Privacy Policy
Last updated: June 13, 2026
This Privacy Policy explains how TenthAvenue Labs LLC (“TenthAvenue”, “we”, “us”) collects, uses, and protects information when you use TenthAvenue CRM (the “Service”), including its scheduling features that connect to your Google Calendar, Microsoft Outlook, and Zoom accounts. By using the Service you agree to the practices described here.
1. Who this policy covers
TenthAvenue CRM is a business customer-relationship-management and scheduling platform offered to organizations (“Customers”). Where a Customer uses the Service to process information about their own contacts and clients, the Customer is the controller of that data and we act as their processor. For account holders who sign in to the Service, we are the controller of the account information described below.
2. Information we collect
- Account & profile information, name, work email, organization, role, and authentication details used to create and secure your account.
- Customer (CRM) data, contacts, companies, deals, activities, forms, and related records that you or your organization choose to store in the Service.
- Information from services you connect, when you connect a Google, Microsoft, or Zoom account (see Section 4), we receive a limited set of calendar or meeting data and an OAuth token that lets the Service act on your behalf.
- Usage & device data, log data such as IP address, browser type, pages accessed, and timestamps, used to operate, secure, and improve the Service.
3. How we use information
- Provide, maintain, and secure the Service and its features.
- Calculate availability and create, update, or cancel scheduled meetings on your behalf.
- Authenticate you and prevent fraud, abuse, and unauthorized access.
- Communicate with you about your account, security, and service changes.
- Comply with legal obligations and enforce our Terms of Service.
We do not sell your personal information, we do not use Google user data for advertising, and we do not use Google user data to develop, improve, or train AI or machine-learning models.
4. Data from connected services (Google, Microsoft, Zoom)
Our scheduling feature (“Meridian”) can connect to your Google, Microsoft, and Zoom accounts. For each, we ask only for the access needed to provide scheduling, store the minimum necessary data, and protect OAuth tokens using encryption (see Section 6). You can disconnect any connected account at any time from within the Service, which deletes the stored tokens for that connection.
Google Calendar
openid&userinfo.email, to identify which Google account is connected.calendar.calendarlist.readonly, to list your calendars so you can choose which ones count toward availability and which one receives bookings.calendar.freebusy, to read only your free/busy times (not event titles or details) so we can offer accurate open slots.calendar.events, to create, update, and cancel the meeting events booked through the Service.
You can also revoke Google access at myaccount.google.com/permissions.
TenthAvenue’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
AI features and your data
TenthAvenue CRM offers optional AI-assisted features (for example, drafting marketing copy, generating offering summaries, and building dashboards) powered by third-party AI providers, Anthropic (Claude) by default, or Google (Gemini) where a Customer configures it. These features operate only on business content you enter into the Service.
We do not use data obtained from connected services (Google, Microsoft, or Zoom), including any Google Workspace data, to develop, improve, or train generalized or personalized AI/ML models, and we do not transfer Google user data to any third-party AI or ML tools or models. No Google Calendar data (or other Google user data) is sent to an AI provider. Where an AI provider processes the inputs we send, it does so only to return a result for that request and does not train its models on that data.
Microsoft (Outlook)
openid,email&offline_access, to identify the connected account and keep the connection active.User.Read, to read your basic Microsoft profile and confirm which account is connected.Calendars.ReadWrite, to read your free/busy times and to create, update, and cancel the meetings booked through the Service.
You can revoke Microsoft access from within the Service or from your Microsoft account at account.microsoft.com; work or school accounts may be managed by your administrator.
Zoom
user:read:user, to read your Zoom account’s name, email, and user ID so we can identify the connected account.meeting:write:meeting, to create, update, and cancel the Zoom meetings booked through the Service.
You can disconnect Zoom from within the Service or by removing the app from your Zoom account’s Added Apps page at marketplace.zoom.us. When you remove the app, Zoom notifies us and we delete the stored tokens and associated data for that connection.
5. How we share information
We share information only as needed to run the Service:
- Service providers (subprocessors), infrastructure and tools that operate the Service on our behalf, such as our database/auth host (Supabase), application host (Render), and transactional email provider (Resend). These providers are bound by confidentiality and data-protection obligations.
- Within your organization, Customer data is accessible to authorized members of the same organization account.
- Legal & safety, where required by law, or to protect the rights, property, or safety of users and the public.
- Business transfers, in connection with a merger, acquisition, or sale of assets, subject to this policy.
Data we receive from connected services (Google, Microsoft, and Zoom) is never transferred to third parties except as necessary to provide the Service, for security, or to comply with law, and Google user data is handled consistent with the Limited Use requirements above.
6. Storage, security & retention
- Data is encrypted in transit (TLS) and at rest.
- OAuth refresh tokens for connected accounts are encrypted application-side before storage using AES-256-GCM.
- Access is restricted to authorized personnel and scoped by organization through row-level security.
- We retain account and Customer data for as long as your account is active. Connected-account tokens are deleted when you disconnect the account or close your account.
7. Your choices & rights
Depending on your location, you may have rights to access, correct, export, or delete your personal information, and to object to or restrict certain processing. Account holders can update much of their information in the Service directly. To make a request or to ask us to delete data we hold about you, contact us at privacy@tenthavenue.io. If your data is managed by a Customer organization, we will refer your request to that organization.
8. International users
The Service may be operated from, and your information processed in, countries other than your own. Where required, we use appropriate safeguards for cross-border transfers.
9. Children’s privacy
The Service is intended for business use and is not directed to children under 16. We do not knowingly collect personal information from children.
10. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be reflected by updating the “Last updated” date above and, where appropriate, by additional notice.
11. Contact us
Questions about this policy or our data practices? Email privacy@tenthavenue.io.