Loading…
Loading…
This Privacy Policy describes how Process Place LLC, a Delaware limited liability company ("Process Place," "we," "us," or "our"), collects, uses, shares, and protects information about you when you use our website at process.place, our application at app.process.place, and related services (collectively, the "Service").
Process Place is a CRM built for agencies. Much of the content in the Service is created by our customers and may include personal data about their own clients, prospects, and meeting participants. Where a customer uses Process Place to manage that data, the customer is the controller of it and Process Place acts as a processor on the customer's behalf; for account, billing, and website data, Process Place is the controller. By using the Service, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service. You can reach us at privacy@process.place at any time.
When you sign up for and use the Service, we collect the following categories of information.
As the controller of the personal data you submit about your own contacts, prospects, and signers, you are responsible for having a lawful basis to collect and process it and for giving those individuals any notice required by law; your instructions govern our processing of that data (see §11 and the content-license terms in §7 of the Terms of Service).
When you connect a third-party account to the Service, we receive information from that account. The data we receive depends on the permissions you grant. For Google Workspace, see §3 (Google User Data). If you connect a meeting-notes provider (Fathom, Fireflies, Granola, or tl;dv), we use the API key you supply to pull your own meeting transcripts, summaries, and attendee details from that provider into your workspace; these are external sources you read from, not parties we send your CRM data to.
For company and contact enrichment features, we look up publicly available information about a company using Brave Search and by fetching the company's own public web pages, then use an AI model to extract structured facts (such as industry, size, funding, and description). This enriched company information is associated with the corresponding records in your workspace. To improve performance, enriched company data keyed to a public web domain may be cached and reused across workspaces; this cache holds only public business information about companies, not your private CRM data. Where this enrichment, or a customer's submission of a third party's data, brings us personal data that did not come from the individual directly, we rely on the customer-controller to provide any notice required under GDPR Art. 14; the categories, sources, and purposes of that data are described in this section.
We use the information we collect to:
We do not sell your personal information, we do not share it for cross-context behavioral advertising, and we do not use your data — including data received from Google APIs and content you create in the Service — to train generalized AI or machine-learning models.
Process Place integrates with Google Workspace (Gmail and Google Calendar) to provide email and calendar features. This section explains what Google data we access, why, and how you control it. Signing in with Google ("Google Sign-In") is separate from connecting Google Workspace: sign-in uses only your basic profile (name, email, and profile picture) to create or authenticate your account and does not grant access to your Gmail or Calendar. The scopes below apply only when you explicitly connect Google Workspace.
Process Place's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
In particular:
When you connect Google Workspace, we request the following permissions ("scopes"). One is a restricted scope (gmail.readonly); the other three are sensitive scopes. You can review and revoke these at any time at myaccount.google.com/permissions.
For inbound email (synced from Gmail), we read the full message — headers and body — and store the sender, recipients (to/cc/bcc), subject, date, message snippet, and a copy of the message body (truncated at 50 KB per message). Messages identified as internal-only or marked do-not-track are skipped. Inbound attachment files are not downloaded or stored; if you open an attachment from Process Place, it is streamed from Gmail on demand.
For outbound email (composed in Process Place and sent through Gmail), we store the sender, recipients, subject, date, message body, and attachment metadata (filename, size, content type). Outbound attachment files are held only briefly in private storage during the send window and are deleted once Gmail confirms the message was sent.
For calendar events, we store the title, description, start/end time, attendees (name, email, and response status), and meeting URL. A meeting URL may be derived from the event's location or description, but the event location itself is not stored as a field. Events marked private or confidential are skipped.
AI processing of Google data. To power user-facing AI features you invoke — such as proposal and brief generation, email drafting, and inferring your writing style ("voice profile") so drafts sound like you — the content of your synced Gmail messages and calendar context may be sent, at the time you use those features and only as transient context, to the AI providers we use (Anthropic, OpenAI, and Google), reached through the Vercel AI Gateway. This happens only to provide features you invoke for your own workspace. These providers operate under terms that prohibit training their models on your data, and Process Place does not train any models on it either. This use is consistent with the Limited Use requirements in §3.1. Outputs and structured results derived from Google data (for example, a voice profile or a generated draft) are stored in your workspace.
Google OAuth access and refresh tokens are encrypted at rest using AES-256-GCM with a per-record initialization vector before they are stored in our database. Tokens are never logged or exposed in URLs.
You have two independent ways to manage Google data in Process Place:
You can also revoke Process Place's access to your Google account directly at myaccount.google.com/permissions. Doing so will not delete data already synced into your Process Place workspace; use the Delete-my-Google-data action above for that.
We share information only with the following categories of recipients.
We rely on the providers below to operate the Service. Each is bound by contractual obligations to process personal data only on our instructions and to protect it appropriately. All of these providers process data in the United States.
Each AI provider listed above is engaged under API terms that prohibit them from training their models on your data and that provide for no retention of inputs beyond what is needed to return a response.
Note on connected sources: the meeting-notes providers you may connect (Fathom, Fireflies, Granola, tl;dv) are sources you read your own data from using your own API key; they are not subprocessors we send your CRM data to, so they are not listed above.
We will update this list as our subprocessors change. Material changes will be reflected in the "Last Updated" date at the top of this policy. Enterprise customers may request advance notice of subprocessor changes by contacting privacy@process.place.
If you enable invoicing and connect your own Stripe account, the Service lets you collect payments from your own clients through Stripe. In those transactions, you are the merchant of record, your relationship with Stripe is governed by Stripe's Connected Account Agreement, and Process Place is not a party to and takes no custody of those funds. Personal data and payment-card details your clients provide during checkout are processed by Stripe under its own terms and are never stored on Process Place servers; the only billing details we store are your own payout and invoicing details, used to render the invoices you send (see §1.1).
We may disclose information when we have a good-faith belief that disclosure is reasonably necessary to comply with a law, regulation, legal process, or governmental request; enforce our Terms of Service; detect, prevent, or address fraud, security, or technical issues; or protect against harm to our rights, property, or safety.
If Process Place is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.
We may share information for any other purpose disclosed to you and with your consent. We do not sell your personal information, and we do not share it for cross-context behavioral advertising.
We are based in the United States, and the personal data you provide is processed and stored entirely in the United States: application servers, database, and job queues are hosted in Oregon; uploaded files, images, generated documents, and meeting recordings are stored in California (San Jose); and operational logging and uptime monitoring is also performed in the United States. Our application logs may include request and response content and identifiers, which can contain personal data. See §4.1 for the full list of subprocessors and their locations.
For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented where appropriate with additional safeguards such as encryption in transit and at rest. We are happy to provide a copy of the SCCs in place with any specific subprocessor on request to privacy@process.place.
The Service includes AI features such as proposal and contract generation, AI briefs, company enrichment, email writing-style ("voice profile") inference, call summaries and insights, and an editing assistant. When you use these features:
These AI features assist you and do not make solely-automated decisions that produce legal or similarly significant effects about any individual within the meaning of GDPR Art. 22; a person in your workspace always reviews and acts on the output. Where AI features process personal data obtained from a source other than the individual (for example, web enrichment or data a customer submits about a third party), the categories, sources, and purposes are described in §1.4, which serves as the disclosure contemplated by GDPR Art. 14, and we rely on the customer-controller to provide any required notice to those individuals.
If you enable meeting recording, a Recall.ai bot — shown in the participant list as "Process.place" — joins your meeting and records audio and video; the recording is stored in our object storage and transcribed by Deepgram, and the transcript may then be processed by AI models (via the Vercel AI Gateway) to generate summaries and insights. Recording is off by default and opt-in per meeting. You are responsible for obtaining any participant consent required by applicable recording, wiretap, and two-party-consent laws before recording a meeting. Recordings and transcripts are retained in your workspace until you delete them or close your account. We do not use recordings or transcripts to create biometric identifiers or voiceprints, and we do not perform voice-based identification; speaker labeling (diarization) distinguishes participants within a single meeting and does not produce a biometric template.
We retain personal data for as long as your account is active or as needed to provide the Service. Specifically:
Database and object-storage backups are managed by our infrastructure providers; deleted data is removed from active systems immediately and ages out of backups on the providers' rotation cycle, which does not exceed 30 days.
We implement security measures designed to protect your information, including:
No security measure is perfect. If you discover a vulnerability, please report it responsibly to privacy@process.place.
The marketing site presents a cookie banner. Analytics are off by default and load only after you accept the analytics category.
The application authenticates you using bearer and refresh tokens stored in your browser's local storage — it does not rely on cookies for login or session management.
Most browsers allow you to refuse, block, or delete cookies. EU/UK users: the marketing site presents a cookie banner allowing you to accept, reject, or customize non-essential cookies, and you can revisit it at any time to change your preferences.
Depending on where you live, you have rights regarding your personal data. We honor these rights for all users to the extent applicable, regardless of location. Where Process Place processes personal data on a customer's behalf (for example, a customer's CRM contacts or a prospect who submitted a public form), the customer is the controller. In that case we will, without undue delay, forward your request to the relevant customer and — where permitted — tell you which customer holds your data so you can exercise your rights directly with them, and we will assist that customer in responding as required under GDPR Art. 28(3)(e). The 30-day response commitment below applies to requests where Process Place is the controller.
You have the right to:
To exercise any of these rights, email privacy@process.place. We will respond within 30 days.
EU and UK representatives. Process Place is established in the United States and does not maintain an establishment in the EEA or the UK. Where we are required to designate a representative under GDPR Art. 27 or UK GDPR Art. 27, we will name that representative and their contact details here; until a representative is designated, you may direct any matter that would otherwise go to a representative to privacy@process.place. [Placeholder — EU/UK Art. 27 representative to be confirmed with counsel before offering the Service to EEA/UK users.]
If you are a California resident, you have the right to know, delete, and correct the personal information we hold about you, and to opt out of its "sale" or "sharing." We do not sell or share personal information for cross-context behavioral advertising, and we do not knowingly sell or share the personal information of consumers under 16. We will not discriminate against you for exercising any of these rights.
Categories of personal information we collect. Over the past 12 months we have collected the following CCPA categories, detailed in §1, §3, and §7: identifiers (name, email, IP address); commercial information (subscription, billing, and invoicing details); internet or other electronic activity (log, device, and usage data); approximate geolocation (an approximate location derived from a signer's IP address); professional or employment-related information (job title, organization); audio and visual information (meeting recordings and transcripts you choose to capture); inferences (AI-extracted summaries and enrichment-derived facts); and the contents of communications — your email content synced from Gmail and messages — which we treat as sensitive personal information. We use and disclose sensitive personal information only for the business purposes permitted under CPRA §1798.121 (such as providing the Service you request), so the right to limit the use of sensitive personal information does not apply.
Sources, purposes, and recipients. We collect this information from you, from your connected Google account, from your prospects who submit public forms, and from enrichment sources (§1.4). We use it for the business and commercial purposes described in §2, and we disclose it to the categories of recipients described in §4.1. We do not use any of these categories for cross-context behavioral advertising.
How to submit a request. Email privacy@process.place; signed-in users may also submit a request from within the application. Because Process Place is an online service, email is our designated method for requests. You may use an authorized agent to submit a request on your behalf; we will ask the agent for written authorization signed by you and may ask you to verify your own identity and confirm that you authorized the request. To protect your data, we verify requests by matching the request to the account email and information we already hold before we act on it.
If you reside outside the EU, UK, or California, you may have similar rights under your local privacy law (e.g., LGPD in Brazil, PIPEDA in Canada, the Privacy Act in Australia). Contact privacy@process.place to exercise any rights under applicable law.
You can delete your data at three levels:
The Service is not directed to, and we do not knowingly collect personal information from, children under 16 (or under 13 where COPPA applies). If you believe a child has provided us with personal information, please contact privacy@process.place and we will delete it.
If you use Process Place on behalf of an organization that processes personal data of individuals located in the EU, UK, or other jurisdictions with data-protection laws requiring a DPA, you can request our standard Data Processing Agreement by emailing privacy@process.place.
We may update this Privacy Policy from time to time. When we do, we will revise the "Last Updated" date at the top of this page. For material changes, we will notify you in advance by email or via a prominent notice in the Service.
For privacy questions, requests, or complaints:
Process Place LLC
Email: privacy@process.place
General support: support@process.place
Mailing address: 440 N Barranca Ave #2198, Covina, CA 91723, USA