Privacy Policy

The Short Version

We collect only what we need to run fstop for you. We don't sell your data. We don't show you ads. We don't track you across the web. Your business data is yours, and we treat it that way.

Who We Are

Fstop CRM ("fstop", "we", "us", "our") is a client relationship management platform built for photographers and videographers. Our website is fstopcrm.com and our support email is hello@fstopcrm.com.

What Data We Collect

Account Information

When you sign up for fstop, we collect:

• Your name and email address (via Google OAuth sign-in)
• Your Google profile picture (provided by Google during sign-in)
• Your business name (entered during onboarding)

We use Google OAuth for authentication. We do not store your Google password. Google provides us with your name, email, and profile picture when you authorize sign-in.

Business Data You Enter

Everything you create inside fstop is your data. This includes:

• Client and inquiry information (names, emails, phone numbers, event details)
• Contracts and contract templates
• Email templates and sent emails
• Invoices and payment records
• Branding settings (logos, colors, fonts, social links)
• Timelines, tasks, notes, and media files
• Form builder configurations
• Team member information

Inquiry Data From Your Website Visitors

When someone fills out your fstop-connected contact form or embedded form, we receive the data they submit (typically name, email, event date, event type, and message). This data is stored in your fstop account so you can manage your inquiries. We process this data on your behalf — you are the data controller for your clients' information.

Payment Information

Subscription billing is handled by Stripe. When you subscribe, your payment details (credit card number, billing address) are collected and processed directly by Stripe. We do not see or store your full credit card number. We receive from Stripe: your subscription status, billing period, and the last 4 digits of your card for display purposes.

Google Calendar Data

If you connect Google Calendar, we access your calendar events to display them in your fstop dashboard. We request the minimum permissions needed to read and display your calendar. We do not modify your Google Calendar data unless you explicitly create events through fstop.

Gmail Integration

If you connect Gmail for sending emails through fstop, we request permission to send emails on your behalf. Emails are sent from your Gmail account directly. We do not read your inbox, access your email history, or store your Gmail credentials. The OAuth token is stored securely and used only to send emails you initiate through fstop.

Usage Data

We collect basic usage data to keep the service running and improve it:

• Pages visited within the app
• Browser type and device type
• General location (country/region level, not precise location)
• Error logs when something breaks

We do not use third-party analytics trackers on the marketing site or inside the app. We do not run Facebook Pixel, Google Analytics, or any advertising trackers.

How We Use Your Data

We use your data to:

• Provide and operate the fstop platform
• Authenticate your account via Google OAuth
• Process your subscription payments via Stripe
• Send emails on your behalf via your connected Gmail
• Display your Google Calendar events in your dashboard
• Send you account-related emails (billing confirmations, important updates)
• Respond to your support requests
• Fix bugs and improve the platform

We do not use your data to:

• Sell to third parties
• Show you advertisements
• Build advertising profiles
• Train AI models on your business data
• Send you marketing emails without your consent

Where Your Data Is Stored

Your data is stored on Supabase, which runs on Amazon Web Services (AWS) infrastructure. Supabase provides database hosting, authentication services, file storage, and edge functions. Data is stored in secure, encrypted databases. Supabase's infrastructure is SOC 2 Type II compliant.

Media files you upload (logos, photos) are stored in Supabase Storage with access controls so only you and your authorized team members can access them.

Third-Party Services

Fstop uses the following third-party services to operate. Each processes data only as needed for their specific function:

• Supabase — Database, authentication, file storage, and serverless functions
• Google OAuth — Account sign-in and authentication
• Google Calendar API — Calendar sync (only if you connect it)
• Gmail API — Sending emails on your behalf (only if you connect it)
• Stripe — Subscription billing and payment processing
• Vercel — Website and application hosting

We do not share your data with any service not listed above. We do not use data brokers, advertising networks, or analytics platforms.

Data Security

We take the security of your data seriously:

• All data is transmitted over HTTPS (TLS encryption in transit)
• Database data is encrypted at rest
• Authentication is handled via Google OAuth (we never handle your password)
• Row-level security policies ensure you can only access your own data
• API keys and secrets are stored in environment variables, never in code
• OAuth tokens for Google services are stored securely and scoped to minimum required permissions

Your Rights

You have the right to:

• Access your data — Everything you've entered is visible in your fstop account at all times
• Export your data — You can export your data while your account is active
• Delete your data — You can request deletion of your account and all associated data by emailing hello@fstopcrm.com
• Disconnect integrations — You can revoke Google Calendar and Gmail access at any time from your Google account settings

Data Retention

Your data is retained as long as your account is active. If you cancel your subscription:

• You retain access until the end of your billing period
• After your access expires, your data is kept for 30 days in case you resubscribe
• After 30 days, your data is permanently deleted from our systems

If you request immediate deletion, we will process it within 7 business days.

Cookies

Fstop uses only essential cookies required for the platform to function:

• Authentication cookies — To keep you logged in to your account
• Session cookies — To maintain your session state

We do not use advertising cookies, tracking cookies, or third-party cookies. There is no cookie banner because there are no optional cookies to consent to.

Children's Privacy

Fstop is a business tool designed for professional photographers and videographers. It is not intended for use by anyone under the age of 18. We do not knowingly collect data from minors.

Changes to This Policy

If we make significant changes to this privacy policy, we will notify you by email and update the "Last updated" date at the top of this page. Minor clarifications or formatting changes may be made without notification.

Contact

If you have questions about this privacy policy or how we handle your data, email us at hello@fstopcrm.com.