Privacy, Security & Data Processing Policy
At Brand Built LLC, doing business as Digital Magic CRM ("Digital Magic CRM," "we," "us," or "our"), protecting the personal information you and your customers entrust to us is fundamental to how we operate. This document combines our Privacy Policy, Security Policy, and Data Processing Addendum (DPA) into a single, transparent reference.
This policy applies to information collected through our website, platform, and related services (collectively, the "Services"). By using the Services, you confirm that you have read and understood this policy.
Contents
- Part 1 — Privacy Policy
- Part 2 — California & U.S. State Privacy Rights
- Part 3 — Cookies, Pixels & Tracking Technologies
- Part 4 — Security Policy
- Part 5 — Data Processing Addendum (DPA)
- Part 6 — Subprocessors
- Part 7 — Sensitive & Regulated Data Restrictions
- Part 8 — How to Contact Us
Part 1 — Privacy Policy
1.1 Information We Collect
We collect the following categories of information:
(a) Information you provide directly:
- Account & identity data — name, email address, phone number, business name, billing address
- Payment data — processed by Stripe; we do not store full card numbers
- Content data — files, contacts, messages, automations, and other content you upload to the platform
- Communications — support requests, replies, survey responses, and feedback
(b) Information collected automatically:
- Technical data — IP address, device type, browser, operating system, language
- Usage data — pages viewed, features used, click and session data, referring URLs
- Cookies and similar technologies (see Part 3)
(c) Information from third parties:
- Authentication providers (e.g., Google sign-in) — where you authorize the connection
- Payment processor (Stripe) — limited transaction confirmation data
- Marketing partners — only where you have consented or where permitted by law
1.2 How We Use Information
We use the information described above to:
- Provide, operate, and maintain the Services
- Process payments and manage billing
- Authenticate users and protect against fraud and abuse
- Provide customer support and respond to your requests
- Send service-related communications (account, billing, security, product changes)
- Send marketing communications, where permitted, with a clear opt-out
- Improve and develop new features
- Comply with legal obligations and enforce our Terms
1.3 Legal Bases for Processing (EEA / UK Users)
Where the EU/UK GDPR applies, we process personal data based on one or more of the following: (i) performance of a contract; (ii) our legitimate interests in operating, improving, and securing the Services; (iii) your consent; or (iv) compliance with a legal obligation.
1.4 How We Share Information
We share personal data only as described below:
- Service providers / subprocessors — vendors who help us run the Services under written contracts requiring confidentiality and appropriate safeguards. See Part 6.
- Platform provider — our underlying CRM infrastructure is provided by HighLevel, Inc. under a white-label arrangement. Customer data is processed within that environment under our subprocessor agreement.
- Legal compliance — when required by law, subpoena, or other legal process, or to protect the rights, property, or safety of Digital Magic CRM, our customers, or others.
- Business transfers — in connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality protections.
- With your direction — where you authorize sharing (e.g., integrations you connect).
We do not sell personal information for monetary consideration. Certain advertising and analytics activities may qualify as "sharing" or "targeted advertising" under U.S. state privacy laws — see Part 2 and Part 3 for opt-out options.
1.5 Data Retention
We retain personal data only for as long as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods depend on the category of data:
- Account data — retained while the account is active, plus up to 90 days after termination, then deleted or anonymized.
- Billing & tax records — retained for the period required by applicable tax and financial reporting law (typically 7 years in the U.S.).
- Support & communications records — retained for up to 3 years from last interaction.
- Server, security, and audit logs — retained for up to 12 months unless a longer period is required for investigation or legal hold.
- Backups — retained on rolling schedules and overwritten in the ordinary course (typically within 35 days).
- Marketing data — retained until you opt out or for up to 3 years from last engagement, whichever comes first.
When data is deleted from active systems, residual copies in backups are overwritten on the rolling schedule above. We do not surgically remove individual records from existing backup snapshots.
1.6 Your Rights
Subject to applicable law, you may:
- Request access to the personal data we hold about you
- Request correction of inaccurate or incomplete data
- Request deletion of your personal data
- Request a portable copy of your data
- Object to or restrict certain processing
- Withdraw consent at any time where processing is based on consent
- Lodge a complaint with a supervisory authority
1.7 Submitting a Request
To submit a request, email [email protected] with the subject line "Privacy Request" and describe what you are requesting. We may need to verify your identity by confirming information already associated with your account before processing the request.
Response timing: We will acknowledge your request within 10 business days and respond substantively within 45 days (extendable by an additional 45 days where reasonably necessary, with notice). We will not charge a fee unless the request is excessive or repetitive.
Authorized agents: An authorized agent may submit a request on your behalf with written, signed permission from you. We may verify the authorization directly with you.
Limits: Certain requests may be denied or limited where required by law, where we must retain data for tax, fraud-prevention, security, or other legitimate purposes, or where fulfilling the request would compromise the privacy of another person.
1.8 International Data Transfers
We are based in the United States. If you access the Services from outside the U.S., your data will be transferred to and processed in the United States and other jurisdictions where our subprocessors operate. For transfers from the EEA, UK, or Switzerland, we rely on appropriate safeguards, including the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum where applicable.
1.9 Children's Privacy
The Services are not directed to children under 16, and we do not knowingly collect personal data from children. If we learn that we have collected personal data from a child without verifiable parental consent, we will delete it.
Part 2 — California & U.S. State Privacy Rights
This section provides additional disclosures and rights for residents of California, Colorado, Connecticut, Virginia, Utah, and other U.S. states with comprehensive privacy laws. Where state law provides rights stronger than those described above, those state rights apply regardless of the governing-law clause in Part 5.
2.1 Categories of Personal Information We Collect
In the past 12 months, we have collected the following categories:
- Identifiers — name, email, phone, IP address, account ID
- Commercial information — purchase and billing history
- Internet activity — browsing and usage data, interactions with the Services
- Geolocation data — approximate location derived from IP address
- Professional information — business name, role, industry
- Inferences — preferences and characteristics derived from the above
2.2 Sources, Purposes & Disclosures
We collect these categories from you directly, automatically through the Services, and from the third parties identified in Section 1.1(c). We use them for the purposes described in Section 1.2 and disclose them to the recipients described in Section 1.4 and Part 6.
2.3 Sale & Sharing of Personal Information
We do not sell personal information for monetary consideration. We may "share" personal information for cross-context behavioral advertising or engage in "targeted advertising" as those terms are defined under U.S. state privacy laws when we use advertising or analytics pixels (see Part 3). You can opt out at any time using the mechanism described in Section 2.5.
2.4 Sensitive Personal Information
We do not use or disclose sensitive personal information (as defined under the CCPA/CPRA) for purposes other than those permitted without the right to limit, such as providing the Services, security, and fraud prevention.
2.5 Your State Privacy Rights
Depending on your state of residence, you may have the right to:
- Know what categories and specific pieces of personal information we have collected
- Access a copy of your personal information
- Correct inaccurate personal information
- Delete your personal information
- Opt out of the sale or sharing of personal information and targeted advertising
- Limit the use of sensitive personal information
- Appeal a denied request
- Not be discriminated against for exercising these rights
To exercise these rights, email [email protected]. We honor Global Privacy Control (GPC) signals as a valid opt-out of sale/sharing for the browser or device transmitting the signal.
2.6 Notice at Collection
When you submit information through our website or platform, this Policy serves as our "notice at collection." We collect the categories listed in Section 2.1 for the purposes listed in Section 1.2 and retain them for the periods listed in Section 1.5.
Part 3 — Cookies, Pixels & Tracking Technologies
We and our service providers use cookies, pixels, SDKs, and similar technologies to operate, secure, analyze, and (in some cases) advertise the Services.
3.1 Categories We Use
- Strictly necessary — required for the Services to function (authentication, security, load balancing). Cannot be disabled.
- Functional — remember your preferences and settings.
- Analytics — help us understand how the Services are used (e.g., Google Analytics).
- Advertising — measure and improve marketing campaigns (e.g., Meta Pixel, Google Ads tags). May involve "sharing" under U.S. state privacy laws.
3.2 Specific Technologies
- Google Analytics — usage analytics. Opt out via the Google Analytics Opt-out Browser Add-on.
- Meta Pixel — advertising measurement and retargeting. Manage via your Facebook/Meta ad preferences.
- Stripe — fraud prevention cookies tied to payment processing.
- Platform-provider cookies — set by HighLevel to operate the application.
3.3 Managing Your Choices
You can manage cookies through your browser settings, our cookie banner, or the opt-out links above. Disabling certain cookies may affect Services functionality. We honor Global Privacy Control (GPC) signals for the categories described in Section 2.5.
Part 4 — Security Policy
4.1 Infrastructure
The Services are operated on enterprise cloud infrastructure provided through our underlying platform partner, HighLevel, Inc. HighLevel hosts customer data on Amazon Web Services (AWS) and Google Cloud Platform, both of which maintain industry-standard physical and network security controls, including network firewalls, load balancing, redundant backups, and physically secured data centers.
4.2 Encryption
- In transit: TLS 1.2 or higher for all data exchanged with the Services.
- At rest: AES-256 encryption for stored customer data.
4.3 Access Controls
- Role-based access controls limit internal access to data on a least-privilege basis.
- Two-factor authentication (2FA) is required for our internal personnel who can access production systems.
- Customer-side 2FA is available and strongly recommended for all account users.
4.4 Support & Internal Access
Our personnel may access customer accounts and data only when (i) you authorize access for a support request, (ii) we reasonably believe access is necessary to investigate a security incident, abuse, or violation of our Terms, or (iii) we are legally required to do so. Access is logged and limited to the minimum scope necessary.
Tenant isolation: Customer data is logically segregated within sub-accounts on our platform. We do not represent that customer data is physically isolated on dedicated, single-tenant hardware. Isolation is logical and enforced by role-based access controls.
4.5 Secure Development
- Code changes are peer-reviewed before deployment to production.
- Development, staging, and production environments are separated.
- Security patches and dependency updates are applied on a regular cadence.
4.6 Incident Response & Breach Notification
We maintain an internal incident response process. In the event of a confirmed personal data breach affecting your information, we will notify you without undue delay and, where feasible, no later than 72 hours after we become aware of the breach, except where law enforcement or ongoing investigation requires a brief delay. Notification timing and content will comply with applicable law.
Notice will be sent to the email associated with your account and, where required by law, to applicable regulators and affected individuals.
4.7 Customer Responsibilities
Security is a shared responsibility. You are responsible for: keeping your credentials secure; enabling 2FA; managing user access within your account; reviewing automations and integrations you authorize; and not uploading prohibited data (see Part 7).
Part 5 — Data Processing Addendum (DPA)
This Part applies where you, as a Digital Magic CRM customer, process personal data of individuals (your contacts, leads, customers) through the Services and where applicable data protection law requires a written processing agreement. By using the Services, you agree to the terms of this DPA.
5.1 Roles
You are the data controller (or business) for personal data you upload, import, or collect through the Services. Digital Magic CRM is the data processor (or service provider) and processes that data only on your documented instructions and as needed to provide the Services.
5.2 Scope & Duration
We process personal data for the duration of your subscription and for any limited period afterward needed to return or delete data in accordance with Section 5.6.
5.3 Subprocessors
You authorize us to engage the subprocessors listed in Part 6. We will impose data protection obligations on each subprocessor that are substantively equivalent to those in this DPA. We will give you at least 30 days' notice of any new subprocessor or material change to existing subprocessors by updating this Policy. You may object on reasonable data-protection grounds; if we cannot accommodate the objection, you may terminate the affected portion of the Services.
5.4 Confidentiality & Personnel
We will ensure that personnel authorized to process personal data are bound by confidentiality obligations and receive appropriate training.
5.5 Data Subject Requests
To the extent you cannot fulfill a data subject request through the Services' self-service tools, we will provide reasonable assistance to help you respond. If a data subject contacts us directly with a request relating to your data, we will refer them to you (unless legally prohibited).
5.6 Return and Deletion on Termination
On termination or expiration of your subscription, you may export your data through the Services for up to 30 days. After that period, we will delete or anonymize your personal data within 90 days, except where retention is required by law or for the limited purposes described in Section 1.5. Backup overwrite timing applies as described above.
5.7 International Transfers
Where personal data subject to EU/UK GDPR is transferred outside the EEA/UK to a country without an adequacy decision, the parties agree that the EU Standard Contractual Clauses (Module 2 or Module 3, as applicable) and the UK Addendum apply and are incorporated by reference.
5.8 Audit
We will make available information reasonably necessary to demonstrate compliance with this DPA, including third-party certifications and audit reports from our platform provider where available, on written request and subject to confidentiality.
5.9 Liability
Each party's liability under this DPA is subject to the limitations in the Terms of Service, except where applicable data protection law prohibits such limitation.
5.10 Governing Law
This DPA is governed by the laws of the State of Delaware, USA, except that mandatory consumer-protection and data-protection rights of individuals are provided to the extent required by the law of the individual's jurisdiction, regardless of governing-law choice.
Part 6 — Subprocessors
Digital Magic CRM operates as a white-label of the HighLevel platform. The subprocessors listed below may include some or all of the third parties that process personal data in connection with the Services. This list is current as of the Last Updated date above and may change from time to time; updates will be reflected in revisions to this Policy.
Subprocessors are grouped by function. The platform infrastructure and AI subprocessors listed below are engaged by HighLevel, Inc. on our behalf and are reproduced from HighLevel's current subprocessor disclosures.
6.1 Core Infrastructure
| Entity | Description of Processing | Location |
|---|---|---|
| Amazon Web Services, Inc. (AWS) | Cloud hosting and data storage (via HighLevel) | United States |
| Google Cloud Services | Cloud hosting and data storage (via HighLevel) | United States |
6.2 Communications & Messaging
| Entity | Description of Processing | Location |
|---|---|---|
| Twilio, Inc. | SMS, voice, and communications delivery | United States |
| Mailgun Technologies, Inc. | Transactional and marketing email delivery | United States |
| LeadConnector LLC | Communications routing and support services | United States |
6.3 Payments & Billing
| Entity | Description of Processing | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | United States |
| Chargebacks911 | Chargeback management and dispute services | United States |
6.4 Analytics & Operations
| Entity | Description of Processing | Location |
|---|---|---|
| Google LLC (Google Analytics) | Website and product usage analytics | United States |
| Meta Platforms, Inc. | Advertising pixel and conversion measurement | United States |
| Pendo.io, Inc. | Product usage analytics | United States |
| ChartMogul Limited | Subscription analytics | United States |
| Mozart Data, Inc. | Internal data analytics | United States |
| People Data Labs | Business data enrichment and analytics | United States |
| Persona Identities, Inc. | Identity verification | United States |
| Freshworks, Inc. | Customer support and communication | United States |
| Zapier, Inc. | Workflow automation | United States |
6.5 Artificial Intelligence
The following AI subprocessors may process customer data only as needed to deliver specific AI features (e.g., content generation, chatbots, voice agents). Customer data is not used to train generalized public AI models.
| Entity | Description of Processing | Location |
|---|---|---|
| OpenAI, L.L.C. | AI content generation and language models | United States |
| Anthropic, PBC | AI content generation and language models | United States |
| Botpress Technologies Inc. | AI chatbot infrastructure | United States |
| Retell AI, Inc. | AI voice agent infrastructure | United States |
| Synthflow AI | AI voice agent infrastructure | United States |
6.6 Affiliate & Operational Support
| Entity | Description of Processing | Location |
|---|---|---|
| HighLevel India | Platform services and support | India |
Part 7 — Sensitive & Regulated Data Restrictions
The Services are not designed for, and you agree not to upload, transmit, or store the following categories of regulated data unless we have agreed in writing in advance:
- Protected Health Information (PHI) regulated by HIPAA
- Cardholder data in scope of PCI DSS (beyond what is tokenized via Stripe)
- Government-issued identification numbers (e.g., Social Security numbers, driver's license numbers, passport numbers)
- Financial account numbers, bank account credentials, or full credit card numbers
- Information from or about children under 13 (or under 16 in the EEA/UK) without verifiable parental consent
- Biometric identifiers regulated under specific state laws
- Information regulated by FERPA, GLBA, or similar U.S. or foreign laws unless we have agreed in writing
If you upload data in these categories without our prior written agreement, you do so at your own risk and indemnify us against claims arising from that upload. We may suspend or remove such data.
Part 8 — How to Contact Us
Brand Built LLC d/b/a Digital Magic CRM
535 Fifth Ave, 4th Floor
New York, NY 10017
Email: [email protected]
Changes to this Policy
We may update this Policy from time to time. Material changes will be communicated by email to the address associated with your account and/or by prominent notice in the Services at least 30 days before they take effect, where feasible. The "Last Updated" date at the top reflects the current version.
