Privacy Policy

Effective date: 6/11/2026 | Last updated: 6/11/2026

1. Data controller

This policy applies to personal data processing by Ayuda CRM and its operating affiliates (together, the "Controller") in connection with the use of CRM, landing pages, forms, APIs, automation, and related services.

Privacy contact: privacy@ayuda.app

Mailing address: Corporate address available upon request through our privacy channel.

Phone: Available upon request through our privacy channel.

2. Geographic scope and legal frameworks

This notice is designed for international compliance with emphasis on:

  • European Union / EEA: GDPR and ePrivacy guidance.
  • United States: CCPA/CPRA and equivalent state frameworks where applicable.
  • Mexico: LFPDPPP and its regulations.
  • Latin America: habeas data principles and equivalent access/correction/deletion rights.

3. Personal data we process

  • Identifiers: name, email, phone, company, job title, online identifiers.
  • Usage data: navigation events, pages viewed, interactions with forms and campaigns.
  • Commercial data: conversation history, pipeline stages, operational notes.
  • Technical data: approximate IP, device, browser, time zone, security logs.
  • Billing and transactional data when you purchase paid services.

4. Purposes and legal bases

  • Provide and operate the Service (contract performance).
  • Security, fraud prevention, and operational continuity (legitimate interest).
  • Analytics, product improvement, and campaign measurement (legitimate interest and/or consent depending on region).
  • Marketing and commercial communications (consent where required by law).
  • Legal, tax, and regulatory compliance (legal obligation).

5. Cookies, pixels, and similar technologies

We use strictly necessary, functional, analytics, and advertising/measurement cookies. Where applicable law requires it, we obtain prior consent for non-essential categories and provide mechanisms to reject, withdraw, or adjust preferences.

If no dedicated cookie policy link is provided, this section applies supplementally across all Service domains.

For US residents, we honor compatible privacy preference signals (including Global Privacy Control where applicable) consistent with state requirements.

6. Disclosure and international transfers

We may share data with vendors acting as processors (hosting, analytics, messaging, payments, support) under processing agreements and appropriate security measures.

Where international transfers occur, we implement appropriate safeguards (for example, standard contractual clauses or equivalent measures) and risk assessments where required.

7. Retention and security

We retain data only as long as needed for legitimate purposes and legal obligations, applying minimization, access controls, encryption in transit and at rest where applicable, monitoring, and reasonable organizational and technical security measures.

8. Data subject rights

Depending on your jurisdiction, you may exercise:

  • Access to your data and information about processing.
  • Rectification of inaccurate or incomplete data.
  • Erasure/deletion of data where applicable.
  • Objection or restriction of processing where legally permitted.
  • Data portability where applicable.
  • Withdrawal of consent without retroactive effect.
  • Non-discrimination for exercising privacy rights (US where applicable).

In Mexico, these rights include ARCO rights and revocation under LFPDPPP. You may submit requests by email at privacy@ayuda.app.

9. EU/EEA-specific rights (GDPR)

  • Legal basis and transparency for each purpose.
  • Right to lodge a complaint with a competent supervisory authority.
  • Ability to request copies of safeguards for international transfers.
  • Right to object to automated decisions where legally provided.

10. US-specific rights (CCPA/CPRA and state laws)

  • Know categories and specific pieces of personal information collected.
  • Request correction and deletion of personal information.
  • Opt out of sale or sharing of personal information, where applicable.
  • Limit use of sensitive personal information, where applicable.
  • Non-discrimination for exercising privacy rights.

11. Children

Our services are not intentionally directed to children where prohibited by law. If we learn that children’s data is processed without a valid legal basis, we will take reasonable steps to delete it.

12. Changes to this policy

We may update this policy for regulatory, functional, or security reasons. We will publish the current version with an updated date. For materially relevant changes, we will provide notice as required by applicable law.

13. Google and Microsoft integrations (calendar, email, and APIs)

If you voluntarily connect a Google or Microsoft (Outlook / Microsoft 365) account, the Service may access data those providers make available according to the permissions you approve on each provider’s consent screen. This section describes Google user data and Microsoft user data separately, using the same structure, without repeating principles that apply to both.

13.1 Common principles (Google and Microsoft)

  • Connection is optional and requires your explicit consent on each provider’s authorization screen.
  • We use that data only for CRM features you or your organization enable (appointments, transactional email, calendar sync).
  • We do not sell data obtained from Google or Microsoft or use it for third-party personalized advertising unrelated to the Service.
  • Processing is limited to your organization’s workspace on the platform (tenant isolation).
  • You may withdraw access at any time in the application and in your Google or Microsoft account permission settings (see retention and deletion in each subsection below).

13.2 Google (Calendar, Gmail, and Search Console if enabled)

Data we access

  • Connected account profile: email address, name, and basic profile identifier or photo if Google provides it with the profile permission.
  • Google Calendar: calendar list; event metadata (for example title, start and end time, status, video meeting link when present); availability queries (free/busy) to show scheduling options; attendee emails you or your organization add when creating or editing an appointment.
  • Gmail: send permission only (gmail.send). We do not read your inbox, access received message content, or sync your mail history.
  • Google Search Console (optional integration, separate from calendar): aggregated search performance metrics for sites you have verified in Search Console, for in-product SEO analysis.

How we use the data

  • Sync appointments between the CRM and Google Calendar (create, update, cancel, or import events per configured links).
  • Show availability and reduce scheduling conflicts.
  • Send appointment confirmations, reminders, reschedules, or cancellations via the connected Gmail account when you or your organization configure it.
  • Manage event attendees; Google may send invitation notifications under its own rules.
  • Operate, maintain, and secure the Service (for example secure token refresh and sync error logging, not for advertising).
  • Search Console (when enabled): assess search demand and guide content improvements on verified sites.

How we share the data

  • We do not sell or rent data obtained from Google.
  • Processors (cloud infrastructure, hosting, and database providers) that process data only to operate the Service, under data processing agreements and security measures.
  • Attendees or recipients you designate when scheduling, and Google when Calendar or Gmail flows require delivering invitations or messages.
  • Authorized users within your organization in the CRM, according to roles and permissions.
  • We do not share Google data with third parties for third-party advertising or commercial profiling unrelated to the Service.

Storage and protection

  • OAuth tokens (access and refresh) stored encrypted and tied to your user and organization.
  • Synced appointment metadata and external event identifiers stored in the CRM with per-organization isolation.
  • Communication with Google APIs over encrypted connections (HTTPS/TLS).
  • Internal access limited through authentication, organization-scoped authorization, and reasonable security controls.

Retention and deletion

  • OAuth credentials: while the connection remains active; when you disconnect they are deactivated in the Service. You may revoke permissions in your Google account: https://myaccount.google.com/permissions
  • Google Calendar: in the CRM, Settings → Integrations → External calendars → Disconnect for the linked Google account.
  • Gmail: remove the send connection in your account email settings (/account/email-config).
  • Appointment data already created or imported in the CRM may be retained per Section 7; you may request deletion per Section 8.
  • Privacy requests: privacy@ayuda.app or the Section 1 privacy contact. We respond within a reasonable period, generally within 30 days where GDPR or equivalent laws apply.

Processing of Google user data complies with the Google API Services User Data Policy (Limited Use).

13.3 Microsoft (Outlook, Microsoft 365, and calendar)

Data we access

  • Connected account profile: sign-in email or identifier, display name, and basic profile data exposed by Microsoft Graph with User.Read.
  • Outlook / Microsoft 365 calendar: calendar list; event metadata (title, start, end, status, online meeting link when present); availability for scheduling; attendee emails you or your organization add when creating or editing an appointment.
  • Outlook mail: message sending only (Mail.Send on Microsoft Graph). We do not read your inbox or received message content.

How we use the data

  • Sync appointments between the CRM and Microsoft calendar (create, update, cancel, or import events per configured links).
  • Show availability and reduce scheduling conflicts.
  • Send appointment confirmations, reminders, reschedules, or cancellations from the connected Outlook account when configured.
  • Manage event attendees; Microsoft may send notifications under its own rules.
  • Operate, maintain, and secure the Service (token refresh, sync error logging, not for advertising).

How we share the data

  • We do not sell or rent data obtained from Microsoft.
  • The same processors described in Section 6, only to operate the Service under contractual security measures.
  • Attendees or recipients you designate, and Microsoft when calendar or mail flows require it.
  • Authorized users within your organization in the CRM, according to roles and permissions.
  • We do not share Microsoft data with third parties for third-party advertising or unrelated commercial profiling.

Storage and protection

  • OAuth tokens stored encrypted per organization, with the same security approach as Google connections.
  • Appointment metadata and external event identifiers in the CRM, with per-organization isolation.
  • Communication with Microsoft Graph over HTTPS/TLS.
  • Organization-scoped access controls equivalent to those described for Google.

Retention and deletion

  • OAuth credentials: while the connection is active; deactivated in the Service when you disconnect. Manage apps and permissions at https://account.microsoft.com/privacy
  • Microsoft calendar: Settings → Integrations → External calendars → Disconnect for the linked Microsoft account.
  • Outlook mail: remove the connection in account email settings (/account/email-config).
  • Appointment data already in the CRM: per Section 7; deletion requests per Section 8.
  • Privacy requests: privacy@ayuda.app or the Section 1 contact, with a reasonable response time (generally within 30 days where applicable).

Processing through Microsoft Graph is also governed by Microsoft’s notices and terms; reference: Microsoft Privacy Statement.

13.4 Responsibility among providers

Google and Microsoft are independent controllers for processing they perform under their own privacy notices. The Controller for processing through the Service is identified in Section 1; OAuth connections are made to carry out instructions from the user or the customer operating the platform.

14. WhatsApp Business API integration (Meta)

If you or your organization connect a WhatsApp Business account (WhatsApp Business API / Meta Cloud API) or send messages to end contacts through the Service via WhatsApp, this section describes how personal data related to those messages is processed. It applies when the Customer (organization using the CRM) uses WhatsApp as a communication channel with its own contacts.

14.1 Common principles (WhatsApp)

  • Sending WhatsApp messages requires that the end contact has provided opt-in (consent) under applicable law and WhatsApp policies; the Customer is responsible for obtaining and documenting it.
  • Opt-in must clearly state the trade name of the business the person will receive messages from and that communication may occur via WhatsApp.
  • We use WhatsApp-related data only to operate features the Customer enables (confirmations, reminders, replies, permitted campaigns, support).
  • We do not sell data obtained through WhatsApp or use it for third-party personalized advertising unrelated to the Service.
  • Processing is limited to the Customer’s organization workspace on the platform (tenant isolation).
  • Individuals may withdraw consent or opt out of further messages at any time; the Customer must honor opt-out promptly.

14.2 WhatsApp Business API (Meta Platforms)

Data we access

  • End contact phone number and, where applicable, name or identifier linked in the CRM.
  • Message content sent or received through the Service (text, approved templates, attachments allowed by the API) and conversation metadata (date, time, delivery or read status when Meta exposes it).
  • Technical identifiers for the connected WhatsApp Business account, business phone number, and messages in Meta’s API.
  • Operational Service logs related to sending (errors, templates, queues), not for advertising.

How we use the data

  • Send and receive messages that the Customer or its authorized users initiate from the CRM (transactional, operational, or marketing where valid opt-in exists).
  • Display conversation history in the CRM and link messages to contacts, appointments, opportunities, or other Customer records.
  • Operate message templates, automations, and reminders configured by the Customer.
  • Prevent abuse, fraud, or policy violations; log delivery or integration errors.
  • Handle access, rectification, or deletion requests per Sections 7 and 8.

How we share the data

  • Meta Platforms, Inc. and its affiliates process and route messages as the WhatsApp Business API provider; Meta’s processing is governed by its own terms and privacy notices.
  • Service processors (cloud infrastructure, database, support) that process data only to operate the platform, under data processing agreements and security measures.
  • Authorized users within the Customer’s organization in the CRM, according to roles and permissions.
  • We do not share WhatsApp conversation data with third parties for third-party advertising or unrelated commercial profiling.

Storage and protection

  • WhatsApp integration tokens, credentials, and identifiers stored encrypted and tied to the Customer’s organization.
  • Message content and history stored in the CRM with per-organization isolation, restricted access, and encrypted communication with Meta APIs (HTTPS/TLS).
  • Access controls, authentication, and organization-scoped authorization equivalent to the rest of the Service.

Retention, deletion, and opt-out

  • WhatsApp integration: while the connection remains active; credentials are deactivated in the Service when disconnected. The Customer may revoke permissions in Meta Business Manager and in the business WhatsApp settings.
  • Message history in the CRM: per Section 7 and Customer configuration; deletion may be requested per Section 8.
  • Opt-out: if a person indicates they no longer want messages (for example by replying STOP, an opt-out keyword configured by the Customer, contacting the business, or requesting through another published channel), the Customer must immediately stop sending promotional or unsolicited WhatsApp messages and update its lists in the CRM.
  • Privacy requests regarding WhatsApp data: privacy@ayuda.app or the Section 1 contact; we respond within a reasonable period (generally within 30 days where GDPR or equivalent laws apply).

Use of the WhatsApp Business API is also governed by WhatsApp/Meta terms and policies, including: WhatsApp Business Terms of Service.

14.3 Responsibility among providers

Meta is an independent controller for processing it performs as the WhatsApp operator under its own notices. The controller vis-à-vis the Customer’s end contacts is typically the organization sending the messages; the Controller for processing through the Service is identified in Section 1 to the extent it operates the platform on the Customer’s instructions.

15. Terms and legal channels

See the Terms and Conditions of Use published in this application.

For privacy requests, rights, audits, or regulatory questions, contact privacy@ayuda.app.