Privacy Policy

1. Introduction

Eris Core ("Company", "we", "our", or "us") operates an integrated business communication and CRM platform (the "Service").

This Privacy Policy explains in detail how we collect, use, store, and protect your information. We are committed to transparency and want you to understand exactly what data we handle and how we safeguard it.

Please read this Privacy Policy carefully. By using our Service, you consent to the practices described in this policy.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • User ID: A unique identifier for your account
  • Email Address: Your email for authentication and notifications
  • Display Name: Your chosen display name
  • Password: Stored securely using industry-standard hashing (handled by Better Auth authentication service)
  • Time Zone: To display times correctly (default: UTC)
  • Notification Preferences: Email preferences for weekly summaries and desktop notifications
  • User Role: Your role within the platform (client, admin, manager, member)

2.2 Team and Company Information

If you create or join a team, we collect:

  • Company Name: Your organization's name
  • Employee Count: Number of employees in your organization
  • Team Member Details: Email addresses and roles of invited team members
  • Access Permissions: CRM access, financial access, social media access, and operations access flags for each team member
  • Onboarding Status: Tracking completion of setup steps

2.3 Gmail Integration Data (Optional)

If you connect your Gmail account, we collect and store:

  • OAuth Tokens: Access tokens, refresh tokens, and token expiry times (stored encrypted)
  • Email Address: Your Gmail email address
  • OAuth Scopes: The permissions you've granted (gmail.readonly, gmail.modify, gmail.send, gmail.compose)
  • Sync State: History ID and last sync timestamp for efficient email syncing
  • Scheduled Emails: Draft emails scheduled for future sending, including recipients (to, cc, bcc), subject, body HTML, attachments metadata, and send time
  • Email Content: We process email content for AI-powered features but do not permanently store full email bodies unless explicitly saved by you

2.4 Contact Information (Encrypted)

We store contact information to enhance your CRM experience. All sensitive fields are encrypted at rest using AES-128 encryption (via Fernet):

  • Email Address: Encrypted and hashed (SHA-256) for quick lookups
  • Name: Encrypted
  • Company Name: Encrypted
  • Job Title: Encrypted
  • Phone Number: Encrypted
  • Physical Address: Encrypted
  • AI-Generated Notes and Summary: Encrypted
  • Latest Conversation Summary: Encrypted
  • Interaction Metadata: Last interaction timestamp, total emails sent/received (not encrypted)
  • Professionalism Score: A score (1-10) indicating communication formality preferences
  • Recent Email Summaries: Brief encrypted summaries of recent exchanges
  • Upcoming Meeting Information: Encrypted meeting details linked to this contact

2.5 CRM Data (Lead Management)

For leads and deals tracked in our CRM:

  • Lead/Deal Title: Plain text
  • Status: lead, in_progress, won, or lost
  • Value and Currency: Deal value in your chosen currency
  • Notes: Encrypted
  • Source: Where the lead originated
  • Metadata: Custom fields, encrypted as JSON
  • Last Touch Date: Timestamp of last interaction

2.6 WhatsApp Integration Data (Optional)

If you connect WhatsApp Business:

  • Phone Number ID: Your WhatsApp Business phone number ID
  • Business Account ID: Meta Business account identifier
  • Access Token: Encrypted Meta API access token
  • Verify Token: Encrypted webhook verification token, hashed (SHA-256) for lookups
  • Message Content: Message text, contact information, timestamps, and delivery status
  • Media URLs: Links to images, videos, or documents shared via WhatsApp
  • WhatsApp Message IDs: For tracking message delivery and status

2.7 Calendar and Meeting Data

  • Calendar Events: Title, description (truncated to 2000 characters), start/end times, all-day flag, location, attendees list, Google Meet links
  • Event Categories: Custom categories you create for organizing events
  • External Calendar IDs: If syncing with Google Calendar
  • Meeting Records: For recorded meetings (Zoom integration), we store encrypted summaries, transcripts, action items, recording file paths, and metadata

2.8 Social Media Management Data (Optional)

For clients using our social media services:

  • Dropbox Integration: Client folder IDs, folder paths, asset IDs and paths, file metadata
  • Social Media Assets: Asset versions, titles, captions, scheduling timestamps, approval status, client feedback, admin notes
  • Caption Instructions: AI-generated caption guidelines and preferences

2.9 Conversation and Chat Data

  • Conversation Folders: Custom folders for organizing conversations
  • Chat Messages: Messages exchanged within the platform's internal chat feature
  • Draft Messages: Unsent messages stored temporarily
  • AI Chat Context: Conversation history used to provide context-aware AI assistance (processed by OpenAI GPT models)

2.10 Company Instructions and Business Context

  • Business Instructions: Custom guidelines and preferences for AI responses specific to your business
  • Communication Tone: Preferred communication style and formality level

2.11 Technical and Usage Data

  • Session Tokens: Bearer tokens for authentication (cached for 30 minutes)
  • IP Address: For security and fraud prevention
  • User Agent: Browser and device information
  • Timestamps: Record creation, update, and access times
  • WebSocket Connections: For real-time updates (ephemeral, not stored)

2.12 Consent and Compliance Records

  • Terms Acceptance: Timestamp and version of terms you agreed to
  • Privacy Policy Version: Which version you consented to
  • Marketing Opt-In Status: Whether you opted in to promotional emails
  • IP Address at Consent: For audit trail purposes

3. Data Encryption and Security

We take data security extremely seriously. Here's how we protect your information:

  • Encryption at Rest: All sensitive personal data (contact information, notes, WhatsApp tokens, meeting transcripts, OAuth tokens) is encrypted using Fernet symmetric encryption (AES-128 in CBC mode with PKCS7 padding)
  • Encryption Key Management: Encryption keys are stored securely in environment variables, never in the codebase
  • Password Security: User passwords are hashed using industry-standard algorithms via Better Auth service
  • Transport Security: All data transmitted between your browser and our servers uses HTTPS/TLS encryption
  • Database Security: We use SQLAlchemy ORM with parameterized queries to prevent SQL injection attacks
  • Connection Pooling: Secure database connection pooling with automatic recycling (pool size 15, max overflow 30, recycle time 1800s)
  • Access Controls: Role-based access control (RBAC) ensures users only access data they're authorized to see
  • Token Caching: Session tokens are cached with a 30-minute TTL to reduce database lookups while maintaining security

4. How We Use Your Information

We use your data for the following purposes:

  • Service Delivery: To provide core features like email management, CRM, calendar, and messaging
  • AI-Powered Features: To generate email summaries, draft responses, analyze communication patterns, and provide intelligent insights (processed via OpenAI API)
  • Synchronization: To sync data between Gmail, Google Calendar, WhatsApp, and our platform
  • Team Collaboration: To enable team features, access controls, and shared resources
  • Personalization: To customize the interface, suggestions, and AI responses based on your preferences and business context
  • Notifications: To send email notifications, weekly summaries, and desktop notifications (based on your preferences)
  • Analytics: To improve our service through usage analysis (we do not sell this data)
  • Security: To detect fraud, unauthorized access, and abuse
  • Compliance: To meet legal obligations and enforce our terms

5. Third-Party Services and Data Sharing

We integrate with and share data with the following third-party services:

5.1 OpenAI

We use OpenAI's GPT models to provide AI-powered features. When you use AI features, your conversation context, email content, and business instructions are sent to OpenAI's API for processing. OpenAI's data processing is subject to their Privacy Policy and Business Terms.

5.2 Google Services (Gmail, Google Calendar)

When you connect Gmail or Google Calendar, we use Google's OAuth 2.0 for secure authorization. We only access data within the scopes you explicitly grant. Your Google data handling is subject to Google's Privacy Policy.

5.3 Meta/WhatsApp Business API

WhatsApp integration uses Meta's Business API. Message data processed through WhatsApp is subject to Meta's Privacy Policy.

5.4 Dropbox

For social media asset management, we integrate with Dropbox to access client folders and assets. Dropbox data handling is governed by their Privacy Policy.

5.5 Better Auth

We use Better Auth for user authentication and session management. Authentication data is handled according to Better Auth's security standards.

5.6 Other Circumstances

  • Legal Requirements: We may disclose data to comply with legal obligations, court orders, or government requests
  • Business Transfers: In case of merger, acquisition, or asset sale, your data may be transferred
  • With Consent: We may share data with other third parties when you explicitly consent

We do not sell your personal information to third parties.

6. Cookies and Tracking

We use cookies and similar technologies for:

  • Authentication: Session cookies (better-auth.session_token) to maintain your logged-in state
  • Local Storage: We store session tokens in browser localStorage for authentication persistence
  • WebSockets: For real-time updates (Gmail sync, chat messages, notifications)

You can control cookies through your browser settings. Disabling cookies may affect functionality.

7. Data Retention

We retain your data as follows:

  • Account Data: Retained while your account is active
  • Email Sync Data: Retained to maintain synchronization state
  • Scheduled Emails: Deleted after successful sending or upon your request
  • Draft Messages: Stored until retrieved by you, then deleted
  • Session Tokens: Cached for 30 minutes, then expire
  • Deleted Accounts: When you delete your account, we purge all personal data from our database, including all encrypted contact information, CRM data, calendar events, and integration tokens

8. Your Privacy Rights

You have the following rights:

  • Access: Request a copy of all data we store about you
  • Correction: Update or correct your profile, contact information, and preferences at any time
  • Deletion: Delete your account and all associated data (accessible via account settings)
  • Data Portability: Export your data in machine-readable format
  • Opt-Out: Unsubscribe from marketing emails or disable notifications
  • Withdraw Consent: Disconnect integrations (Gmail, WhatsApp, Google Calendar) at any time
  • Object to Processing: Opt out of AI processing for specific features

To exercise these rights, contact us at privacy@eriscore.com or use the account settings in the application.

9. International Data Transfers

Your data may be stored and processed in data centers located in different countries. We ensure appropriate safeguards are in place for international transfers, including:

  • Using cloud providers with GDPR compliance certifications
  • Implementing Standard Contractual Clauses where required
  • Maintaining encryption for data in transit and at rest

10. Children's Privacy

Our Service is not intended for individuals under 13 years of age. We do not knowingly collect data from children. If we discover that a child under 13 has provided personal information, we will delete it immediately.

11. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify you within 72 hours via email and provide details about the breach, affected data, and steps being taken.

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically. When we make material changes, we will notify you via email and/or a prominent notice in the application. The "Last Updated" date below reflects the most recent version.

13. Contact Us

For questions, concerns, or to exercise your privacy rights, contact us at:

Email: info@addictivedesign.ca

Last updated: February 2, 2026

Privacy Policy Version: 1.0