Horizon CRM Privacy Policy

Last updated: January 8, 2026

Introduction

Horizon CRM ("Horizon", "we", or "us") is committed to protecting your privacy. This Privacy Policy explains what personal data we collect, how we use and share it, and your rights in relation to your personal data when you use Horizon CRM's websites, products, and services (collectively, the "Services"). It applies to personal data we process as a data controller (for example, information you provide when signing up on our website or using our Services) and as a data processor on behalf of our customers (for example, content you input into your Horizon CRM account about your leads and clients). We process all personal data in accordance with applicable privacy laws, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

If you are using Horizon CRM as an end-user of one of our customers, that customer's privacy policy will apply to the data they collect in our platform. Horizon acts as a processor for such "Customer Data" and processes it only on our customer's instructions. If you have questions or requests regarding data that a Horizon CRM customer controls, please direct those to the respective customer.

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. If we make material changes, we will notify you by email or through an in-app notice. The "Last updated" date above indicates when this Policy was last revised. We encourage you to review this Policy periodically. If you have any questions or concerns about our Privacy Policy or practices, please contact us using the information in the Contact Us section below.

Information We Collect

We collect various types of information about you and your business in order to provide and improve our Services. "Personal Data" means any information that relates to an identified or identifiable individual. The types of data we collect include:

Account and Contact Information

When you create an account or contact us, we collect information such as your name, business email address, phone number, job title, company/organization name, and contact preferences. If you choose to provide it, we may also collect additional profile details like your photo, time zone, or language preferences.

Business and Company Data

In the context of our B2B Services, we may collect information about the company you represent, such as business address, industry, company size, enterprise or VAT number, and other corporate identifiers. We may also collect publicly available business information (for example, basic corporate registration data from public databases) to help enrich your leads and accounts.

Credentials and Authentication

We collect account credentials like usernames and passwords (stored in hashed form) for your Horizon CRM account. If you enable two-factor authentication or API access, we process the information (e.g. mobile number for 2FA or API tokens) needed to secure and provide that access. If you choose to log in via a third-party identity provider (SSO), we will receive basic profile information from that provider as needed to authenticate you.

Financial and Payment Information

When you make purchases (such as subscribing to a paid plan or buying HC tokens), we collect billing details. This may include your billing name, billing address, and tax identification numbers (e.g. VAT number for EU businesses). Note: We do not directly collect or store full payment card details. Payments are handled securely by our payment processor (e.g. Stripe), which collects your credit card or bank account information on our behalf. We only retain limited information such as the last four digits of your card, card type, or a payment transaction ID for record-keeping.

Communications Content

Our Services involve customer communications, so we process the content of communications you send or receive through Horizon CRM. This includes emails you compose, send, or sync via our platform (including their content, recipients, attachments, timestamps, etc.), SMS messages or chat messages sent via integrated services, and call audio recordings and call metadata (caller ID, call duration, transcripts if generated, etc.) when using our VoIP/calling features.

Files and Documents

You and your users can upload or store files within Horizon CRM (for example, attaching proposals, quotes, contracts, images, call recordings, or other documents to CRM records). These files are stored in our cloud storage (such as AWS S3) and may contain personal data if you choose to upload such content.

Usage Data

We automatically collect information about how you and your users interact with our Services. This includes usage metrics and analytics data such as features you use, pages or screens viewed, buttons or links clicked, workflows triggered, time spent on various functionalities, and other engagement information within the application.

Device and Technical Data

Like most web services, we gather technical information when you use our website or app. This can include your IP address and general location derived from it, browser type and version, device type (e.g. mobile or desktop, OS version), unique device identifiers, language and region settings, and other information automatically logged by our systems or third-party analytics tools.

Cookies and Tracking Technologies

We use cookies and similar tracking technologies on our website and within our application to provide and secure our Services, and to analyze use. Cookies are small text files placed on your device that remember your preferences and activity. Where required by law, we will obtain your consent before using non-essential cookies or similar trackers on your device. You can control cookies through your browser settings and other tools.

Third-Party Sources & Integrations

We may receive information about you from third-party sources that you choose to connect with Horizon CRM or that integrate with our Services. For example, if you connect a third-party lead generation source such as Facebook Lead Ads or LinkedIn Lead Gen Forms, we will receive personal data of individuals who responded to your lead forms. If you use our data enrichment integrations (e.g. Pappers API for European company data), we may obtain additional information about a business or lead from that external source.

Sensitive Personal Data

In the ordinary course, we do not seek to collect highly sensitive personal data unless necessary. However, certain features involve processing potentially sensitive data:

  • Voice/Call Recordings: If you record telephone calls or voicemail through our Service, you are capturing someone's voice which could be considered biometric data under some privacy laws.
  • Audio-to-Text and AI Analysis: When you use our AI features like voice-to-quote conversion or AI-generated call summaries, the audio content of your calls is sent to our AI processing provider (e.g. OpenAI) to transcribe and analyze the conversation.
  • Payment and Financial Info: Financial account details (like credit card numbers or bank accounts) are handled by third-party payment processors and are considered sensitive.

How We Use Your Information

We use personal data for the following purposes:

To Provide the Services

We process data to set up your account, authenticate you, and provide you with the features and functionalities of Horizon CRM. This includes using your information to allow you to manage leads and clients, send emails, schedule appointments, place calls, generate quotes/invoices, and utilize all core CRM and integrated features. Legal basis: Performance of contract.

To Communicate with You

We use contact information to send service-related communications including transactional emails, billing invoices, security alerts, customer support responses, and where permitted, marketing communications about product updates, new features, or promotions. Legal basis: Performance of contract and legitimate interests.

To Provide Customer Support

If you contact us for help, we will use your contact information and any information you provide about your issue to assist you. Legal basis: Performance of contract and legitimate interests.

To Improve and Develop Our Services

We analyze usage data, feedback, and other aggregated or de-identified information to understand how our Services are used and to make improvements. This helps us troubleshoot performance issues, develop new features, and make informed decisions about product design. Legal basis: Legitimate interests.

To Monitor, Secure, and Prevent Misuse

We process certain data to maintain the security of Horizon CRM and our users. This includes using technical information to detect and prevent fraud, hacking, or other malicious activities. Legal basis: Legitimate interests and legal obligation.

To Enable Communications Features

As part of providing the CRM's communications tools, we process personal data to facilitate those communications. When you use our email sequencing tool, VoIP calling, or SMS features, we process the necessary data to deliver those communications. Legal basis: Performance of contract and legitimate interests.

To Process and Analyze Data with AI Tools

Horizon CRM offers AI-powered features such as the "AI Secretary" for call handling, voice-to-quote conversion, AI-generated email responses, and AI-based lead scoring. When you choose to use these features, we process relevant personal data through our AI systems and third-party AI providers. Legal basis: Performance of contract or your explicit consent.

To Execute Transactions via Blockchain

If you choose to participate in our blockchain-based token system (e.g., purchasing or using HC tokens on the Polygon blockchain), we will use your personal data as necessary to carry out those transactions. Legal basis: Performance of contract.

For Legal Compliance

We may process and retain personal data as needed to comply with our legal obligations, including for accounting and tax purposes, e-invoicing compliance (such as Peppol in Belgium), and to respond to lawful requests by public authorities. Legal basis: Legal obligation and legitimate interests.

How We Share and Disclose Information

We value your privacy and handle your personal data with care. We do not sell your personal information to third parties. We only share your information in the following circumstances:

Service Providers (Sub-Processors)

We use trusted third-party companies to help us provide, support, and secure our Services. These service providers ("subprocessors") have access to your personal data only to perform specific tasks on our behalf and are obligated to keep your data confidential and secure. All subprocessors have signed Data Processing Agreements (DPAs) and comply with GDPR requirements.

Third-Party Service Providers (Subprocessors)

The following table lists all third-party service providers that process personal data on behalf of Horizon CRM:

Provider Service Data Processed Location GDPR Compliance
Amazon Web Services (AWS) / Heroku Cloud hosting, database, file storage All application data (CRM records, files, user accounts, communications) EU (Ireland) AWS DPA
Stripe Payment processing, subscription billing Billing information, payment card details, transaction history, invoice data EU / US (EU-US Data Privacy Framework) Stripe DPA
Google Cloud (Gemini API) AI enrichment, company data analysis Company names, addresses, industry information, business descriptions EU Google Cloud DPA
OpenAI AI features (email drafting, call transcription, voice-to-quote, lead scoring) Email content, voice recordings, call transcripts, lead data, conversation text US OpenAI DPA
Telnyx VoIP telephony, SMS, AI secretary Call recordings, phone numbers, SMS messages, voice data, call metadata US (EU adequacy via DPF) Telnyx Privacy
Zadarma VoIP white-label provisioning (optional) Phone numbers, call records, SIP account credentials, usage data Cyprus, EU Zadarma Privacy
Pappers European company data enrichment Company names, VAT numbers, addresses, corporate registration data France, EU Pappers Privacy
Redis Labs Caching, real-time data, session storage Session tokens, cached CRM data, temporary processing data EU Redis Privacy
Google Analytics Website analytics, usage tracking IP addresses (anonymized), browser data, page views, user interactions US / EU Google Analytics DPA
B2BRouter / Storecove Peppol e-invoicing network (optional) Invoice data, VAT numbers, company details, payment information EU (Netherlands) Storecove Privacy

Data Processing Agreements: All subprocessors listed above have signed Data Processing Agreements (DPAs) with Horizon CRM that include:

  • Processing only on Horizon CRM's documented instructions
  • Confidentiality obligations for all personnel with data access
  • Appropriate technical and organizational security measures
  • Assistance with data subject rights requests and data breach notifications
  • Deletion or return of personal data upon termination of services
  • Standard Contractual Clauses (SCCs) for transfers outside the EEA/UK

Subprocessor Changes: We may add, remove, or replace subprocessors from time to time. If we add a new subprocessor that processes personal data, we will update this list and notify customers at least 30 days in advance. Customers may object to new subprocessors within 30 days of notification.

Data Retention by Service Category

Different types of data have different retention periods based on legal requirements and business needs:

Data Type Retention Period Reason
Active user accounts & CRM data Duration of subscription + 1 year Service delivery, customer reactivation window
Deleted accounts (personal data) 30-day grace period, then anonymized GDPR Right to Erasure, allow account recovery
Financial records (invoices, payments) 7 years after transaction Legal requirement (Belgian tax law)
Call recordings 6 months after recording Business need + GDPR proportionality
Email campaign logs 90 days after sending Deliverability tracking, compliance
AI processing logs 30 days after processing Quality assurance, debugging
System backups 90 days rolling window Disaster recovery, data resilience
Security logs & audit trails 1 year Security monitoring, incident investigation
Marketing consent records Duration of consent + 3 years Proof of consent for regulatory compliance

Automated Deletion: We have automated systems in place to enforce these retention periods. Data is automatically deleted or anonymized when retention periods expire, unless there is a legal obligation to retain it longer (e.g., ongoing litigation).

Within Your Organization

If your Horizon CRM account is registered under a company or if you invite team members, certain data will be shared with other authorized users in your organization according to the permissions you configure.

Business Partners and Integrations

When you choose to integrate Horizon CRM with other tools or platforms, you are directing us to share data with that third-party at your request.

Legal Compliance and Protection

We will disclose personal information if we have a good faith belief that such disclosure is necessary to comply with applicable law, enforce our Terms of Service, detect and prevent fraud or security issues, or protect the rights and safety of Horizon CRM, our users, or the public.

Business Transfers

In the event Horizon CRM undergoes a business transaction such as a merger, acquisition, or sale of assets, your personal data may be among the assets transferred. We would ensure the successor honors the commitments made in this Privacy Policy.

International Data Transfers

Horizon CRM is based in Belgium and our primary data hosting is located in data centers within the European Union. However, personal data we collect may be transferred to and processed in countries outside of your country of residence. We take steps to ensure appropriate safeguards are in place when transferring personal data internationally:

  • Standard Contractual Clauses: We use European Commission-approved Standard Contractual Clauses (SCCs) when transferring data from the EEA/UK to countries not deemed to have adequate data protection.
  • Data Privacy Framework: Some U.S. service providers may participate in frameworks like the EU-U.S. Data Privacy Framework.
  • Adequacy Decisions: We may rely on adequacy decisions for transfers to countries like Canada or Switzerland.

Public Blockchain Notice: If you engage in blockchain transactions (such as using our HC token on the Polygon network), please be aware that any personal data written to a public blockchain will be transferred and accessible globally by the nature of blockchain technology.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with applicable laws:

  • Active Account Data: Retained for the duration of your usage of the Service.
  • Closed or Inactive Accounts: Personal data deleted within approximately 180 days from closure date.
  • Backups: Backup copies maintained for limited time (often 90 days) for resiliency.
  • Legal and Business Necessities: Financial records kept for at least 7 years as required by Belgian law; dispute-related information retained until resolution.

Data Security

We take the security of your personal data very seriously and have implemented robust security measures:

  • Encryption: HTTPS/TLS for data in transit; encryption at rest for sensitive data
  • Access Controls: Role-based access with strict confidentiality obligations
  • Authentication: Secure password hashing, two-factor authentication support
  • Network Security: Firewalls, intrusion detection, continuous monitoring
  • Multi-Tenant Isolation: Logical segregation of each customer's data
  • Incident Response: Procedures for handling security breaches with timely notifications

Your Rights and Choices

You have certain rights regarding your personal data. If you are in the EU/EEA, UK, or similar jurisdictions, you have the following rights:

  • Right to Access: Request confirmation and a copy of your personal data
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data in certain circumstances
  • Right to Restrict Processing: Request that we limit processing under certain conditions
  • Right to Data Portability: Obtain your data in a machine-readable format
  • Right to Object: Object to processing for direct marketing or based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time where we rely on consent
  • Right to Complain: Lodge a complaint with a data protection supervisory authority

To exercise these rights, please contact us at the information provided in the Contact Us section below.

California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:

  • Right to Know: Request disclosure of personal information collected, used, and shared
  • Right to Delete: Request deletion of personal information
  • Right to Correct: Request correction of inaccurate personal information
  • Right of No Retaliation: Not receive discriminatory treatment for exercising your rights

We do not sell or share personal information as defined by CCPA. We have not sold or shared personal information of California consumers in the past 12 months.

Voice and Call Recording

Horizon CRM provides integrated calling and voicemail features, including options to record calls and use an AI-enabled virtual assistant. When you use our calling features:

  • We receive call setup information (caller ID, phone numbers, timestamps, duration)
  • If recording is enabled, we capture the audio of the call
  • If AI transcription is requested, audio is sent to our transcription service (OpenAI)

User Responsibility for Consent: Many jurisdictions require consent or notification to all parties before recording a conversation. You are responsible for ensuring you have a legal basis to record a call. If you cannot obtain necessary consent, you should not record the call or should disable the call recording feature.

AI and Automated Decision-Making

Horizon CRM incorporates AI features to enhance productivity, including:

  • AI Secretary / Virtual Assistant for call handling
  • Voice-to-Quote Conversion
  • AI Email Responses
  • Lead Scoring and Insights

Some AI functionality is powered by third-party AI services like OpenAI. We configure our usage so that providers do not retain your data or use it to train their models. We do not make automated decisions about individuals that have legal or similarly significant effects without a human in the loop.

Blockchain Data

Horizon CRM incorporates a blockchain component via the HC token (an ERC-20 token on the Polygon network). The blockchain is a public distributed ledger - any data recorded on it is public and immutable (cannot be altered or deleted).

When you engage in token transactions:

  • Wallet addresses are recorded on the blockchain
  • Transaction records (from address, to address, amount, timestamp) are public
  • We minimize personal data on-chain (typically just addresses and amounts)

Important: Blockchain transactions are permanent. While we can delete associations in our systems, we cannot remove historical transactions from the Polygon ledger. By using the HC token features, you acknowledge that certain data will be public and permanent.

Minors and Children's Privacy

Our Services are not directed to anyone under the age of 16. Horizon CRM is a business-oriented platform intended for use by organizations and professionals. We do not knowingly collect personal data from children under 16 years old.

If we learn that we have collected personal information from a child under 16 without verifiable parental consent, we will promptly delete that information. If you believe we might have information from a minor under 16, please contact us.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our business, the Services, or legal requirements. When we make changes, we will post the updated Policy on this page and update the "Last updated" date at the top. If the changes are significant, we will provide a more prominent notice or notify you directly.

By continuing to use our Services after a revised Privacy Policy has become effective, you acknowledge the new Policy terms.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, you can contact us using the details below:

Horizon CRM – Privacy Department
(Attn: Data Protection Officer)
Email: privacy@horizoncrm.eu or dpo@horizoncrm.eu
Postal: Horizon CRM, Belgium

If you are a resident of the EEA, you also have the right to contact the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données) regarding any concerns.

Related Documentation

Data Retention Policy

Learn how long we keep your data and why.

View Policy
GDPR Dashboard

Manage your data rights and privacy settings.

Go to Dashboard
Data Processing Agreement

For business customers (GDPR Article 28).

View DPA

Thank you for trusting Horizon CRM. We are dedicated to safeguarding your privacy and managing your data with the utmost care and respect.