Privacy Policy

CLView ("we", "us", "our") is a client dashboard SaaS built and operated by App & Design, a New Jersey digital studio. This Privacy Policy explains what information we collect, how we use it, and the controls you have over it.

We've written this in plain English. If anything is unclear, email [email protected] and we'll explain it.

1. Who we are

CLView is operated by App & Design, based in New Jersey, United States. You can reach us at:

• Email: [email protected]
• Website: appandesign.com
• Mailing address: Available on request

2. What information we collect

We collect three categories of information:

(a) Account information you give us.

• Your name, business name, email address, and phone number
• Your billing address and payment method (processed by Stripe — we never see card numbers)
• Login credentials (passwords are hashed with bcrypt; we cannot read them)

(b) Data you put into the dashboard.

• Lead submissions from your website's contact forms
• Phone call logs and recordings (if you enable call tracking via Twilio)
• Page-level analytics (visits, conversions, source attribution)
• SEO scan results (Core Web Vitals, page speed, security flags)
• Google Business Profile reviews you connect to your dashboard
• Documents, notes, or content you upload

(c) Technical data collected automatically.

• IP address, browser type, and device information (for security and logging)
• Session cookies (to keep you logged in)
• Server logs (request paths, response times, error traces — retained 90 days)

3. How we use it

We use your information only to:

• Operate and improve the CLView dashboard you signed up for
• Send you the notifications and reports you've configured
• Respond to your support requests
• Send billing notices and account updates
• Detect abuse, fraud, and security threats
• Comply with legal obligations (taxes, lawful requests)

We do not sell your data. We do not share it with advertisers, data brokers, or anyone else for marketing purposes. Period.

4. AI processing

CLView includes an AI assistant powered by a self-hosted Ollama instance running the deepseek-r1 model on our server in New Jersey. When the AI assistant analyzes your leads, drafts replies, or summarizes reports:

• Your data never leaves our infrastructure
• Your data is not used to train any public AI model
• Inputs and outputs are not retained beyond your session unless you explicitly save them

We do not send your data to OpenAI, Anthropic, Google, or any other third-party AI provider.

5. Where your data lives

All client data is stored on a Dell PowerEdge T440 server running Ubuntu 24.04, physically located at App & Design's facility in New Jersey. The server is:

• Behind a Cloudflare Tunnel (encrypted in transit, no exposed ports)
• Backed up nightly to encrypted offsite storage
• Monitored 24/7 for uptime and security events
• Connected to a UPS for power resilience

Each client has their own isolated MariaDB database. There is no shared multi-tenant table — your data is physically separated from every other client's data.

6. Third-party services we use

CLView relies on a small number of trusted services to deliver core functionality. Each one is listed below with what data it receives:

• Cloudflare — DNS, DDoS protection, TLS termination. Sees: encrypted traffic metadata only.
• Twilio (optional, for call tracking) — Phone numbers, call durations, recordings if you enable them.
• Stripe — Billing only. Sees: your name, email, billing address, and card details (we never see your card).
• Google APIs (optional) — Search Console, Business Profile, Analytics. Read-only access scoped to data you explicitly authorize.
• Gmail SMTP — Outbound transactional emails (reports, notifications, login alerts).

That's the complete list. We don't use Facebook pixels, Google Tag Manager, ad networks, behavioral analytics platforms, or session replay tools.

7. Cookies

We use exactly the cookies needed to make the dashboard work:

• Session cookie — Keeps you logged in (expires when you log out or after 30 days if you check "remember me")
• CSRF token — Prevents cross-site request forgery on form submissions

We do not use tracking cookies, advertising cookies, or third-party cookies.

8. How long we keep your data

• Active account data — As long as your account is active
• Lead and call records — Retained for the lifetime of your account unless you delete them
• Server logs — 90 days, then automatically purged
• Call recordings — 60 days by default; configurable per client
• Billing records — 7 years (US tax law requirement)
• Cancelled accounts — All operational data deleted within 30 days of cancellation, except billing records

9. Your rights

Regardless of where you live, you have the right to:

• Access — Get a copy of all data we have about you
• Export — Download your full dashboard in CSV or JSON, anytime
• Correct — Update inaccurate information
• Delete — Request deletion of your account and all associated data
• Object — Tell us to stop processing your data for specific purposes
• Complain — File a complaint with a data protection authority if you're in the EU, UK, or California

To exercise any of these rights, email [email protected] from the address associated with your account. We respond within 7 days for most requests; complex requests may take up to 30 days.

10. Children

CLView is a B2B product for service businesses. It is not directed at children under 13, and we don't knowingly collect data from them. If you believe a child has signed up, email us and we'll delete the account immediately.

11. Security

We take security seriously:

• All traffic encrypted in transit via TLS 1.3
• Passwords hashed with bcrypt (cost factor 12)
• Database connections require authentication and are not exposed publicly
• Server access restricted by SSH key authentication only
• Nightly encrypted backups to offsite storage
• Cloudflare Tunnel — no inbound ports open to the public internet

No system is perfectly secure. If we ever detect a breach affecting your data, we'll notify you within 72 hours of confirmation.

12. Changes to this policy

If we make material changes to this policy, we'll email all active account holders at least 30 days before the changes take effect. Minor clarifications (fixing typos, improving language) will be posted here with an updated "Last updated" date.

13. Contact

Questions, concerns, or requests about this policy? Email us at [email protected]. A real person will respond, usually within 24 hours.