Privacy Policy

InTouch (“we”, “us”, “our”) is a personal relationship management application available at app.getintouchcrm.com. InTouch is operated as an independent product by an individual developer and is not affiliated with any third-party CRM vendor. The data controller responsible for your personal data is the operator of InTouch, contactable at the email address below.

For any privacy enquiries, rights requests, or data breach reports, please contact us at nlndcrrz@gmail.com. We will respond within 30 days.

We collect only the minimum data necessary to provide the service. The categories are:

• Account data

  When you sign in via Google (Firebase Authentication), we receive your Google email address and display name. This is used solely to identify your account and associate your data with you. We do not store your Google password.

  Legal basis: Contract — necessary to provide the service.

• Contact data you enter

  Names, phone numbers, email addresses, job titles, locations, birthdays, notes, and interaction logs you add manually. This data belongs entirely to you and is stored in your personal account.

  Legal basis: Legitimate interest — the core purpose of the application.

• Profile data

  The optional personal profile you create (your name, phone numbers, email addresses, LinkedIn URL, location, birthday, education, and work history) to share via QR code. You control exactly which fields are included in any QR share.

  Legal basis: Consent — you voluntarily provide and can delete this at any time.

• Photo scan data

  If you use the optional AI photo scan feature, the image you select is transmitted to Google's Gemini API for contact detail extraction. The image is processed in real time and is not stored by Google beyond the duration of the API request. We do not store the original image on our servers.

  Legal basis: Consent — you must actively initiate each scan.

• Push notification tokens

  If you enable push notifications, your browser generates a push subscription token. This token is stored in Firestore linked to your account and is used only to deliver reconnect reminders and birthday alerts you have configured.

  Legal basis: Consent — you must explicitly grant notification permission.

• Usage analytics

  We use Vercel Analytics, a privacy-first analytics tool that does not use cookies and does not track individuals across sites. It records only aggregate page-view counts and performance metrics.

  Legal basis: Legitimate interest — understanding how the product is used to improve it.

• We do not sell, rent, or share your data with advertisers or data brokers — ever.
• We do not use tracking cookies or third-party advertising pixels.
• We do not access your device contacts, camera, or microphone without explicit in-app permission.
• We do not read the content of emails or messages you send outside the app.
• We do not collect payment information — InTouch is currently free to use.
• We do not store images submitted to the AI photo scan feature.

InTouch allows users to share their personal profile via a QR code. When another user scans your QR code and saves your details in their InTouch account, that user becomes an independent data controller for your personal information within their own account. We are not responsible for how other users store, use, or share data they receive via QR codes.

Equally, when you save a contact’s details that were shared with you via QR, you assume responsibility as a data controller for that individual’s personal data within your InTouch account. You should ensure you have a legitimate reason for storing another person’s data and handle it respectfully.

All user data is stored in Google Firebase(Firestore database and Firebase Authentication), operated by Google LLC. Firebase data is stored in Google’s data centres. For users in the European Economic Area (EEA), data may be processed in the United States. Google LLC participates in the EU–US Data Privacy Framework and provides appropriate GDPR safeguards under Standard Contractual Clauses (SCCs).

Contact data you enter is additionally cached in your browser’s IndexedDB (on-device storage) so the app works offline. This data never leaves your device unless you are signed in and cloud sync is active.

The application is hosted on Vercel (Vercel Inc., USA). Vercel acts as a data processor and is GDPR-compliant under Standard Contractual Clauses.

Photo scan requests are processed via the Google Gemini API. Images are transmitted securely over HTTPS, processed in real time, and are not retained by Google beyond the API request lifecycle.

• Account & contact data: retained until you delete your account or request erasure.
• Push notification tokens: retained until you revoke notification permission or delete your account.
• Analytics data: aggregate, non-personal, retained by Vercel per their own retention policy.
• On-device cache (IndexedDB): retained until you clear your browser data or uninstall the PWA.
• Photo scan images: not retained — processed in real time and immediately discarded.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority (e.g. the ICO in the UK) within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR.

If the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected users directly without undue delay, using the email address associated with your account.

To report a suspected security vulnerability or breach, please email nlndcrrz@gmail.com immediately.

If you are located in the EEA or UK, you have the following rights:

• Right of access: Request a copy of all personal data we hold about you.
• Right to rectification: Correct inaccurate data at any time directly within the app.
• Right to erasure: Request deletion of your account and all associated data. We will action this within 30 days.
• Right to data portability: Export all your contacts in CSV format via Settings → Export Contacts.
• Right to object: Object to processing based on legitimate interest. We will cease processing unless we have compelling grounds.
• Right to restrict processing: Request that we limit how we use your data while a complaint is being resolved.
• Right to withdraw consent: For any processing based on consent (e.g. push notifications, photo scan), you may withdraw at any time in your device or browser settings.

To exercise any of these rights, email us at nlndcrrz@gmail.com. You also have the right to lodge a complaint with your national supervisory authority — for example, the Information Commissioner’s Office (ICO) in the UK, or your relevant EU member state authority.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know — you may request details of the personal information we collect, use, and disclose.
• Right to delete — you may request deletion of your personal information, subject to certain exceptions.
• Right to opt out of sale — we do not sell personal information. No opt-out is necessary.
• Right to non-discrimination — we will not discriminate against you for exercising any CCPA rights.

To submit a CCPA request, email nlndcrrz@gmail.com.

InTouch does not use cookies for tracking or advertising. The only browser storage we use is:

• IndexedDB — stores your contacts locally for offline access.
• localStorage — stores lightweight UI preferences (e.g. dark mode, dismissed banners).
• Service worker cache — caches app assets for offline use. No personal data is cached here.

None of these mechanisms are used to track you across websites.

InTouch is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. For significant changes, we will notify signed-in users via an in-app banner. Continued use of InTouch after any changes constitutes acceptance of the updated policy.