At Ontoor, your privacy is not a compliance checkbox — it is a core part of how we build software. We will never sell your data. We will always be transparent about what we collect and why.
This Privacy Policy explains how Ontoor Solutions Pvt. Ltd. ("Ontoor", "we", "us", "our") collects, uses, discloses, and protects personal information in connection with Ontoor CRM — our cloud-based Customer Relationship Management platform — and related websites, applications, and services (collectively, the "Services").
Please read this policy carefully. By using our Services, you acknowledge you have read and understood it. If you are using Ontoor CRM on behalf of an organisation, you represent that you have the authority to bind that organisation to this policy.
Ontoor Solutions Pvt. Ltd. is a private limited company providing cloud-based business software to organisations worldwide. We operate Ontoor CRM as a software-as-a-service (SaaS) product.
| Legal Entity | Ontoor Solutions Pvt. Ltd. |
| Product | Ontoor CRM |
| Service Type | B2B SaaS — Customer Relationship Management |
| Data Controller Role | Controller for account and usage data; Processor for subscriber business data |
| Privacy Contact | privacy@ontoorsolutions.com |
| Website | www.ontoorsolutions.com |
This policy applies to:
Data we collect about subscribers, users, and visitors to operate, secure, and improve our Services.
When you use our Services, we automatically collect certain technical information:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Provision and operation of the CRM service | Account data, user profiles, usage logs | Contract performance |
| User authentication, session management, and access control | Email, password hash, role assignments | Contract performance |
| Transactional emails — password resets, assignment notifications, invoice alerts | Name, email address | Contract performance |
| Subscription billing and payment processing | Billing contact data, payment token | Contract performance |
| Customer support, troubleshooting, and onboarding | Account data, support ticket content, usage logs | Legitimate interest |
| Security monitoring, fraud detection, and abuse prevention | IP addresses, login logs, activity patterns | Legitimate interest |
| Product improvement, bug fixing, and feature development (using anonymised/aggregated data) | Anonymised usage telemetry | Legitimate interest |
| Product update announcements and release notes | Name, work email | Legitimate interest (opt-out available) |
| Compliance with legal obligations (tax records, court orders) | Billing records, activity logs | Legal obligation |
| Enforcing our Terms of Service and resolving disputes | Account data, communications | Legitimate interest / Legal obligation |
We rely on the following legal bases under applicable data protection laws (including GDPR where applicable):
The business data your organisation stores in Ontoor CRM — leads, customers, deals, invoices, and more. You own this data. We are its custodian.
As part of using Ontoor CRM, your organisation stores and manages business data within the platform. This includes but is not limited to:
We refer to this collectively as "Service Data."
As the data controller for your Service Data, your organisation is responsible for:
Ontoor acts as a data processor for Service Data, processing it only on your documented instructions. We provide a Data Processing Addendum (DPA) for enterprise customers — contact privacy@ontoorsolutions.com to request one.
You can export your Service Data at any time while your subscription is active, in standard formats (CSV, Excel, PDF). Upon cancellation of your subscription, we provide a 30-day grace period during which you may export all your data before it is permanently deleted from our systems.
After the 30-day period, all Service Data associated with your account is permanently and irreversibly deleted from production databases and from backups within a further 30-day window.
Access to your Service Data by Ontoor personnel is strictly controlled and limited to specific circumstances:
| Circumstance | Who Can Access | Logged? |
|---|---|---|
| Resolving a support ticket where you have granted access | Authorised support engineers only | Yes |
| Investigating a security incident or data breach | Security team only | Yes |
| Legal obligation (court order, regulatory request) | Legal team + management | Yes |
| Technical maintenance causing unavoidable data exposure (extremely rare) | Senior engineering only, under strict controls | Yes |
Ontoor employees are contractually bound by confidentiality obligations and receive data privacy training. Access to production systems is granted on a least-privilege basis and reviewed periodically.
We use a limited number of trusted third-party service providers ("sub-processors") to help operate the platform. Each is bound by a Data Processing Agreement, is prohibited from using your data for their own purposes, and is required to maintain security standards equivalent to or greater than our own.
| Category | Purpose | Data Involved |
|---|---|---|
| Cloud infrastructure & hosting | Server hosting, database storage, file storage | All platform data — encrypted at rest and in transit |
| Transactional email delivery (SMTP provider) | Sending password resets, notifications, invoices, campaign emails | Recipient email addresses, sender name, email content |
| Payment processor | Subscription billing and invoicing | Billing contact name, email, amount — card data handled entirely by provider |
We do not share data with advertising networks, social media platforms, or analytics companies.
We may disclose personal data where required by law, court order, or legitimate government authority. Before doing so, we will:
If Ontoor undergoes a merger, acquisition, or sale of all or part of its assets, your data may be transferred to the successor entity. We will provide at least 30 days' notice via email and within the application, and will ensure the receiving entity provides equivalent privacy protections. You will retain the right to delete your data if you do not wish for it to be transferred.
We take data security seriously at every layer of the platform. Below are the technical and organisational measures we have in place.
We retain personal data for as long as necessary to fulfil the purpose for which it was collected, or as required by law.
| Data Category | Retention Period | Reason |
|---|---|---|
| Active account and user data | Duration of active subscription | Service delivery |
| Service Data (leads, customers, invoices, etc.) | Duration of subscription + 30-day post-cancellation export window | Data portability; then permanently deleted |
| Billing records and payment history | 7 years from transaction date | Legal / tax / accounting obligation |
| Security and access audit logs | 12 months rolling | Security monitoring and incident investigation |
| Support communications | 3 years from resolution | Service quality assurance and dispute resolution |
| Email communication logs (sent via platform) | 12 months | Deliverability troubleshooting |
| Anonymised, aggregated usage analytics | Indefinite | Product improvement — no personal identifiers retained |
After the applicable retention period, data is securely and permanently deleted or anonymised such that it can no longer be attributed to an individual.
You may request earlier deletion of your personal data by contacting us at privacy@ontoorsolutions.com, subject to any legal retention obligations.
You have the following rights over your personal data. We honour these rights regardless of your location or jurisdiction.
Email us at privacy@ontoorsolutions.com with the subject line "Privacy Request — [Right Type]". We will acknowledge your request within 3 business days and fulfil it within 30 days (or inform you if more time is needed under applicable law, up to a maximum of 60 days).
We may need to verify your identity before processing the request. We will not charge a fee for reasonable requests.
If you are unsatisfied with our response, you have the right to lodge a complaint with your relevant data protection supervisory authority.
Ontoor CRM uses a minimal, functional-only set of cookies. We do not use cookies for advertising, cross-site tracking, or third-party analytics inside the application.
| Name | Type | Purpose | Duration |
|---|---|---|---|
| ontoor_session | Essential | Maintains your authenticated session across page loads. Without this, you would need to log in on every click. | Session — expires on logout or browser close |
| XSRF-TOKEN | Essential (Security) | Cross-Site Request Forgery (CSRF) protection token. Validates that form submissions and API requests originate from our application. | Session |
| sidebarCollapsed | Functional (localStorage) | Remembers whether you have collapsed the navigation sidebar. Stored in your browser's localStorage — not transmitted to our servers. | Persistent until manually cleared |
The first two cookies are strictly necessary for the application to function and cannot be disabled while using the service. The localStorage preference is entirely local to your browser.
Our marketing website (separate from the application) may use analytics cookies to understand visitor behaviour. These are subject to your browser's cookie consent mechanism and can be declined.
Ontoor is headquartered in India and primarily stores data on servers in the region selected during account setup. If your organisation is based in the European Economic Area (EEA), UK, or another jurisdiction with cross-border transfer restrictions, data may be transferred outside your region.
In all such cases, we ensure appropriate safeguards are in place, including:
Enterprise and mid-market customers may request a signed Data Processing Addendum (DPA) by contacting privacy@ontoorsolutions.com. This is available at no charge.
Ontoor CRM includes workflow automation and rule-based features (such as lead assignment rules and scheduled campaign sending). These are deterministic, rule-based automations configured by you — not AI systems making independent decisions about individuals.
If we introduce AI-powered features in the future (such as predictive lead scoring or smart suggestions), we will:
We may update this Privacy Policy from time to time as our practices evolve, as our product grows, or to comply with legal requirements.
When we make material changes, we will:
For minor changes (grammar, clarifications, non-substantive edits), we will update the page without individual notice.
Previous versions of this policy are available upon request.
For any questions, concerns, or requests relating to this Privacy Policy or how we handle your data, please reach out through the channels below. We take privacy enquiries seriously and commit to a substantive response.
| Company | Ontoor Solutions Pvt. Ltd. |
| Website | www.ontoorsolutions.com |
| Privacy email | privacy@ontoorsolutions.com |
| Response time | Acknowledgement within 3 business days; resolution within 30 days |
| DPA available | Yes — available on request at no charge |