+1 (408) 320-0380

Privacy Policy

Last Update: September 3, 2025

This Privacy Policy describes how EspoCRM, Inc., a Delaware corporation, and its affiliates (“EspoCRM,” “we,” “our,” or “us”) collect, use, and share Personal Information (including “personal data,” as those terms are defined under applicable law) in connection with your use of our websites (including www.espocrm.com, related domains, and websites), services, and applications (collectively, the “Services”) and your installation and use of any software that we include as part of the Services, including, without limitation, mobile and web applications, scripts, instruction sets, and related documentation (collectively, the “Software”).

This Privacy Policy (the “Privacy Policy”) describes EspoCRM’s practices when we act as a data controller. This Privacy Policy does not apply to information or content our customers may process when using our Services or Software.

This Privacy Policy also explains your choices surrounding how we use information about you, which include how you can object to certain uses of information about you and how you can access and update certain information about you.

If you do not agree with this Privacy Policy, do not access or use our Services and Software and/or interact with any other aspect of our business.

This Privacy Policy is not intended to override the terms of any contract you have with us.

1. Collection of Information

The information we collect about you depends on how you use our Services and Software or otherwise interact with us.

You have choices about the information we collect. When you are asked to provide Personal Information, you may decline. However, if you choose not to provide information that is necessary to provide the Services or Software, you may not be able to use some of our features, Software, or Services.

1.1 Information We Collect about You

When you register to use an EspoCRM Service, create an account, or purchase a license to our Services and Software. This includes:

Identifiers and contact information, such as:

  • Full name;
  • Email address;
  • Telephone number;
  • Address, city, country and postal code;
  • Country.

Commercial and transaction information, such as:

  • Billing information;
  • Licenses purchased;
  • Types of Services and Software of interest.

Professional, business, or other demographic information, such as:

  • Title;
  • Occupation;
  • Job function;
  • Expertise;
  • Company details, such as the size, industry, and other information about the company where a user may work.

1.2 Communication Information

If you contact us directly, we may receive additional information about you, such as your name, email address, phone number, the contents of the message and/or attachments you may send us, and any other information you may choose to provide.

1.3 Content and Other Information

When you use our Services and Software, we collect data you provide when you enter text, upload files, submit a complaint, or send us feedback. We collect additional content and information that you voluntarily provide to us, such as when you register for or attend an event, complete or update your profile, post a comment, or other information you provide to establish your identity.

1.4 Payment Information

We collect and store information about the Services and Software you purchase. When you create an order on our website, your financial information is directed to our third-party payment processor. We do not store your financial information on our systems; however, we have access to, and may retain, customer information we receive from our third-party payment processors.

2. Information We Collect Automatically

2.1 Information from Browsers, Devices, and Servers

When you visit our website or use our Services, we collect information that web browsers, mobile devices, and servers typically make available, including the browser type, IP address, unique device identifiers, language preference, referring website, the date and time of access, operating system, and mobile network information.

2.2 Usage Information

We collect information about your usage of our Services. For example, we collect information about the actions that users perform on our website — in other words, who did what and when. We also collect information about what happens when you use our Services (e.g. page views, support document searches). We use this information to, for example, provide our Services to you and get insights on how people use our Services, so we can make our Services better.

2.3 Location Information

We may determine the approximate location of your device from your IP address. We collect and use this information to, for example, calculate how many people visit our Services from certain geographic regions.

2.4 Information Collected by Cookies and Similar Tracking Technologies

We use tracking technologies, such as cookies, pixel tags, and session replay, to collect information about your interactions with our Services and our marketing communications. These technologies help us improve our Services and marketing communications, personalize your experience, and analyze your interactions with us, including to count visits and understand popularity of different features. For more information about our use of cookies and other technologies for tracking, including how you can control the use of cookies, please see our Cookie Notice.

3. How We Use Personal Information

We use Personal Information for the following purposes:

  • to provide you with the Services or Software you have ordered;
  • to process your transactions;
  • to prevent fraud or misuse of our Services or Software, and to protect the security and integrity of our Services, IT systems, network, and architecture;
  • to contact you if required in connection with your order or to respond to any communications you might send to us;
  • to send you technical notices, security alerts, support messages, and other transactional or relationship messages;
  • to monitor and analyze trends, usage, and activities in connection with our Services and Software;
  • to comply with our legal and financial obligations and protect our, your, and third parties’ rights, privacy, safety, or security;
  • to personalize your experience with us;
  • to inform you about any changes to the Services and Software;
  • to send you marketing communications and newsletters (based on your consent). You may withdraw your consent at any time by following the unsubscribe link or by contacting us as set forth in the “Contact Us” section below.

4. Disclosure of Information

4.1 Vendors and Service Providers

We make Personal Information available to our vendors, service providers, contractors and consultants who perform services on our behalf, such as companies that assist us with payment processing, marketing, customer service, provision of content and features, advertising, analytics, research, data storage, security, fraud prevention, and other services. These service providers may have access to or process your Personal Information for the purpose of providing these services for us.

4.2 Affiliates and Subsidiaries

We may share the information we collect within the EspoCRM family of companies.

4.3 Professional Advisors

We disclose Personal Information to our legal, financial, insurance, and other professional advisors where necessary to obtain advice or otherwise protect and manage our business interests.

4.4 Corporate Transactions

We disclose Personal Information in connection with, or during negotiations of, certain corporate transactions, including a merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company.

4.5 As Required by Law and Similar Disclosures

We may also share information to:

  • satisfy any applicable law, regulation, legal process, or governmental request including requests made by public authorities to meet national security or law enforcement requirements;
  • enforce this Privacy Policy and our Terms of Service, including investigation of potential violations hereof;
  • detect, prevent, or otherwise address fraud, security, or technical issues;
  • respond to your requests;
  • protect our rights, property or safety, our users, and the public.

We also disclose aggregated or de-identified information that cannot reasonably be used to identify you. We maintain and use this information only in a de-identified fashion and will not attempt to re-identify such information, except as permitted by law.

4.6 With Your Consent

We may share information with your consent.

5. Children’s Privacy

EspoCRM does not knowingly collect information from children under the age of 16, and children under 16 are prohibited from using our Services or Software. If we become aware that a child has signed up for an account, we will take reasonable steps to deactivate the account and remove their Personal Information from our records as quickly as possible. If you learn that a child has provided us with Personal Information in violation of this Privacy Policy, you can contact us as set forth in the “Contact Us” section below.

6. International Transfers

EspoCRM is based in the United States, and we and our service providers process and store Personal Information on servers located in the United States and other countries. Whenever we make restricted international transfers of Personal Information, we take steps to ensure that your Personal Information receives an adequate level of protection.

When a data transfer mechanism is mandated by applicable law, we employ one or more of the following:

  • Transfers to certain countries or recipients that are recognized as having an adequate level of protection for Personal Information under applicable law;  
  • EU Standard Contractual Clauses approved by the European Commission and the UK International Data Transfer Addendum issued by the Information Commissioner’s Office;
  • Other lawful methods available to us under applicable law.

7. Notice to Individuals Located in the EEA, UK, and Switzerland

“Personal Information,” as used in this Privacy Policy, includes “personal data” as defined in the European Union General Data Protection Regulation (GDPR) and the United Kingdom General Data Protection Regulation (UK GDPR).

7.1 Your Data Protection Rights Under the General Data Protection Regulation (GDPR)

If you are located in the EEA, Switzerland, or the UK, you have the following data protection rights:

  • Right of Access: You can request information at any time about whether and which personal data we process about you.
  • Right to Rectification: You can request us to correct any inaccurate or incomplete information.
  • Right to Erasure (“Right to Be Forgotten”): You can request the deletion of your data if it is no longer required for its original purpose. However, please note that immediate deletion may not be possible in some cases due to legal or contractual retention obligations.
  • Right to Restriction of Processing: In some cases, you may have the right to demand that the processing of your personal data be restricted. Restricting the processing of personal data means that your personal data will still be stored, but the opportunities for further use and processing will be limited (for example, you dispute the accuracy of your data or believe that the processing is unlawful, you can request that we restrict the processing of your data).
  • Right to Data Portability: You have the right to receive your data in a structured, commonly used, and machine-readable format. You can also request that we transfer the data directly to a third party, if technically feasible.
  • Right to Object: You can object to the processing of your personal data unless there are compelling legitimate reasons for the processing.
  • Right to withdraw consent: You can withdraw your consent for processing at any time. This will not affect the legality of any processing carried out before the withdrawal.
  • Right Not to Be Subject to Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing, including profiling, that have legal or similarly significant effects.

8. Notice to California Residents

California has enacted the California Consumer Privacy Act (“CCPA”), which grants California residents certain rights and requires specific disclosures. If you reside in California, this section applies to you and also serves as our California notice at collection.

In the preceding sections, we explain how we collect, use, and disclose information about you.

We retain Personal Information for as long as necessary to carry out the purposes for which we originally collected it and for other purposes described in this Privacy Policy.

8.1 How We Collect and Use Your Personal Information

We have collected the following statutory categories of Personal Information in the past twelve (12) months:

  • Identifiers, such as name, e-mail address, mailing address, and phone number. We collect this information directly from you;
  • Commercial information, such as data collected for account registration and/or license purchases of our Services and Software. We collect this information directly from you;
  • Internet or network information, such as information about your activity on our websites. We collect this information directly from your device;
  • Geolocation data, such as IP address. We collect this information from your device;
  • Professional data, such as your job title, occupation and company;
  • Other Personal Information, in instances when you interact with us online, by phone, or mail in the context of receiving help through our help desks or other support channels; participation in customer surveys or contests; or in providing the Service or Software;
  • Inferences drawn from any of the above categories, alone or in combination. 

8.2 Your Rights under the CCPA

The CCPA provides California residents with specific rights regarding their Personal Information. If you are a resident of California, these rights include:

  • the right to know information about our processing of your Personal Information, including the right to access your Personal Information, often in a portable format;
  • the right to request deletion of your Personal Information;
  • the right to request correction of inaccurate Personal Information;
  • the right to limit use and disclosure of sensitive Personal Information;
  • the right not to be discriminated against for exercising any of your privacy rights.

8.3 Authorized Agents

You may also designate an authorized agent to submit rights requests on your behalf. For access, correction, or deletion requests, we may ask authorized agents to submit proof of their authority to make a request, such as a valid power of attorney or proof that they have signed permission from the consumer who is the subject of the request. In some cases, we may contact the individual who is the subject of the request to verify their own identity or confirm that the authorized agent has permission to submit the request.

8.4 How to Exercise your California Rights

You can exercise your rights yourself or you can alternatively designate an authorized agent to exercise these rights on your behalf. Please note that to protect your Personal Information, we will verify your identity by a method appropriate to the type of request you are making.

If you would like to exercise the rights, please contact us as set forth in the “Contact Us” section below.

8.5 Right to Opt Out of “Sale” or “Sharing”

You may opt out of activities that we engage in that constitute “sharing” or “sales” of Personal Information under the CCPA by:

Cookies and Similar Technologies

Clicking the “Cookie Settings” link in the footer of our websites and following the instructions that appear. Your opt-out choice will be linked to your browser only; therefore, you will need to renew your opt-out choice if you visit our website from a new device or browser, or if you clear your browser’s cookies.

Other Identifiers

Contacting us as set forth in the “Contact Us” section below to opt out of “sharing” and “sales” based on your email address and other non-cookie identifiers.

8.6 We Do Not Sell Your Personal Information

You have the right to know whether your Personal Information is being sold. Your Personal Information is “sold” when it is provided to a third party for monetary or other valuable consideration for a purpose that is not a “business purpose” as set forth in the CCPA or other U.S. state data privacy laws. Please note that a “sale” does not include when we disclose your Personal Information at your direction, or when otherwise permitted under law. EspoCRM does not sell your Personal Information.

8.7 Appeals

You may have the right to appeal a decision we make relating to requests to exercise your rights. To submit an appeal, send your request using the methods described in the “Contact Us” section.

9. Legal bases for processing Personal Information

If you are located in the EEA or another jurisdiction that requires a lawful basis for processing Personal Information, please note that when we process your personal data as described in this Privacy Policy, we do so in reliance on the following lawful bases:

  • To perform our responsibilities under our contract with you (e.g., processing payments for and providing the Services and Software you requested);
  • When we have a legitimate interest in processing your Personal Information to operate our business or protect our interests (e.g., to provide, maintain, and improve our Services and Software, conduct data analytics, and communicate with you);
  • To comply with our legal obligations (e.g., to maintain a record of your consents and track those who have opted out of marketing communications);
  • When we have your consent to do so (e.g., when you opt in to receive marketing communications from us). When consent is the legal basis for our processing of your Personal Information, you may withdraw such consent at any time.

If you have any questions about or need further information concerning the legal basis on which we collect and use your personal data, please contact us as set forth in “Contact Us” below. We will process such requests in accordance with applicable laws.

10. Retention of Personal Information

How long we keep information we collect about you depends on the type of information and how we collect and store it.

We retain your Personal Information for as long as necessary for the purposes for which it was collected, to carry out the business purposes described in this Privacy Policy, to comply with legal obligations, to pursue our legitimate interests, to resolve disputes, to enforce our agreements, or as otherwise required by law.

When we have no ongoing legitimate business need to process your Personal Information, we securely delete the information or anonymize it or, if this is not possible, securely store your Personal Information and isolate it from any further processing until deletion is possible. We will delete this information at an earlier date if you so request, as described in the “Data Subject Requests” section.

11. Data Subject Requests

If you are located in a jurisdiction that grants you data subject rights, you have the right to:

  • know information about our processing of your Personal Information, including the right to access your Personal Information, often in a portable format;
  • request deletion of your Personal Information;
  • request to correction of inaccurate Personal Information;

Depending on where you live, you may have certain statutory rights in relation to your Personal Information. For example, you may have the right to:

  • transfer your Personal Information to a third party (right to data portability);
  • withdraw your consent—where we rely on consent as the legal basis for processing at any time;
  • restrict how we process your Personal Information;
  • object to how we process your Personal Information;
  • lodge a complaint with your local data protection authority.

If you would like to exercise any of these rights, please contact us as set forth in the “Contact Us” section below. We will process such requests in accordance with applicable laws.

12. Consent

By submitting Personal Information to EspoCRM, our service providers, or our agents, you consent to the collection, use, disclosure, and transfer of your Personal Information in accordance with this Privacy Policy and as permitted or required by law.

You may withdraw your consent at any time to the collection, use, disclosure, or transfer of your Personal Information by contacting us. If you withdraw your consent (or if you decide not to provide certain Personal Information), you acknowledge that EspoCRM may not be able to provide you, or continue to provide you, with certain Services, Software, or information that may be of value to you.

13. Contact Us

If you have questions about this Privacy Policy or would like to exercise your privacy rights, please contact us at privacy-concerns@espocrm.com or submit your request through the “Contact Us” form. We will process such requests in accordance with applicable laws.