Privacy Policy
Effective Date: March 1, 2026 · Version 2.0
1. Introduction
Customer City, Inc. ("Customer City," "Company," "we," "us," or "our") is a Delaware corporation with its principal place of business at 11335 NE 122nd Way, Suite 105, Kirkland, WA 98034. We operate the Customer City web application at app.customercity.com, the Customer City Chrome Extension, and the marketing website at www.customercity.com (collectively, the "Service").
Customer City is a Revenue Observability Platform. We connect to your existing business systems (such as Salesforce, HubSpot, Gmail, and Outlook) via authenticated API connections to analyze deal health, detect blind spots, and generate insights. We operate in a read-only capacity — we never create, modify, or delete data in your connected systems.
This Privacy Policy explains what data we collect, how we use it, who we share it with, and what rights you have. It applies to all users of the Service, regardless of location.
2. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person, as defined by the EU General Data Protection Regulation (GDPR) Article 4(1) and applicable US state privacy laws.
"Controller" means the entity that determines the purposes and means of processing Personal Data. When you connect your organization's CRM or other business system to Customer City, your organization is the Controller of the CRM data accessed through that integration.
"Processor" means the entity that processes Personal Data on behalf of the Controller. Customer City is the Processor when we access and analyze CRM data on your organization's behalf.
"Sub-Processor" means a third-party service provider engaged by Customer City to assist in processing Personal Data.
"Customer Data" means all data that we access from your connected integrations (deals, contacts, accounts, activities, email metadata, meeting data) on behalf of your organization.
"Account Data" means data you provide directly when creating and managing your Customer City account (name, email, organization name).
"Usage Data" means data generated automatically through your use of the Service (page views, feature usage, error logs, device information).
3. Data We Collect
3.1 Account Data (Collected Directly)
When you create a Customer City account via our authentication provider (Clerk), we collect:
- Full name
- Email address
- Organization name
- Profile image (if provided via SSO)
- User ID (assigned by our authentication provider)
3.2 Customer Data (Processed on Behalf of Your Organization)
When your organization connects a data source, we access the following categories of data through authenticated OAuth connections:
| Data Category | Examples | Source |
|---|---|---|
| CRM deal data | Deal name, amount, stage, close date, probability, deal owner | Salesforce, HubSpot |
| CRM contact data | Contact name, email, phone, job title, company | Salesforce, HubSpot |
| CRM account data | Company name, industry, revenue, employee count | Salesforce, HubSpot |
| Activity data | Tasks, events, call logs, notes (metadata only) | Salesforce, HubSpot |
| Email metadata | Sender, recipient, subject line, timestamps (not email body content) | Gmail, Outlook |
| Calendar data | Meeting attendees, times, duration | Google Calendar, Microsoft Calendar |
| Conversation intelligence | Call metadata, talk metrics, key topics | Gong (if connected) |
| Customer success data | Customer health scores, engagement metrics, NPS | Gainsight (if connected) |
| Contract data | Contract metadata, signature status, document status | DocuSign (if connected) |
Important: By default, Customer City operates in a read-only capacity. We do not create, modify, or delete records in your connected systems unless your organization enables the Data Sync-Back feature. When Data Sync-Back is enabled for a specific integration by your administrator, Customer City may write enriched data — including health scores, enriched contact information, AI-generated insights, and data quality corrections — back to that connected system. Your administrator controls which integrations are connected, which have Data Sync-Back enabled, and can disconnect or disable them at any time.
3.3 Usage Data (Collected Automatically)
- Page views and feature interactions within the Service
- Session duration and navigation patterns
- Browser type, operating system, and screen resolution
- IP address (used for security and approximate geolocation)
- Error and crash reports (including stack traces)
- Session replay recordings (sampled — see Section 11)
3.4 Payment Data
Payment processing is handled entirely by Stripe, Inc. We never receive or store your credit card number, CVV, or full bank account details. We receive only transaction confirmation data (plan type, transaction IDs, billing cycle dates) from Stripe.
3.5 Enrichment Data
To enhance account and contact records, we may enrich company information (company name, domain, industry, size, logos) using third-party B2B data providers (Apollo.io, Logo.dev). This enrichment uses publicly available business information and does not involve personal data about individuals.
4. How We Collect Data
- Direct input: Account registration via Clerk (email, name, organization)
- OAuth integrations: When you authorize Customer City to connect to Salesforce, HubSpot, Gmail, Outlook, Gong, or other supported systems, we receive an access token that permits read-only access to your organization's data
- Chrome Extension (DOM reading): The Customer City Chrome Extension reads Salesforce page fields directly from the browser DOM when you are on a Salesforce Opportunity page (see Section 12 for details)
- Chrome Extension (API calls): When authenticated, the extension sends a Salesforce Opportunity ID to the Customer City API, which uses your organization's stored OAuth tokens to fetch additional data
- Automated collection: Cookies, analytics scripts, and error monitoring tools collect Usage Data when you interact with the Service (see Section 11)
- HTTP headers: Standard HTTP request metadata (IP address, browser type, operating system) is collected automatically with each request
5. Legal Bases for Processing (GDPR)
For individuals in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process Personal Data under the following legal bases:
| Data Category | Legal Basis (GDPR Art. 6) | Explanation |
|---|---|---|
| Account Data | Contractual necessity (Art. 6(1)(b)) | Required to create and manage your account |
| Customer Data (CRM, email, calendar) | Legitimate interest of Controller (Art. 6(1)(f)) | Your organization (Controller) authorizes access to analyze deal health and pipeline risks |
| Usage Data (analytics) | Legitimate interest (Art. 6(1)(f)) | Product improvement and user experience optimization |
| Payment Data | Contractual necessity (Art. 6(1)(b)) | Required to process subscription payments |
| Chrome Extension (Tier 1 — local) | Consent (extension installation) | Local processing only — no data leaves your browser |
| Chrome Extension (Tier 2 — API) | Contractual necessity (Art. 6(1)(b)) | Required to deliver enriched health analysis |
| Error and crash reports | Legitimate interest (Art. 6(1)(f)) | Service reliability and bug resolution |
| Marketing emails | Consent (Art. 6(1)(a)) | Product updates and onboarding communications (opt-out available in every email) |
6. How We Use Your Data
- Deal health scoring: Analyzing CRM deal data, activity patterns, email engagement, and meeting frequency to calculate a 0-100 health score across 7 factors
- Blind spot detection: Identifying risks such as silent champions, missing economic buyers, stuck deals, and multi-thread failures by correlating data across connected systems
- Pipeline visualization: Displaying deals, accounts, and contacts in interactive dashboard views
- AI-powered insights: Generating natural language recommendations using artificial intelligence (see Section 13)
- Data Sync-Back: When enabled by your organization's administrator on a per-integration basis, writing enriched and optimized data back to your connected systems, including health scores as custom fields, enriched contact data, AI-generated insights, and data quality corrections. This feature is available on all subscription plans, subject to the usage volume limits of your plan tier (see our Terms of Service Section 9.5 for full details)
- Account management: Authenticating your identity, managing your subscription, and providing customer support
- Product improvement: Understanding feature usage and user experience through analytics and error monitoring
- Security: Monitoring for unauthorized access, rate limiting, and abuse prevention
- Communications: Sending transactional emails (account verification, password resets) and, with your consent, product updates and onboarding sequences via Resend. All marketing emails comply with the CAN-SPAM Act: they include our physical mailing address, accurate sender information, and a one-click unsubscribe link in every message
7. Sub-Processors and Third-Party Services
We engage the following Sub-Processors to operate the Service. Each has been evaluated for appropriate data protection practices and maintains its own privacy policy and, where applicable, Data Processing Agreement.
7.1 Core Operational Sub-Processors
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Neon | PostgreSQL database | All operational data | AWS us-east-1 (US) |
| Clerk | Authentication & SSO | Email, name, user ID, sessions | US |
| Upstash | Redis cache | Session tokens, cached data | AWS us-east-1 (US) |
| Inngest | Background job processing | ETL payloads, sync events | US |
7.2 Hosting and Delivery
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Vercel | Web app hosting & CDN | HTTP logs, deployment data | US (global CDN edge) |
| Railway | API server hosting | Application logs, API traffic | US |
| Cloudflare R2 | Object storage | Documents, attachments | Global (Cloudflare edge) |
| Resend | Email delivery | Email addresses, message content | US |
7.3 Analytics and Monitoring
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| PostHog | Product analytics & feature flags | Usage events, page views, feature interactions | US |
| Sentry | Error tracking & performance monitoring | Error logs, stack traces, sampled session replays | US |
| Axiom | Application logging | Server logs | US |
7.4 AI and Data Enrichment
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Anthropic | AI analysis & recommendations | Deal data for generating insights | US |
| Apollo.io | B2B data enrichment | Company names, domains | US |
| Logo.dev | Company logo retrieval | Company names | US |
| Bright Data | Web data enrichment | Company names, domains, publicly available business data | US and international (varies by data source) |
7.5 Payments
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Stripe | Payment processing (PCI DSS compliant) | Transaction data, customer IDs, payment method tokens | US |
Sub-Processor changes: We will notify customers of any material additions or changes to our Sub-Processor list by email at least 30 days before the change takes effect. Customers with a Data Processing Agreement may object to Sub-Processor changes per the terms of their DPA.
8. Cross-Border Data Transfers
Customer City is based in the United States. If you are located outside the US (including in the EEA, the United Kingdom, or Switzerland), your Personal Data will be transferred to and processed in the United States.
For transfers from the EEA, UK, or Switzerland to the United States, we rely on the Standard Contractual Clauses (SCCs) adopted by the European Commission (Implementing Decision (EU) 2021/914), Module 2 (Controller-to-Processor). Full details of the SCCs are included in our Data Processing Agreement. Customers may request a copy of the executed SCCs from privacy@customercity.com.
We take supplementary measures where necessary, including encryption of data in transit and at rest, to ensure that the level of protection of Personal Data is not undermined by the transfer.
9. Data Retention
We retain data only as long as necessary for the purposes described in this policy, plus a reasonable deletion period. Specific retention periods are:
| Data Type | Retention Period | Deletion Trigger |
|---|---|---|
| Account Data | Duration of account + 30 days | Account deletion request |
| Customer Data (CRM synced data) | Duration of integration connection + 30 days | Integration disconnection or account deletion |
| Health scores & insights | Duration of account + 30 days | Account deletion |
| Usage analytics (PostHog) | 12 months rolling | Automatic expiration |
| Error logs (Sentry) | 90 days | Automatic rotation |
| Server logs | 90 days | Automatic rotation |
| Chrome Extension cache (local) | 24 hours (deal data), 1 hour (portfolio), 7 days (descriptions) | Automatic cache eviction |
| Payment records | 7 years | Legal/tax retention obligation (non-deletable) |
| Backup data | 30 days | Automatic rotation |
When you request deletion, we will delete or anonymize your Personal Data within 30 days, except where we are required by law to retain it (e.g., financial records for tax compliance).
10. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption in transit: All data transmitted between your browser, the Chrome Extension, and our servers is encrypted via TLS 1.3 (HTTPS)
- Encryption at rest: Data at rest is encrypted in our database (Neon PostgreSQL) and cache (Upstash Redis)
- Per-tenant isolation: Each organization's data is logically separated — your data is never visible to other organizations
- OAuth token security: CRM credentials (OAuth tokens) are stored server-side and are never exposed to the Chrome Extension or client-side code. All CRM API calls are proxied through our backend
- Shadow DOM isolation: The Chrome Extension injects its health badge into Salesforce pages using a closed Shadow DOM, preventing interference with Salesforce page functionality
- Minimal permissions: The Chrome Extension requests only the minimum permissions required for its functionality
- Access controls: Internal access to production data is restricted to authorized personnel and protected by multi-factor authentication
12. Chrome Extension
The Customer City Chrome Extension operates in two tiers:
Tier 1 — Local Processing (No Authentication Required)
When you are on a Salesforce Opportunity page, the extension reads the following fields directly from the page DOM:
- Deal name, amount, stage, close date, probability
- Deal owner and next step
All Tier 1 processing happens locally in your browser. No data leaves your device. This data is used to calculate an instant health score displayed as an overlay badge on the Salesforce page.
Tier 2 — Enriched Analysis (Requires Authentication)
When you sign in to the extension, it sends the Salesforce Opportunity ID to the Customer City API. Our API then uses your organization's stored OAuth tokens to fetch additional data (contact roles, activities, email engagement) and returns an enriched health analysis. The enriched data includes multi-factor scoring, blind spot detection, and actionable recommendations.
Extension Permissions
| Permission | Justification |
|---|---|
| storage | Cache health scores, user preferences, and authentication tokens locally |
| activeTab | Detect when you are on a Salesforce Opportunity page and read deal fields from the DOM |
| sidePanel | Display the deal health detail panel alongside Salesforce |
| alarms | Schedule periodic data refreshes and token maintenance |
| Host permissions (*.salesforce.com, *.force.com, app.customercity.com, Customer City API endpoint) | Inject the health badge content script on Salesforce pages and communicate with the Customer City API for authenticated features |
Extension Analytics
The Chrome Extension collects anonymized usage events (such as "badge viewed" and "side panel opened") to improve the product. These events are queued locally and sent in batches when you are authenticated. The extension does not track browsing history, read data from non-Salesforce pages, or collect personally identifiable information from your CRM through these analytics events. Extension analytics can be disabled via the feature_analyticsOptOut storage flag.
13. AI-Powered Analysis
Customer City uses artificial intelligence (powered by Anthropic's Claude API) to generate deal insights, risk assessments, and recommendations. When AI analysis is performed:
- Deal data (including deal name, amount, stage, activity history, and contact engagement patterns) may be sent to Anthropic's API for processing
- Anthropic processes this data solely to generate the requested analysis and does not use your data to train AI models (per Anthropic's data processing terms)
- AI-generated insights are stored in our database alongside the associated deal record and subject to the same data retention and deletion policies
- You may decline AI-powered features without affecting access to the core health scoring and blind spot detection functionality
14. Your Rights
Depending on your location, you may have the following rights regarding your Personal Data:
Rights Under GDPR (EEA, UK, Switzerland)
- Access (Art. 15): Request a copy of the Personal Data we hold about you
- Rectification (Art. 16): Request correction of inaccurate or incomplete data
- Erasure (Art. 17): Request deletion of your Personal Data ("right to be forgotten")
- Restriction (Art. 18): Request that we restrict processing of your data
- Portability (Art. 20): Receive your data in a structured, machine-readable format (JSON)
- Objection (Art. 21): Object to processing based on legitimate interest
- Withdraw consent (Art. 7): Where processing is based on consent, withdraw it at any time
- Lodge a complaint: File a complaint with your local data protection supervisory authority
How to Exercise Your Rights
To exercise any of these rights, contact us at privacy@customercity.com. We will respond within 30 days (or within the timeframe required by applicable law). We may verify your identity before processing your request.
Note on Customer Data: If your Personal Data is contained within Customer Data (i.e., CRM data processed on behalf of your organization), we will direct your request to your organization (the Controller), as they are responsible for responding to data subject requests related to the data they control.
Data Protection Officer: Gudiya Kumari, President — privacy@customercity.com
15. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know: You may request that we disclose what categories and specific pieces of Personal Information we have collected about you, the categories of sources, the business purpose, and the categories of third parties with whom we share it
- Right to Delete: You may request deletion of Personal Information we have collected, subject to certain exceptions
- Right to Correct: You may request correction of inaccurate Personal Information
- Right to Opt-Out of Sale/Sharing: See Section 18. Customer City does not sell your Personal Information and does not share your Personal Information for cross-context behavioral advertising
- Right to Limit Use of Sensitive Personal Information: You may request that we limit the use and disclosure of your sensitive Personal Information to purposes necessary to provide the Service
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights
To exercise these rights, email us at privacy@customercity.com. We will verify your identity and respond within 45 days. You may authorize an agent to submit a request on your behalf with written authorization.
Categories of Personal Information Collected (Last 12 Months)
| CCPA Category | Examples | Sold? |
|---|---|---|
| Identifiers | Name, email address, user ID | No |
| Commercial information | Subscription plan, transaction history | No |
| Internet/electronic activity | Page views, feature usage, IP address | No |
| Professional/employment information | Organization name, job title (from CRM data) | No |
16. US State Privacy Laws
In addition to the CCPA/CPRA, we comply with the following state privacy laws where applicable:
| State | Law | Rights Provided |
|---|---|---|
| Colorado | Colorado Privacy Act (CPA) | Access, correct, delete, portability, opt-out of targeted advertising |
| Virginia | Virginia Consumer Data Protection Act (VCDPA) | Access, correct, delete, portability, opt-out of targeted advertising and profiling |
| Connecticut | Connecticut Data Privacy Act (CTDPA) | Access, correct, delete, portability, opt-out of targeted advertising |
| Texas | Texas Data Privacy and Security Act (TDPSA) | Access, correct, delete, portability, opt-out of targeted advertising |
To exercise rights under any of these state laws, contact privacy@customercity.com. If you disagree with our decision regarding your request, you may appeal by contacting us in writing, and we will respond within the timeframe specified by your state's law.
17. Children's Privacy
Customer City is a B2B enterprise product designed for use by business professionals. We do not knowingly collect Personal Data from anyone under 16 years of age. If we learn that we have collected Personal Data from a child under 16, we will take steps to delete it promptly. If you believe a child has provided us with Personal Data, please contact us at privacy@customercity.com.
18. Do Not Sell or Share
Customer City does not sell your Personal Data or Personal Information.
We do not sell, rent, lease, or otherwise transfer Personal Data to third parties for monetary or other valuable consideration. We do not share Personal Data for cross-context behavioral advertising.
We share Personal Data with our Sub-Processors solely for the purposes of operating and improving the Service, as described in Section 7.
19. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes (such as new data collection categories, new Sub-Processors, or changes to your rights), we will:
- Notify you by email at least 30 days before the change takes effect
- Post the updated policy with a new "Effective Date" and version number
- Provide a summary of what changed at the top of the updated policy
For non-material changes (such as formatting or clarifications), we will update the policy and note the change date. Continued use of the Service after the effective date of a revised policy constitutes acceptance.
20. Contact Us
If you have questions about this Privacy Policy, your Personal Data, or our data practices, contact us:
Customer City, Inc.
11335 NE 122nd Way, Suite 105
Kirkland, WA 98034
United States
Privacy inquiries: privacy@customercity.com
Data Protection Officer: Gudiya Kumari, President
Legal inquiries: legal@customercity.com
General inquiries: hello@customercity.com
Website: www.customercity.com