Privacy Policy

Effective Date: 13July2026

Critical Mass Consulting ("Critical Mass Consulting," "Company," "we," "our," or "us") provides consulting services and software integrations that connect with third-party platforms, including LinkedIn and HubSpot. We are committed to protecting your privacy and handling personal information responsibly, transparently, and in accordance with applicable privacy laws.

This Privacy Policy explains how we collect, use, disclose, retain, and safeguard information when you visit our website, use our services, or authorize our application to access third-party services.

1. Scope

This Privacy Policy applies to:

  • Visitors to our website

  • Customers and prospective customers

  • Users of our software and integrations

  • Individuals whose information is processed through our integrations with LinkedIn, HubSpot, and other authorized third-party services

2. Information We Collect

Information You Provide

We may collect:

  • Name

  • Business email address

  • Employer

  • Job title

  • Telephone number

  • Billing information

  • Communications with our support team

  • Information submitted through forms

Automatically Collected Information

When you use our website or applications, we may collect:

  • IP address

  • Browser type

  • Device identifiers

  • Operating system

  • Log files

  • Usage analytics

  • Cookie identifiers

  • Session information

3. Information Obtained Through Third-Party APIs

Our application only accesses information after you explicitly authorize access using OAuth or another secure authorization method provided by the applicable platform.

LinkedIn Data

Subject to the permissions you approve, we may receive:

  • Basic profile information

  • Name

  • Profile photo

  • Email address (if authorized)

  • Organization or Company Page information

  • Organization administration information

  • Content management permissions

  • Other information explicitly approved during authorization

We only request the minimum permissions necessary for the features you choose to use.

LinkedIn member data is never used to create unrelated marketing databases, sold to third parties, or used for advertising unrelated to the services you requested.

HubSpot Data

Depending on the permissions granted, we may access:

  • Contacts

  • Companies

  • Deals

  • Tickets

  • Products

  • Custom Objects

  • CRM properties

  • Owners

  • Pipelines

  • Marketing assets

  • Metadata required for synchronization

We access only the CRM objects and scopes necessary to provide the requested functionality.

4. API Scope Disclosure

Our application requests only the permissions required to provide the services you enable.

Examples may include:

  • Reading contact information

  • Updating CRM records

  • Reading organization information

  • Synchronizing customer records

  • Creating or updating records on your behalf

  • Reading account configuration necessary for integration

We do not request permissions unrelated to the services we provide.

Should additional permissions become necessary in future releases, users will be required to authorize those permissions before they are used.

5. How We Use Information

We use personal information to:

  • Deliver consulting services

  • Operate our software platform

  • Synchronize authorized data between systems

  • Authenticate users

  • Provide customer support

  • Improve our products

  • Maintain system security

  • Detect fraud or misuse

  • Meet contractual obligations

  • Comply with applicable laws

We process personal information only where we have a lawful basis under applicable privacy laws.

6. Legal Basis for Processing (GDPR)

For individuals located in the European Economic Area (EEA), United Kingdom, or other jurisdictions requiring a lawful basis for processing, we process personal data under one or more of the following legal bases:

  • Performance of a contract

  • User consent

  • Legitimate business interests

  • Compliance with legal obligations

  • Protection of vital interests where applicable

Where processing relies on consent, consent may be withdrawn at any time.

7. Data Minimization

We follow the principles of data minimization by collecting and processing only the information reasonably necessary to provide our services.

We do not intentionally collect information unrelated to the authorized functionality.

8. Data Sharing

We do not sell personal information.

We may disclose information only to:

  • Cloud infrastructure providers

  • Hosting providers

  • Security monitoring providers

  • Analytics providers

  • Customer support vendors

  • Professional advisors

  • Government authorities where legally required

All service providers are contractually required to maintain appropriate confidentiality and security measures.

9. Subprocessors

To operate our services, we may engage trusted subprocessors that process data on our behalf.

Examples include providers of:

  • Cloud hosting

  • Database infrastructure

  • Monitoring services

  • Email delivery

  • Customer support

  • Logging and security monitoring

  • Backup and disaster recovery

Subprocessors receive only the information necessary to perform their contracted services and are bound by confidentiality and data protection obligations.

A current list of subprocessors is available upon request.

10. Data Retention

We retain information only for as long as necessary to:

  • Provide requested services

  • Maintain customer accounts

  • Resolve disputes

  • Meet contractual obligations

  • Comply with legal requirements

When data is no longer required, it is securely deleted or anonymized.

11. Security

We maintain administrative, technical, and organizational safeguards designed to protect personal information.

Security measures include, where appropriate:

  • Encryption in transit using TLS

  • Encryption at rest

  • Multi-factor authentication for administrative access

  • Role-based access controls

  • Audit logging

  • Continuous monitoring

  • Security patch management

  • Least-privilege access principles

  • Secure software development practices

Although we employ commercially reasonable safeguards, no electronic system can be guaranteed to be completely secure.

12. Breach Notification

If we become aware of a security incident involving personal information that we process, we will investigate promptly and, where required by applicable law or contractual obligations, notify affected customers and appropriate regulatory authorities without undue delay.

Notifications will include available information regarding:

  • Nature of the incident

  • Categories of affected information

  • Likely consequences

  • Measures taken to mitigate harm

  • Recommended actions where appropriate

13. International Data Transfers

Information may be processed in countries outside your jurisdiction.

Where required under GDPR or similar laws, we implement appropriate safeguards for international data transfers, including:

  • Standard Contractual Clauses (SCCs), where applicable

  • Contractual data protection obligations

  • Appropriate technical and organizational safeguards

14. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access your personal information

  • Correct inaccurate information

  • Delete personal information

  • Restrict processing

  • Object to processing

  • Receive a copy of your information

  • Withdraw consent

  • Lodge a complaint with a supervisory authority

We respond to verified privacy requests within the timeframes required by applicable law.

15. Data Deletion Requests

You may request deletion of your personal information by:

  • Contacting us using the information below

  • Disconnecting our application from LinkedIn or HubSpot

  • Requesting account deletion

Upon receiving a verified deletion request, we will:

  • Delete personal information that is no longer required for legal or contractual purposes

  • Remove stored API tokens where applicable

  • Stop future synchronization with connected services

  • Delete or anonymize retained information unless retention is required by law

Certain information may be retained to comply with legal obligations, resolve disputes, or enforce agreements.

16. Revoking API Access

You may revoke our application's access to LinkedIn or HubSpot at any time through your account settings on those platforms.

Once authorization is revoked:

  • API access tokens become unusable

  • Future synchronization stops

  • We will no longer access new information from your account

  • Previously synchronized data will be handled according to this Privacy Policy and applicable legal requirements

17. Cookies

Our website may use cookies and similar technologies to:

  • Maintain authenticated sessions

  • Improve website performance

  • Measure usage

  • Analyze traffic

  • Remember preferences

You may disable cookies using your browser settings.

18. Children's Privacy

Our services are intended for business users and are not directed to children under 13 years of age.

We do not knowingly collect information from children.

19. Third-Party Services

Our application integrates with third-party platforms including LinkedIn and HubSpot.

Your use of those platforms remains subject to their own privacy policies and terms of service.

We are not responsible for the privacy practices of third-party services that are outside our control.

20. Compliance with LinkedIn and HubSpot Requirements

Critical Mass Consulting is committed to responsible use of third-party platform data.

Accordingly, we:

  • Request only the API permissions required for approved functionality.

  • Process platform data solely for the purposes authorized by the user.

  • Do not sell, rent, or broker platform-derived data.

  • Do not use platform data to build independent commercial databases.

  • Maintain commercially reasonable security safeguards.

  • Respect user requests to revoke authorization.

  • Honor applicable deletion requests.

  • Cooperate with platform compliance and security reviews where required.

  • Regularly review our data handling practices to ensure ongoing compliance with applicable platform policies and privacy laws.

21. Changes to This Privacy Policy

We may revise this Privacy Policy periodically.

The Effective Date above indicates when this policy was last updated.

Material changes will be communicated through appropriate means before becoming effective where required by law.

22. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact:

Critical Mass Consulting

Privacy Officer

Email: privacy@criticalmass-consulting.com

Website: https://www.criticalmass-consulting.com

Address:

1999 Harrison St

18th Floor #03018

Oakland CA 94612

If you are located in the European Economic Area or the United Kingdom, you may also contact us regarding GDPR-related requests using the contact information above.