Privacy Policy

How Piraja collects, uses, stores, and protects personal data.

Published 01/21/2026Updated 11/25/20254 min read

1. Controller and contact

Piraja AS is the data controller for personal data processed when you use Piraja.

Piraja AS (org. no. 927 989 484) Gravane 12, 4610 Kristiansand S Norway

Privacy contact: support@piraja.io

2. Scope

This Privacy Policy explains how we collect, use, store, share, and protect personal data when you use Piraja, including optional integrations such as Gmail (Google APIs) and Outlook/Microsoft 365 (Microsoft Graph).

3. Personal data we process

Depending on your use of the Service, we may process:

  • Account data: name, email address, authentication identifiers, security events.
  • Business/workspace data: business name, members, settings, and configuration.
  • CRM content you create: contacts, organizations, tickets, activities, notes, and related metadata.
  • Mailbox data (if you enable the Mailbox module): email headers, participants, subject, timestamps, message bodies (text/HTML), thread metadata, and attachment metadata.
  • Usage and device data: logs, diagnostics, performance and security telemetry.

4. Mailbox integrations (Gmail and Outlook)

4.1 Gmail (Google APIs)

If you connect Gmail, you authorize Piraja to access and process Gmail data according to the permissions you grant during Google’s consent screen. Piraja uses this access to provide a user-facing mailbox experience inside the CRM (sync, search, threading, drafts, sending, and state changes like read/unread and archive/labels).

Piraja stores:

  • OAuth tokens (access/refresh tokens) required to maintain the connection and perform background syncing. These tokens are encrypted at the application layer before being stored.
  • Synced email content in our database (including message bodies and metadata) so the CRM can provide mailbox functionality and communication history.
  • Attachment metadata; attachment content may be fetched from the provider on-demand when you download or preview.

4.2 Outlook/Microsoft 365 (Microsoft Graph)

If you connect Outlook/Microsoft 365, Piraja uses Microsoft Graph delegated permissions to sync and send mail on behalf of the user who connected the mailbox. Some organizations require tenant-wide admin approval before users can connect their own mailboxes.

Piraja stores the same categories of mailbox data as described above (tokens, message content, message/thread metadata, and attachment metadata).

5. Google API Services User Data Policy (Limited Use)

Piraja’s use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In particular:

  • We do not sell Google user data.
  • We do not use Google user data for advertising, including personalized, re-targeted, or interest-based advertising.
  • We do not allow humans to read Gmail content except when necessary for providing user-requested support, security investigation, compliance with law, or other Limited Use-permitted purposes.

6. Purposes and legal bases (GDPR)

We process personal data to:

  • Provide and operate the Service (contractual necessity).
  • Sync and display mailbox data when you enable integrations (contractual necessity; user-initiated features).
  • Secure the Service, prevent abuse, and troubleshoot (legitimate interests; and in some cases legal obligations).
  • Comply with legal obligations (legal obligation).

7. Sharing and subprocessors

We use trusted subprocessors to operate the Service. Depending on features enabled, these may include:

  • Supabase (database, auth, storage)
  • Vercel (hosting and delivery)
  • Resend (transactional email delivery)
  • Google (Gmail/People APIs, OAuth)
  • Microsoft (Microsoft Graph, OAuth) We do not share mailbox content with advertisers or data brokers.

8. International transfers

Some subprocessors may process data outside Norway/EEA. Where applicable, we use appropriate transfer safeguards (such as standard contractual clauses) and vendor protections.

9. Retention and deletion

We retain personal data for as long as necessary to provide the Service and for legitimate business purposes, unless a longer period is required by law.

Mailbox data:

  • Disconnecting Gmail/Outlook stops future syncing (and may revoke provider access), but does not automatically delete mailbox data already synced into Piraja.
  • Mailbox data remains available as part of your CRM communication history until you delete it in Piraja or close your account. You can revoke Google access via Google Account permissions, and Microsoft access via your organization’s app access controls.

10. Security

We apply technical and organizational measures designed to protect personal data, including access controls, encryption in transit, tenant isolation (multi-tenant protections), and monitoring.

11. Your rights

Depending on your location (including GDPR/EEA rights), you may have rights to access, rectify, delete, restrict processing, object, and request portability. To exercise your rights, contact support@piraja.io.

12. Changes

We may update this Privacy Policy from time to time. The latest version will be available on this page with an updated date.

Was this helpful?