Privacy Policy
MRR & Subscription Reports for Pipedrive — last updated 2026-06-03
Who we are
MRR & Subscription Reports for Pipedrive (the “Service”) is operated by Crosstown Tech (“Crosstown Tech”, “we”, “us”), 3703–39 Roehampton Ave, Toronto, ON, Canada. For privacy questions or data requests, contact support@crosstowntech.com.
Our role: data processor
The Service is a read-only analytics tool for businesses that use Pipedrive. When you install it, you (the Pipedrive account holder) are the data controller of the CRM records in your workspace, and Crosstown Tech acts as a data processor that processes that data solely on your instructions to provide the analytics you requested. We do not use your CRM data for our own purposes, and we do not process it beyond what is needed to compute and display your reports.
What the Service collects
The Service reads (never modifies) the following Pipedrive data via OAuth:
- Deals: ID, title, status, value, currency, created date, won/lost dates, and lost reason
- Deal products: the recurring products attached to a deal — product ID, name, recurring price, billing frequency, billing start date, billing-frequency cycles, and quantity
- Customer reference: the numeric person ID and/or organization ID attached to a deal — used only to group deals into customers for cohort analysis. We do not read or store contact names, email addresses, or domains.
- Webhooks: create / change / delete events for deals and deal products, used only to trigger a refresh of the cache described below
- Account basics: your Pipedrive user and company identifiers and the account’s currencies, read to identify the signed-in user and aggregate figures across currencies
What the Service stores
The Service keeps a working cache in Convex Cloud (US region):
- A per-user cache of your deals and deal products — used to compute MRR, cohorts, and retention without re-querying Pipedrive on every view. The MRR / waterfall / retention figures are computed on the fly from this cache, not stored as separate records.
- Your dashboard layout preferences (which widgets you show, and their order)
- OAuth tokens, used to fetch fresh data on demand when you open the dashboard and to refresh expired tokens
The per-user cache is ephemeral. Each cache entry has a time-to-live of about 15 minutes after your last dashboard session, and an automated hourly job purges entries whose time-to-live has elapsed. Your data does not sit at rest beyond what is needed to serve your active sessions.
Legal basis for processing
For customers in the EU/UK, we process your account data and OAuth credentials on the basis of contractual necessity (Article 6(1)(b) GDPR) — the processing is necessary to provide the Service you signed up for. We process the CRM records in your workspace as your data processor, acting on your instructions and on the legal basis you, as controller, rely on for that data.
Data retention and deletion
- While installed: the cache is retained to serve your sessions and is purged on the inactivity schedule above.
- On uninstall: when Pipedrive sends the uninstall callback, we revoke the OAuth token and delete all account-scoped data — deals, deal products, OAuth tokens, dashboard layouts, and the account record itself. Deletion runs promptly and, for large workspaces, in batches; it is not retained in backups under our control.
- Customer-requested deletion: uninstall the app from your Pipedrive Marketplace settings, or email us, and deletion runs promptly.
Sub-processors and international transfers
Your data is never sold, and never shared with advertising networks. We rely on the following infrastructure providers, who process data only to run the Service:
- Convex Cloud (US) — database and backend; encrypted at rest and in transit
- Vercel (US) — application hosting and server-side rendering, including PDF export; processes data in transit
- Pipedrive — the app reads your deal and product data back over Pipedrive’s HTTPS API to keep the cache fresh
Convex Cloud and Vercel are located in the United States. For customers in the EU/UK, transfers of personal data to the United States are made under appropriate safeguards, such as the EU Standard Contractual Clauses (and the UK addendum) incorporated into our providers’ data processing terms.
Your rights
Depending on your location, you have rights over your personal data — including the rights of access, rectification, erasure, restriction of processing, data portability, and objection. California residents have the rights to know, delete, and correct, and to opt out of the sale or sharing of personal information; we do not sell or share personal information as those terms are defined under the CCPA/CPRA.
Exercise any of these rights by emailing support@crosstowntech.com. We respond within the timeframes required by applicable law (30 days under GDPR; 45 days under the CCPA). If you believe we have processed your data unlawfully, you have the right to lodge a complaint with your local supervisory authority (for UK residents, the Information Commissioner’s Office).
Cookies
The standalone dashboard sets a single functional, httpOnly session cookie used only to keep you signed in. We do not use advertising or third-party tracking cookies, and the Service makes no automated decisions that produce legal or similarly significant effects about individuals.
Security
- OAuth 2.0 with read-only access to your CRM data — the app does not create, edit, or delete deals, products, or other records in your workspace. The only write-capable permission is webhook management, used solely to register and remove the change-notification webhooks the app depends on.
- HTTPS-only — all communication is encrypted in transit
- OAuth tokens are stored in Convex and protected by Convex’s encryption at rest; we do not log tokens or keep plaintext credentials in code
- Automatic OAuth token refresh — expired tokens are rotated without user intervention
- Webhook ingress authenticated via HTTP Basic against a per-deployment shared secret
If a data breach affecting your personal data occurs, we will notify affected users and the relevant supervisory authorities in accordance with applicable law (within 72 hours under GDPR where required).
Changes to this policy
We may update this policy from time to time. The “last updated” date above reflects the latest version, and we will give advance notice of material changes to installed users where practicable.
Contact
Crosstown Tech — 3703–39 Roehampton Ave, Toronto, ON, Canada. support@crosstowntech.com.
MRR & Subscription Reports for Pipedrive is an independent third-party application and is not affiliated with, endorsed by, or sponsored by Pipedrive. “Pipedrive” is a trademark of its respective owner.