Overview

This document explains exactly what UnfussyCRM (the service operator) can and cannot access from your data, how that data is protected, and what technical and operational controls are in place. We aim to be direct about the limits of our privacy model so you can make an informed decision.

What we can see

The following data is stored in plaintext and is accessible to the service operator:

DataNotes
Your login email addressUsed for account authentication and notifications
Organisation and workspace nameVisible in admin dashboard
CRM contact recordsNames, email addresses, company, pipeline stage, tags, last-touch date
Email subjectsStored unencrypted for fast list rendering
Email snippetsFirst ~200 characters of each email body, stored unencrypted for inbox list performance
Email participant addressesFrom / To / CC / BCC addresses for every synced message
Message metadataTimestamps (sent, received), direction (inbound/outbound), read status, thread groupings
Attachment metadataFilename, file size, MIME type — not the attachment content
Parsed contact signaturesStructured fields extracted from email signatures (name, title, phone)
Activity and touchpoint countsHow many emails exchanged, meeting notes, stage changes
Storage and usage metricsPer-workspace email count, contact count, storage volume
Billing and subscription statusStripe plan and status

What we cannot easily see

The following data is encrypted before being written to the database. It is not readable from a database dump or direct database access without additional server-side access:

DataEncryption
Email body textXChaCha20-Poly1305, per-user key
Email body HTMLXChaCha20-Poly1305, per-user key
Email headersXChaCha20-Poly1305, per-user key (stored for threading and compliance replay)
OAuth access and refresh tokensXChaCha20-Poly1305, server key
IMAP / SMTP credentialsXChaCha20-Poly1305, server key

Important caveat: This is encryption-at-rest, not zero-knowledge encryption. The key management model is described in the next section. A determined operator with server access could technically decrypt this data.

How encryption works

Key hierarchy

UnfussyCRM uses a two-tier key model:

  1. Key Encryption Key (KEK) — A single 32-byte random key held only as an environment variable on the API and mail-sync servers. It is never written to the database. It is used to wrap per-user keys and to encrypt OAuth credentials directly.
  2. Per-user Data Encryption Key (DEK) — A unique 32-byte random key generated the first time you connect an email account. Your DEK is stored in the database only in its wrapped (encrypted) form, protected by the KEK. The plaintext DEK exists only in server memory during active request handling.

Encryption algorithm

All content encryption uses XChaCha20-Poly1305 (via libsodium). Each encrypted value includes a random nonce, so no two ciphertexts are alike even for identical inputs.

What this protects against

ThreatProtected?
Database breach (attacker gets a database dump)Yes — email bodies, headers, and credentials are ciphertext without the KEK
Compromised backupYes — same as above
Insider threat (rogue employee with DB access only)Yes — they cannot read email bodies without the KEK
Insider threat (full server access, including env vars)No — the KEK is accessible to someone with server-level access
Subpoena for database contentsPartial — metadata and subjects would be disclosed; encrypted bodies would require also disclosing the KEK

Body storage policy

We apply a hybrid storage model to minimise unnecessary data retention:

What we do with your data

Data hosting and infrastructure

Database, API, and mail-sync services run on infrastructure you control when self-hosted, or on dedicated cloud instances for managed deployments. Database backups are encrypted at rest. All API traffic is TLS 1.2+ in transit. The database is not publicly accessible; it is reachable only from within the private network.

Data retention and deletion

Your controls

As a workspace administrator you can:

Summary

QuestionAnswer
Can you read my email bodies?Technically yes, if someone has both DB access and server env access. From DB alone: no.
Are my email credentials safe if the DB is leaked?Yes — credentials are encrypted and unreadable without the server key.
Do you use my emails to train AI?No. AI requests are per-action and use Anthropic's API under their data terms.
Is this zero-knowledge?No. The encryption key is server-side. This is strong encryption-at-rest, not end-to-end.
Who controls my data retention?You do — configurable per workspace, with on-demand purge.

If you have questions about a specific data handling scenario, please contact us directly.