Platform: sarama.angad.swiss
Effective Date: 12 June 2026
1. Introduction
This Privacy Policy explains how Angad Manik Beratung fur Strategie und Projekte ("we", "us", "Controller") processes personal data in connection with the Sarama CRM platform ("Platform") in compliance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").
We act in two capacities:
- Controller for account/user data, billing data, and platform analytics;
- Processor for personal data uploaded by our customers (contact records, form submissions, email content), where the customer is the Controller.
2. Data Protection Contact
Angad Bank (ehemals Manik)
Rebgasse 53, 4058 Basel, Switzerland
Email: impact@angad.swiss
You may contact the DPO for any questions regarding data protection.
3. Categories of Personal Data We Collect
3.1 Account & Authentication Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Account creation, OTP/OAuth authentication | Art. 6(1)(b) — contract performance |
| User ID | Internal identification | Art. 6(1)(b) — contract performance |
| Organization details | Multi-tenant access | Art. 6(1)(b) — contract performance |
| Membership roles | Access control | Art. 6(1)(b) — contract performance |
3.2 Billing Data (processed by Stripe)
| Data | Purpose | Legal Basis |
|---|---|---|
| Payment method | Subscription billing | Art. 6(1)(b) — contract performance |
| Transaction history | Invoicing, credit tracking | Art. 6(1)(c) — legal obligation |
| Credit balance | AI usage billing | Art. 6(1)(b) — contract performance |
3.3 Customer-Uploaded Data (we process as Processor)
| Data | Purpose | Legal Basis |
|---|---|---|
| Contact records (name, email, phone, address, job title, company, social URLs, date of birth, custom fields) | CRM functionality | Art. 6(1)(b)/Art. 28 — processing on behalf of Controller (customer) |
| Company records | CRM functionality | Art. 6(1)(b)/Art. 28 |
| Deal and pipeline data | Sales management | Art. 6(1)(b)/Art. 28 |
| Email content (sent/received) | Email integration | Art. 6(1)(b)/Art. 28 |
| Form submissions (all field data, UTM params, referrer, page URL) | Lead capture | Art. 6(1)(b)/Art. 28 |
| Calendar events | Scheduling | Art. 6(1)(b)/Art. 28 |
| Workflow configurations | Automation | Art. 6(1)(b)/Art. 28 |
3.4 Tracking & Analytics Data
| Data | Purpose | Legal Basis |
|---|---|---|
| IP address (email opens/clicks) | Email campaign analytics | Art. 6(1)(f) — legitimate interest of customer |
| User agent (email opens/clicks) | Device analytics | Art. 6(1)(f) — legitimate interest of customer |
| Click URLs | Campaign performance | Art. 6(1)(f) — legitimate interest of customer |
| Form submission metadata (IP, user agent, referrer) | Fraud prevention, analytics | Art. 6(1)(f) — legitimate interest |
3.5 AI & Chat Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Conversation messages | AI agent interaction | Art. 6(1)(b) — contract performance |
| AI model API keys (encrypted) | AI functionality | Art. 6(1)(b) — contract performance |
When an AI agent reads or edits content on your behalf, it acts only within your own organisation and within the acting user’s permissions. Agents never receive your encrypted API keys, and they cannot access another customer’s data.
3.6 Integration Credentials
| Data | Purpose | Legal Basis |
|---|---|---|
| OAuth tokens (Gmail, Outlook, Calendar) | Email/calendar sync | Art. 6(1)(b) — contract performance |
| IMAP/SMTP credentials (encrypted at rest) | Email integration | Art. 6(1)(b) — contract performance |
| Social account OAuth tokens (Facebook Pages, Instagram, LinkedIn, TikTok — encrypted at rest) | Social media publishing & engagement analytics | Art. 6(1)(b) — contract performance, customer-initiated |
| Marketing analytics OAuth tokens (Google Analytics, Google Ads, Google Tag Manager, Meta Ads — encrypted at rest) | Importing the customer’s own marketing performance data | Art. 6(1)(b) — contract performance, customer-initiated |
3.7 Audit & Security Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Audit log entries (user ID, action, resource, timestamp) | Security, compliance | Art. 6(1)(f) — legitimate interest, Art. 6(1)(c) — legal obligation |
3.8 Social Publishing & Marketing Performance Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Social post content (captions, hashtags, media) and publishing schedule | Publishing to the customer’s connected Facebook Pages, Instagram, LinkedIn and TikTok accounts at the customer’s direction | Art. 6(1)(b)/Art. 28 — processing on behalf of the customer |
| Post engagement metrics (impressions, reach, likes, comments, shares, views) | Performance reporting on the customer’s own posts | Art. 6(1)(b)/Art. 28 — customer-initiated retrieval |
| Marketing metrics imported from the customer’s own accounts (Google Analytics 4 sessions/users/conversions, Google Ads and Meta Ads campaign impressions/clicks/spend, Google Tag Manager container inventory) | Aggregated marketing reporting and AI-assisted analysis inside the Platform | Art. 6(1)(b)/Art. 28 — customer-initiated import |
Social and marketing integrations are strictly customer-initiated: the customer connects their own accounts via OAuth, tokens are stored encrypted, and the customer can disconnect at any time, which stops all retrieval. We only access the data of accounts the customer explicitly connected; we never read other users’ data on those platforms.
4. Data We Do NOT Collect
- Passwords (OTP-only authentication)
- First-party tracking cookies beyond those disclosed below (Google Analytics and Cloudflare Turnstile set cookies as described in Section 5)
- Advertising pixels or cross-site trackers inside the Platform application (the public marketing website uses consent-gated Google Analytics as disclosed in Section 5)
- Device fingerprints
- Precise geolocation
- Session recordings
- Biometric data
5. Recipients and Sub-processors
We share personal data with the following categories of recipients:
| Sub-processor | Service | Location | Data Transferred | Safeguards |
|---|---|---|---|---|
| Supabase (AWS) | Database, authentication, file storage | Zurich, Switzerland | All platform data | CH adequacy — data stays in Switzerland |
| Stripe | Payment processing | USA | Billing data | EU-US Data Privacy Framework, Standard Contractual Clauses |
| Anthropic | AI model provider (Claude) | USA | Chat messages (via customer API keys) | Standard Contractual Clauses, customer-initiated transfer |
| OpenAI | AI model provider (GPT) | USA | Chat messages (via customer API keys) | Standard Contractual Clauses, customer-initiated transfer |
| Google AI | AI model provider (Gemini) | USA/EU | Chat messages (via customer API keys) | Standard Contractual Clauses, customer-initiated transfer |
| Gmail API / Outlook API | Email sync | USA | Email content (via customer OAuth) | Standard Contractual Clauses, customer-initiated |
| Google Calendar / Outlook Calendar | Calendar sync | USA | Calendar events (via customer OAuth) | Standard Contractual Clauses, customer-initiated |
| Meta Platforms | Facebook/Instagram publishing, page & ads insights (Graph API) | USA/EU | Post content, engagement & ad metrics of the customer’s connected accounts | Standard Contractual Clauses, customer-initiated transfer |
| Post publishing & share statistics | USA/EU | Post content and engagement metrics of connected accounts | Standard Contractual Clauses, customer-initiated transfer | |
| TikTok | Video publishing & video statistics | USA/EU/SG | Video content and engagement metrics of connected accounts | Standard Contractual Clauses, customer-initiated transfer |
| Google (Analytics Data / Ads / Tag Manager APIs) | Import of the customer’s own marketing metrics | USA/EU | Aggregated web/ads performance metrics of connected properties | Standard Contractual Clauses, customer-initiated transfer |
| Google (Analytics) | Website usage analytics | USA/EU | Page views, session duration, device info, IP address (anonymized), cookies (_ga, _gid) | EU-US Data Privacy Framework; consent-gated |
| Cloudflare (Turnstile) | CAPTCHA / bot protection | USA/EU | IP address, browser attributes, cookies | EU-US Data Privacy Framework, Standard Contractual Clauses |
| Microsoft (Entra ID) | OAuth authentication (optional) | USA/EU | Email, name, account ID | EU-US Data Privacy Framework, Standard Contractual Clauses |
| Google (OAuth) | OAuth authentication (optional) | USA/EU | Email, name, account ID | EU-US Data Privacy Framework, Standard Contractual Clauses |
Important: AI model API calls use the customer's own API keys. We do not control or have access to the customer's accounts with these providers. The customer initiates these data transfers and is responsible for the terms with those providers.
6. International Data Transfers
6.1 Our primary infrastructure is hosted by Supabase in Zurich, Switzerland. Switzerland has been granted an adequacy decision by the European Commission (Commission Implementing Decision (EU) 2024/2272).
6.2 For sub-processors located in the USA, we rely on:
- The EU-US Data Privacy Framework (where applicable);
- Standard Contractual Clauses (SCCs) pursuant to Commission Implementing Decision (EU) 2021/914;
- Supplementary technical measures (encryption in transit and at rest).
6.3 AI model transfers are customer-initiated: the customer provides their own API keys and chooses which models to use. We facilitate the technical connection but the customer controls the data flow.
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data | Duration of contract + 30 days for export |
| Billing/transaction data | 10 years (Swiss commercial law, OR Art. 958f) |
| Customer-uploaded CRM data | Duration of contract + 30-day export window |
| Email tracking events | Duration of contract |
| AI chat messages | Duration of contract |
| Audit logs | 2 years |
| OAuth/API tokens (email, calendar, social, marketing) | Until revoked/disconnected by customer or contract end |
| Social engagement & marketing metrics | Duration of contract |
| Form submissions | Duration of contract |
After contract termination and the 30-day export window, all customer data is permanently deleted unless retention is required by law.
8. Your Rights Under the GDPR
As a data subject, you have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Access (Art. 15) | Obtain a copy of your personal data | Email impact@angad.swiss |
| Rectification (Art. 16) | Correct inaccurate data | Email or self-service in Platform |
| Erasure (Art. 17) | Request deletion of your data | Email impact@angad.swiss |
| Restriction (Art. 18) | Restrict processing in certain cases | Email impact@angad.swiss |
| Portability (Art. 20) | Receive your data in machine-readable format | Email impact@angad.swiss |
| Objection (Art. 21) | Object to processing based on legitimate interest | Email impact@angad.swiss |
| Withdraw Consent (Art. 7(3)) | Withdraw consent at any time (does not affect prior lawfulness) | Email impact@angad.swiss |
| Complaint (Art. 77) | Lodge a complaint with a supervisory authority | Contact your local DPA |
For contacts stored by our customers: If you are a contact in a customer's CRM, please direct your request to that customer (the Controller). We will assist the customer in fulfilling the request as Processor.
We respond to data subject requests within 30 days. Complex requests may be extended by an additional 60 days with notification.
9. Security Measures
We implement the following technical and organizational measures pursuant to Art. 32 GDPR:
Technical Measures:
- AES-256-GCM encryption for API keys and sensitive credentials
- Supabase Vault for OAuth token encryption
- TLS 1.2+ for all data in transit
- Row-Level Security (RLS) on all database tables — data isolation between organizations
- HMAC-SHA256 token validation for unsubscribe links
- Content Security Policy (CSP) headers
- DOMPurify for HTML sanitization (XSS prevention)
- Rate limiting on public endpoints (5-10 requests/min/IP)
- No CORS wildcard — dynamic domain validation
Organizational Measures:
- OTP-only authentication (no passwords to compromise)
- Role-based access control within organizations
- Audit logging of all data access and modifications
- API key rotation recommended every 90 days
- Sub-processor agreements with all third parties
- Regular security reviews
10. Data Processing Agreement (DPA)
For customers who require a formal Data Processing Agreement under Art. 28 GDPR, we provide a DPA upon request. Contact impact@angad.swiss.
The DPA covers:
- Subject matter and duration of processing
- Nature and purpose of processing
- Types of personal data and categories of data subjects
- Obligations of the Processor
- Sub-processor management
- Data subject rights assistance
- Breach notification procedures
- Audit rights
11. Data Breach Notification
In the event of a personal data breach:
- We will notify the relevant supervisory authority within 72 hours of becoming aware (Art. 33 GDPR);
- We will notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Art. 34 GDPR);
- We will notify affected customers (as Controllers) immediately so they can fulfill their own notification obligations;
- We will recommend immediate API key rotation for all stored credentials.
12. Automated Decision-Making
The Platform does not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects data subjects (Art. 22 GDPR).
AI-generated content is provided as suggestions to the customer's users, who retain full control over any actions taken.
13. Children's Data
The Platform is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that data from a child has been collected, we will delete it promptly.
14. Email Tracking Transparency
Our Platform enables customers to track email opens and clicks. As Processor, we provide the technical mechanism. The customer (Controller) is responsible for:
- Informing recipients about tracking in their privacy policy;
- Obtaining consent where required by applicable law;
- Providing opt-out mechanisms (unsubscribe links are mandatory).
We filter Apple Mail Privacy Protection opens (IP range 17.x.x.x) to improve accuracy.
15. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 30 days before taking effect. The current version is always available at sarama.angad.swiss/site/privacy.
16. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority. Given our Swiss establishment, the lead authority is:
Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1, 3003 Bern, Switzerland
https://www.edoeb.admin.ch
For EU data subjects, you may also contact your local Data Protection Authority.
17. Contact
For any privacy-related inquiries:
Angad Manik Beratung fur Strategie und Projekte
Angad Bank (ehemals Manik) — Data Protection Contact
Rebgasse 53, 4058 Basel, Switzerland
Email: impact@angad.swiss
Last updated: 12 June 2026