Last updated: May 5, 2026

Privacy Policy

Your privacy matters to us. This policy explains what data we collect, how we use it, and your rights under GDPR, CCPA, and other applicable laws.

1. Who We Are

Deskmantle ("we", "us", "our") is an AI-powered business management platform operated by Kurt Navale. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website (deskmantle.com), application (app.deskmantle.com), and related services (collectively, the "Service"). This policy applies to all users worldwide, including those protected by the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and the Philippine Data Privacy Act (R.A. 10173). For privacy-related inquiries, contact our Data Protection Officer at privacy@deskmantle.com.

2. Data We Collect

We collect the following categories of personal data:

Account Data: Name, email address, phone number, company name, job title, timezone, and profile preferences you provide during registration and onboarding.
Usage Data: Feature usage, login timestamps, pages visited, actions taken within the Service, device type, browser, IP address, and session duration.
Communication Data: Emails, messages, and conversations you process through the Service, including Gmail data synced via IMAP, SMS messages sent via Twilio, and AI chat interactions.
Financial Data: Billing information, subscription plan, payment history, and invoice data. We do not store credit card numbers directly — payments are processed by Whop and Stripe.
AI Interaction Data: Prompts, queries, and responses exchanged with Desk AI, including voice conversations, research requests, and automated actions.
CRM Data: Contact information, deal data, pipeline stages, health scores, lead records, and interaction history you store in the Deskmantle CRM.
Files and Documents: Documents, images, proposals, and other files you upload to or generate within the Service.

3. How We Use Your Data

We use your personal data for the following purposes:

• Service Delivery: To provide and operate the Service, including AI-powered features, email sync, CRM, calendar management, and automation
• Personalization: To personalize your experience, including AI memory, daily briefs, and proactive recommendations
• Billing: To process payments and manage your subscription
• Communications: To send transactional emails (receipts, notifications, daily briefs, security alerts)
• Marketing: To send marketing communications (only with your explicit consent, with easy unsubscribe)
• Security: To detect, prevent, and address fraud, abuse, and security issues
• Legal Compliance: To comply with legal obligations
• Improvement: To improve and develop new features based on aggregated, anonymized usage patterns
• Support: To provide customer support and respond to your requests

4. AI Disclosure

Deskmantle uses AI features powered by Google Gemini to provide insights, content generation, and automation. We want to be transparent about how your data interacts with AI:

• AI features process your data solely to deliver the Service to you (e.g., generating email drafts, CRM insights, automated actions)
• Your data is NOT used to train, fine-tune, or improve any AI models — neither ours nor any third party's
• AI-generated content may contain inaccuracies and should be reviewed before use in critical or legal contexts
• You can disable AI features at any time from your account settings
• AI memory and conversation history are deleted immediately upon account deletion

Our AI sub-processor, Google Cloud (Gemini API), processes data under a Data Processing Agreement that prohibits use of customer data for model training.

5. Legal Basis for Processing

We process your personal data under the following legal bases:

Contract: Processing necessary to provide the Service you signed up for (account management, email sync, CRM, AI features).
Consent: Marketing communications, optional analytics cookies, and voice recording. You can withdraw consent at any time.
Legitimate Interest: Security monitoring, fraud prevention, product improvement using aggregated data, and customer support.
Legal Obligation: Tax reporting, compliance with applicable data protection laws, and responding to lawful government requests.

6. How We Share Your Data

We do not sell, rent, or trade your personal data. We share data only with the following categories of service providers ("sub-processors"), all bound by Data Processing Agreements:

• Supabase — Database hosting and authentication (US)
• Google Cloud Platform — Infrastructure, hosting, and AI processing via Gemini (us-central1, US)
• Resend — Transactional email delivery (US)
• Twilio — SMS and voice services (US)
• Whop / Stripe — Payment processing and billing (US)

All sub-processors are contractually required to process data only as instructed and to implement appropriate security measures. We may also disclose data if required by law, court order, or to protect the rights and safety of Deskmantle and its users. A current sub-processor list is maintained in our Data Processing Agreement at deskmantle.com/dpa.

7. Cross-Border Data Transfers

Your data is processed and stored in the United States (Google Cloud Platform, us-central1 region). If you are located outside the United States (including the EU/EEA), your data will be transferred to the US for processing. We ensure appropriate safeguards for these transfers through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements with all sub-processors
• Sub-processor compliance with relevant data protection frameworks

By using the Service, you acknowledge that your data will be processed in the United States.

8. Data Retention

We retain your personal data according to the following schedule:

Active Account Data: Retained for the duration of your active subscription and account.
Deleted Accounts: Upon account deletion, we permanently remove your personal data within 30 days, except as noted below.
Audit Logs: System and security audit logs are retained for 1 year, then automatically purged.
Billing Records: Retained for 7 years as required by applicable tax law.
Anonymized Data: Aggregated, anonymized analytics data (containing no personal identifiers) may be retained indefinitely.
AI Memory: AI conversation history and memory are deleted immediately upon account deletion or upon your request.

9. Your Rights

Depending on your location, you may have the following rights under applicable law (including GDPR, CCPA/CPRA, and the Philippine Data Privacy Act):

Right to Access: Request a copy of all personal data we hold about you.
Right to Correction: Correct any inaccurate or incomplete data.
Right to Deletion: Request deletion of your personal data ("right to be forgotten" / "right to delete").
Right to Data Portability: Receive your data in a structured, machine-readable format (JSON or CSV export).
Right to Object: Object to processing based on legitimate interest or for direct marketing.
Right to Restrict Processing: Request that we limit how we use your data.
Right to Withdraw Consent: Withdraw consent for any consent-based processing at any time.
Right to Opt-Out of Sale: See Section 10 (CCPA).

To exercise any of these rights, email privacy@deskmantle.com. We will respond within 30 days (or sooner if required by applicable law). We will not discriminate against you for exercising your rights.

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

Do Not Sell or Share My Personal Information: Deskmantle does NOT sell your personal information. We do NOT share your personal information for cross-context behavioral advertising. No action is required on your part.
Right to Know: You may request the categories and specific pieces of personal information we have collected, the sources, the business purpose, and the categories of third parties with whom we share it.
Right to Delete: You may request deletion of personal information we have collected from you.
Right to Non-Discrimination: We will not deny you services, charge different prices, or provide a different quality of service for exercising your CCPA rights.

Categories of Personal Information Collected (per CCPA categories):

• Identifiers (name, email, phone, IP address)
• Commercial information (subscription plan, payment history)
• Internet or electronic network activity (usage data, feature interactions)
• Professional or employment-related information (job title, company name)
• Inferences drawn from the above (AI-generated insights, recommendations)

To make a CCPA request, email privacy@deskmantle.com with the subject "CCPA Request." We will verify your identity before processing.

11. Data Security

We implement industry-standard security measures to protect your data:

• All data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Row-level security (RLS) on all database tables via Supabase
• Secrets stored in Google Cloud Secret Manager, never in code
• Rate limiting on all API endpoints
• Webhook signature verification for all third-party integrations
• Regular security audits and vulnerability assessments
• Firewall protection on infrastructure
• Session-based authentication with secure HTTP-only cookies
• Access controls limiting employee access to personal data on a need-to-know basis

12. Cookies

We use the following cookies:

Essential Cookies: Required for the Service to function (authentication session, CSRF protection). These cannot be disabled as they are necessary for the Service to operate.
Analytics Cookies: We use analytics tools to understand how visitors use our website. Analytics cookies are only placed with your explicit consent. You can manage your cookie preferences at any time through the cookie banner or your browser settings.

We do not use advertising, tracking, or third-party marketing cookies.

13. Children's Privacy

Deskmantle is a business platform not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children under 16. If we discover that we have collected data from a child under 16, we will delete it immediately. If you believe a child under 16 has provided us with personal data, please contact privacy@deskmantle.com.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through a notice on the Service at least 30 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy. The "Last updated" date at the top of this page indicates when this policy was last revised.

15. Contact

For any privacy-related questions, concerns, or requests:

Data Protection Officer: Kurt Navale
Email: privacy@deskmantle.com
Website: https://deskmantle.com

For EU residents, you also have the right to lodge a complaint with your local data protection authority. For Philippine residents, you may contact the National Privacy Commission at https://privacy.gov.ph.